Re: [fw-wiz] Firewall best practices



The firewall needs to know the cert at one end of the connection (it can be either end, so if it knows the client cert you are using it will work as well)

In some cases the firewall makes up a cert on the fly, with the browser set to trust any cert the firewall signs, and the firewall is a full man-in-the-middle proxy.

In other cases the firewall works on a copy of the traffic and decrypts it with the known certs (there are some PKI modes this will not work on)

David Lang

On Tue, 27 Apr 2010, John Morrison wrote:

My understanding of https (and other PKI-based encryption) is that
only the holder of the private key can decrypt the data encrypted with
the other (public) key in the pair. My view is that the firewall can
only decrypt and inspect https traffic if it is acting as the server
to the external client. It can't intercept and decrypt https traffic
destined for another device - the real server. If it did https would
be worthless. Any hacker could buy such a firewall to sniff and
decrypt all https traffic.

On 23 April 2010 20:18, <david@xxxxxxx> wrote:
On Fri, 23 Apr 2010, Martin Barry wrote:

$quoted_author = "Marcus J. Ranum" ;

That's why firewalls need to go back to doing what they
originally did, and parsing/analyzying the traffic that
flows through them, rather than "stateful packet
inspection" (which, as far as I can tell, means that
there's a state-table entry saying "I saw SYN!")

Marcus, are you referring to DPI or proxies or both or something else
entirely?


If the firewall doesn't understand the data it's passing,
it's not a firewall, it's a hub.

If an application emulates HTTPS traffic and is proxy aware, how do you
tell
the difference?

There are firewalls on the market that can decrypt HTTPS traffic (and I
believe be configured to block any traffic that they can't decrypt)

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • =?ISO-8859-1?Q?Re:_SSL/TLS_Woes_FTP?=
    ... server needs to allow incoming connections to ports higher than 1024. ... you may need firewall adjustments. ... The z/OS FTP client is also very picky about server certificates. ... server cert must be signed by a CA acceptable to the client, ...
    (bit.listserv.ibm-main)
  • Re: 2 Certs for 1 OWA exchange server DR site
    ... Server for example, or another firewall. ... The users will connect to the DNS ... The issue is with the cert. ...
    (microsoft.public.exchange.admin)
  • Re: L2TP/IPSEC - Please help - Im losing it!!
    ... I checked the settings in the Windows 2003 RRAS firewall. ... I also looked at my IAS server config. ... and try to pick a cert from the ...
    (microsoft.public.win2000.ras_routing)
  • Re: Tiger & Root Certificate
    ... I'm sorry to say my previous email about timezone problems was wrong. ... This worked fine under Panther and I've changed nothing on the server side. ... and the mail server's cert using the MS ... I should also mention that the server is NAT'd behind a firewall. ...
    (microsoft.public.mac.office.entourage)
  • Re: [fw-wiz] Security of HTTPS
    ... > attempted SSL session if the certificate does not match the remote ... the problem is that the firewall doesn't know what the client is expecting ... to see in the cert. ... And the other way is to make it so complicated that there are no obvious deficiencies. ...
    (Firewall-Wizards)