AW: SSL connections through firewall

From: Reichert Holger (
Date: 10/15/01

Message-ID: <>
From: Reichert Holger <>
To: "''" <>
Subject: AW: SSL connections through firewall
Date: Mon, 15 Oct 2001 13:37:18 +0200

-----Ursprüngliche Nachricht-----
Von: Pradeep Kumar []
Gesendet: Donnerstag, 11. Oktober 2001 09:54
An: Reichert Holger;;
Betreff: RE: SSL connections through firewall

Solution :-
-Combination of SSL and IPSEC
-For virus protection, have a corporate version of Virus Server.

This does not help, because the virus server (or gateway) cannot scan
encrypted traffic.
Only the workstation is capable of scanning for viruses. This is the only
and last securityline you have.

-Have the correct rules on your FW.Deny domains which you dont want
employess to surf.

This will surely lead to a complex rulebase and degrades your firewall
performance needlessly.
If you choose to control this traffic on your firewall, than take your
standard ending rule: Deny all;
and allow those few domains you trust. (And hope that they have also a good
virus protection)

Best regards
Holger Reichert

-----Original Message-----
From: Reichert Holger []
Sent: Monday, October 01, 2001 11:15 PM
To: ''
Subject: AW: SSL connections through firewall


there's one thing left to say:
If you open SSL on your Firewall, the data stream goes, without
virus-scanning at the perimeter,
directly to your client.
For normal http-traffic you should have virus and active content filterering
on a gateway at your perimeter.
This line of defence does not count for you by using ssl.

The risk is:
A Website gets infected by a worm (like nimda, and there will be other worms
in the future), gets its whole html-files infected, and now you let them
through via ssl to your client.
If you have no up to date virus detection at every Worksation

This is my opinion, why you can't treat ssl as http

Best regards
Holger Reichert

-----Ursprüngliche Nachricht-----
Von: Kutulu []
Gesendet: Montag, 1. Oktober 2001 18:59
An: Walker Andrew
Cc: ''
Betreff: Re: SSL connections through firewall

At 11:52 AM 09/28/2001 +0200, Walker Andrew wrote:

>I read up about SSL as a protocol and about public key encryption, but I'm
>still undecided. I have no help from the firms Internet policy to guide me
>so I'm looking for advise regarding how one would go about allowing it by a
>rule on FW1, if there are any security risks to be aware of, and also if
>anyone has any guidelines or experience of internet policies that deal
>this kind of Internet usage from within the firm.

 From a technological standpoint, all you need to do to permit this is open
the https port, which I believe is 443, for outgoing connections.

As for security risks, there aren't any specific to SSL web traffic, that I
know of. On the individual level (the user), there is a big difference in
security between http and https, but from an overall corporate network
perspective, it's basically all just web traffic. There's always the risk
of the user downloading some sort of trojan or virus or whatnot, but this
risk is no larger than with standard web traffic. In fact, it is probably
smaller given the cost and effort required to set up an SSL web server
properly (e.g., purchase valid keys and certificates, install and perhaps
licence the SSL software, etc).

The major decision here, not surprisingly, is one of corporate policy, not
technical policy. SSL traffic, on the whole, is more likely to be
'legitimate' use than non-SSL traffic. That is, you will find most SSL
traffic being used for internet banking, online shopping, etc. (Of course,
you also find it on most adult sites). So the decision comes down to
wether or not you want your employees using the web for personal reasons
during the day. If you already have an established web-use policy, then it
should apply as-is to secure web-use.

If you don't have an established web-use policy, then you probably will
need input from several higher-ups to create one. Smaller companies I have
worked for had basically no usage policy apart from "don't do anything
illegal on our equipment." I know of other companies that completely block
all traffic except for web traffic, which is all shunted through
restrictive and logging proxy servers. Most companies are probably
somewhere in between.

My own personal opinion is that it's much better to enforce web policy on a
management level than a technical level. That is, not to have the firewall
and proxy servers enforcing a 'no use' rule, but rather, simply have an
established internet usage policy that is enforced by management on a case
by case basis. This works out well for my current company, though YMMV. I
feel this approach is more flexible, as it allows those who have a
(somewhat) legitimate need to access the internet (our developers for
support, out MIS department for patches and updates, our accountants for
financial news, the CEO for whatever he wants, etc), to do so without
intervention from the network administrators.. It's also easier to get an
exception from your immediate supervisor than to implement a change to the
firewall ruleset.