AW: SSL connections through firewall

From: Reichert Holger (Holger.Reichert@nondbvwin.de)
Date: 10/15/01


Message-ID: <0CF7D06FA20DD5119A7400508B64927001E9487B@wi-c12.dbvwin.winterthur.com>
From: Reichert Holger <Holger.Reichert@nondbvwin.de>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Subject: AW: SSL connections through firewall
Date: Mon, 15 Oct 2001 13:37:18 +0200


-----Ursprüngliche Nachricht-----
Von: Pradeep Kumar [mailto:pradeep.pillai@nexsi.com]
Gesendet: Donnerstag, 11. Oktober 2001 09:54
An: Reichert Holger; security-basics@securityfocus.com;
kutulu@kutulu."org]"
Betreff: RE: SSL connections through firewall

Solution :-
-Combination of SSL and IPSEC
-For virus protection, have a corporate version of Virus Server.

This does not help, because the virus server (or gateway) cannot scan
encrypted traffic.
Only the workstation is capable of scanning for viruses. This is the only
and last securityline you have.

-Have the correct rules on your FW.Deny domains which you dont want
employess to surf.

This will surely lead to a complex rulebase and degrades your firewall
performance needlessly.
If you choose to control this traffic on your firewall, than take your
standard ending rule: Deny all;
and allow those few domains you trust. (And hope that they have also a good
virus protection)

Best regards
Holger Reichert
www.holysword.de

-----Original Message-----
From: Reichert Holger [mailto:Holger.Reichert@nondbvwin.de]
Sent: Monday, October 01, 2001 11:15 PM
To: 'security-basics@securityfocus.com'
Subject: AW: SSL connections through firewall

Hi

there's one thing left to say:
If you open SSL on your Firewall, the data stream goes, without
virus-scanning at the perimeter,
directly to your client.
For normal http-traffic you should have virus and active content filterering
on a gateway at your perimeter.
This line of defence does not count for you by using ssl.

The risk is:
A Website gets infected by a worm (like nimda, and there will be other worms
in the future), gets its whole html-files infected, and now you let them
through via ssl to your client.
If you have no up to date virus detection at every Worksation
Boom

This is my opinion, why you can't treat ssl as http

Best regards
Holger Reichert
www.holysword.de

-----Ursprüngliche Nachricht-----
Von: Kutulu [mailto:kutulu@kutulu.org]
Gesendet: Montag, 1. Oktober 2001 18:59
An: Walker Andrew
Cc: 'security-basics@securityfocus.com'
Betreff: Re: SSL connections through firewall

At 11:52 AM 09/28/2001 +0200, Walker Andrew wrote:

>I read up about SSL as a protocol and about public key encryption, but I'm
>still undecided. I have no help from the firms Internet policy to guide me
>so I'm looking for advise regarding how one would go about allowing it by a
>rule on FW1, if there are any security risks to be aware of, and also if
>anyone has any guidelines or experience of internet policies that deal
with
>this kind of Internet usage from within the firm.

 From a technological standpoint, all you need to do to permit this is open
the https port, which I believe is 443, for outgoing connections.

As for security risks, there aren't any specific to SSL web traffic, that I
know of. On the individual level (the user), there is a big difference in
security between http and https, but from an overall corporate network
perspective, it's basically all just web traffic. There's always the risk
of the user downloading some sort of trojan or virus or whatnot, but this
risk is no larger than with standard web traffic. In fact, it is probably
smaller given the cost and effort required to set up an SSL web server
properly (e.g., purchase valid keys and certificates, install and perhaps
licence the SSL software, etc).

The major decision here, not surprisingly, is one of corporate policy, not
technical policy. SSL traffic, on the whole, is more likely to be
'legitimate' use than non-SSL traffic. That is, you will find most SSL
traffic being used for internet banking, online shopping, etc. (Of course,
you also find it on most adult sites). So the decision comes down to
wether or not you want your employees using the web for personal reasons
during the day. If you already have an established web-use policy, then it
should apply as-is to secure web-use.

If you don't have an established web-use policy, then you probably will
need input from several higher-ups to create one. Smaller companies I have
worked for had basically no usage policy apart from "don't do anything
illegal on our equipment." I know of other companies that completely block
all traffic except for web traffic, which is all shunted through
restrictive and logging proxy servers. Most companies are probably
somewhere in between.

My own personal opinion is that it's much better to enforce web policy on a
management level than a technical level. That is, not to have the firewall
and proxy servers enforcing a 'no use' rule, but rather, simply have an
established internet usage policy that is enforced by management on a case
by case basis. This works out well for my current company, though YMMV. I
feel this approach is more flexible, as it allows those who have a
(somewhat) legitimate need to access the internet (our developers for
support, out MIS department for patches and updates, our accountants for
financial news, the CEO for whatever he wants, etc), to do so without
intervention from the network administrators.. It's also easier to get an
exception from your immediate supervisor than to implement a change to the
firewall ruleset.

--K



Relevant Pages

  • RE: SSL connections through firewall
    ... Subject: SSL connections through firewall ... -For virus protection, have a corporate version of Virus Server. ... Subject: AW: SSL connections through firewall ... The major decision here, not surprisingly, is one of corporate policy, not ...
    (Security-Basics)
  • RE: [fw-wiz] HTTPS proxy solutions
    ... Apache listens on the exterior (through a firewall), accepts the SSL ... connection and forwards the clear text HTTP to another internal server. ... What I'm thinking of is a proxy that gathers information about name ...
    (Firewall-Wizards)
  • =?Utf-8?Q?Re:_DNS_und_Zertifikatsprobleme_?= =?Utf-8?Q?bei_dummer_Dom=C3=A4nenbezeichnung?=
    ... SSL POP ist doch ok, oder was gäbe es dagegen zu sagen? ... Exchange wird per 1:1 NAT erreicht. ... Dann ist das keine Firewall sondern ein NAT-Router. ...
    (microsoft.public.de.exchange)
  • RE: SSL connections through firewall
    ... the Corporate virus scanner. ... SSL would encrypt and authenticate. ... Subject: AW: SSL connections through firewall ...
    (Security-Basics)
  • Re: IIS Logon Credentials
    ... As far as SSL is concerned, ... Steve ... >would best to use 'basic' together with SSL to secure ... >> accessing through a cisco pix firewall via the ...
    (microsoft.public.inetserver.iis.security)