On 1/30/08, Ben Scott <[EMAIL PROTECTED]> wrote:
> On Jan 30, 2008 10:16 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> > Not quite - I don't know of any application proxy that actually
> > does well with all of the verbs, etc., in the HTTP suite, especially
> > when you throw javascript, xml, activeX controls, etc., etc., etc. at
> > it.
>
>  I don't know why any of that should be relevant.

Because the content needs to be inspected, validated and accepted or
rejected. ActiveX controls are mostly just executables, but the rest
could, usually, be considered part of the HTTP protocol suite, in one
sense or another. Even if not part of the protocol suite, it's content
that needs the same scrutiny as anything else.

<snip>

> > I do know of at least one firewall that will decrypt SSL as it
> > passes through, though, for inspection purposes - of course, that
> > means some tricky work with certs ...
>
>  Hmmm... I'm guessing it has you add a local CA certificate to the
> trusted CA list on all the clients, and then the proxy impersonates
> whatever SSL site the client is requesting?  Wouldn't that break
> client SSL certificates, though?
>
>  Even so, I'm kinda curious -- got a link or product name?

Sidewinder, by Secure Computing.

> > ... you have the underlying protocol that's
> > being tunneled, and if it's not HTTP, then it gets really tricky.
>
>  *Exactly*.  Although, if the goal is just to make sure TCP/443 is
> only being used for HTTP-over-SSL (and not some arbitrary protocol),
> it at least makes that much possible.  Of course, there's still the
> possible use of HTTP as a covert channel.  I think someone has created
> an "IP over HTML" proof-of-concept.
>
> >>   Default deny with whitelisting of SSL sites is one approach, but
> >> that's an obvious hassle.
> >
> > Yes, and I'm nearly ready to go there.
>
>  Wish I could.  Cost/benefit isn't there for us.

Isn't there for me, either, but there are days when I want to do it anyway!

> > I say, let's kill all the users - then we'll have good security, eh? :)
>
>  The DoD still says the best way to secure a classified system is
> with the Air Gap(TM) firewall -- don't connect it to a network and
> you've solved the network attack problem.

Yup, if you have two armed guards, no USB or other ports, etc. Heh.
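The thread above discusses two ideas: confirming that traffic on TCP/443 is at least TLS rather than some arbitrary tunneled protocol, and a default-deny allowlist of permitted SSL sites. The following Python is an added illustration (not code from either poster or from any product named in the thread) of a first-packet check that does both: it parses the TLS ClientHello record, extracts the Server Name Indication, and decides allow or deny against an allowlist. The hostnames, the allowlist, and the sample packets are all constructed for the demo; a real deployment would also need to handle the covert-channel and non-HTTP-inside-TLS cases the thread mentions, which this check deliberately does not attempt.

```python
import struct

# Constructed allowlist for the demo; not taken from any real policy.
ALLOWLIST = frozenset({"www.example.com", "mail.example.com"})


def build_client_hello(hostname=None) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record (constructed sample input).
    With hostname=None the extensions block is omitted, i.e. no SNI."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry
        extension = struct.pack("!HH", 0x0000, len(sni_ext_data)) + sni_ext_data
        extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # client random (fixed, constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_sni(data: bytes):
    """Return the SNI hostname from a TLS ClientHello, None if the hello carries
    no SNI, or raise ValueError if the bytes are not a TLS ClientHello at all."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record is not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                            # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                      # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                       # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                                       # skip compression_methods
    if pos + 2 > len(body):
        return None                                         # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0x0000 and len(ext) >= 5 and ext[2] == 0:   # server_name, host_name
            name_len = struct.unpack("!H", ext[3:5])[0]
            return ext[5:5 + name_len].decode("ascii", "replace")
    return None


def classify_port443_flow(first_bytes: bytes, allowlist=ALLOWLIST) -> str:
    """Default-deny decision for the first client bytes seen on TCP/443."""
    try:
        sni = parse_client_hello_sni(first_bytes)
    except (ValueError, IndexError, struct.error):
        return "deny: not TLS"
    if sni is None:
        return "deny: no SNI"
    if sni.lower() in allowlist:
        return f"allow: {sni}"
    return f"deny: {sni} not on allowlist"


if __name__ == "__main__":
    samples = {
        "listed site": build_client_hello("www.example.com"),
        "unlisted site": build_client_hello("updates.example.net"),
        "no SNI": build_client_hello(None),
        "SSH on 443": b"SSH-2.0-OpenSSH_7.4\r\n",        # constructed non-TLS payload
    }
    for label, pkt in samples.items():
        print(f"{label:14s} -> {classify_port443_flow(pkt)}")
```

The check only inspects the clear-text ClientHello, so it costs nothing in certificate handling and does not break client certificates the way a decrypting proxy can; the trade-off is that it verifies the handshake shape and the requested name, not what is carried inside the tunnel once it is up.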
