My New Year's resolution is to be civil and only offer useful information on the list.
I'm a nice guy now :) Thanks!

Tom

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 30, 2008 8:57 PM
To: NT System Admin Issues
Subject: Re: L2TP vs. SSTP

On Jan 30, 2008 9:17 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> The only cure is an application proxy that actually understands the
> protocols, and enforces them, and that's nearly unobtainable.

It's not actually that rare. It's a Simple Matter of Programming to confirm that the traffic on TCP/443 actually is SSL. (As I'm sure Tom will point out, ISA Server can do this (I believe)).

The real problem is that SSL, by design and intent, prevents you from looking inside the secure tunnel. (If it didn't, it wouldn't be very secure, now would it?) You don't know what the SSL tunnel is being used to carry. Could be HTTP. Could be a backdoor to an attacker. Default deny with whitelisting of SSL sites is one approach, but that's an obvious hassle.

Approaches which explicitly open the payload to trusted inspection have been proposed. The idea is, have the client software create an SSL tunnel to the proxy. Using a special protocol over that connection, the client requests an SSL tunnel to the real destination. The proxy creates that SSL tunnel. The client then sends the payload (without further encryption) over the tunnel to the proxy, which can inspect it and (if it passes inspection) forward it over its own SSL tunnel.

The problem is there are no standards for this (that I'm aware of), and there are cases which are non-trivial to handle. (What if the remote's CA is unknown? What about client certificates?) Even if we get standards, adoption is going to take some time.

There are also obvious security implications with deliberately defeating the end-to-end security model. Presumably one can manage that risk internally, but it's still an issue.

-- Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
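The "Simple Matter of Programming" Ben refers to, confirming that the bytes a client sends on TCP/443 really are a TLS handshake before a proxy treats the flow as TLS, as an added example that is not from the thread, from ISA Server or from any other product. It parses the TLS record header and the ClientHello body (version, session id, cipher suites, compression, extensions), extracts the advertised version and SNI, and rejects anything that is not well-formed TLS. The sample ClientHello is constructed inline; the function names are this example's own. It also illustrates Ben's second point: a passing check only proves the framing is TLS, not what the tunnel carries.

```python
"""Confirm that the first bytes on a TCP/443 flow are a TLS ClientHello.

Added example (not from the mail thread or any named product): the check a
protocol-enforcing proxy performs before it treats a 443 connection as TLS.
It validates record framing and pulls out the advertised version and SNI,
which is all a middlebox can see without breaking the tunnel.
"""
import struct

TLS_HANDSHAKE = 0x16       # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000   # server_name extension (SNI)
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def parse_client_hello(data: bytes) -> dict:
    """Return {'version': str, 'sni': str | None}; raise ValueError if the
    bytes are not one complete, well-formed TLS ClientHello record."""
    if len(data) < 5:
        raise ValueError("shorter than a TLS record header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError(f"record type 0x{ctype:02x} is not handshake")
    if (major, minor) not in VERSION_NAMES:
        raise ValueError(f"unknown record version {major}.{minor}")
    body = data[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length does not match data")
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 34:
        raise ValueError("ClientHello body truncated")

    # client_version(2) random(32) session_id<0..32> cipher_suites<2..>
    # compression_methods<1..> extensions<0..>
    version = VERSION_NAMES.get((hello[0], hello[1]), f"{hello[0]}.{hello[1]}")
    pos = 34
    pos += 1 + hello[pos]                                   # session_id
    if pos + 2 > len(hello):
        raise ValueError("missing cipher_suites")
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(hello):
        raise ValueError("missing compression_methods")
    pos += 1 + hello[pos]                                   # compression_methods
    if pos == len(hello):
        return {"version": version, "sni": None}            # no extensions (legacy client)
    if pos + 2 > len(hello):
        raise ValueError("trailing bytes after compression_methods")

    sni = None
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if ext_end != len(hello):
        raise ValueError("extensions length does not match body")
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            raise ValueError("extension truncated")
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "sni": sni}


def classify_443_payload(data: bytes) -> tuple:
    """Proxy decision for the first client bytes: ('tls', sni) if this is a
    ClientHello, ('not-tls', None) otherwise. A 'tls' verdict only says the
    framing is TLS; what the tunnel carries remains invisible."""
    try:
        return "tls", parse_client_hello(data)["sni"]
    except ValueError:
        return "not-tls", None


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello with one cipher
    suite and an SNI extension (not a capture)."""
    name = hostname.encode("ascii")
    server_name_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    hello = (b"\x03\x03" + bytes(32)                   # version, random (zeros: sample only)
             + b"\x00"                                 # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
             + b"\x01\x00"                             # compression: null only
             + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for label, payload in [("tls client", build_client_hello("www.example.com")),
                           ("plain http", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")]:
        print(label, classify_443_payload(payload))
```

The parser is strict about every length field because a permissive check is exactly what lets a non-TLS tunnel slip through as "looks like SSL"; a real proxy would additionally want the server-side ServerHello and certificate to line up with the SNI before letting the flow continue, and would still, as Ben says, know nothing about the encrypted payload itself.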
