Buy a box (Palo Alto Networks, for example), generate a CA on it, install that CA on all your clients, turn on decryption on the Palo Alto and Bob's your uncle: your staff visit https://www.xyz.com, the Palo Alto makes the connection, decrypts it, re-encrypts it and presents it back to the client, though the cert the client sees, if they look, is going to be the self-signed CA.
Big caveat with the above is to tell your staff you're doing it, as that way you won't get a mob with pitchforks turning up if they think you're sniffing their PayPal/financial transactions etc. Better yet, get a box with URL filtering and exclude certain categories, i.e. banking and finance.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: 29 September 2010 04:57
To: NT System Admin Issues
Subject: RE: Outbound firewall ports

How do you inspect SSL traffic? If one could do that, then it would not be a secure connection?

Greg Sweers
CEO
ACTS360.com
P.O. Box 1193
Brandon, FL 33509
813-657-0849 Office
813-758-6850 Cell
813-341-1270 Fax

-----Original Message-----
From: James Hill [mailto:[email protected]]
Sent: Tuesday, September 28, 2010 11:53 PM
To: NT System Admin Issues
Subject: RE: Outbound firewall ports

I'm not disagreeing with only allowing 443 out from the squid proxy. That's the best way to go for sure. I'm just saying that if the end user is connecting to an external proxy using encrypted traffic through the squid then it makes no difference to that end user. Hence my initial comment about using 443 to bypass internal filtering unless there is https inspection in place. It's a common trick used particularly in schools, it seems.

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Wednesday, 29 September 2010 1:48 PM
To: NT System Admin Issues
Subject: Re: Outbound firewall ports

Yes, it does matter. The inspection of traffic in this case is fairly irrelevant. What I'm after is that *only* the squid proxy gets out on port 443. Anything trying to get out on port 443 that doesn't go through the squid proxy is by definition bad, and therefore blocked.

I don't have the resources to inspect traffic. That's a hard fact I have to live with. Therefore, I have to rely on endpoint protection, and the idea that only one host is allowed out.

You do what you can with what you have.
Kurt

On Tue, Sep 28, 2010 at 20:35, James Hill <[email protected]> wrote:
> If you aren't inspecting the traffic then it doesn't really matter that it's
> going through squid, they'll still get to wherever they like.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Wednesday, 29 September 2010 1:24 PM
> To: NT System Admin Issues
> Subject: Re: Outbound firewall ports
>
> Nope - I proxy SSL through my squid box. Of course, I don't actually inspect
> the traffic, but I do log the URLs. It stops potential zombies that don't
> understand/respect IE or FF proxy settings.
>
> On Tue, Sep 28, 2010 at 17:13, James Hill <[email protected]> wrote:
>> 443? Isn't that the port to connect to your external proxy server so
>> you can bypass any internal filtering? :)
>>
>> Unless of course the internal filtering has good https inspection. Not many
>> do though.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[email protected]]
>> Sent: Wednesday, 29 September 2010 4:03 AM
>> To: NT System Admin Issues
>> Subject: Re: Outbound firewall ports
>>
>> Ports 21, 80 and 443, and only for the proxy server. I have ssh open
>> outbound to specific customer sites that we support.
>>
>> I was forced to open 544 (rtsp) recently for a live video event, but did
>> that for a single IP address so that the machine showing the event in the
>> lunchroom could get to it.
>>
>> I allow DNS outbound only for our DNS servers, and NTP for our NTP servers.
>>
>> That covers most of it.
>>
>> On Tue, Sep 28, 2010 at 10:55, Tom Miller <[email protected]> wrote:
>>> Folks,
>>>
>>> Anyone have a list of the protocols/ports they allow outside their
>>> firewalls? I am locking down our firewall outbound traffic to
>>> certain ports and am looking for other "standard" items I may be missing.
>>>
>>> Thanks
>>> Tom
>>>
>>> Confidentiality Notice: This e-mail message, including attachments,
>>> is for the sole use of the intended recipient(s) and may contain
>>> confidential and privileged information. Any unauthorized review,
>>> use, disclosure, or distribution is prohibited. If you are not the
>>> intended recipient, please contact the sender by reply e-mail and
>>> destroy all copies of the original message.
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to [email protected]
>>> with the body: unsubscribe ntsysadmin

--
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.
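The egress policy Kurt describes in this thread (ports 21, 80 and 443 only from the squid proxy; DNS only from the internal DNS servers; NTP only from the NTP servers; a one-off exception for a single host, destination and port; everything else blocked) can be expressed as a small checker and run over firewall connection records to spot hosts that bypass the proxy. The following is an added example, not code from this thread or from any of its posters: the addresses, the log-line format, the exception entry and the port used for the RTSP exception are all constructed for illustration.

```python
"""Egress-policy checker: flags outbound connections that do not match a
"only the proxy gets out" policy. Added example; every host, address and
log line below is constructed, not taken from a real network."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# --- Policy (assumed values; substitute your own) -------------------------
PROXY_HOST = "10.0.0.10"                  # squid box: the only source for 21/80/443
PROXY_PORTS: Set[int] = {21, 80, 443}
DNS_SERVERS: Set[str] = {"10.0.0.2", "10.0.0.3"}   # only these may talk on 53
NTP_SERVERS: Set[str] = {"10.0.0.4"}               # only these may talk on 123
# One-off exceptions of the "single host, single destination, single port"
# kind, e.g. one lunchroom PC allowed to reach one RTSP source (port assumed).
EXCEPTIONS: Set[Tuple[str, str, int]] = {("10.0.0.77", "198.51.100.9", 554)}

# Constructed record format: "<ts> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Optional[Conn]:
    """Parse one connection record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["ts"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def decide(c: Conn) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one outbound connection."""
    if (c.src, c.dst, c.dport) in EXCEPTIONS:
        return "allow", "explicit single-host exception"
    if c.dport in PROXY_PORTS:
        if c.src == PROXY_HOST:
            return "allow", "proxy host on a proxy port"
        return "deny", f"port {c.dport} from non-proxy host {c.src}"
    if c.dport == 53:
        if c.src in DNS_SERVERS:
            return "allow", "internal DNS server"
        return "deny", f"direct DNS from {c.src} bypasses the internal resolvers"
    if c.dport == 123:
        if c.src in NTP_SERVERS:
            return "allow", "internal NTP server"
        return "deny", f"direct NTP from {c.src}"
    return "deny", f"port {c.dport} is not in the egress policy"


def audit(lines: List[str]) -> List[Tuple[Conn, str]]:
    """Apply the policy to log lines; return the connections it would deny."""
    findings: List[Tuple[Conn, str]] = []
    for line in lines:
        c = parse_line(line)
        if c is None:          # skip malformed records rather than crash
            continue
        verdict, reason = decide(c)
        if verdict == "deny":
            findings.append((c, reason))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "2010-09-28T10:55:01 src=10.0.0.10 dst=203.0.113.5 proto=tcp dport=443",   # proxy: allowed
    "2010-09-28T10:55:02 src=10.0.0.23 dst=203.0.113.5 proto=tcp dport=443",   # workstation bypassing the proxy
    "2010-09-28T10:55:03 src=10.0.0.2 dst=192.0.2.53 proto=udp dport=53",      # internal resolver: allowed
    "2010-09-28T10:55:04 src=10.0.0.23 dst=192.0.2.53 proto=udp dport=53",     # workstation doing its own DNS
    "2010-09-28T10:55:05 src=10.0.0.77 dst=198.51.100.9 proto=tcp dport=554",  # lunchroom exception: allowed
    "2010-09-28T10:55:06 src=10.0.0.23 dst=198.51.100.9 proto=tcp dport=554",  # same port, wrong host
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for conn, reason in audit(SAMPLE_LOG):
        print(f"{conn.ts} {conn.src} -> {conn.dst}:{conn.dport}/{conn.proto}  DENY: {reason}")
```

Run against the constructed sample it reports the three records from 10.0.0.23: the direct 443 connection, the direct DNS lookup, and the RTSP attempt from a host that is not the one in the exception table. The same `decide()` logic can be fed with your firewall's actual deny/allow log to confirm the ruleset enforces what you think it does, or with NetFlow-style records from inside the perimeter to find hosts that are ignoring the proxy settings.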
