From what I heard, SOS will soon release a version of Freestone which has
SSL proxy capability, plus telnet-gw and ftp-gw which actually work.
The USENIX firewall group meetings I attended yesterday grumbled that TIS
abandoned fwtk, and is no longer maintaining fwtk proxies for new
applications and protocols. Rumor has it SOS Freestone will have a fwtk
migration tool for disgruntled fwtk users.
Bill Stout
At 07:40 AM 1/22/96 EST, you wrote:
>
>I recently posted a note to the Firewalls@GreatCircle mailing list asking
>about commercial firewall product support for SSL and S-HTTP proxies. Here
>are some posted summaries as of 11 January 1996. If there is additional
>vendor support (specifically for dual-homed gateway-based firewalls),
>please let me know. I realize that screening routers and packet filtering
>systems can support SSL and S-HTTP, my interest was in proxy services.
>
>1. TIS Firewall Toolkit (patch is available for supporting https:// URLS)
>
>2. TIS Gauntlet: SSL and S-HTTP proxies in next release.
>
>3. KarlBridge/KarlBrouter: S-HTTP proxy
>
>4. Milkyway Blackhole: S-HTTP proxy. Currently supports SSL
>transparently and will support proxy-ssl and proxy-pct in the next release
>3.0. SSL is currently supported via proxy-tcp (many to many version of
>plug-gw if you prefer). PCT is Microsoft's SSL++.
>
>4. SOS Brimstone: S-HTTP proxy
>
>5. Technologic Interceptor: S-HTTP proxy
>
>6. V-One SmartWall: S-HTTP proxy
>
>7. ANS InterLock: ANS InterLock has an SSL proxy for handling https:// URLs.
>
>License versions of TIS Gauntlet will support whatever the next Gauntlet
>release supports.
>-------------------------------------------
>
>From: "Mark Horn [ Net Ops ]" <mhorn@funb.com>
>Subject: Re: SSL and S-HTTP Proxy support
>Date: Fri, 5 Jan 1996 12:29:05 -0500 (EST)
>
>Well, I know that these aren't firewall vendors, but here are two more proxies
>that support SSL:
>
> CERN Proxy with Ari Luotonen's patch. For more info:
> http://www.w3.org/pub/WWW/Daemon/
> http://www.w3.org/pub/WWW/Daemon/User/Patch/
>
> Netscape Proxy server. For more info:
> http://home.netscape.com/comprod/server_central/test_drive.html
>-------------------------------------------
>
>Date: 05 Jan 1996 15:28:01 -0600
>From: "Koch, Bryan" <Bryan-T.Koch@norwest.com>
>Subject: RE: SSL and S-HTTP Proxy support
>Mime-Version: 1.0
>
>While not a "firewall vendor", Netscape also markets an http/s-http proxy
>server. They claim it is compatible with the TIS FWTK. I've not tested it.
>-------------------------------------------
>
>See ftp://ds.internic.net/internet-drafts/draft-luotonen-ssl-tunneling-02.txt
>-------------------------------------------
>
>Date: Tue, 19 Dec 1995 10:24:55 +0100
>From: Jean-Christophe Touvet <jct@edelweb.fr>
>Sender: owner-fwtk-users@TIS.COM
>Precedence: -100
>
>[To unsubscribe from this list send the message "unsubscribe fwtk-users" in the
>BODY of a mail message to majordomo@tis.com.]
>
>> I am looking for ssl patches/mods/plug-gw hints for Netscape. It is
>> important for some of my users to get access to ssl-controlled sites.
>
> Look at <ftp://ftp.edelweb.fr/pub/contrib/fwtk/ssl-gw.tar.Z> and don't forget
>to read carefully the README file.
>
> Disclaimer: this code is not supported (I will not answer any question about
>it), and should be patched to avoid logging of User-Agent header with
>Netscape 2.x. Anyway, it works ;-)
>-------------------------------------------
>
>Date: Mon, 8 Jan 1996 11:55:39 -0600
>From: Rick Smith <smith@sctc.com>
>To: firewalls@greatcircle.com
>Cc: smith@sctc.com, mckenney@smiley.mitre.org
>Subject: Re: SSL and S-HTTP Proxy support
>
>mckenney@smiley.mitre.org (Brian W. McKenney) writes:
>
>>I would like to have an update as to which commercial firewall vendors
>>support or plan to support (when) an SSL and/or S-HTTP proxy. I will post
>>a summary.
>
>The answer depends on what you're trying to do. If you're trying to
>let clients residing on a protected internal net browse an external,
>less trustworthy net (the Internet) then all the major firewalls
>should provide similar service, including our Sidewinder.
>
>The service is based on a generic proxy that tunnels the traffic
>through the firewall. Some firewalls (like Sidewinder) can apply
>access controls as follows:
>
>1) permit/deny traffic according to source IP address.
>2) permit/deny traffic according to destination IP address.
>3) restrict to inbound only or outbound only.
>4) require login/password from browser.
>
>All except 4) are generic proxy controls and not specific to Web
>service.
>
>As far as I know, *nobody* actually cracks the SSL at the firewall and
>applies access control on the crypto credentials being passed. With
>today's Netscape browsers, of course, this can only authenticate the
>server being accessed, not the client. I don't know of anyone doing
>this with SHTTP, either. If anyone does, I'd be interested to hear
>what security objectives are involved and what mechanism is used.
>
>If, on the other hand, you need to provide Web service to clients on a
>potentially hostile external network (the Internet) then existing
>proxy techniques aren't going to protect you much. You need to host
>the Web service on a platform capable of resisting sophisticated
>attacks. That's a different problem.
>
>
>Respectfully,
>
>Brian W. McKenney (mckenney@mitre.org)
>Network Security Engineering
>The MITRE Corporation Mail Stop: Z-231
>7525 Colshire Drive McLean, VA 22102
>Voice: 703-883-5463 Fax: 703-883-1245
>
>
>
>
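
The source, destination and direction controls listed as items 1) to 3) in Rick Smith's message, applied to the `CONNECT host:port` request defined in the SSL tunneling draft cited above. This is an added example, not part of the thread or of any product named in it; the rule table, the addresses and the `resolved` lookup table are constructed assumptions.

```python
import ipaddress
import re

# Constructed policy: (action, source net, destination net, ports); first match wins.
# No rule has an external source, so inbound tunnels fall through to the default deny.
RULES = [
    ("deny",   "10.1.9.0/24", "0.0.0.0/0",       None),         # lab subnet: no tunnels
    ("permit", "10.1.5.0/24", "198.51.100.0/24", {443, 8443}),  # one group, one partner net
    ("permit", "10.1.0.0/16", "0.0.0.0/0",       {443}),        # everyone else: https only
]

CONNECT_RE = re.compile(r"CONNECT (\S+):([0-9]{1,5}) HTTP/1\.[01]")

def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', or None if malformed."""
    m = CONNECT_RE.fullmatch(request_line.strip())
    if not m or not 0 < int(m.group(2)) < 65536:
        return None
    return m.group(1), int(m.group(2))

def decide(src_ip, dst_ip, port, rules=RULES):
    """Apply source/destination/port rules; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, ports in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (ports is None or port in ports)):
            return action
    return "deny"

def handle(src_ip, request_line, resolved):
    """Decide on one tunnel request. `resolved` maps host names to the address
    the proxy itself looked up (a constructed table here, so this runs offline)."""
    target = parse_connect(request_line)
    if target is None:
        return "deny"
    host, port = target
    dst_ip = resolved.get(host, host)      # host may already be an IP literal
    try:
        return decide(src_ip, dst_ip, port)
    except ValueError:                     # unresolved name or malformed address
        return "deny"
```

The decision uses only the client address and the host and port named in the request line; the encrypted payload that follows an accepted tunnel is never inspected, which matches the generic-proxy behaviour the message describes.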