Subject: Re: off topic: ssl setup on web server inside firewall
From: "Simon J. Gerraty" <sjg @ quick . com . au>
Date: Thu, 1 Jan 1998 03:38:05 +1100 (EST)
To: Rahul Dhesi <dhesi @ rahul . net>
Cc: firewalls @ greatcircle . com
References: <firewalls . 199712301739 . JAA15463 @ arrakis . verisign . com> <199712310003 . AA22347 @ waltz . rahul . net>

Rahul Dhesi writes:
>A secure SSL-enabled web server:

>                                |
>     [ SSL web server ] ------- | ====== The Internet ====
>                                |
>                              firewall

>Here the firewall protects the SSL-enabled web server from all
>connection attempts except through port 443, and possibly port 80.  The

Actually I prefer the model:

(corp net)==[firewall]---(clean)---[firewall]==(Internet)

Put a web server on the exposed side of the net to handle port 80, and 
public content - and arrange for it to be replicated from a safe machine 
inside the firewall... and have it plug port 443 through to a web server
on the clean net.  This SSL server can be configured to do nothing else 
and if you really care, configure it to _require_ a client cert so only 
authenticated connections are possible.  This helps eliminate anonymous
hacking attempts on the ssl server.

Of course there should still be another firewall between such servers and
the corporate network.

>data are passed on to the application.  This makes SSL close to useless
>for serious security.  Any intrusion into the machine running SSL
>immediately compromises the transaction.

Hmmm, if I can read memory on your system - what good is any form 
of encryption?   If I can write memory, you do not even have data 

>final decryption is done inside the firewall.  PGP fits the bill, SSL
>does not.

Granted SSL is less than ideal, but it does exist and can be used.
PGP is not much use outside the US, as many corporations will not use
it due to license/export issues.  Yes, there is a version available outside
the U.S., but was it a clean room effort?  There are no such issues with SSL.

Of course folk outside the U.S. are stuffed anyway, until a decent
non-U.S. based browser (not limited to 40bit RC4) comes along.
I don't think there is any interest in any govt anywhere to see this issue
solved to the satisfaction of net users though.
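As an added illustration (not part of the original mail) of the "require a client cert" step above, here is an Apache mod_ssl virtual host for the SSL server on the clean net, showing the permissive default beside the locked-down setting. Hostnames, file paths and the CA name are placeholders, not values from the thread.

```apache
# Added example: SSL-only server on the clean net, reached only via the
# port-443 passthrough from the exposed host.  Serves nothing on port 80.
Listen 443

<VirtualHost *:443>
    ServerName ssl.example.internal          # placeholder hostname
    DocumentRoot /srv/www/ssl-only           # placeholder path

    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt   # placeholder path
    SSLCertificateKeyFile /etc/ssl/server.key   # placeholder path

    # Weak (default) setting: any anonymous client may complete the
    # handshake and then probe the application.
    #   SSLVerifyClient none

    # Hardened setting: the handshake fails unless the client presents a
    # certificate chaining to the corporate CA, so only authenticated
    # connections ever reach the application.
    SSLCACertificateFile /etc/ssl/corp-client-ca.crt   # placeholder path
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Expose the verified client DN to the application (SSL_CLIENT_S_DN)
    # so it can authorize per user rather than trusting the connection.
    <Directory /srv/www/ssl-only>
        SSLOptions +StdEnvVars
        SSLRequireSSL
        Require all granted
    </Directory>
</VirtualHost>
```

With `SSLVerifyClient require` in place, an unauthenticated scanner never gets past the TLS handshake, which is the anonymous-hacking exposure the mail is trying to remove.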


