These things are starting to appear everywhere....

I vaguely recall hearing of one group looking at getting our own intermediate CA.

Searching came up with this: http://www.startssl.com/?app=5

For as long as I've been here there has always been talk by one group or another about having such things screening traffic in and out of campus.

Right now there's a Procera in our network path....we recently upgraded our core network to 20Gbps, our service provider is a dual ring 10Gbps loop. Connects us to I1 and I2 in KC.

But, the Procera is currently only licensed for 4Gbps.

And, there's several groups on our campus and our neighbor (KU) that are working on getting our connectivity upgraded to 100Gbps.

But, network security will show up if you do more than 100Mbps for any length of time, and some researchers have found that they've been locked down to only 10Mbps....what was the point of upgrading network to have (at least) gigabit everywhere?

Though I have also learned that our internal firewall is only capable of 5Gbps (which was fine when our core was 2Gbps.)

Another thing that we used to have on our network was a coradiant box, while intended to try to improve our web performance....it does get all our certificates, so it can see the contents of our users accessing our websites....which IT security has used for various other purposes, namely to track down compromised computers or accounts. It's installed using a fiber tap in front of my F5. Not sure what's going to happen when we switch to the new F5.

Though security is doing their best to make it useless...making it log everything to where it can't do anything else....

Actually, I think the base LTM can already do SSL forward proxying....though it takes another module, which we probably aren't licensed for, to do any sort of inspection. Though I did get asked if it was possible to take the DBL feed we get from spamhaus for our mailservers and write something to use it to control users with other devices (rather than purchase the same datafeed as snort rules, or BGP...) Not sure my iRule (TCL) programming is at a level to attempt something like that. Though at one time I had wondered if I could write a conversion script to set up my own RPZ for our DNS servers.

And, I am thinking of using the forward proxy feature to replace our current proxy servers (which are load balanced behind my F5, but haven't been updated since 2007). But, as we are tossing out all our Sun/Oracle boxes soon, it'll probably end up in some ubuntu VMs if not directly on the new F5.

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally


On 2014-10-10 11:06, Ski Kacoroski wrote:
Hi,

Thanks to everyone for their explanation of what is going on.  I really
appreciate it.  To summarize:

Q: I was wondering why I needed to use a self signed cert on my iBoss web
filter instead of my wildcard cert?

I had several answers, but I like the one from Robert Lanning the best:

1) Transparent
2) SOCKS
3) Web proxy, where HTTPS is handled by a CONNECT request

1 and 3 are the most common nowadays.

The certificate check in all cases is the final destination certificate.
There is no "Proxy Certificate".

In transparent mode, the TCP SYN is intercepted and the proxy sends its own.
It retrieves the certificate from the server and generates its own version.
It then fakes being the server back to the client, using its version of the
certificate. It just swaps the public key with its own and resigns the
certificate with its own CA's private key.  It then retrieves the request
from the client and duplicates it to the server (if policy allows) and is
then able to scan the content coming from the server.

With SOCKS you are basically intercepting the socket() call instead of
intercepting the packets, but at the high level you are doing the same as
the transparent proxy.

Web proxies are just implemented even higher in the stack.  Instead of
intercepting the socket() call, the application talks directly with the
proxy.  In the case of SSL traffic, it asks the proxy to make a blind
connection (CONNECT proxy request) and pass the data unhindered.  Of course
the proxy can interfere with the connection and swap out the certificate and
lie about the connection.

In all cases the client must have the CA certificate of the proxy.

cheers,

ski
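As an added example (not from this thread or from any of the products named in it), a short Go program that shows why "the client must have the CA certificate of the proxy": a certificate the proxy re-issues for a site, carrying the site's name but the proxy's own key and CA signature, fails the client's chain check with an unknown-authority error until the proxy CA is in the client's trust store. All keys, CA names, the hostname and serial numbers are constructed for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl with the parent's key (self-signed when parent == tmpl); constructed demo PKI only.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // freshly minted DER always parses
	return cert
}

// NewCA makes a self-signed CA: stands in for a public root or for the proxy's own CA.
func NewCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return mint(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueLeaf issues a server certificate for host, with a fresh key, under ca.
// The swap Robert describes is this step done by the proxy: the site's name, the proxy's key and CA.
func IssueLeaf(host string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mint(tmpl, ca, &key.PublicKey, caKey)
}

// ClientAccepts is the browser-side check (chain to a trusted root, match the hostname);
// unknownCA reports the specific failure a proxy-issued certificate gives when the proxy CA is not installed.
func ClientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) (ok, unknownCA bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, unknownCA = err.(x509.UnknownAuthorityError)
	return err == nil, unknownCA
}
```

A client that only trusts the public root rejects the proxy's certificate; installing the proxy CA is what makes the interception invisible, which is also why a wildcard leaf certificate (not a CA) cannot play that role.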
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/