1999-02-04-14:39:36 Michael Sorbera:
> Paul, you mentioned that SSL was one of your "no's".  Could you please explain to
> me how SSL can be used to encapsulate something?  Also why the no?

Well, I'm not Paul, but I can't resist lobbing an answer in here.

Secure Sockets Layer (SSL) is an end-to-end encryption protocol, and it is by
design cleanly application-independent. It is the design goal that it should
be easy to pass any connection-oriented protocol over SSL, with only
straightforward changes needed to the client and the server.

So by design SSL is an encapsulation protocol. Take a peek at CryptSoft Pty
Ltd <URL:http://www.ssleay.org/>; they have a nice SSL library, and a
collection of apps that have been modified to work through it.

As for why, the role of a firewall is to provide control over the traffic
that is passed through. If you permit SSL, it's really really easy for users
to pass anything through it, bypassing any controls you may wish to impose.
The most trivial example: people who care about security strip applets in
incoming http traffic (and ftp downloads done using ftp URLs through the http
proxy). While the applet stripping isn't 100% perfect, it does tend to work
well enough to be a big help --- unless you pass SSL through, in which case
anybody can have applets flung at them, without their knowing, from any secured
server.

For another example, you generally don't want to allow people to set up IP
tunnels through your firewall. You can't make it impossible, but you can make
it difficult, and conspicuous (==> likely to be noticed) --- unless you allow
encrypted tunnels, like SSL, to pass through.

-Bennett
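To make the applet-stripping point concrete, here is an added illustration (not code from the thread or from any of the products named in it): a toy proxy filter that can remove applet tags from a plaintext HTTP response, but can only flag a TLS/SSL handshake as an opaque tunnel it cannot inspect. The sample traffic and the function names are constructed for this example.

```python
import re

# Constructed sample traffic: a plaintext HTTP response carrying a Java
# applet tag, and the start of an SSL/TLS handshake (record type 0x16,
# version 3.x, then a handshake message whose first byte 0x01 is ClientHello).
PLAINTEXT_HTTP = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><p>Hello</p>"
    b'<applet code="Example.class" width=100 height=100></applet>'
    b"</body></html>"
)
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

APPLET_RE = re.compile(rb"<applet\b.*?</applet\s*>", re.IGNORECASE | re.DOTALL)


def strip_applets(payload: bytes) -> bytes:
    """Remove <applet>...</applet> elements from an HTTP response body."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:          # no header/body boundary: leave untouched
        return payload
    return head + sep + APPLET_RE.sub(b"", body)


def classify(payload: bytes) -> str:
    """Decide whether a content filter can see into this stream at all."""
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls-handshake"
    if payload.split(b" ", 1)[0] in (b"HTTP/1.0", b"HTTP/1.1", b"GET", b"POST"):
        return "http-plaintext"
    return "unknown"


def filter_stream(payload: bytes) -> tuple:
    """Apply the applet filter where possible; report opaque streams."""
    kind = classify(payload)
    if kind == "http-plaintext":
        return "filtered", strip_applets(payload)
    if kind == "tls-handshake":
        # Encrypted end to end: the proxy sees a tunnel, not the content,
        # so whatever the filter is meant to strip passes through untouched.
        return "opaque-tunnel", payload
    return "blocked", b""
```

The "opaque-tunnel" verdict is the whole of Bennett's argument: the only policy choices left for the firewall are to pass the tunnel blind or not pass it at all.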
