Kriss Andsten wrote:
> 
> On Tue, 30 May 2000, Graham Wheeler wrote:
> 
> <snip>
> > SSL can be restricted to particular e-commerce sites.
> <snip>
> 
> Sounds like a rather interesting approach.. protect users by not letting
> them use secure transports, rather send their junk in plaintext. Hmm.. ;-)

If the aim is to filter active content from SSL. Which in many contexts
is okay - many of our clients severely restrict browsing in any case,
SSL or not. They are not trying to protect the users (who are supposed
to be working, not surfing the net) - they are trying to protect their
network.

> Don't forget that it takes just one successful hit by something that can
> open sockets to make a nice little tunnel into your LAN, no matter how
> many proxies or whatnot you got.

But if your firewall is checking the data that is going through the
tunnel to ensure it is matching the expected protocol, then such
tunneling is much harder to exploit.

And these tunneling exploits are yet another reason why restricting SSL
usage may be a Good Thing to some organisations.

> Looking out for oddball stuff hitting the
> network often beats trusting that expensive software that says '100%
> secure' on the packaging, imo.

A good firewall will be doing the former too. And I've never personally
seen software that claims to be 100% secure on the packaging.


-- 
Dr Graham Wheeler                        E-mail: [EMAIL PROTECTED]
Director, Research and Development       WWW:    http://www.cequrux.com
CEQURUX Technologies                     Phone:  +27(21)423-6065
Firewalls/VPN Specialists                Fax:    +27(21)424-3656