On Mon, May 01, 2000 at 10:16:28PM +0200, Richard Levitte - VMS Whacker wrote:
> From: Tony Nelson <[EMAIL PROTECTED]>
> 
> I understand that some corporations choose to do that, although I do
> not agree with that kind of practice. 

Basically, companies do it to protect themselves. For the very technical folks
it is a pain, and they don't like it, but we have many users that we need
to protect from themselves.  We also need to keep detailed logs of network
traffic for legal reasons.

> What I can't understand is how
> it would go undetected, at least if the client or server does
> certificate verification (and I'm especially thinking of servers that
> might have a very strict check on the client certificate)...
> 

All that the 'man-in-the-middle' is doing is creating a dummy session. When
the server requests a client cert, the firewall will pass the request along,
and the client will get it just as the server sent it. When the replied cert
is sent back, it will forward it just as the client sent it.

Having the client or server verify remote IPs is simply impractical, as most
corporations hide all of their internal machines behind non-routable IPs
and masquerade at their firewall.  Anything that requires IP handshaking
will fail at most firewalls.

By definition, 'man-in-the-middle' attacks are so deadly because they are so
difficult to detect.  In the case of a firewall, they are implemented as
'man-in-the-middle' on purpose.  They act as a single point of control for
defining network policies and logging network usage.

Hope this helps.
Tony

-- 
Tony Nelson                                                                    
www.gnupg.org keyid 136C5B87
                                        - Standard Disclaimers Apply -
     Boycott Amazon!  -  http://www.gnu.org/philosophy/amazon.html
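The interception described in the message above, rebuilt with throwaway test certificates as an added example (not part of Tony's message): the certificate the firewall mints for the origin's hostname validates cleanly against the corporate CA, so a plain chain check passes and only a pinned fingerprint of the real server certificate reveals the substitution. The CA names and the hostname www.example.test are constructed; the only tool assumed is the openssl command line.

```shell
#!/bin/sh
# Added example, not from the original message: two CAs (a stand-in for the
# origin's public CA and the corporate firewall CA), a leaf from each for the
# same hostname, and the client-side pin check that tells them apart.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Self-signed CA: $1 = file stem, $2 = common name (constructed names)
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}
# Leaf certificate $1 for hostname $2, signed by CA $3
mk_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$W/$1.csr" -CA "$W/$3.crt" \
        -CAkey "$W/$3.key" -CAcreateserial -out "$W/$1.crt" 2>/dev/null
}
# SHA-256 fingerprint of a certificate file: the value a client pins or logs
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
# Pin check: succeeds only if the presented certificate is the expected one
pin_matches() { [ "$(fingerprint "$1")" = "$2" ]; }

mk_ca origin_ca "Origin CA"
mk_ca corp_ca   "Corp Firewall CA"
# What the real server presents, and what the intercepting firewall mints
# on the fly for the same hostname when it terminates the client's session.
mk_leaf server www.example.test origin_ca
mk_leaf minted www.example.test corp_ca
PIN=$(fingerprint "$W/server.crt")   # recorded from a known-good direct session

# The minted cert chains to a CA the corporate client trusts, so validation
# and the hostname check both pass; only the pin exposes the interception.
openssl verify -CAfile "$W/corp_ca.crt" "$W/minted.crt" >/dev/null \
    && echo "minted cert validates against the corporate CA"
pin_matches "$W/server.crt" "$PIN" && echo "direct session: pin OK"
pin_matches "$W/minted.crt" "$PIN" \
    || echo "intercepted session: $(openssl x509 -in "$W/minted.crt" -noout -issuer)"
```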
