Hi there's one thing left to say: If you open SSL on your Firewall, the data stream goes, without virus-scanning at the perimeter, directly to your client. For normal http-traffic you should have virus and active content filterering on a gateway at your perimeter. This line of defence does not count for you by using ssl.
The risk is: A Website gets infected by a worm (like nimda, and there will be other worms in the future), gets its whole html-files infected, and now you let them through via ssl to your client. If you have no up to date virus detection at every Worksation Boom This is my opinion, why you can't treat ssl as http Best regards Holger Reichert www.holysword.de -----Ursprüngliche Nachricht----- Von: Kutulu [mailto:[EMAIL PROTECTED]] Gesendet: Montag, 1. Oktober 2001 18:59 An: Walker Andrew Cc: '[EMAIL PROTECTED]' Betreff: Re: SSL connections through firewall At 11:52 AM 09/28/2001 +0200, Walker Andrew wrote: >I read up about SSL as a protocol and about public key encryption, but I'm >still undecided. I have no help from the firms Internet policy to guide me >so I'm looking for advise regarding how one would go about allowing it by a >rule on FW1, if there are any security risks to be aware of, and also if >anyone has any guidelines or experience of internet policies that deal with >this kind of Internet usage from within the firm. From a technological standpoint, all you need to do to permit this is open the https port, which I believe is 443, for outgoing connections. As for security risks, there aren't any specific to SSL web traffic, that I know of. On the individual level (the user), there is a big difference in security between http and https, but from an overall corporate network perspective, it's basically all just web traffic. There's always the risk of the user downloading some sort of trojan or virus or whatnot, but this risk is no larger than with standard web traffic. In fact, it is probably smaller given the cost and effort required to set up an SSL web server properly (e.g., purchase valid keys and certificates, install and perhaps licence the SSL software, etc). The major decision here, not surprisingly, is one of corporate policy, not technical policy. SSL traffic, on the whole, is more likely to be 'legitimate' use than non-SSL traffic. That is, you will find most SSL traffic being used for internet banking, online shopping, etc. (Of course, you also find it on most adult sites). So the decision comes down to wether or not you want your employees using the web for personal reasons during the day. If you already have an established web-use policy, then it should apply as-is to secure web-use. If you don't have an established web-use policy, then you probably will need input from several higher-ups to create one. Smaller companies I have worked for had basically no usage policy apart from "don't do anything illegal on our equipment." I know of other companies that completely block all traffic except for web traffic, which is all shunted through restrictive and logging proxy servers. Most companies are probably somewhere in between. My own personal opinion is that it's much better to enforce web policy on a management level than a technical level. That is, not to have the firewall and proxy servers enforcing a 'no use' rule, but rather, simply have an established internet usage policy that is enforced by management on a case by case basis. This works out well for my current company, though YMMV. I feel this approach is more flexible, as it allows those who have a (somewhat) legitimate need to access the internet (our developers for support, out MIS department for patches and updates, our accountants for financial news, the CEO for whatever he wants, etc), to do so without intervention from the network administrators.. It's also easier to get an exception from your immediate supervisor than to implement a change to the firewall ruleset. --K
