<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The Evils of SSL Tunneling</title><link>http://msmvps.com/blogs/shinder/pages/12268.aspx</link><description>As a firewall administrator your primary concern is access control. You want to control exactly what services internal network users can access on other networks, and you want exact control over what services external users can access on the internal</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>re: The Evils of SSL Tunneling</title><link>http://msmvps.com/blogs/shinder/pages/12268.aspx#44836</link><pubDate>Wed, 27 Apr 2005 20:53:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:44836</guid><dc:creator>shinder</dc:creator><description>Tom,&lt;br&gt;&lt;br&gt;IMHO, outbound SSL bridging cannot be done, at least not without actually being the 'man-in-the-middle'. The private key that belongs to the public key that is in the certificate of the destination website obviously isn't known to ISA. 'Dynamically generating certificates' doesn't generate certificates with correct public keys. You can't just copy the public key from the original certificate, because ISA won't be able to decrypt it.
&lt;br&gt;&lt;br&gt;Correct?&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=44836" width="1" height="1"&gt;</description></item><item><title>re: The Evils of SSL Tunneling</title><link>http://msmvps.com/blogs/shinder/pages/12268.aspx#44786</link><pubDate>Wed, 27 Apr 2005 14:16:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:44786</guid><dc:creator>shinder</dc:creator><description>Hi Mea Culpa,&lt;br&gt;&lt;br&gt;Exactly! The Apache is unsecure becasue it only does SSL to HTTP bridging, in contrast to the ISA firewall's SSL to SSL bridging. Since the Web site certificate is installed on the ISA firewall, the client can trust the ISA firewall in the same way that it trusts the Web site. Very slick and secure. However, the ISA firewall solution doesn't perform outbound SSL to SSL bridging, which is a major problem, as you need to dynamically generate certificates on the fly to impersonate the destination SSL site. Hopefully we'll see this in a future version.&lt;br&gt;Thanks!&lt;br&gt;Tom&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://msmvps.com/aggbug.aspx?PostID=44786" width="1" height="1"&gt;</description></item><item><title>re: The Evils of SSL Tunneling</title><link>http://msmvps.com/blogs/shinder/pages/12268.aspx#44784</link><pubDate>Wed, 27 Apr 2005 14:12:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:44784</guid><dc:creator>shinder</dc:creator><description>We used to call this a 'man-in-the-middle' attack, but now that ISA can SSL bridge those stuff and make sure that HTTPS means HTTP-over-SSL and not whatever-over-SSL, makes this okay? Apache with mod_ssl and mod_rewrite is already able to do this several years. As a client, how can I trust the server when ISA is in between? 
ISA seems to terminate my SSL connection so I'm using a scam-certificate...</description></item><item><title>re: The Evils of SSL Tunneling</title><link>http://msmvps.com/blogs/shinder/pages/12268.aspx#35926</link><pubDate>Tue, 15 Feb 2005 11:58:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:35926</guid><dc:creator>shinder</dc:creator><description>Hi Blah,&lt;br&gt;No, it can be done. The ISA firewall can dynamically impersonate the Web server. But there are legal issues that so-called &amp;quot;privacy advocates&amp;quot; bring forth, which puts everyone at increased risk. Well, except for the attys who cash in on the scam :(</description></item><item><title>re: The Evils of SSL Tunneling</title><link>http://msmvps.com/blogs/shinder/pages/12268.aspx#35925</link><pubDate>Tue, 15 Feb 2005 11:56:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:35925</guid><dc:creator>shinder</dc:creator><description>There's a reason no outbound SSL bridging exists, and it's not lack of effort. When the Web server is controlled by some third party on the Internet, the ISA Server doesn't have access to its private SSL key.</description></item><item><title>re: The Evils of SSL Tunneling</title><link>http://msmvps.com/blogs/shinder/pages/12268.aspx#33382</link><pubDate>Thu, 20 Jan 2005 23:05:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:33382</guid><dc:creator>shinder</dc:creator><description>Actually, setting up a network access policy on the local client computers can go a long way towards locking down your network. 
Segmenting/VLANs, ACLs, firewalling/proxying, VLAN assignment based on MAC address or machine certificates, local client firewall/network control software, and signed binaries also go a long way. Relying on your ISA server to do all of this, or even to be your main protection, probably isn't a good idea. I'd think of it as part of an overall plan for protection. Also, how many users on your network need to go out over SSL and HTTP, and what sites do they need to get at to do their job? Most businesses I've worked with only NEED a small subset of HTTP/HTTPS connections to service their business needs; are you leaving all outbound HTTP/HTTPS connections open? If users complain about the restriction, then you could set up a kiosk (or kiosks) for them to use on their lunch break, etc., and put it on a different network with something like Clean Sweep to keep them sane.&lt;br&gt;&lt;br&gt;The best security is much easier to circumvent if you allow your users to have the tools they need to do so.&lt;br&gt;&lt;br&gt;Dan</description></item><item><title>re: The Evils of SSL Tunneling</title><link>http://msmvps.com/blogs/shinder/pages/12268.aspx#15372</link><pubDate>Sun, 10 Oct 2004 09:47:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:15372</guid><dc:creator>shinder</dc:creator><description>Hello,&lt;br&gt;&lt;br&gt;I would be very interested in reading about ways to use ISA 2004 to prevent, or at least monitor, HTTP tunneling activity in my network.&lt;br&gt;&lt;br&gt;Any comments on the subject would be greatly appreciated.&lt;br&gt;&lt;br&gt;Sincerely,&lt;br&gt;Martin Ames&lt;br&gt;martin.ames@thewarehouse.co.nz</description></item></channel></rss>