a****8 posts: 2771 | 1 SonicWall's next-gen firewall is also impressive. It doesn't just filter by IP/port: it does SSL proxying, analyzes traffic to identify the applications running on the network, and then blocks or applies QoS by application.
z**r posts: 17771 | 2 So which are we talking about, J or SonicWall?
[Quoting a****8:] SonicWall's next-gen firewall is also impressive. It doesn't just filter by IP/port: it does SSL proxying, analyzes traffic to identify the applications running on the network, and then blocks or applies QoS by application.
y*********n posts: 95 | 3 A $300 FortiGate 60C can do all of this too.
[Quoting a****8:] SonicWall's next-gen firewall is also impressive. It doesn't just filter by IP/port: it does SSL proxying, analyzes traffic to identify the applications running on the network, and then blocks or applies QoS by application.
a****8 posts: 2771 | 4 Both are great.
[Quoting z**r:] So which are we talking about, J or SonicWall?
a****8 posts: 2771 | 5 Can the 60C do SSL proxy?
[Quoting y*********n:] A $300 FortiGate 60C can do all of this too.
m**t posts: 1292 | 6 VFW is somewhat useful, but it has nothing to do with what you wrote below.
[Quoting a****8:] SonicWall's next-gen firewall is also impressive. It doesn't just filter by IP/port: it does SSL proxying, analyzes traffic to identify the applications running on the network, and then blocks or applies QoS by application.
a****8 posts: 2771 | 7 Right, it's unrelated. I went to a seminar, saw a few new things and wrote them down.
[Quoting m**t:] VFW is somewhat useful, but it has nothing to do with what you wrote below.
a****8 posts: 2771 | 8 SSL proxying and data loss prevention used to be done by just Blue Coat and a few others; now they are a standard feature of next-gen firewalls and everyone has them. At the office, if you use a company computer to trade stocks over HTTPS, the company can, without you noticing, terminate your SSL session, decrypt it, analyze it, re-encrypt it and connect on to your brokerage. This feature was still very high-end last year; now many vendors have it.
s*****g posts: 1055 | 9 How does that work? When you connect to your broker via an SSL connection, you encrypt the session with a key derived from your broker's public key and other parameters only you and your broker's web server know. Only your broker has the corresponding private key; without the private key, how can the firewall decrypt the session?
If this is doable, then what will stop a hacker from placing such a device in the middle and capturing all SSL session information?
[Quoting a****8:] SSL proxying and data loss prevention used to be done by just Blue Coat and a few others; now they are a standard feature of next-gen firewalls and everyone has them. At the office, if you use a company computer to trade stocks over HTTPS, the company can, without you noticing, terminate your SSL session, decrypt it, analyze it, re-encrypt it and connect on to your brokerage. This feature was still very high-end last year; now many vendors have it.
m**t posts: 1292 | 10 It is doable. This feature should be called an SSL MITM proxy, and it is inherently a desecration of security.
As long as it can sit in the routing path, the proxy can dynamically generate replacement keys during key exchanges.
[Quoting s*****g:] How does that work? When you connect to your broker via an SSL connection, you encrypt the session with a key derived from your broker's public key and other parameters only you and your broker's web server know. Only your broker has the corresponding private key; without the private key, how can the firewall decrypt the session? If this is doable, then what will stop a hacker from placing such a device in the middle and capturing all SSL session information?
s*****g posts: 1055 | 11 OK, so I suppose the firewall will act as an HTTPS proxy server? Will it claim to be the remote server and give the client its own certificate? But then how will the client-side browser be fooled? The certificate on this SSL proxy won't be signed by a trusted CA, and even if it is signed by a CA, the certificate will belong to the SSL proxy itself ... I am confused, please educate me.
[Quoting m**t:] It is doable. This feature should be called an SSL MITM proxy, and it is inherently a desecration of security. As long as it can sit in the routing path, the proxy can dynamically generate replacement keys during key exchanges.
s*****g posts: 1055 | 12 Hmm, I googled SSL MITM proxy ... it makes sense to me now. When the firewall sees the certificate from the remote server, it will change the certificate to a self-signed one and then send that certificate to the client (actually whether it is self-signed or not does not really matter, as long as the firewall itself is in the enterprise CA trust chain). In a typical enterprise environment, all devices behind the firewall have certificates issued by the enterprise's own/private CA, so the tampered remote server certificate will be trusted by the browser.
This won't work for a personal device behind the firewall unless the user explicitly ignores the browser warning, but then again a personal device is not supposed to connect to the enterprise internal network.
This won't work for a random hacker either, because there is no way for the hacker to force clients to trust his tampered server certificate.
[Quoting s*****g:] OK, so I suppose the firewall will act as an HTTPS proxy server? Will it claim to be the remote server and give the client its own certificate? But then how will the client-side browser be fooled? The certificate on this SSL proxy won't be signed by a trusted CA, and even if it is signed by a CA, the certificate will belong to the SSL proxy itself ... I am confused, please educate me.
m**t posts: 1292 | 13 The cert "forged" by the proxy for a web server can be signed by a sub-CA that is signed by a trusted root CA; chained CA signing is generally honored by browsers. Or alternatively, in a controlled environment, the user's browser needs to import a trusted signing root cert. The latter is more commonly used by those SSL proxy firewalls, I believe.
Google "SSL MITM", you can find more info...
[Quoting s*****g:] OK, so I suppose the firewall will act as an HTTPS proxy server? Will it claim to be the remote server and give the client its own certificate? But then how will the client-side browser be fooled? The certificate on this SSL proxy won't be signed by a trusted CA, and even if it is signed by a CA, the certificate will belong to the SSL proxy itself ... I am confused, please educate me.
t*******r posts: 3271 | 14 A so-called NG-FW is really a double-edged sword.
m**t posts: 1292 | 15 Such an attack is difficult but not impossible.
1. The MITM proxy can do chained signing so that it looks perfectly legitimate to the browser, unless the browser becomes smarter, for example by checking the cert stored from a previous visit, or DNSSEC becomes prevalent.
2. Such an attack usually needs to involve other steps to enable the MITM, e.g. hacking the DNS entry or the router, or cutting the wire :) Not easy nowadays but still possible, such as a weak DNS system, depending on the target environment.
Anyway, I don't think the J SRX will do this, will it? Dump it right away :)
[Quoting s*****g:] Hmm, I googled SSL MITM proxy ... it makes sense to me now. When the firewall sees the certificate from the remote server, it will change the certificate to a self-signed one and then send that certificate to the client (actually whether it is self-signed or not does not really matter, as long as the firewall itself is in the enterprise CA trust chain). In a typical enterprise environment, all devices behind the firewall have certificates issued by the enterprise's own/private CA, so the tampered remote server certificate will be trusted by the browser. This won't work for a personal device behind the firewall unless the user explicitly ignores the browser warning, but then again a personal device is not
m**t posts: 1292 | 16 What does "爽人剑" (a "pleases-people sword") mean?
[Quoting t*******r:] A so-called NG-FW is really a double-edged sword (双刃剑).
j*a posts: 14423 | 17 Windows AD. It injects the enterprise root cert into your system.
[Quoting m**t:] The cert "forged" by the proxy for a web server can be signed by a sub-CA that is signed by a trusted root CA; chained CA signing is generally honored by browsers. Or alternatively, in a controlled environment, the user's browser needs to import a trusted signing root cert. The latter is more commonly used by those SSL proxy firewalls, I believe. Google "SSL MITM", you can find more info...
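As an added illustration of what posts 12, 13 and 17 describe (example code, not from the thread or any vendor), the Go program below builds the scenario with constructed names: a public CA issues the broker's real certificate, an enterprise inspection CA issues a second certificate for the same hostname, and the client's trust store decides which one verifies. The names "Public Root CA (constructed)", "Corp Inspection CA (constructed)" and broker.example are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for name signed by parent; with a nil parent it is self-signed (a root CA).
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // SAN the browser matches against the hostname
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo reports whether leaf validates for host when root is the only trusted anchor.
func chainsTo(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// InspectionDemo returns: real cert trusted with the public root; forged cert trusted with only the public root; forged cert trusted once the enterprise root is in the store.
func InspectionDemo() (realOK, forgedOKPublic, forgedOKEnterprise bool) {
	host := "broker.example" // constructed hostname standing in for the brokerage
	publicCA, publicKey := newCert("Public Root CA (constructed)", true, nil, nil)
	realLeaf, _ := newCert(host, false, publicCA, publicKey)
	corpCA, corpKey := newCert("Corp Inspection CA (constructed)", true, nil, nil)
	forgedLeaf, _ := newCert(host, false, corpCA, corpKey) // what the inspecting firewall presents
	return chainsTo(realLeaf, publicCA, host), chainsTo(forgedLeaf, publicCA, host), chainsTo(forgedLeaf, corpCA, host)
}
```

The forged certificate is rejected until the enterprise root is pushed to the client (as post 17 says AD does), which is also the check a defender can make on an endpoint: inspect which root the browser's chain for a public site actually terminates in.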
t*******r posts: 3271 | 18 Oh, come on.
Don't troll like that.
[Quoting m**t:] What does "爽人剑" (a "pleases-people sword") mean?
j*a posts: 14423 | 19 Looks like it should be "见人爽" (pleased at the sight of people).
[Quoting m**t:] What does "爽人剑" (a "pleases-people sword") mean?
m**t posts: 1292 | 20
Heh, nicely extended. See the scientific association below:
"Double-edged sword: a single-edged blade is a dao, a double-edged one is a jian (sword). In ancient times the sword was a top-tier weapon and also an ornament of generals. The ancients admired the sharpness of the sword because it gave its bearer majesty, boldness and chivalry, struck fear into the enemy, and had great lethality. Today, when people speak of the sword it is no longer merely in its sense as a weapon; in war it has been replaced by warships, fighter jets and tanks, while in real life it has been given a profound meaning and rich connotations."
[Quoting j*a:] Looks like it should be "见人爽" (pleased at the sight of people).
w*f posts: 111 | 21 SSL proxy needs legal dept clearance.