WebmasterWorld

Webmaster Hardware Forum

    
Firewalling an SSL Server
Do you let SSL pass through the firewall?
aspdaddy




msg:1568499
 5:11 pm on Jan 4, 2005 (gmt 0)

I am putting IIS in a dmz/screen and providing encryption of the transactions using a server certificate / https.

What are the security risks with browser ssl sessions? What firewalls do packet inspection for SSL?

I'm a bit stumped here. Can someone explain how it works please, as most of the firewalls I have looked at don't inspect SSL! I come across a lot of https sites - are they not doing packet inspection?

Thanks.

 

john_k




msg:1568500
 5:34 pm on Jan 4, 2005 (gmt 0)

443 is the default port for SSL. Any site that is using packet filtering and is serving pages via SSL will have filters set to allow traffic on that port (unless they are using something other than the default). If you only allow traffic on port 80 and maybe a few others like FTP and POP3, then disallow all other traffic, HTTPS requests will not get through.

aspdaddy




msg:1568501
 6:16 pm on Jan 4, 2005 (gmt 0)

Thanks for the explanation.

So by allowing 443 the ssl just passes packets through the firewall, with no application / stateful inspections? This seems bad, what if there were a worm in the packets?

john_k




msg:1568502
 3:08 pm on Jan 6, 2005 (gmt 0)

"Stateful inspection" refers to the packet structure and whether or not the packet is part of an already established connection. It has nothing to do with the packet data contents. Since data is split up and transmitted via multiple packets, and those packets do not necessarily follow the same route from source to destination, and the packets do not necessarily arrive in the same sequence that they are sent, there is not any practical way in which the contents could be inspected while en route. The burden of screening for worms/viruses falls on the receiver or its proxy.

Also, consider that the point of sending via HTTPS is to send encrypted data. Data sent using the public key can only be decrypted by a process with access to the private key. Normally that would only be available to your webserver.
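
Added example, not part of the original thread: a toy Python model of the stateful packet filtering described in the replies above, where the verdict depends only on the port policy and on whether a packet belongs to an already established connection, and the payload is never read. The class, addresses, ports and packets are constructed for illustration; a real firewall tracks both directions and the full TCP state machine.

```python
from dataclasses import dataclass

ALLOWED_PORTS = {80, 443}  # constructed policy: HTTP and HTTPS only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags, e.g. frozenset({"SYN"})
    payload: bytes = b""  # carried along, never read by the filter


class StatefulFilter:
    """Toy inbound filter for a DMZ web server (hypothetical, simplified)."""

    def __init__(self, allowed_ports=ALLOWED_PORTS):
        self.allowed_ports = set(allowed_ports)
        self.connections = set()  # tracked (src, sport, dst, dport) tuples

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.connections:
            # Part of an established connection: accept on state alone.
            if pkt.flags & {"FIN", "RST"}:
                self.connections.discard(key)  # teardown ends the state
            return "ACCEPT"
        # New connection: only a bare SYN to an allowed port creates state.
        if pkt.flags == {"SYN"} and pkt.dport in self.allowed_ports:
            self.connections.add(key)
            return "ACCEPT"
        return "DROP"


def demo(tls_record=b"\x17\x03\x01 constructed opaque record"):
    fw = StatefulFilter()
    web, client = "192.0.2.10", "198.51.100.7"  # documentation addresses
    packets = [
        Packet(client, 40001, web, 443, frozenset({"SYN"})),
        Packet(client, 40001, web, 443, frozenset({"ACK", "PSH"}), tls_record),
        Packet(client, 40002, web, 443, frozenset({"ACK"}), b"no SYN seen"),
        Packet(client, 40003, web, 8080, frozenset({"SYN"})),
        Packet(client, 40001, web, 443, frozenset({"FIN", "ACK"})),
        Packet(client, 40001, web, 443, frozenset({"ACK"})),
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```
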
