


Firewalling an SSL Server

Do you let SSL pass through the firewall?

5:11 pm on Jan 4, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2162
votes: 0


I am putting IIS in a DMZ/screen and providing encryption of the transactions using a server certificate / HTTPS.

What are the security risks with browser ssl sessions? What firewalls do packet inspection for SSL?

I'm a bit stumped here. Can someone explain how it works please, as most of the firewalls I have looked at don't inspect SSL! I come across a lot of HTTPS sites - are they not doing packet inspection?

Thanks.

5:34 pm on Jan 4, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 3, 2003
posts:792
votes: 0


443 is the default port for SSL. Any site that is using packet filtering and is serving pages via SSL will have filters set to allow traffic on that port (unless they are using something other than the default). If you only allow traffic on port 80 and maybe a few others like FTP and POP3, then disallow all other traffic, HTTPS requests will not get through.

6:16 pm on Jan 4, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2162
votes: 0


Thanks for the explanation.

So by allowing 443 the SSL just passes packets through the firewall, with no application/stateful inspection? This seems bad; what if there were a worm in the packets?

3:08 pm on Jan 6, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 3, 2003
posts:792
votes: 0


"Stateful inspection" refers to the packet structure and whether or not the packet is part of an already established connection. It has nothing to do with the packet data contents. Since data is split up and transmitted via multiple packets, and those packets do not necessarily follow the same route from source to destination, and the packets do not necessarily arrive in the same sequence that they are sent, there is not any practical way in which the contents could be inspected while en route. The burden of screening for worms/viruses falls on the receiver or its proxy.

Also, consider that the point of sending via HTTPS is to send encrypted data. Data sent using the public key can only be decrypted by a process with access to the private key. Normally that would only be available to your web server.
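As an added example (not from this thread, and not any firewall vendor's code) of what a filter sitting in front of the web server can and cannot see: the Python below builds a constructed TLS ClientHello record, reads the cleartext SNI (server name) from it, and shows that an application_data record carries only ciphertext, so there is nothing in it to scan for worms without the server's private key. The record layout follows TLS 1.2; the hostname and the four ciphertext bytes are constructed sample input.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def build_client_hello(hostname: str) -> bytes:
    """Constructed (not captured) TLS 1.2-style ClientHello record with one SNI extension."""
    host = hostname.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host      # name_type host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0, len(sni_list)) + sni_list        # extension type 0
    exts = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32        # client_version + random (zeros, constructed)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\x13\x01"             # one cipher suite
            + b"\x01\x00"                     # null compression only
            + exts)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_sni(hs: bytes):
    """Walk the cleartext ClientHello fields to the server_name extension."""
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack(">H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    ext_end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4])
        p += 4
        if etype == 0:                               # server_name: list_len, name_type, name_len, name
            name_len = struct.unpack(">H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def inspect_record(rec: bytes) -> dict:
    """What a filter in front of the web server sees in one TLS record without the private key."""
    ctype, _major, _minor, length = struct.unpack(">BBBH", rec[:5])
    info = {"content_type": CONTENT_TYPES.get(ctype, "unknown"), "length": length}
    if ctype == 22 and rec[5] == 1:                  # ClientHello: extensions are not yet encrypted
        info["sni"] = parse_sni(rec[5:5 + length])
    elif ctype == 23:                                # application data: ciphertext only
        info["payload_readable"] = False
    return info
```

Running `inspect_record(build_client_hello("www.example.com"))` yields the record type, length and hostname; feeding it a constructed application_data record such as `b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef"` yields only the type and length, which is all a port-443 packet filter has to work with.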