
Firewalling an SSL Server

Do you let SSL pass through the firewall?



5:11 pm on Jan 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I am putting IIS in a dmz/screen and providing encryption of the transactions using a server certificate / https.

What are the security risks with browser ssl sessions? What firewalls do packet inspection for SSL?

I'm a bit stumped here. Can someone explain how it works please, as most of the firewalls I have looked at don't inspect SSL! I come across a lot of https sites - are they not doing packet inspection?



5:34 pm on Jan 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

443 is the default port for SSL. Any site that is using packet filtering and is serving pages via SSL will have filters set to allow traffic on that port (unless they are using something other than the default). If you only allow traffic on port 80 and maybe a few others like FTP and POP3, then disallow all other traffic, HTTPS requests will not get through.
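The policy described in the reply above (allow new connections to 80 and 443, drop everything else, let the reply traffic of an accepted connection back through) as a small simulated packet filter. This is an added example, not code from the thread or from any firewall product; the addresses, the `Packet` layout and the `StatefulFilter` class are constructed for illustration. Note that the filter decides on ports and connection state only and never looks at the payload, which is the point the next posts turn on.

```python
"""Simulated stateful packet filter for the policy above (added example,
not from the thread): inbound connections are accepted only on TCP 80 and
443, all other new traffic is dropped, and packets belonging to a connection
the firewall has already accepted pass in either direction. The payload is
never examined."""
from dataclasses import dataclass

# Constructed sample addresses: the DMZ web server and an outside client.
WEB_SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the first packet of a new TCP connection
    proto: str = "tcp"
    payload: bytes = b""     # carried along but never inspected by the filter


class StatefulFilter:
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.established = set()   # 4-tuples of connections accepted so far

    def handle(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            return "DROP"
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Part of a connection we already accepted: pass it in either direction.
        if flow in self.established or reverse in self.established:
            return "ACCEPT"
        # A new inbound connection: only a SYN to one of the listed ports opens state.
        if pkt.dst == WEB_SERVER and pkt.syn and pkt.dport in self.allowed_ports:
            self.established.add(flow)
            return "ACCEPT"
        return "DROP"


def run_sample():
    """Run a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter(allowed_ports=[80, 443])
    client = "198.51.100.7"
    packets = [
        Packet(client, 51000, WEB_SERVER, 443, syn=True),            # HTTPS connection opens
        Packet(WEB_SERVER, 443, client, 51000),                      # server's reply
        Packet(client, 51000, WEB_SERVER, 443, payload=b"\x17\x03"), # encrypted data, passed unread
        Packet(client, 51001, WEB_SERVER, 3389, syn=True),           # RDP: port not allowed
        Packet(client, 51002, WEB_SERVER, 443),                      # no SYN and no known connection
        Packet(WEB_SERVER, 443, client, 51002),                      # reply for a connection never accepted
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The verdicts come out ACCEPT, ACCEPT, ACCEPT, DROP, DROP, DROP. The third packet is accepted purely because its 4-tuple matches a connection already in the state table; whatever is in its payload is not consulted.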


6:16 pm on Jan 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Thanks for the explanation.

So by allowing 443 the SSL just passes packets through the firewall, with no application / stateful inspection? This seems bad; what if there were a worm in the packets?


3:08 pm on Jan 6, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

"Stateful inspection" refers to the packet structure and whether or not the packet is part of an already established connection. It has nothing to do with the packet data contents. Since data is split up and transmitted via multiple packets, and those packets do not necessarily follow the same route from source to destination, and the packets do not necessarily arrive in the same sequence that they are sent, there is not any practical way in which the contents could be inspected while en route. The burden of screening for worms/viruses falls on the receiver or its proxy.

Also, consider that the point of sending via HTTPS is to send encrypted data. Data sent using the public key can only be decrypted by a process with access to the private key. Normally that would only be available by your webserver.
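To make the last point concrete, here is what a device in the path actually gets to see of an HTTPS connection when it does not hold the server's private key. This is an added example, not code from the thread: it builds a constructed TLS 1.2 ClientHello (the `build_client_hello` helper and the hostname `shop.example.com` are made up for the example) and then reads it back the way an in-path inspector would. The record header and the ClientHello travel in the clear, so the version, the offered cipher suites and the Server Name Indication are readable; an application data record yields nothing but its length.

```python
"""What an in-path firewall can read from TLS without the private key
(added example, not from the thread). The TLS record header and the
ClientHello are cleartext; application data records are opaque. The sample
bytes are constructed here, not captured from a real connection."""
import struct

SNI_EXT = 0x0000   # server_name extension type


def build_client_hello(server_name: str, cipher_suites) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello inside a TLS record (constructed sample)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # client random (fixed placeholder)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_record(record: bytes) -> dict:
    """Return everything an in-path device can learn from one TLS record."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    info = {"content_type": ctype, "record_version": (major, minor), "length": length}
    if ctype != 22 or payload[:1] != b"\x01":
        # Not a ClientHello. For application data (type 23) only the size is visible.
        info["opaque_bytes"] = len(payload)
        return info
    hs_len = int.from_bytes(payload[1:4], "big")
    p = payload[4:4 + hs_len]
    pos = 0
    info["client_version"] = (p[pos], p[pos + 1]); pos += 2
    pos += 32                                         # client random
    sid_len = p[pos]; pos += 1 + sid_len              # session id
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
    info["cipher_suites"] = [struct.unpack("!H", p[i:i + 2])[0]
                             for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = p[pos]; pos += 1 + cm_len                # compression methods
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    info["sni"] = None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4]); pos += 4
        edata = p[pos:pos + elen]; pos += elen
        if etype == SNI_EXT and len(edata) >= 5 and edata[2] == 0:
            name_len = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + name_len].decode("ascii")
    return info


def demo():
    """Inspect a constructed ClientHello and a constructed application-data record."""
    hello = build_client_hello("shop.example.com", [0xC02F, 0xC030, 0x009C])
    app_data = b"\x17\x03\x03" + struct.pack("!H", 40) + b"\xaa" * 40
    return inspect_record(hello), inspect_record(app_data)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The ClientHello gives back the version, the three offered suites and the SNI `shop.example.com`; the application data record gives back only content type 23 and forty opaque bytes. Anything more, such as scanning the request body for a worm, requires a device that terminates the TLS session itself, which is why that work lands on the web server or a proxy holding the certificate and key.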

