Timothy Shea wrote:
>I would add to your comments that
>an outgoing proxy (such as squid or bluecoat) allows you to eliminate
>the dreaded "completely open outbound default" rule found on many
>corporate firewalls and allows a higher degree of auditing.

You raise a really interesting point - and the next big problem.
Namely, that's going to be malcode that tunnels over SSL. It's
already a problem, but it's still at the "tip of the iceberg" stage.

I like asking my clients what they have in place to deal with
that when it comes. By the way, I don't think that border
decryptor/MITM proxies are the answer; they'll get DDOS'd
by malcode traffic from within if the floodgates open the
way I expect them to. The right answer would be to white-list
sites that are business critical for SSL and deny all the
rest. I predict a long period of denial, thrashing, hand-wringing,
duct-tape, and band-aids before reality sets in. Although
with the new high-speed silicon-based band-aids the race
will be neck and neck for a while.
firewall-wizards mailing list
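As an added illustration of the allowlist posture described in the reply above (an example squid.conf fragment written for this page, not configuration from the thread; the domain names and port 3128 are placeholders), this is how an outgoing squid proxy could permit SSL tunnels only to named business-critical sites, refuse every other CONNECT, and log the attempts:

```conf
# Added example (not from the original post): restrict CONNECT tunnels
# on an outbound squid proxy to an explicit list of business-critical sites.
http_port 3128

# Placeholder domains; replace with the sites the business actually needs.
acl ssl_allowed dstdomain .bank.example .payroll.example
acl SSL_ports port 443
acl CONNECT method CONNECT

# Tunnels to anything other than port 443 are never allowed.
http_access deny CONNECT !SSL_ports

# Tunnels to the allowlist are permitted; every other CONNECT is refused,
# which is "deny all the rest" instead of an open outbound default.
http_access allow CONNECT ssl_allowed
http_access deny CONNECT

# Rules for ordinary (non-CONNECT) HTTP traffic go here, followed by the
# usual final "http_access deny all".

# Log every request so refused tunnels from inside the network stand out.
access_log /var/log/squid/access.log squid
```

Refused CONNECT attempts appear in access.log as TCP_DENIED entries, which gives the auditing the quoted comment asks for and a cheap indicator of hosts trying to tunnel to sites that were never approved.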