> I'm not so concerned with the single point of failure. Not yet :-)
> Users will now have to use a proxy to check their email? If they
> don't configure the proxy, they aren't getting any virus protection
> from the firewall?
>
> I thought it did some sort of deep packet inspection, and just
> monitored all traffic that comes in and goes out. However I was

I do not know the device in question, but there are firewalls which do exactly that. The problem is that this approach will silently drop suspicious packets, perhaps informing the admin that "something was blocked, hooray!" but leaving the user totally clueless.

> curious exactly how it does this, especially for encrypted traffic
> (not encrypted by the fortigate). I thought it can monitor plain POP3
> traffic, but what if you are using an ssl cert with your POP3 server,
> then it probably wouldn't work.

A possible approach is the "man in the middle attack". All you gotta do is to install a new root certificate (issued by the firewall) in all client machines. The firewall can then impersonate the remote server. Dumb and easy.

> Or let's say users are connecting to gmail via ssl, the fortigate
> wouldn't be able to block file downloads.

Clients without the "fake" root certificate will of course receive warnings about invalid certificates. Either the user clicks "go ahead" or he won't get through to gmail. Since the firewall should handle all the certificate verification on the Internet side (perhaps silently refusing the connection to a server with a less than optimum certificate...), it should still be safe.

These "plug-and-forget" all-in-one firewalls are real neat things. If your m0n0wall fails, the admin will have to rush to bring it back to work. If your "plug-and-forget" firewall fails (either because of false positives or because of a real failure), there's about nothing you can do, so no need to rush. Hey, if no Internet traffic works anymore, you're at least safe from malware and filth!

Companies for which Internet access is mission critical avoid such miraculous devices. I suspect for a reason.

Best regards,
Klaus

_________________________________________________________
This mail sent using V-webmail - http://www.v-webmail.orgg
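As an added example (not from the thread above), the following Python shows how an admin can tell from the client side whether a TLS connection to a mail or web server is terminated by an intercepting firewall of the kind Klaus describes: with the firewall's root installed, verification succeeds silently, so the only visible sign is that the issuer is the local private root rather than the server's public CA. The issuer names, hostnames and sample certificates are constructed for illustration.

```python
"""Spot a TLS-intercepting proxy by comparing the issuer the client actually
sees against the issuer the server is known to use (stdlib only)."""
import socket
import ssl

def issuer_cn(cert):
    """Return the issuer commonName from a dict shaped like ssl.getpeercert()."""
    for rdn in cert.get("issuer", ()):       # issuer is a tuple of RDNs ...
        for attr_type, value in rdn:         # ... each a tuple of (type, value)
            if attr_type == "commonName":
                return value
    return None

def classify(cert, expected_issuer_cns, private_root_cns):
    """'direct' = public CA as expected, 'intercepted' = signed by the
    firewall's private root, 'unexpected' = some other issuer."""
    cn = issuer_cn(cert)
    if cn is None:
        return "unknown"
    if cn in expected_issuer_cns:
        return "direct"
    if cn in private_root_cns:
        return "intercepted"
    return "unexpected"

def probe(host, port=995, timeout=5.0):
    """Live check (needs network). A client *without* the firewall's root gets
    SSLCertVerificationError here, which is the 'invalid certificate' warning
    end users see; a client *with* it gets the substituted chain back."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None

# Constructed samples in ssl.getpeercert() layout (not real certificates).
DIRECT_CERT = {
    "subject": ((("commonName", "pop.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA Inc"),),
               (("commonName", "Example Public CA"),)),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "pop.example.com"),),),
    "issuer": ((("commonName", "Corp Firewall Root CA"),),),  # hypothetical name
}
EXPECTED = {"Example Public CA"}           # what pop.example.com really uses
PRIVATE_ROOTS = {"Corp Firewall Root CA"}  # the root pushed to client machines
```

Keep the expected-issuer list per destination; if it drifts from what clients observe, either the server changed CA or something in the path is re-signing traffic.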