Re: [squid-users] webwasher ssl content scanner anyone ?

From: Christoph Haas <email@dont-contact.us>
Date: Thu, 7 Sep 2006 21:45:48 +0200

On Thursday 07 September 2006 18:28, Jakob Curdes wrote:
> several months ago we had a lengthy discussion here about the prevention
> of ssl tunneling through a http proxy. The conclusion was that to avoid
> this type of misuse which can undermine your entire security strategy
> you need to inspect the ssl content.

Definitely. People will play tricks on you for sure otherwise. Guess how
many SSH servers run on port 443...

> I just stumbled on the commercial
> product "WebWasher" from Securecomputing Inc. Does anybody have
> experience with this or similar products?

Yes, we are running WebWasher for 5,500 users. While the previous versions
were a bit unstable the current 5.x versions are working smoothly. The SSL
scanner they developed works like a charm.

> Can it be integrated in a linux-based squid / iptables system (there is
> a linux version but no technical details)? Is there any open source
> program to achieve the same thing ?

I don't know any free SSL scanner. We are using the WebWasher for much more
than just SSL scanning anyway. Squid isn't sufficient at all for enforcing
a corporate security policy. This may change once large companies
stop using crap like Windows and especially the Internet Explorer.

We use Squid and WebWasher in a proxy chain though because WebWasher is
weak at ACLs. Squid has an unmatched flexibility in terms of ACLs and is
obviously a cache, which WebWasher isn't. You could as well try to use
both through an ICAP connection since WebWasher works both as a
HTTP/HTTPS/FTP proxy and as an ICAP server.

Enough advertisement. :)

Cheers
 Christoph
Received on Thu Sep 07 2006 - 13:46:04 MDT
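
A first-bytes check for the SSH-on-port-443 case mentioned in the message, as an added example that is not part of the original post and is not code from Squid or WebWasher. It classifies the first bytes a client sends inside a CONNECT tunnel; all function names and sample byte strings are constructed for illustration. It only flags tunnels that do not open with a TLS ClientHello, so traffic wrapped in real TLS still needs the content inspection discussed in the thread.

```python
"""Classify the first client bytes seen inside an HTTP CONNECT tunnel."""

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
TLS_MAX_RECORD = 16384     # maximum plaintext record length (2^14)


def classify_tunnel_start(data: bytes) -> str:
    """Return 'ssh', 'tls', 'other' or 'incomplete' for the first bytes."""
    # An SSH client opens with an identification string such as "SSH-2.0-...".
    if data[:4] == b"SSH-":
        return "ssh"
    # A TLS record header is 5 bytes; byte 6 is the handshake message type.
    if len(data) < 6:
        return "incomplete"
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    if (content_type == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < record_len <= TLS_MAX_RECORD
            and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    return "other"


def tunnel_verdict(data: bytes) -> str:
    """Policy for a CONNECT to port 443: only a TLS ClientHello may pass."""
    kind = classify_tunnel_start(data)
    if kind == "incomplete":
        return "wait"          # need more bytes before deciding
    return "allow" if kind == "tls" else "deny"


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "tls-clienthello": bytes.fromhex("160301000501000001" "00"),
    "ssh-on-443": b"SSH-2.0-ExampleClient_1.0\r\n",
    "plain-http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "short-read": b"\x16\x03",
}


def review(samples: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: tunnel_verdict(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in review(SAMPLES).items():
        print(f"{name:16} {verdict}")
```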
