> The only context I can think of this making any sense is when you
> have an inside agent program that makes an SSL connection to an
> external host for the express purpose of providing access to systems
> on the inside (sort of like dial-back).

You mean like if someone made a Back Orifice plug-in or something like that?

> The `solutions' are not pretty: disable any protocol using encryption
> because the firewall cannot validate the message's integrity or force
> everything to be decrypted and re-encrypted as required to allow the
> message to be checked that it matches the right protocol.

No, it's worse. The 'solution' is to disable any protocol that issues connections which are not immediately tied to an authentication that isn't performed by a computer.

mjr.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:14 PDT