Comments on: ISA Firewalls Now Support Outbound SSL Tunnel Inspection!

by: Narayanan B Nair

Sun, 10 Sep 2006 14:58:39 +0000

Could you please explain how to block Skype through ISA2004 firewall ?Is it possible ?.Please explain to me.

Thanks a lot

With Regards,

Narayanan B Nair

by: Thomas Shinder

Wed, 21 Jun 2006 01:17:52 +0000

Hi Oren,
Yes, the ISA firewall is acting as a man in the middle, but unlike a MITM attack, the ISA firewall is a TRUSTED middle man.

It is possible that it might be interpreted this way, as a privacy issue. However, HIPAA also requires that you protect your networks from intrusion. By enabling SSL inspection, you can stop the downloading of privacy invading software that would otherwise be hidden inside an SSL tunnel. Since SSL tunnels are become a major vector of attack, I would argue that since only the ISA firewall admins and domain admins can potentially access the data, that the overall security and privacy posture is vastly superior to allowing attackers steal private information over an uninspected SSL tunnel.

Tom

by: Oren

Wed, 21 Jun 2006 01:12:38 +0000

The only way this kind of filtering can work is if it’s a MITM that generates valid SSL certs on the fly from a CA trusted by the browser.

It’s very easy to detect this though since looking at the certificte would show that it’s signed by a corporate CA instead of an external one (like VeriSign).

I’m also wondering about the legal implications of this with regards to the secure transmittal of healthcare information. If an employee is submitting HIPAA protected information through a proxy that’s decrpyting and inspecting it, that could be construed as a violation of privacy rights. Granted, it’s accessed through an employers network, but there are still things that are subject to extra-stringent safegaurds.