On 6/19/07, Vadim Pushkin <wiskbroom@hotmail.com> wrote:
> I am only looking to inspect each SSL connection for the purposes of
> determining if the traffic should be allowed, i.e. non-malicious (not chat,
> file-transfer, etc).
If you actually want to inspect the protocol inside the SSL, I'm not
aware of any free products in this space, but it is a feature of a
growing number of commercial products. These all, TMK, assume that
you are able to load your own additional trusted root certificate on
all clients -- this is trivial in corporations, might be more
difficult in a university, and shouldn't be considered by a
traditional ISP (back to the privacy implications I mentioned
previously).
> Can anyone recommend such a product? Also, I should mention, I am not
> looking to spend a lot of money.
Blue Coat street price starts at about $3K. Their ProxySG product
supports internet standards including ICAP and ICP, and should be
fully capable of participating in a Squid hierarchy (I haven't tested
this...yet) as an ICP parent/child/peer. The base license includes IM
controls and a 'Is this really SSL?' test, but SSL termination
requires an add-on license. Also, their URL categorization engine can
accept databases from many of the top censorware vendors (or their
own), licensed "per seat".
> Are there any plans on the roadmap to do
> this sort of traffic analysis within Squid?
I'm not aware of any.
ICAP doesn't support MITM "CONNECT" tunnel handling. Though some ICAP
clients will forward the CONNECT "URL" to an ICAP service to be
approved or denied, the ICAP standard doesn't allow for looking inside
the SSL/TLS conversation.
Personally, what I've done is configure Squid to hand off CONNECT
sessions to a "parent" proxy supporting SSL inspection:
# two SSL-inspecting parent proxies on port 8008; "7 no-query" means no ICP
cache_peer ssl1.intranet parent 8008 7 no-query
cache_peer ssl2.intranet parent 8008 7 no-query
# SSL_ports is defined in the default squid.conf; repeat it here only if
# your config lacks it (a duplicate definition just extends the acl)
acl SSL_ports port 443
acl CONNECT method CONNECT
# refuse tunnels to anything but the SSL ports before peer selection
http_access deny CONNECT !SSL_ports
# only CONNECT requests are sent to the SSL-inspecting parents
cache_peer_access ssl1.intranet allow CONNECT
cache_peer_access ssl2.intranet allow CONNECT
cache_peer_access ssl1.intranet deny all
cache_peer_access ssl2.intranet deny all
# CONNECT must always go through a parent, never direct
never_direct allow CONNECT
Kevin
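The "Is this really SSL?" test mentioned above, as an added example that is not from the original post or from Squid or Blue Coat: a small Python classifier that reads the first bytes a client sends through a CONNECT tunnel, checks that they form a TLS ClientHello, and, where the client sent a server_name (SNI) extension, compares it with the CONNECT target. This lets a proxy refuse tunnels that carry SSH, IM or other non-TLS protocols, or TLS to a host other than the one requested, without loading a trusted root on clients. The ClientHello builder, host names and policy function are constructed for the example; a real deployment would read the bytes from the tunnel socket instead.

```python
"""Check whether a CONNECT tunnel really starts with a TLS ClientHello
and which server name it asks for.  Added example, not from the original
mailing-list post; all sample input below is constructed."""
import struct

SSL_HANDSHAKE = 0x16       # TLS record type: handshake
CLIENT_HELLO = 0x01        # handshake message type: ClientHello
EXT_SERVER_NAME = 0        # extension type for SNI (RFC 4366)


def build_client_hello(server_name=None, version=(3, 1)):
    """Construct a minimal TLS 1.0 ClientHello record (test input only)."""
    client_random = bytes(32)
    cipher_suites = b"\x00\x2f\x00\x35"          # AES128-SHA, AES256-SHA
    body = (bytes(version) + client_random
            + b"\x00"                             # empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                        # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        ext_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([SSL_HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


def classify_tunnel_start(data):
    """Return ("tls", sni_or_None), ("not-tls", reason) or ("unknown", reason).

    Only the SSLv3/TLS record layout is recognised; an SSLv2-compatible
    ClientHello (first byte 0x80) is reported as not-tls."""
    if len(data) < 5:
        return ("unknown", "need at least 5 bytes")
    try:
        ctype, vmaj = data[0], data[1]
        rlen = struct.unpack("!H", data[3:5])[0]
        if ctype != SSL_HANDSHAKE or vmaj != 3:
            return ("not-tls", "no TLS handshake record header")
        rec = data[5:5 + rlen]
        if rec[0] != CLIENT_HELLO:
            return ("not-tls", "handshake record is not a ClientHello")
        hlen = int.from_bytes(rec[1:4], "big")
        hello = rec[4:4 + hlen]
        if len(hello) < hlen:
            return ("unknown", "truncated ClientHello, read more bytes")
        pos = 2 + 32                                  # client_version + random
        pos += 1 + hello[pos]                         # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
        if pos >= len(hello):
            return ("tls", None)                      # no extensions at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            lpos = 2                                  # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                name = edata[lpos:lpos + nlen]
                lpos += nlen
                if ntype == 0:                        # host_name
                    return ("tls", name.decode("ascii", "replace"))
        return ("tls", None)
    except (IndexError, struct.error):
        return ("unknown", "malformed record")


def tunnel_policy(connect_host, first_bytes):
    """Hypothetical allow/deny rule: the tunnel must carry TLS, and any SNI
    the client sends must match the host named in the CONNECT request."""
    kind, detail = classify_tunnel_start(first_bytes)
    if kind != "tls":
        return "deny"
    if detail is not None and detail.lower() != connect_host.lower():
        return "deny"
    return "allow"


if __name__ == "__main__":
    # constructed samples: a real ClientHello, an SSH banner, a plain HTTP request
    for host, blob in [("mail.example.com", build_client_hello("mail.example.com")),
                       ("mail.example.com", b"SSH-2.0-OpenSSH_4.3\r\n"),
                       ("mail.example.com", b"GET / HTTP/1.1\r\n")]:
        print(classify_tunnel_start(blob), tunnel_policy(host, blob))
```

A proxy can only apply this after reading the client's first record, so it has to peek at the tunnel before splicing it; clients that send no SNI (common in 2007) still pass the "is it TLS" check but cannot be matched against the CONNECT host.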
Received on Tue Jun 19 2007 - 15:13:33 MDT
This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT