RE: Prohibiting SSL VPNs

["Melson, Paul" <PMelson () sequoianet com>]

> -----Original Message-----
> Does anybody have any ideas on how I could prohibit the usage 
> of SSL VPNs like the one offered by F5 (Firepass), since this 
> requires only the ability for the client to make an https 
> connection (bypassing any kind of firewall/proxy)? Since this 
> product (or any similar) creates some kind of PPP connection 
> over https, installs routes on the PC etc. it will create a 
> lot of problems. (see also: Worms, Air Gaps etc)

access-list 101 deny tcp any any eq 443

:-)


> I know that I could possibly stop the downloading of 
> ActiveX/Java applets via some kind of web filtering software 
> but this also has a lot of side effects, or I could use some 
> kind of whitelist for https connections, but this is too 
> difficult to manage/maintain.

Before you can intercept Java applets you'll need to terminate the SSL
stream at some inspection point that you control.  Easier said than
done.  Most proxies that "support" HTTPS/SSL just allow HTTP CONNECT
sessions through the proxy for traffic destined for TCP/443.  Also
consider that if they are resourceful, your users can use SSL tunneling
over nearly any port you allow out through your firewall that doesn't
have some sort of application proxy to facilitate (and normalize)
traffic.

Realistically, your best bet is to set an organizational policy that
forbids the use of such services/connections and to communicate that to
users.  This is similar to the GoToMyPC.com issue.  You can block access
to some IP addresses and hope they don't change or that your users don't
find another service you don't know about.  Or you can block all access
to encrypted protocols, which is a big pain and may create other
business problems, and probably still won't keep that 0.01% of your
users from misbehaving.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards