Re: Fortigate Bypass

["Mario Platt" <mplatt () gmail com>]

If the appliance is not designed to keep *real* traffic logged, I
don't mind if my router/firewall/gateway sees my traffic. What I do
mind, is people going totally against my security policy, by
establishing SSH connections through an SSL tunnel on 443. If you have
a few dozen workers, I don't think there's a problem in choosing and
analyzing some https websites, but if your gateway protects thousands
of users, this is quite impossible, or you have the best and bigger
helpdesk team in the world ;)

just my 2 cents

On 7/20/06, Louis Wang <bill.louis () gmail com> wrote:
> hi there
>     https is born to make connection keep secret between two peers.
> Only the two end of a connection can see the clear text, gateways and
> router can not see clear text. so technically, Fortigate or other
> gateways can not deal with https content text. And more, if FortiGate
> can know your https connect content, FortiGate administartor can see
> your credit card account and password when you logon bank website
> throught FortiGate by https, would you like to see this thing? :)
>
>
> ----
> homepage:http://www.lwang.org
> mailto:abryson () bytefocus com
>
> 19 Jul 2006 06:14:12 -0000, digicrimes () gmail com <digicrimes () gmail com>:
> > Today when I was trying to see how strong the fortiguard filters where I had stepped upon some thing interesting .
> >
> >
> > Note : fortiguard clearly says that none of their filters work on HTTPS ;) so you guys need to decide if its worth 
> the money u shell in hehe
> >
> >
> >
> > Scenario 1
> >
> >
> > Say you have blocked Web based email in your fortiguard policy and you check it by going to http://www.gamil.com . you see that you could have 
> access to the login page of gamil in spite   of blocking it. So you try to log in and see its it blocks and once you log in it block perfectly 
> saying it�s a Webbased email site.  And you url would read " 
> Http://mail.google.com/mail/?auth=DQAAAG0AAADkxf81BT4k5Q_dw7zQsGO2RuHEQ55IOMzbimKF8Ia7WbQZHvXuVo7o5smHQGg9C_nC4SQz2ofiC3hhc8q4Ar14V-PqgtawN>>>>>>>
>  � in your browser. But if a user prefix the same url with a https instead of Http he can get into his Gmail account. The firewall is unable to even 
> log this activity ( memory logging).
> >
> >
> > Scenario 2
> >
> >
> > Let�s take an example of Proxy avoidance ( I know it�s a nightmare for admin�s) . say a user tries to access 
> http://www.kproxy.com  . Fortiguard beautifully blocks it under the Proxy avoidance category. But if the user prefix a 
> https then he can get into the site and from there he is virtually un stoppable form accessing any shit he wants ( no logs 
> again).
> >
> >
> > Solution 1
> >
> >
> > You need to input a policy that Block all the Https protocols. Well if you do this all the ligament sites such as ( 
> MSDN just an example ) or say your Im�s  would get blocked. If you want to exclude suck secure sites you need to go and 
> find all the ip�s they would use ( that�s not really easy)  and then allow then Https access.
> >
> >
> > Solution 2
> >
> >
> > Find all the sites that allow Https Proxy and block them. Just a reminder that each of the would have tone of ips and 
> most of them keep changing frequently.
> >
> >
> > Solution 3
> >
> >
> > Fortiguard makes the filters work with https :D
> >
> >
> >
> > Tried on
> >
> > Fortinet OS 3 Mr1
> >
> > Fortinet OS 3 Mr2
> >
> > hardware
> >
> >
> > FG60
> >
> > FG60A
> >
> > FG100A
> >
> > Fg200A
> >
> >
> >
> > remote-exploit.org
> >
>
>
> --
> Have a Good Day