Security Basics mailing list archives

Preventing tunnels through HTTPS proxies


From: Michal Ludvig <mludvig () logix net nz>
Date: Wed, 17 Jun 2009 12:48:17 +1200

Hi all,

As you probably know, it's very easy to bypass egress filters on a
network as soon as there's an internal HTTPS proxy available. There are
many packages lying around for all kinds of operating systems that make
setting up a tunnel or VPN through such proxies a breeze.

I wonder how to prevent these abuses? Clearly the traffic pattern for a
VPN will be distinguishable from genuine HTTPS traffic - but how to
detect it? Alternatively, playing a man-in-the-middle on the proxy,
decrypting all the traffic, inspecting that it's indeed HTTP and
encrypting back with a key signed by a private CA that all the desktops
in the corporation would trust may be another option. Any other ideas?

It would, in fact, be enough to learn that it was VPN traffic
afterwards; we don't necessarily need to kill the tunnel in real time
(although it would be nice). Since this kind of proxy abuse is forbidden
by the company IT policy, the trespasser's managers would deal with it at
the HR level anyway. However, net ops will have to provide some evidence.

Does anyone know of any tools that can be used for this detection?
Ideally something open source (or commercial but not insanely expensive)
that could be used in conjunction with a Squid proxy? Other suggestions
are welcome as well.

Thanks

Michal
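One after-the-fact approach in the spirit of the question above, as an added example that is not part of the original post and not a Squid tool: parse Squid's native access.log and flag CONNECT sessions whose lifetime, byte volume or destination port does not look like a browser's TLS session. Squid logs a CONNECT once the tunnel closes, so the elapsed field is the tunnel lifetime; the thresholds and the sample log lines are constructed assumptions to be tuned against real logs.

```python
import re
from dataclasses import dataclass

# Squid "native" access.log format: one line per request. A CONNECT is
# logged when the tunnel closes, so `elapsed_ms` is the tunnel lifetime.
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Heuristic thresholds (assumptions; tune against a week of your own logs).
MAX_TUNNEL_SECONDS = 10 * 60      # browsers rarely hold one TLS tunnel this long
MAX_TUNNEL_BYTES = 50 * 1024**2   # 50 MiB through a single tunnel
ALLOWED_PORTS = {443}             # CONNECT to anything else is worth a look

@dataclass
class Finding:
    client: str
    target: str
    reasons: tuple

def analyse_connect(line):
    # Returns a Finding if this CONNECT looks like a tunnel, else None.
    m = SQUID_NATIVE.match(line.strip())
    if not m or m.group("method") != "CONNECT":
        return None
    port = m.group("url").rpartition(":")[2]
    secs = int(m.group("elapsed_ms")) / 1000
    sent = int(m.group("bytes"))
    reasons = []
    if port.isdigit() and int(port) not in ALLOWED_PORTS:
        reasons.append("non-standard port %s" % port)
    if secs > MAX_TUNNEL_SECONDS:
        reasons.append("long-lived tunnel (%.0f s)" % secs)
    if sent > MAX_TUNNEL_BYTES:
        reasons.append("high volume (%d bytes)" % sent)
    if not reasons:
        return None
    return Finding(m.group("client"), m.group("url"), tuple(reasons))

def scan(lines):
    # Evidence list for net ops: every suspicious tunnel, with why it was flagged.
    return [f for f in (analyse_connect(l) for l in lines) if f]

# Constructed sample lines (not real traffic): a normal page load, a two-hour
# 700 MiB tunnel to a bare IP, and a CONNECT to a non-standard port.
SAMPLE_LOG = """\
1245200000.123    842 10.0.0.5 TCP_TUNNEL/200 18321 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1245200001.456 7200000 10.0.0.7 TCP_TUNNEL/200 734003200 CONNECT 203.0.113.9:443 - DIRECT/203.0.113.9 -
1245200002.789   5000 10.0.0.8 TCP_TUNNEL/200 4096 CONNECT 203.0.113.9:8443 - DIRECT/203.0.113.9 -
""".splitlines()
```

Run it over a day's access.log with `scan(open("access.log"))`; a cron job that mails the findings gives the evidence trail the post asks for without touching the tunnel in real time.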
