Security Basics mailing list archives
Preventing tunnels through HTTPS proxies
From: Michal Ludvig <mludvig () logix net nz>
Date: Wed, 17 Jun 2009 12:48:17 +1200
Hi all, as you probably know it's very easy to bypass egress filters on a network as soon as there's an internal HTTPS proxy available. There are many packages laying around for all kinds of operating systems that make setting up a tunnel or VPN through such proxies a breeze. I wonder how to prevent these abuses? Clearly the traffic pattern for a VPN will be distinguishable from a genuine HTTPS traffic - but how to detect it? Alternatively playing a man-in-the-middle on the proxy, decrypting all the traffic, inspecting that it's indeed HTTP and encrypting back with a key signed by a private CA that all the desktops in the corporation would trust may be another option. Any other ideas? It would, in fact, be enough to learn that it was a VPN traffic afterwards, we don't necessarily need to kill the tunnel in realtime (although it would be nice). Since this kind of proxy abuse is forbidden by the company IT policy the trespasser's managers would deal with it at the HR level anyway. However net ops will have to provide some evidence. Does anyone know of any tools that can be used for this detection? Ideally something open source (or commercial but not insanely expensive) that could be used in conjunction with a Squid proxy? Other suggestions are welcome as well. Thanks Michal ------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff! http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html ------------------------------------------------------------------------
Current thread:
- Preventing tunnels through HTTPS proxies Michal Ludvig (Jun 17)
- Re: Preventing tunnels through HTTPS proxies Mariusz Kruk (Jun 17)
- RE: Preventing tunnels through HTTPS proxies Erik Soosalu (Jun 17)
- Re: Preventing tunnels through HTTPS proxies Morgan Reed (Jun 18)
- RE: Preventing tunnels through HTTPS proxies Erik Soosalu (Jun 18)
- RE: Preventing tunnels through HTTPS proxies Mariusz Kruk (Jun 19)
- RE: Preventing tunnels through HTTPS proxies Erik Soosalu (Jun 17)
- Re: Preventing tunnels through HTTPS proxies Mariusz Kruk (Jun 17)
- RE: Preventing tunnels through HTTPS proxies Ken Kousky (Jun 18)
- Message not available
- Re: Preventing tunnels through HTTPS proxies Aarón Mizrachi (Jun 18)