Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Blocking SSL Connections

Blocking SSL Connections

post #1 of 16
Thread Starter 
Hello,

Recently we have been having trouble with blocking SSL connections like https://encrypted.google.com/, which then can be used to browse to https://sslbrowser.com/. We never had issues before until Google decided to launch that search engine. We use Websense and are having a rough time trying to deny access to the sites. We have placed policies which should deny from the URL and IP address, and we can still gain access to them (and the policies were put in place early last week).

I was wondering about conflicts on the entire network if I specified in the PIX configuration to send HTTPS traffic to Websense, since traffic hits the PIX first, which then sends URLs to the Websense server for filtering...

Any help would be wonderful, so that we can continue to keep our work network safe.
post #2 of 16
If your Layer 4 switch is redirecting all port 80 traffic to the Websense, you may be able to redirect all 443 traffic there also. I cannot say for certain if Websense can or does manage filtering of 443. If it does not, you may want to look into BlueCoat.
post #3 of 16
If you have something like an ASA you can enable deep packet inspection and disallow any kind of encrypted traffic.
post #4 of 16
Quote:
Originally Posted by Tweak17emon
Hello,
I was wondering about conflicts on the entire network if I specified in the PIX configuration to send HTTPS traffic to Websense, since traffic hits the PIX first, which then sends URLs to the Websense server for filtering...

A PIX doesn't have that feature, whereas on the ASA there is a license that would have to be purchased.

What does each Cisco® ASA 5500 Series Content Security Edition license entitle you to?
Depending on the license type, customers are entitled to the following:
● Base licenses: Antivirus and antispyware functionality for the number of users licensed; pattern file, scan engine updates, and software updates for the first year.
● Plus licenses: URL filtering and blocking, antispam, antiphishing, and content filtering functionality for the number of users licensed; pattern file, scan engine updates, and major and minor software updates for the first year.
● User licenses: The right to perform the Base and Plus (if applicable) functionality for the number of users licensed. For licensing purposes, users are considered to be the total number of nonconcurrent users whose traffic is being scanned and/or protected by the module.

source
Edited by bratas - 5/31/11 at 11:38am
post #5 of 16
Quote:
PIX 7.0 introduces very flexible scrutiny of web-based traffic using HTTP. For example, you can configure security policies that make sure HTTP packets conform to the relevant RFCs and standards. In addition, the security appliance can enforce the use of TCP port 80 for any non-HTTP applications.

Security policies can also be defined to inspect and act on instant messaging, peer-to-peer file sharing, and tunneling applications. As well, a firewall can perform deep packet inspection on applications like FTP, ESMTP, and 3G mobile wireless tunneling traffic.
???

http://www.ciscopress.com/articles/article.asp?p=379751
post #6 of 16
That's 80, not 443.

OP, best practice is to have your Layer 4-7 switch and content filter outside the firewall, so web redirects happen prior to traffic hitting the firewall.


If you are utilizing the content filter on a PIX (which I would not recommend on a PIX unless a 535 or a Module), the filter does not work with SSL/SSH traffic, normal web traffic yes.
Edited by bratas - 5/31/11 at 11:58am
post #7 of 16
Are you redirecting secure traffic for accounting? Can you just drop it without redirecting the requests to Websense? Have you tried adding an ACE to your forward-facing PIX interface to just drop it? Or employ a URL-based ACL on the PIX?
post #8 of 16
What the hell?
Block the CONNECT command to the sites.
SSL needs the CONNECT command.
post #9 of 16
Thread Starter 
The issue with blocking the CONNECT command is that we do use SSL for some programs that the brokers use.

I'm thinking that we are going to just use port spanning to allow Websense to control SSL connections.
post #10 of 16
@ Spoony Really, I mean seriously, really? Doing so would kill all SSL connections, which is not what they are trying to do. For God's sake, I wish you would know what the hell you are really talking about before you just toss misinformation to the masses and then have them wonder why the hell they came to OCN.

Tweak17emon, the problem with just using a SPAN or mirror port is that it will bypass the firewall entirely. What you have here is why Layer 4-7 switches were created to begin with. All you have to do is have it redirect all 80 and 443 traffic to the Websense.

For those that do not know what a Layer 4-7 switch (aka content switch) does, it is used for load balancing and redirects. The load balancing can be for Firewall load balancing or Server load balancing.

If your company does not already have a Layer 4-7 switch, I would highly recommend, first, the Brocade (formerly Foundry Networks) ServerIron series, or an F5 load-balancer. The ServerIron would be my first choice. Cisco does a crap job at Layer 4-7.
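The difference between post #8's blanket CONNECT block and the selective filtering posts #9 and #10 are after, shown in code. This is an added example, not code from the thread, Websense or Cisco: a proxy-side policy over the CONNECT request line that denies only the two hosts the OP named (plus their subdomains and a placeholder IP literal) while leaving the brokers' SSL applications working. The broker hostname and the IP address are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed policy for the thread's scenario: deny the two hosts the OP named,
# plus one placeholder IP literal standing in for their resolved address, so a
# client that tunnels to the bare address instead of the name is caught too.
DENY_HOSTS = {"encrypted.google.com", "sslbrowser.com"}
DENY_IPS = {"203.0.113.10"}  # placeholder, not the real address of either site

# Shape of the request line a proxy sees for tunnelled SSL: "CONNECT host:port HTTP/1.x".
# Bracketed IPv6 literals contain ':' and deliberately fail this match (fail closed).
CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]$")

@dataclass
class Decision:
    host: str
    port: int
    allowed: bool
    reason: str

def host_matches(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it (case-insensitive)."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    return host == pattern or host.endswith("." + pattern)

def blanket_connect_policy(request_line: str) -> Decision:
    """Post #8's rule: refuse every CONNECT. This also kills the brokers' SSL apps."""
    m = CONNECT_RE.match(request_line.strip())
    host, port = (m.group("host"), int(m.group("port"))) if m else ("", 0)
    return Decision(host, port, False, "all CONNECT requests refused")

def host_based_connect_policy(request_line: str,
                              deny_hosts=DENY_HOSTS, deny_ips=DENY_IPS) -> Decision:
    """Post #10's point in code: keep SSL working, deny only the listed destinations."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return Decision("", 0, False, "not a well-formed CONNECT request line")
    host, port = m.group("host"), int(m.group("port"))
    if port != 443:
        # Limiting tunnels to 443 keeps the proxy from acting as a generic TCP relay.
        return Decision(host, port, False, "CONNECT only permitted to port 443")
    if host in deny_ips:
        return Decision(host, port, False, "destination IP is on the deny list")
    for pattern in deny_hosts:
        if host_matches(host, pattern):
            return Decision(host, port, False, f"host matches deny entry {pattern}")
    return Decision(host, port, True, "no deny entry matched")
```

Note that this only governs tunnels that pass through the proxy; as post #10 says, a SPAN or mirror port sees a copy of the traffic and cannot enforce anything.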