
Blocking SSL Connections - Page 2

post #11 of 16
Quote:
Originally Posted by Tweak17emon
The issue with blocking the CONNECT command is that we do use SSL for some programs that the brokers use.

I'm thinking that we are going to just use port spanning to allow Websense to control SSL connections.
Then block everything except the ones you're using. If you do that and just whitelist your business addresses, a person can try to connect from any other port or try whatever; it will be blocked.
post #12 of 16
Quote:
Originally Posted by bratas
@Spoony Really, I mean seriously, really? Doing so would kill all SSL connections, which is not what they are trying to do. For God's sake, I wish you would know what the hell you are really talking about before you just toss misinformation to the masses and then have them wonder why the hell they came to OCN.

Tweak17emon, the problem with just using a SPAN or mirror port is that it will bypass the firewall entirely. What you have here is why Layer 4-7 switches were created to begin with. All you have to do is have it redirect all 80 and 443 traffic to the Websense.

For those that do not know what a Layer 4-7 switch (aka content switch) does, it is used for load balancing and redirects. The load balancing can be for Firewall load balancing or Server load balancing.

If your company does not already have a Layer 4-7 switch, I would highly recommend first the Brocade (formerly Foundry Networks) ServerIron series, or an F5 load balancer. The ServerIron would be my first choice. Cisco does a crap job at Layer 4-7.
Have you ever heard of a whitelist, or can't you think for yourself? I mean, you do know the addys you're connecting to. Better yet, just block the CONNECT command for those two addys he wanted.
post #13 of 16
Quote:
Originally Posted by Spooony
Have you ever heard of a whitelist, or can't you think for yourself? I mean, you do know the addys you're connecting to. Better yet, just block the CONNECT command for those two addys he wanted.
Yes, I have heard of a whitelist. Now tell me exactly where you will apply a whitelist on a Cisco PIX???
What you are proposing will not work on a Cisco PIX.
post #14 of 16
Quote:
Originally Posted by bratas
Yes, I have heard of a whitelist. Now tell me exactly where you will apply a whitelist on a Cisco PIX???
What you are proposing will not work on a Cisco PIX.
He does have an operating system, doesn't he? He is an admin who has got access to thousands of logs and gritty stuff. Did we become so dependent that we only see and rely on the hardware standing there to do it? It's a layer of security; it doesn't mean all the other methods are useless.
I mean, let me show you an example. This one took my ISP almost 5 months to block.
muppet@runabout:/home/muppet $ telnet some-proxy 8080
Trying 136.232.33.11...
Connected to some-proxy.
CONNECT www.verisign.com:443 HTTP/1.0
HTTP/1.0 200 Connection established
Proxy-agent: Netscape-Proxy/3.52

Thats one method

Wait how about this one
Connect mms.myisp.com.somesslserver.net/mms/cache :8080

I mean, can you see what I used to bypass filtering etc. etc.? My requests are going through the proxy but I'm getting encrypted data back via the SSL tunnel. Now tell me if I've got a point or am I just being plain stupid?

Quote:
Originally Posted by bratas
A PIX doesn't have that feature, whereas with the ASA there is a license that would have to be purchased.

What does each Cisco® ASA 5500 Series Content Security Edition license entitle you to?
Depending on the license type, customers are entitled to the following:
● Base licenses: Antivirus and antispyware functionality for the number of users licensed; pattern file, scan engine updates, and software updates for the first year.
● Plus licenses: URL filtering and blocking, antispam, antiphishing, and content filtering functionality for the number of users licensed; pattern file, scan engine updates, and major and minor software updates for the first year.
● User licenses: The right to perform the Base and Plus (if applicable) functionality for the number of users licensed. For licensing purposes, users are considered to be the total number of nonconcurrent users whose traffic is being scanned and/or protected by the module.

source
^this
This is the problem with Cisco. First of all, they have an aging firewall with a lot of shortcomings.
Then they give you two options where you can only choose one. It's antivirus or host intrusion. You must pick one. You can't have both, which is pathetic.
Another thing: when you choose the antivirus package you get updates once a week from Trend Micro. That means you're 6 out of 7 days exposed to malware.
Their solutions were designed around the old web and not Web 2.0. The old web, as you can remember, was IRC bots and P2P malware etc. In Web 2.0 everything is based around ports 80 and 443. What people are doing is using those protocols with encryption, and thanks to the Russians for kits like Mpak, Icepack and Fiesta, just to name a few, systems are being compromised easily with just a simple email.
Cisco decrypts VoIP traffic so that it can go through its firewall, but it doesn't inspect it.
Furthermore, a connection with a browser it doesn't inspect or decrypt at all. It can't! It will break the rules of SSL. SSL connections are a secure encrypted tunnel that can't be opened up and inspected. That defeats the purpose and the protocol rule of it. So when someone types https://www.someserver.com in his browser, then all bets are off. Cisco can't do much. That's why the OP is running Websense for the content filtering. But Websense is to keep people off Facebook and such snot.

Now google online proxy servers. Just check how many addys you're getting of online proxies. There are hundreds of thousands of them.

Firewall management isn't done in one day. It takes some time of sitting back and doing log inspections and seeing how your security measures are being circumvented. You can block a path now; tomorrow they will have another, and then start changing patterns. Sit back for a month or so and just do inspections and identify who is doing what and how they do it. If they notice they're not blocked, they would also think they've got something that can't be blocked. Then, based on your observations, start putting rules in place to stop them from abusing the network for personal use. You may need another security solution running to place further restrictions. I'm certain the company must have an enterprise solution firewall. That's great for applying rules on protocols and how the connections are being made. And those solutions can decrypt SSL traffic from a browser.
That's my 2 cents.
Edited by Spooony - 6/1/11 at 9:10pm
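The whitelist that posts #11 and #12 argue over, and the CONNECT exchange Spooony pastes in post #14, as an added example (not code from the thread or from any product mentioned in it). It models a forward proxy's one decision point, the CONNECT request line, and shows why a loose host match lets the second request through while an exact, label-boundary match does not. The whitelist entries are hypothetical, and the second sample request line is a cleaned-up form of the post's "Connect mms.myisp.com.somesslserver.net/mms/cache :8080".

```python
"""Whitelist enforcement for HTTP CONNECT requests at a forward proxy.

Added example, not code from the thread. A proxy (or a firewall in front of
it) sees the CONNECT line in clear and that is its one chance to decide
whether the tunnel is allowed; everything after the 200 is opaque to it.
"""
import re

# Hypothetical business whitelist: (hostname, port) pairs the brokers' software needs.
ALLOWED = {
    ("trading.example-broker.com", 443),
    ("mms.myisp.com", 443),
}

CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$")


def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host").lower().rstrip("."), port


def naive_allowed(host, port):
    """Weak check: passes if any whitelisted name is a string prefix of the target
    and ignores the port. This is the filter the second CONNECT in the post walks past."""
    return any(host.startswith(h) for h, _ in ALLOWED)


def strict_allowed(host, port):
    """Hardened check: exact host and port, or a subdomain match at a label boundary."""
    for h, p in ALLOWED:
        if port != p:
            continue
        if host == h or host.endswith("." + h):
            return True
    return False


def respond(request_line, policy):
    """Status line the proxy would send back for this CONNECT under the given policy."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "HTTP/1.0 400 Bad Request"
    host, port = parsed
    if policy(host, port):
        return "HTTP/1.0 200 Connection established"
    return "HTTP/1.0 403 Forbidden"


# Constructed sample requests: the two from the post plus two legitimate ones.
SAMPLE_REQUESTS = [
    "CONNECT www.verisign.com:443 HTTP/1.0",
    "CONNECT mms.myisp.com.somesslserver.net:8080 HTTP/1.0",
    "CONNECT mms.myisp.com:443 HTTP/1.0",
    "CONNECT trading.example-broker.com:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line)
        print("  naive : " + respond(line, naive_allowed))
        print("  strict: " + respond(line, strict_allowed))
```

Run it and the naive policy answers 200 to mms.myisp.com.somesslserver.net:8080 because the string starts with a whitelisted name; the strict policy also pins the port, so a tunnel to 8080 is refused even when the host is right. The check is the same whether the proxy enforces it or a firewall in front of the proxy reads the CONNECT line, since that line is the only part of the session either of them sees in clear.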
post #15 of 16
Actually with the ASA you can use IPS and Antivirus together.

In part you are right: the OP's company is using a dated firewall with IOS 7.x, whereas the ASA utilizes IOS 8.4 (8.4.2 is currently in beta and due to be released within the next couple of weeks, at least that's what Cisco told me while I was at their office last Tue.; I'll be at Cisco's Herndon office again next week and I'll verify).

There are a number of ways the OP can accomplish the task. One is to utilize a Layer 4-7 switch (which can redirect all 80, 443, 8080, 8088 traffic) in conjunction with a content filter, e.g. Websense, BlueCoat and so on. Two is to utilize a UTM such as Cisco's ASA or Juniper's SRX. However, in an enterprise environment this should be done by some type of appliance, and it is also why there is typically a full-time position dedicated to this. This effort is not a static set-it-once-and-forget-it type of deal, and anyone thinking otherwise should understand that things constantly evolve, requiring tweaks and updates.
post #16 of 16
Quote:
Originally Posted by bratas
Actually with the ASA you can use IPS and Antivirus together.

In part you are right: the OP's company is using a dated firewall with IOS 7.x, whereas the ASA utilizes IOS 8.4 (8.4.2 is currently in beta and due to be released within the next couple of weeks, at least that's what Cisco told me while I was at their office last Tue.; I'll be at Cisco's Herndon office again next week and I'll verify).

There are a number of ways the OP can accomplish the task. One is to utilize a Layer 4-7 switch (which can redirect all 80, 443, 8080, 8088 traffic) in conjunction with a content filter, e.g. Websense, BlueCoat and so on. Two is to utilize a UTM such as Cisco's ASA or Juniper's SRX. However, in an enterprise environment this should be done by some type of appliance, and it is also why there is typically a full-time position dedicated to this. This effort is not a static set-it-once-and-forget-it type of deal, and anyone thinking otherwise should understand that things constantly evolve, requiring tweaks and updates.
The problem is that the SPI firewall with basic stateful application-layer inspection mechanisms is unable to inspect what happens in the encrypted channel. When the user connects to the secure Web site behind the corporate SPI firewall, the firewall can inspect only the initial CONNECT request. Once the SSL session is established between the user and the secure Web server, all application-layer information is completely hidden from the firewall.

You need a firewall that can do SSL-to-SSL bridging to look inside those. The ASA can do those. I think it's called SSL VPN with network extension by them. But you only get two out of the box. You need a different license for more. Dunno if it changed.
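Post #16 is right that once the tunnel is up the firewall cannot read the application data, but the TLS handshake that starts inside the tunnel is not encrypted, and its ClientHello carries the requested server name (SNI) in clear. That gives a second checkpoint after the CONNECT line: the name the client asks for inside the tunnel should match the host named in the CONNECT. The following is an added example, not code from the thread or from any product named in it; it builds a minimal ClientHello as constructed sample input and parses the SNI back out. Caveats a practitioner should keep in mind: a client talking to an endpoint it controls can put any SNI it likes, SNI is absent in SSLv3 and some older clients and is hidden by Encrypted Client Hello in newer ones, so a mismatch is a detection signal rather than proof, and a missing SNI needs a policy decision of its own.

```python
"""Check that the TLS ClientHello sent through a CONNECT tunnel names the same
host the CONNECT asked for. Added example; the ClientHello is built here as
constructed sample input, not captured from a real client."""
import struct

SNI_EXT = 0x0000


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2-style ClientHello record with an SNI extension.
    Fixed random and a short cipher list keep it readable; it is test input only."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    # an unrelated extension first (supported_versions) so the parser has to skip one
    sv_data = b"\x02\x03\x04"
    exts = struct.pack("!HH", 0x002B, len(sv_data)) + sv_data
    exts += struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    body = struct.pack("!H", 0x0303)            # client_version
    body += b"\x11" * 32                        # random (constructed, fixed)
    body += b"\x00"                             # empty session_id
    suites = b"\x13\x01\x13\x02\xc0\x2f"
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from the SNI extension of a ClientHello, or None if the
    bytes are not a complete ClientHello or carry no SNI. Never raises on bad input."""
    try:
        if len(data) < 5 or data[0] != 0x16:            # not a TLS handshake record
            return None
        rec = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(rec) < 4 or rec[0] != 0x01:              # not a ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:                            # truncated: wait for more bytes
            return None
        pos = 2 + 32                                    # skip client_version and random
        pos += 1 + hs[pos]                              # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                              # compression_methods
        if pos + 2 > len(hs):                           # no extensions block at all
            return None
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            edata = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != SNI_EXT:
                continue
            list_end = 2 + struct.unpack("!H", edata[0:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("idna").lower().rstrip(".")
        return None
    except (struct.error, IndexError, UnicodeError):
        return None


def check_tunnel(connect_host, first_client_bytes):
    """Compare the CONNECT target with the SNI seen in the tunnel's first bytes."""
    sni = extract_sni(first_client_bytes)
    if sni is None:
        return "no-sni"          # not TLS, truncated, SSLv3, or ECH: decide by policy
    return "match" if sni == connect_host.lower().rstrip(".") else "mismatch"


if __name__ == "__main__":
    hello = build_client_hello("www.verisign.com")
    print(extract_sni(hello))                                          # www.verisign.com
    print(check_tunnel("www.verisign.com", hello))                     # match
    print(check_tunnel("www.verisign.com", build_client_hello("other.example.net")))  # mismatch
    print(check_tunnel("www.verisign.com", b"GET / HTTP/1.0\r\n"))     # no-sni
```

Feed check_tunnel the CONNECT host and the first few hundred bytes the client sends after the 200. Clients that need more than one record to send the hello, or that send nothing TLS-shaped at all (the plain HTTP the post's second trick relays), come back as no-sni and should be logged and handled by explicit policy rather than silently allowed.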