RE: [fw-wiz] Prohibiting SSL VPNs
From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 05/21/04
- Previous message: Frederick M Avolio: "Re: [fw-wiz] Prohibiting SSL VPNs"
- Maybe in reply to: John Kougoulos: "[fw-wiz] Prohibiting SSL VPNs"
- Next in thread: Desai, Ashish: "RE: [fw-wiz] Prohibiting SSL VPNs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "John Kougoulos" <koug@intranet.gr>, <firewall-wizards@honor.icsalabs.com>
Date: Fri, 21 May 2004 15:04:04 -0400
> -----Original Message-----
> Does anybody have any ideas on how I could prohibit the usage
> of SSL VPNs like the one offered by F5 (Firepass), since this
> requires only the ability for the client to make an https
> connection (bypassing any kind of firewall/proxy)? Since this
> product (or any similar) creates some kind of PPP connection
> over https, installs routes on the PC etc. it will create a
> lot of problems. (see also: Worms, Air Gaps etc)
access-list 101 deny tcp any any eq 443
:-)
> I know that I could possibly stop the downloading of
> ActiveX/Java applets via some kind of web filtering software
> but this also has a lot of side effects, or I could use some
> kind of whitelist for https connections, but this is too
> difficult to manage/maintain.
Before you can intercept Java applets you'll need to terminate the SSL
stream at some inspection point that you control. Easier said than
done. Most proxies that "support" HTTPS/SSL just allow HTTP CONNECT
sessions through the proxy for traffic destined for TCP/443. Also
consider that if they are resourceful, your users can use SSL tunneling
over nearly any port you allow out through your firewall that doesn't
have some sort of application proxy to facilitate (and normalize)
traffic.
Realistically, your best bet is to set an organizational policy that
forbids the use of such services/connections and to communicate that to
users. This is similar to the GoToMyPC.com issue. You can block access
to some IP addresses and hope they don't change or that your users don't
find another service you don't know about. Or you can block all access
to encrypted protocols, which is a big pain and may create other
business problems, and probably still won't keep that 0.01% of your
users from misbehaving.
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
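Paul's point that a resourceful user can push SSL over any port the firewall lets out is the part a defender can actually test for. The following is an added example (not code from the thread or from any product named in it) that looks at the first client bytes of a TCP flow, decides whether they are a TLS ClientHello, pulls out the server_name (SNI) when one is present, and flags the flow if the destination port is not on an allow list. The ClientHello builder and the host name `vpn.example.com` are constructed sample data so the example runs offline; how the flow bytes are obtained (capture, proxy, IDS) is left to the reader.

```python
import struct

def parse_client_hello(payload: bytes):
    """Return {'version', 'sni'} if payload starts with a TLS ClientHello, else None."""
    # TLS record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None
    body = payload[9:9 + int.from_bytes(payload[6:9], "big")]
    try:
        version = (body[0], body[1])
        pos = 34                                             # client_version(2) + random(32)
        pos += 1 + body[pos]                                 # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0] # skip cipher_suites
        pos += 1 + body[pos]                                 # skip compression_methods
    except (IndexError, struct.error):
        return None                                          # truncated handshake
    sni = None
    if pos + 2 <= len(body):                                 # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    return {"version": version, "sni": sni}

def flag_flow(dst_port: int, payload: bytes, allowed_ports=(443,)):
    """Return a finding for a TLS handshake on a port outside allowed_ports, else None."""
    info = parse_client_hello(payload)
    if info is None or dst_port in allowed_ports:
        return None
    return f"TLS ClientHello on tcp/{dst_port} sni={info['sni']}"

def build_client_hello(sni: str) -> bytes:
    """Constructed sample ClientHello (TLS 1.0 framing) carrying a server_name extension."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x01" + bytes(32) + b"\x00"               # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x00\x2f"            # one cipher suite
            + b"\x01\x00"                                    # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(flag_flow(8080, build_client_hello("vpn.example.com")))
```

A hit only says "this is TLS where TLS was not expected"; as the message above notes, the policy decision about what to do with it still has to come from the organization.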