RE: [fw-wiz] Prohibiting SSL VPNs

From: Desai, Ashish (Ashish.Desai_at_fmr.com)
Date: 05/21/04

    To: "John Kougoulos" <koug@intranet.gr>
    Date: Fri, 21 May 2004 15:19:41 -0400
    
    

    You would have to disable the "CONNECT" HTTP verb in your
    web proxy. This will also disable all SSL access to legitimate web
    sites.

    The other option is to have your web proxy time out SSL connections after
    a certain time. Not sure if this would be enough to break (hamper) SSL VPNs.

    Ashish

    -----Original Message-----
    From: John Kougoulos [mailto:koug@intranet.gr]
    Sent: Thursday, May 20, 2004 6:41 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Prohibiting SSL VPNs

    Hello all,

    Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
    like the one offered by F5 (Firepass), since this requires only the
    ability for the client to make an https connection (bypassing any kind of
    firewall/proxy)? Since this product (or any similar) creates some kind of
    PPP connection over https, installs routes on the PC etc. it will create a
    lot of problems. (see also: Worms, Air Gaps etc)

    I know that I could possibly stop the downloading of ActiveX/Java applets
    via some kind of web filtering software but this also has a lot of
    side effects, or I could use some kind of whitelist for https connections,
    but this is too difficult to manage/maintain.

    Thanks,
    John

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
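
The timeout option raised in the reply above can be sized against existing traffic before it is enforced, by measuring how long CONNECT tunnels through the proxy actually last. The following is an added example, not part of the original thread: it assumes Squid-style native access logs (the thread names no proxy product), the log lines are constructed, and the 900-second threshold is an arbitrary illustrative value.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (assumed format):
# time elapsed_ms client action/status bytes method target ident hierarchy type
SAMPLE_LOG = """\
1085167000.101 842 10.1.1.20 TCP_MISS/200 15320 CONNECT www.bank.example:443 - DIRECT/192.0.2.10 -
1085167050.417 120 10.1.1.20 TCP_MISS/200 4096 GET http://www.example.org/ - DIRECT/192.0.2.80 text/html
1085170800.550 3600042 10.1.1.37 TCP_MISS/200 48211930 CONNECT vpn.partner.example:443 - DIRECT/198.51.100.7 -
1085171000.009 2200 10.1.1.20 TCP_MISS/200 88112 CONNECT mail.example.net:443 - DIRECT/192.0.2.25 -
1085178100.300 7150310 10.1.1.37 TCP_MISS/200 91300412 CONNECT vpn.partner.example:443 - DIRECT/198.51.100.7 -
garbage line that should be skipped
"""

def parse_connects(log_text):
    """Yield (client, target, elapsed_seconds, bytes) for each CONNECT entry."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue  # not a tunnel request, or too short to be a log entry
        try:
            yield f[2], f[6], int(f[1]) / 1000.0, int(f[4])
        except ValueError:
            continue  # malformed numeric field

def long_tunnels(log_text, max_seconds=900):
    """Aggregate tunnels that outlived max_seconds, keyed by (client, target)."""
    hits = defaultdict(lambda: {"count": 0, "seconds": 0.0, "bytes": 0})
    for client, target, secs, nbytes in parse_connects(log_text):
        if secs > max_seconds:
            h = hits[(client, target)]
            h["count"] += 1
            h["seconds"] += secs
            h["bytes"] += nbytes
    return dict(hits)

def report(log_text, max_seconds=900):
    """One summary line per (client, target) pair a timeout would cut off."""
    return [
        f"{client} -> {target}: {h['count']} tunnels, "
        f"{h['seconds']:.0f}s total, {h['bytes']} bytes"
        for (client, target), h in sorted(long_tunnels(log_text, max_seconds).items())
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Ordinary HTTPS page loads in the sample close within seconds, so only the hour-long tunnels cross the threshold; running this over real logs shows which legitimate long-lived sessions the same timeout would also break.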