Re: Preventing tunnels through HTTPS proxies



On Tuesday 16 June 2009 20:18:17 Michal Ludvig wrote:
Hi all,

as you probably know it's very easy to bypass egress filters on a
network as soon as there's an internal HTTPS proxy available. There are
many packages lying around for all kinds of operating systems that make
setting up a tunnel or VPN through such proxies a breeze.


I wonder how to prevent these abuses? Clearly the traffic pattern for a
VPN will be distinguishable from genuine HTTPS traffic - but how to
detect it? Alternatively, playing a man-in-the-middle on the proxy,
decrypting all the traffic, inspecting that it's indeed HTTP and
encrypting back with a key signed by a private CA that all the desktops
in the corporation would trust may be another option. Any other ideas?


It would, in fact, be enough to learn that it was VPN traffic
afterwards; we don't necessarily need to kill the tunnel in real time
(although it would be nice). Since this kind of proxy abuse is forbidden
by the company IT policy, the trespasser's managers would deal with it at
the HR level anyway. However, net ops will have to provide some evidence.


Does anyone know of any tools that can be used for this detection?
Ideally something open source (or commercial but not insanely expensive)
that could be used in conjunction with a Squid proxy? Other suggestions
are welcome as well.

I know that some proxies could be used for MITM and filtering (I don't
remember the technical details now... it's with the MITM SSL technique and not with
the "CONNECT" HTTP proxy command as you said).

However... the main issue is: the SSL certificate management.

This will be extremely harmful to availability or security, or both.
The certificate of each page can't be handled by your browser anymore...

If you block every non-accepted certificate at proxy level, the availability of
many websites will be dramatically affected.

Otherwise, if you accept every certificate, secure sites like online banks and
webmails will be compromised. Bad enough to discard this method.

----------------------

And also, keep some things in mind... I don't think that it will be so useful.

An attacker could even use undetectable covert channels over HTTPS using the
HTTP POST command.

With the "HTTP POST" command, the attacker could send encrypted packets over
it, acting as a website posting some info... and then... the endpoint could
call a tun/tap packet writer to put the packet on a tunnel virtual interface.

The returning packets come from the HTTP POST response... All of this looks like
legitimate HTTP(S) traffic.

The only pattern that you can detect is the frequency of HTTP queries...
But... again, it's also relative... an attacker could put a delay on his HTTP
VPN system to avoid detection.

The attacker could also open two channels: one for posting packets and one
for receiving packets constantly. This connection could be a simulation of a
big download, but it's a VPN.



Thanks

Michal


--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.
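One way to start collecting the after-the-fact evidence Michal asks for, as an added example that is not part of this thread: a small Python scan over Squid's native access.log that flags (a) long-lived, high-volume CONNECT sessions and (b) regularly spaced requests from one client to one host, the "frequency of HTTP queries" pattern Aaron mentions. The log lines below are constructed, and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Squid native access.log layout (logformat "squid"):
#   time.ms elapsed_ms client code/status bytes method URL ident peer/host type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")

# Assumed thresholds; tune to the site's normal traffic before trusting them.
LONG_SECONDS = 1800     # a CONNECT held open this long is a candidate tunnel
MIN_BYTES = 10_000_000  # ...if it also moved this much data
MIN_HITS = 8            # beaconing: at least this many requests to one host
MAX_JITTER = 0.2        # ...with inter-arrival stdev/mean at or below this

def host_of(url):
    """'host:443' (CONNECT) or 'http://host/path' -> 'host'."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0]

def parse(lines):
    """Yield one record per parsable line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield {"ts": float(d["ts"]), "elapsed": int(d["elapsed"]) / 1000.0,
                   "client": d["client"], "bytes": int(d["bytes"]),
                   "host": host_of(d["url"])}

def find_suspects(lines):
    """Return sorted (client, host, reason) triples worth a closer look."""
    sessions, suspects = defaultdict(list), set()
    for r in parse(lines):
        key = (r["client"], r["host"])
        sessions[key].append(r)
        if r["elapsed"] >= LONG_SECONDS and r["bytes"] >= MIN_BYTES:
            suspects.add(key + ("long-lived session",))
    for key, recs in sessions.items():
        if len(recs) < MIN_HITS:
            continue
        ts = sorted(r["ts"] for r in recs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_JITTER:
            suspects.add(key + ("regular beaconing",))
    return sorted(suspects)

# Constructed sample: one normal CONNECT, one 90-minute/70 MB CONNECT, ten
# CONNECTs to one host exactly 30 s apart, and one unparsable line.
SAMPLE_LOG = (
    ["1245176297.100 412 10.0.0.7 TCP_MISS/200 18342 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -",
     "1245176300.000 5400000 10.0.0.5 TCP_MISS/200 73400320 CONNECT vpn.example.net:443 - DIRECT/203.0.113.10 -"]
    + [f"{1245176400 + 30 * i}.000 250 10.0.0.9 TCP_MISS/200 1024 CONNECT beacon.example.org:443 - DIRECT/203.0.113.20 -"
       for i in range(10)]
    + ["garbage line that does not parse"])

if __name__ == "__main__":
    for client, host, reason in find_suspects(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

As Aaron points out, a channel that randomizes its delays or hides inside one long "download" will only ever trip the first check, so these hits are triage leads to correlate with transfer volume and duration, not proof of a tunnel.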
