Re: SSH Tunnel Over Squid
Pablo Navas wrote:
>> I have a GW that gives access to uncontrolled users by means of a SQUID
>> proxy that supports the protocols HTTP and HTTPS. Besides this and the
>> DHCPD, the rest is strictly closed.
>> A few days ago, I detected an SSH running on port 80 of a remote
>> computer (on the Internet), which a very skilful user of my network was
>> accessing. I thought then that this user was making a tunnel over the
>> Meticulously controlling the traffic of this user's IP/MAC, I am almost
>> sure that right now this user is making a tunnel over the SQUID with the
>> protocol HTTPS using the CONNECT method (since I have this method
>> deactivated on the SQUID for the HTTP.)
Man-in-the-middle is the way. balabit.com has a product, Zorp; I think
this product should permit a tight control of SSL traffic.
>> I have thought of various ways to stop this traffic:
>> 1- Deny the user's IP from inside my network. However, I don't think
>> this is the correct solution, because if the user wanted to, he could
>> just set another IP with another MAC if it's necessary and start making
>> the tunnel again.
User authentication with the proxy. But if he is so skilful, he could guess
a valid user. Try to use certificate authentication.
>> 2- Deny the external IP to which the user connects (even if it was only
>> association IP and port 443). However, I don't think this is a good
>> solution either because he could just store the SSH daemon on a
>> different computer.
Right, matter of time.
>> 3- Deny the CONNECT method of the HTTPS, which as far as I know would
>> prevent making the tunnel. But, this option has the negative consequence
>> of not being able to use the HTTPS (which is essential).
Yes, bad idea.
>> 4- Detection of tunnels on HTTPS inside of the GW. I think this is the
>> correct option, because it is possible that more tunnels will be made,
>> and that I will not be aware of their existence.
>> Searching for methods or tools to detect tunnels, I found
>> "tcpstatflow", which supposedly does what I need. However, in a reduced
>> testing environment I have not been able to detect some tunnels made
>> with PuTTY, and there are more ways to make them. Also, I have thought
>> about using the l7-filter patch and seeing if I detect the SSH traffic
>> on other strange ports, although according to the web, it consumes too
>> many resources because of the type of analysis that it makes of the
>> string "^ssh-\.[0-9]".
Evaluate whether the risk requires an improvement of your resources.
Confidential information leaks, etc.: you can justify and find the need.
>> My question is: Have you ever had this problem? How did you solve it? Is
>> there an effective way to detect and deny SSH tunnels on HTTPS?
Talk with him and inform him that you know his activities; if he keeps
trying, talk with human resources, your manager, security office, risk
manager... I don't know your organization, but this could be a serious
risk and this should matter.
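Option 4 in the thread (detecting tunnels on the gateway) can be approached from the Squid side without deep packet inspection: a CONNECT session that stays open far longer than a normal HTTPS exchange, or a CONNECT to a port other than 443, is worth an alert. The following is an added example, not code from the thread; it parses Squid's native access.log format (the `elapsed` field is in milliseconds, and `url` of a CONNECT line is `host:port`) and uses constructed sample lines and thresholds (30 minutes, port 443 only) that are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed Squid native access.log lines (time elapsed client code/status
# bytes method url ident hierarchy type). Not from the original thread.
SAMPLE_LOG = """\
1162000001.100     412 10.0.0.5 TCP_MISS/200 18342 GET http://example.org/index.html - DIRECT/203.0.113.5 text/html
1162000002.200    1850 10.0.0.7 TCP_MISS/200 52110 CONNECT mail.example.net:443 - DIRECT/203.0.113.6 -
1162000003.300 7215000 10.0.0.5 TCP_MISS/200 8421773 CONNECT 198.51.100.23:443 - DIRECT/198.51.100.23 -
1162000004.400    2300 10.0.0.9 TCP_MISS/200 4100 CONNECT 198.51.100.23:8080 - DIRECT/198.51.100.23 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


@dataclass
class Alert:
    client: str
    target: str
    reason: str


def parse_line(line: str):
    """Return the fields of one native-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_suspicious_connects(log_text: str, max_session_s: int = 1800,
                             allowed_ports=(443,)) -> list:
    """Flag CONNECT sessions to non-HTTPS ports or held open longer than max_session_s."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        _host, _, port_str = rec["url"].rpartition(":")
        port = int(port_str) if port_str.isdigit() else None
        if port not in allowed_ports:
            alerts.append(Alert(rec["client"], rec["url"], f"CONNECT to non-HTTPS port {port}"))
        elif rec["elapsed_ms"] // 1000 > max_session_s:
            alerts.append(Alert(rec["client"], rec["url"],
                                f"CONNECT held open {rec['elapsed_ms'] // 1000}s, over {max_session_s}s"))
    return alerts
```

Squid writes the `elapsed` value only when the session closes, so a tunnel still in use shows up in the log only afterwards, and long-lived legitimate HTTPS sessions (webmail, push channels) will also trip the duration rule, so treat the output as a list of clients to look at rather than proof of a tunnel.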