
Re: large campus network ... suggestions

Hello Roman,

Thanks for the clarification.  Indeed, if an SSL tunnel is made
through port 443, then anything could go in there, and it would be
impossible to inspect.  I don't know of any Open Source or Free
software that can solve this.  Bluecoat does have this kind of product
in appliances, which act as SSL ends, inspecting all traffic, and
generating on the fly SSL certificates...  Of course, they are not
cheap at all... (maybe around $20.000 each).

Best regards,

Jonas.

On Dec 15, 2007 8:53 AM, Roman Medina-Heigl Hernandez <roman@rs-labs.com> wrote:
> Hi Jonas,
>
> I didn't explain well... L7 filtering is easily defeated by SSL-wrapping
> any TCP-service on 443 port so you can install a SSL'rized SSH or Squid
> server (for instance) on that port and use it to freely surf the net :)
> Your firewall will only see apparently-legit SSL connections to an
> apparently-legit destination port (443). Hacker wins, admin loses :-)
>
> I repeat it: I don't know of any solution able to defeat this and would
> like to know if you have some idea to detect these more-or-less "advanced"
> bypass cases.
>
> Kind regards.
>
>
> Jonas Andradas wrote:
> > For Layer-7 filtering, you could check
> >
> > Application Layer Packet Classifier for Linux:
> > http://l7-filter.sourceforge.net/
> >
> > Kernel Iptables Layer 7:  http://l7-filter.sourceforge.net/HOWTO-kernel
> >
> >
> > On Dec 14, 2007 6:53 PM, Roman Medina-Heigl Hernandez <roman@rs-labs.com> wrote:
> >> Willi Mann wrote:
> >>
> >> If you want to permit HTTPS, you have to allow CONNECT to (at least)
> >> 443/tcp. So it's easy to tunnel through that port and get a "clean"
> >> internet connection.
> >>
> >> I don't know of any solution (level 7 filtering, etc) able to defeat this
> >> kind of tricks.
>
> --
>
> Regards,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
>
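As an added example (not from the thread or from any of its participants), the following Python script shows what a perimeter device actually gets to see of a port-443 flow: whether the first bytes form a TLS ClientHello and, if so, the client version and the SNI name. It constructs its own sample ClientHello and a sample plaintext SSH banner (constructed test inputs, not captures). It illustrates both sides of the discussion above: a crude tunnel that pushes plaintext over 443 is distinguishable, whereas an SSL-wrapped service of the kind Roman describes presents a well-formed ClientHello and is not distinguishable at this layer, which is why Jonas points at terminating (interception) proxies. The names build_client_hello, parse_client_hello and classify_port443_flow are the example's own.

```python
import struct
from typing import Optional


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test input, not a capture).

    If sni is None the handshake carries no extensions block at all.
    """
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x00" * 32                                # client random (zeroed for the sample)
        + b"\x00"                                     # session_id length: 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # compression methods: null only
    )
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name ext
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return {'version', 'sni'} if data starts with a TLS ClientHello, else None."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello message
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 35:
        return None                                   # truncated
    version = body[0:2].hex()
    pos = 2 + 32                                      # skip random
    pos += 1 + body[pos]                              # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                              # skip compression methods
    sni = None
    if pos + 2 <= len(body):                          # optional extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000:                       # server_name extension
                p = 2                                 # skip list length
                while p + 3 <= len(edata):
                    ntype = edata[p]
                    nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:                    # host_name
                        sni = edata[p:p + nlen].decode("ascii", "replace")
                    p += nlen
    return {"version": version, "sni": sni}


def classify_port443_flow(first_bytes: bytes) -> str:
    """Coarse verdict a passive inspector can reach from the first client bytes."""
    info = parse_client_hello(first_bytes)
    if info is None:
        return "plaintext-on-443"                     # no TLS handshake at all
    if info["sni"] is None:
        return "tls-no-sni"                           # TLS, but no hostname to match policy on
    return "tls:" + info["sni"]                       # TLS; only the SNI name is visible


# Constructed samples: an SSH banner sent straight over 443, and two TLS ClientHellos.
SAMPLES = {
    "plain-ssh": b"SSH-2.0-OpenSSH_4.7\r\n",
    "tls-with-sni": build_client_hello("www.example.com"),
    "tls-no-sni": build_client_hello(None),
}

if __name__ == "__main__":
    for label, first_bytes in SAMPLES.items():
        print(f"{label:14s} -> {classify_port443_flow(first_bytes)}")
```

The point of the third verdict is the limit Roman raises: an SSL-wrapped SSH or Squid listener produces a "tls:..." or "tls-no-sni" verdict exactly like a browser would, so matching on the handshake alone cannot separate the two; only a terminating proxy that holds the session keys can look further.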