
Re: How Bad is CONNECT and Should I Prevent It?

On 6/18/07, Vadim Pushkin <wiskbroom@xxxxxxxxxxx> wrote:
> I've gone ahead and modified my squid.conf to prevent connections using the
> method CONNECT to just an allowed list, all via port 443 only.

Whitelisting is hard work, but effective when done right.


> I am seeing lots of DENY messages, mostly for webmail.*, mail.*,
> these include logins into Google mail as well.

These logged DENY events are probably all legitimate SSL/TLS sessions.
CONNECT is used to proxy legitimate encrypted sessions, and also used
by P2P (Limewire, Skype, etc.) and tunneling and trojans to open up
paths out of (and back into) the network.

Some of these "evil" uses of CONNECT run on TCP/443, and conversely,
some legitimate HTTPS web sites run on seemingly arbitrary ports.


> My question is if I've opened myself up to an
> admin nightmare or am I being smart by preventing
> some really bad stuff into my network?

Yes, and yes -- you've opened yourself up to an admin nightmare, but
you are also preventing some really bad stuff :)


> Has anyone else blocked CONNECT in a better way?

Well, you could expand your whitelist to include known webmail
servers, online banking, and other "good" destinations, but that is an
admin nightmare.

Blue Coat just bought me lunch today, so I feel oddly compelled to
mention that their ProxySG appliance can perform various levels of
CONNECT enforcement and even offers SSL interception to inspect the
contents of HTTPS sessions.

There are other products in that same space, generally more expensive.

Kevin
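For readers following this thread, here is a squid.conf fragment that expresses the policy the original poster describes (CONNECT only to a whitelist, only on 443) together with a narrow exception for one site that serves HTTPS on a non-standard port, which is the case Kevin raises. This is an added example, not configuration from either poster; the client range, whitelist file path and the example.net domain are placeholders.

```conf
# Added example (not from the list thread): restrict CONNECT tunnels
# to whitelisted destinations on TCP/443. Ranges, paths and domains
# below are placeholders to be replaced with local values.

# Clients permitted to use the proxy at all (placeholder range)
acl localnet src 192.168.0.0/16

# The CONNECT method (TLS tunnelling) and the port it is normally allowed to reach
acl CONNECT method CONNECT
acl SSL_ports port 443

# Whitelisted HTTPS destinations, one domain per line in the file,
# e.g. ".google.com" (a leading dot matches the domain and its subdomains)
acl ssl_whitelist dstdomain "/etc/squid/ssl_whitelist.txt"

# Exception: one known site that serves HTTPS on a non-standard port
acl alt_ssl_sites dstdomain .example.net
acl alt_ssl_ports port 8443

# http_access lines are evaluated top-down; the first match wins.
# 1. Permit the single named exception before the port deny, otherwise
#    the next line would block it.
http_access allow CONNECT localnet alt_ssl_sites alt_ssl_ports
# 2. Refuse tunnels to anything other than 443: this is where P2P and
#    other tunnelling on arbitrary ports is dropped.
http_access deny CONNECT !SSL_ports
# 3. Even on 443, only whitelisted destinations may be tunnelled, so a
#    tunnel that merely uses port 443 is still refused.
http_access deny CONNECT !ssl_whitelist
# 4. Plain HTTP and the surviving (whitelisted) CONNECTs from the LAN
http_access allow localnet
http_access deny all
```

Refused tunnels show up in access.log as TCP_DENIED/403 entries for the CONNECT method with the host:port the client asked for, which is the DENY traffic the original poster is seeing; reviewing those destinations is how the whitelist gets extended.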
