On 6/18/07, Vadim Pushkin <wiskbroom@xxxxxxxxxxx> wrote:
> I've gone ahead and modified my squid.conf to prevent connections using the method CONNECT to just an allowed list, all via port 443 only.
Whitelisting is hard work, but effective when done right.
> I am seeing lots of DENY messages, mostly for webmail.*, mail.*; these include logins to Google mail as well.
These logged DENY events are probably all legitimate SSL/TLS sessions. CONNECT is used to proxy legitimate encrypted sessions, and also used by P2P (Limewire, Skype, etc) and tunneling and trojans to open up paths out of (and back in to) the network. Some of these "evil" uses of CONNECT run on TCP/443, and conversely, some legitimate HTTPS web sites run on seemingly arbitrary ports.
> My question is if I've opened myself up to an admin nightmare or am I being smart by preventing some really bad stuff into my network?
Yes, and yes -- you've opened yourself up to an admin nightmare, but you are also preventing some really bad stuff :)
> Has anyone else blocked CONNECT in a better way?
Well, you could expand your whitelist to include known webmail servers, online banking, and other "good" destinations, but that is an admin nightmare. Blue Coat just bought me lunch today, so I feel oddly compelled to mention that their ProxySG appliance can perform various levels of CONNECT enforcement and even offers SSL interception to inspect the contents of HTTPS sessions. There are other products in that same space, generally more expensive.

Kevin
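As an added example (not code from the thread), here is a small Python triage script for the "lots of DENY messages" problem: it reads Squid's native access.log, keeps only the CONNECT requests Squid denied, separates hostnames on port 443 (likely webmail, banking and other real HTTPS) from IP literals and off-port targets that deserve a closer look, and renders candidate `dstdomain` lines. The log lines are constructed, and the ACL name `allowed_connect` is an assumption.

```python
import re
from collections import Counter

# Squid native access.log layout (space separated):
#   time elapsed client code/status bytes method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/\d{3}\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+$"
)

# Constructed sample log, not taken from the thread (clients and IPs are made up).
SAMPLE_LOG = """\
1182182400.101    12 10.0.0.5 TCP_DENIED/403 1456 CONNECT mail.google.com:443 - NONE/- text/html
1182182401.202    10 10.0.0.5 TCP_DENIED/403 1456 CONNECT webmail.example.com:443 - NONE/- text/html
1182182402.303     9 10.0.0.7 TCP_DENIED/403 1456 CONNECT mail.google.com:443 - NONE/- text/html
1182182403.404   250 10.0.0.9 TCP_DENIED/403 1456 CONNECT 203.0.113.17:8443 - NONE/- text/html
1182182404.505  1200 10.0.0.5 TCP_MISS/200 5120 CONNECT bank.example.net:443 - DIRECT/198.51.100.4 -
1182182405.606    80 10.0.0.7 TCP_MISS/200 2210 GET http://www.example.com/ - DIRECT/198.51.100.9 text/html
"""

def parse_denied_connects(log_text):
    """Yield (client, host, port) for every CONNECT request Squid denied."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT" or not m["code"].startswith("TCP_DENIED"):
            continue
        host, sep, port = m["url"].rpartition(":")
        if not sep:  # CONNECT target without an explicit port
            host, port = m["url"], ""
        yield m["client"], host, int(port) if port.isdigit() else None

def triage(log_text, allowed_port=443):
    """Split denied CONNECT targets into whitelist candidates and a review list:
    hostnames on the allowed port are likely real HTTPS (webmail, banking), while
    IP literals and off-port targets are flagged, as tunnels and P2P often look so."""
    candidates, review = Counter(), Counter()
    for client, host, port in parse_denied_connects(log_text):
        is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
        if port == allowed_port and not is_ip:
            candidates[host] += 1
        else:
            review[(client, host, port)] += 1
    return candidates, review

def acl_lines(candidates, acl_name="allowed_connect", min_hits=2):
    """Render squid.conf dstdomain entries for hosts denied at least min_hits times."""
    return ["acl %s dstdomain %s" % (acl_name, host)
            for host, n in sorted(candidates.items()) if n >= min_hits]
```

The rendered lines are a starting point for the whitelist Kevin describes, to be reviewed by the admin before they go into squid.conf; the review list is where the off-port and IP-literal destinations end up.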