Search squid archive

Re: How Bad is CONNECT and Should I Prevent It?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 6/21/07, Chuck Kollars <ckollars9@xxxxxxxxx> wrote:
I think what we really need is just the much simpler
blacklist/whitelist capability. If we can
transparently intercept, and give a
thumbs-up/thumbs-down to every destination IP address
(perhaps after doing a reverse DNS lookup on it),
that's all we need.

No need to transparently intercept for this, and no need for new code.
Just configure the client to proxy SSL via Squid, and use the existing
ACLs to set the policy for the 'CONNECT' method, similar to what I
showed in a previous post in this thread.


In my experience, fingerprinting the type of traffic
turns out to not be very useful  ...after all the
difficulty of implementing it. Why?

Fingerprinting is relatively easy, but is not nearly as effective (or
invasive) as doing true MITM where you actually break the end-to-end
encryption to inspect the payload.


 1) There's "legitimate" traffic on 443 that's not web
traffic (for example LogMeIn or SSH). Forbidding
everything that's non-web is just shooting yourself in
the foot.

I strongly disagree:  LogMeIn and SSH-over-443 are illegitimate, and
should be forbidden in any environment with real security policy (that
is, anywhere except a public ISP).


 2) A big problem is https: proxies, as they're real
easy to use and will completely bypass all filters.
But they _do_ look like web traffic, so they couldn't
be forbidden by reasonable fingerprinting.

True.  That's where a blacklist/whitelist for general HTTPS traffic comes in.

Or better yet, use real MITM interception, and the https: proxies no
longer bypass your filters, since no SSL/TLS traffic can make it out
of your network alive.


Kevin

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux