Home page logo
/

basics logo Security Basics mailing list archives

RE: Avoiding tunnels
From: "Baker, Richard" <RBaker () stcbus com>
Date: Thu, 2 Mar 2006 13:27:16 -0600

 
I believe the Cisco PIX running v7.0 can enforce RFC Compliant http
protocol usage on port 80.... If I understand it right it means nothing
but standard http on port 80 can be mandated (no more p2p, ftp and
everything else tunneled on port 80).

Richard

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Thursday, March 02, 2006 12:13 PM
To: 'Javier Hijas'; security-basics () securityfocus com
Subject: RE: Avoiding tunnels

  Blue Coat's new "SG" appliance line are SSL proxies (with hardware
assist); one of their intended uses is as an SSL Man-in-the-Middle to
catch stuff trying to sneak in over 443.
(They already did 80 without the encryption hardware.)
  [They retain full proxy server functionality, or can be used as a
reverse proxy/SSL accelerator in front of your servers, too.]

David Gillett
 

-----Original Message-----
From: Javier Hijas [mailto:jhijas () germinus com]
Sent: Thursday, March 02, 2006 3:51 AM
To: security-basics () securityfocus com
Subject: Re: Avoiding tunnels

Thanks all, It's clear that to inspect http protocol I need an 
application level firewall. I know about netfilter add-ons and 
comercial firewalls like ISA and checkpoint (with "application 
intelligence" ;-) implementing this osi level inspection, but I see no

way to check ssl
traffic: opening navigation traffic for users means opening at least 
80 and 443 ports. I can open a ssh tunel troght 443 port even with 
"ssl inspection".

Access lists has no reason to be implemented when you deal with 
"shrewd"
users?


Ansgar -59cobalt- Wiechers wrote:
On 2006-02-28 Javier Hijas wrote:

 I wonder if there is a way to avoid tunnels via fw (v.g. 
netfilter).
How can I control that an opened port 80 is not used to
tunel to a ssh
server listening at port 80?


You need to filter on layer 7 instead of layer 3/4, e.g. by
proxying
the traffic.

Regards
Ansgar Wiechers


--------------------------------------------------------------
-------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich

University program offers unparalleled Infosec management education 
and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity 
Planning, Computer Emergency Response Teams, and Digital 
Investigations.

http://www.msia.norwich.edu/secfocus
--------------------------------------------------------------
-------------



------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]