Re: HTTP(S) tunnels used to violate firewall

From: Jim Harrison [MSFT] (jmharr_at_online.microsoft.com)
Date: 08/29/04


Date: Sun, 29 Aug 2004 08:53:06 -0700

The problem with many of these is that many of them are peer-peer setups, making destination filtering all but impossible.
The ones that do sit still can be blocked by using either black- or whitelist methods (your choice).

ISA 2000 can only block by destination if all web requests use the web proxy service, but ISA 2004 can block on destination
regardless.

-- 
 Jim Harrison [ISASE]
 Read the help, books and articles!
 This posting is provided "AS IS" with no warranties, and confers no rights.
"Daniel A. Murray (daniel.a.murray)" <daniel.a.murray(at)cox.net> wrote in message news:e4gOu5VjEHA.3348@TK2MSFTNGP12.phx.gbl...
> HTTP(s) tunnels seem to be getting a bit more popular, and as they are true
> tunnels, very difficult to intercept and block.  In the 'old' days of IPSEC
> tunnels, it was easy to block the required ports, but over 80 and 443,
> almost impossible, it seems, unless we get very draconian and either block
> all web traffic (a lot of which is required for legitimate business needs)
> or get into a white-list scenario which could get to be an administrative
> nightmare...
> Any thoughts on how to identify HTTP(S) tunnel traffic at the initial
> negotiation phase and dynamically block both source and destination IPs?
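An added example, not part of this thread or of ISA Server: a defender-side sketch of the two controls discussed above, a destination block/allow list and a check at the "initial negotiation phase" that the first client bytes after a CONNECT to port 443 actually look like a TLS ClientHello. The session records and byte strings below are constructed; a real proxy would feed its own log or inspection data into the same functions.

```python
# Added example (not from the thread): destination filtering plus a
# protocol-shape check on the first client payload of a CONNECT session.
from dataclasses import dataclass

TLS_HANDSHAKE_RECORD = 0x16   # TLS record type: handshake
TLS_CLIENT_HELLO = 0x01       # handshake message type: ClientHello

@dataclass
class ConnectSession:
    client_ip: str
    dest_host: str
    dest_port: int
    first_bytes: bytes   # first bytes the client sent after "200 Connection established"

def looks_like_client_hello(data: bytes) -> bool:
    """Rough check: record type 0x16, major version 0x03, minor 0x00..0x04,
    2-byte length, then handshake type 0x01.  Anything else on 443 is suspect."""
    if len(data) < 6:
        return False
    return (data[0] == TLS_HANDSHAKE_RECORD and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == TLS_CLIENT_HELLO)

def classify(session: ConnectSession, blocklist=frozenset(), allowlist=None):
    """Return (decision, reason).  allowlist=None means blacklist mode (the
    'your choice' between black- and whitelist in the reply above)."""
    host = session.dest_host.lower()
    if host in blocklist:
        return "block", "destination on blocklist"
    if allowlist is not None and host not in allowlist:
        return "block", "destination not on allowlist"
    if session.dest_port == 443 and not looks_like_client_hello(session.first_bytes):
        return "block", "non-TLS payload on 443 at negotiation"
    return "allow", "ok"

# Constructed sessions: a real TLS handshake, a tunnel speaking plain HTTP
# inside a 443 CONNECT, and a destination that is simply on the blocklist.
SESSIONS = [
    ConnectSession("10.0.0.5", "mail.example.com", 443,
                   b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ConnectSession("10.0.0.6", "relay.example.net", 443,
                   b"GET /tunnel?id=7 HTTP/1.1\r\nHost: relay\r\n"),
    ConnectSession("10.0.0.7", "tunnel-hub.example.org", 443,
                   b"\x16\x03\x03\x00\x80\x01\x00\x00\x7c\x03\x03"),
]
BLOCKLIST = frozenset({"tunnel-hub.example.org"})

def evaluate_all(sessions=SESSIONS, blocklist=BLOCKLIST, allowlist=None):
    """Map client IP to the (decision, reason) for its CONNECT session."""
    return {s.client_ip: classify(s, blocklist, allowlist) for s in sessions}

if __name__ == "__main__":
    for ip, (decision, reason) in evaluate_all().items():
        print(f"{ip}: {decision} ({reason})")
```

The protocol-shape check only catches tunnels that borrow port 443 without speaking TLS; a tunnel wrapped in real TLS to a fixed host passes it, which is why destination lists remain the fallback, and a peer-to-peer endpoint defeats both, as the reply notes.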

