Re: large campus network ... sugestions

Hello Roman,

Thanks for the clarification. Indeed, if an SSL tunnel is made through port 443, then anything could go in there, and it would be impossible to inspect. I don''t know of any Open Source or Free software that can solve this. Bluecoat does have this kind of product in appliances, which act as SSL ends, inspecting all traffic, and generating on the fly SSL certificates... Of course, they are not cheap at all... (maybe around $20.000 each).

Best regards,

Jonas.

On Dec 15, 2007 8:53 AM, Roman Medina-Heigl Hernandez <roman@rs-labs.com> wrote:
> Hi Jonas,
>
> I didn't explain well... L7 filtering is easily defeated by SSL-wrapping
> any TCP-service on 443 port so you can install a SSL'rized SSH or Squid
> server (for instance) on that port and use it to freely surf the net :)
> Your firewall will only see aparently-legit SSL connections to an
> aparently-legit destination port (443). Hacker win, admin loose :-)
>
> I repeat it: I don't know of any solution able to defeat this and would
> like to know if you have some idea to detect these more-or-less "advanced"
> bypass cases.
>
> Kind regards.
>
>
> Jonas Andradas escribió:
> > For Layer-7 filtering, you could check
> >
> > Application Layer Packet Classifier for Linux:
> > http://l7-filter.sourceforge.net/
> >
> > Kernel Iptables Layer 7: http://l7-filter.sourceforge.net/HOWTO-kernel
> >
>
> >
> >
> > On Dec 14, 2007 6:53 PM, Roman Medina-Heigl Hernandez <roman@rs-labs.com> wrote:
> >> Willi Mann escribió:
> >>
>
>
> >> If you want to permit HTTPS, you have to allow CONNECT to (at least)
> >> 443/tcp. So it's easy to tunnel through that port and get a "clean"
> >> internet connection.
> >>
> >> I don't know of any solution (level 7 filtering, etc) able to defeat this
> >> kind of tricks.
>
>
> --
>
> Saludos,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
>
Received on Sat Dec 15 09:47:59 2007