[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

block https tunnelling with squid

Posted on 2009-05-06
3
Medium Priority
?
2,915 Views
Last Modified: 2012-05-06
Hi, how can I block http & https Tunneling with squid? without stopping normal traffic.
Thanks
0
Comment
Question by:Dasdan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 19

Expert Comment

by:Mal Osborne
ID: 24322980
You can't.  HTTPs is encrypted, Squid therefore cannot tell what is in each packet. If you can identify a lot of HTTPs traffic going to a particular site, you could block it by IP.  Kinda cat & mouse game with your users though.
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24323401
Hi, nice subject

Some things to do :
1) when you know someone is using a https server to tunnel some traffic, you might just want to block its IP. But he'll use another one...

2) If your user is tunneling with SSH on a SSH server running on port 443 (to make squid think it's just allowed https traffic), you have to detect the so-called https server is a SSH server. Just telnet to its IP on port 443, you'll see it (except if your user has recompiled the ssh server to make it answer like a web server... or if he managed to detect it's not coming from him but from someone else and is thus redirecting traffic to a real https server - this guy would be really boring), see :
telnet my.ssh.server 443
Trying 88.x.y.z...
Connected to my.ssh.server.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-5

But again, you'll just have to block the IP.

3) depending on your company, you might remind everyone the rules of your company's internet access, particularily on tunneling stuff, for security concerns. He might stop, knowing he's being watched.

4) if it's a pure stunnel, I don't think you can detect anything. You'll just have some clues about the guy and then can discuss, see point 3

5) maybe an advanced sniffing technique might give the proof it's something tunneled... but what would be the cost of detecting this for every https traffic...

Just a tip: when someones uses internet a lot and just have a few CONNECT hits in squid's log, he's tunneling everything :) that might help analyzing the logs

GOOD LUCK
0
 

Accepted Solution

by:
Dasdan earned 0 total points
ID: 24351019
Hi I worked out a solution, I installed active wall from http://en.lanctrl.com/ on a dual interface pc put the interfaces in bridge mode and then setup the software to monitor one ip address from my proxy (the only ip allowed out on http/https).  In the filter section of the software it can detect https and http tunneling not sure how it does it, but it works.

A cheap solution to a sticky problem with a single ip licence only $25 and all I need to monitor is the proxy ip

Thanks for you help
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question