Solved

Block HTTPS uploads? TMG?

Posted on 2011-02-18
Last Modified: 2013-11-16
I need to block file uploads to protect confidential data leaving the company network.  I am looking for a firewall solution or some kind of monitoring software to do this.

I know MS Forefront TMG can do a man-in-the-middle attack; this could be used to block HTTPS uploads.

I was interested to know if there is any employee monitoring software that could do the job of monitoring and blocking HTTPS/HTTP file uploads.

Ideally a firewall that would limit the amount of uploaded HTTPS traffic (to avoid a man-in-the-middle attack).  For example, to 100Kb a minute before dropping the connection.  This solution should allow enough data for page requests but not file uploads (or at least not large amounts of data to be uploaded)?

I would also consider a hardware firewall instead of a software one.

Thanks,
James
Question by:James-Heard
17 Comments
 
LVL 6

Expert Comment

by:Bxoz
ID: 34924877
Web filtering with the upload category should work.
All the UTMs do that.
 

Author Comment

by:James-Heard
ID: 34924955
Hi Bxoz, I want to allow access to Gmail, for example, but only block file uploads (attachments) being sent with the email.  Blocking most file upload sites is easy, as they do not use HTTPS; however, those that do are harder, as you cannot inspect the data as easily.

As you cannot easily DPI to check whether a file is being uploaded instead of other data being sent, with a firewall in between the user and the server, I would like to know if any local firewalls or monitoring software could do this.  If you can give me some examples of software that does this, that would be good.

Alternatively, a firewall between the user and the server could DPI by using a man-in-the-middle attack, but I would rather not do this.  I would, however, be happy to limit the uploaded data to HTTPS sites to limit the risk of large amounts of data leaving the company.   I would like to know if this is a rule that could be set up in TMG and, if so, how?  Also, any suggestion of another firewall that would do as I ask and that is affordable would be good.
Thanks,
James
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 34930669
You are going to have a bit of a time with that. HTTPS uses SSL certificates that are verified (typically, but some do self-sign the certs), and there is little chance you will be able to detect the type of traffic, let alone detect a file upload, with the traffic being encrypted. You would have to insert a proxy of some sort in between your users and the gateway so you can decrypt the traffic. Then you would be able to detect the file uploads. I'm not sure if what you're asking to do is feasible, but I do understand your intent.

 
LVL 6

Expert Comment

by:Bxoz
ID: 34931964
I tried with my UTM to filter HTTP/S with a proxy. But blocking the categories P2P/File Sharing and Personal Network Storage does not block the upload on Gmail.

I keep searching
 

Author Comment

by:James-Heard
ID: 34934794
Thanks for the replies so far.  I know it is possible using a proxy/man-in-the-middle attack.  I even know how to set this up on some firewalls.  However, the issue with a man-in-the-middle attack is that some sites will detect it.

I am interested in trying to set up a firewall rule that will not look at the traffic type but instead limit the amount of encrypted traffic that can be uploaded per minute or second.  I know this still leaves a risk, but it is better than nothing.

I believe http://www.spector360.com will cover the monitoring of HTTPS uploads to email but not the blocking, if anyone else is interested.
Thanks
 
LVL 6

Assisted Solution

by:Bxoz
Bxoz earned 166 total points
ID: 34935092
You can take a look at Blue Coat Data Loss Prevention

http://www.bluecoat.com/products/data-loss-prevention

There is a video of the product http://www.bluecoat.com/flashnode/three-minutes-data-loss-prevention
 

Author Comment

by:James-Heard
ID: 35071659
As far as I can tell, their firewall would work along the lines of a man-in-the-middle attack.  I am currently looking at Trend DLP, which is meant to monitor HTTPS, though I assume through a man-in-the-middle attack; I will let you know more once I have spoken to them.
 
LVL 8

Accepted Solution

by:myramu
myramu earned 167 total points
ID: 35136108
Hello James,

You can try FortiGate devices, which support HTTPS, SMTPS, POP3S and IMAPS scanning (man in the middle). Using DLP and custom IPS signatures you can restrict the traffic.

Demo: www.fortigate.com (U: demo P: fortigate).

Good Luck!
 
LVL 4

Expert Comment

by:degaray
ID: 35163136
I am no expert at this, but I guess that for the time being you could restrict the amount of outbound bandwidth per server request. Let's say that a user wants to send a file of 200kb; then restrict that for HTTPS sites.
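Added illustration, not part of the thread and not a description of any TMG or vendor feature: the rule James asks for in the question and degaray's "restrict outbound bandwidth per request" both amount to a per-connection upload budget enforced without decrypting the TLS stream. The Python below simulates such a rule on constructed traffic. It assumes the question's "100Kb a min" means 100 KB per sliding 60-second window per TCP connection, counts only client-to-server bytes, and shows the three outcomes that matter: ordinary browsing passes, a streamed 2 MB attachment is cut off after a few TLS records, and a slow trickle tuned to stay under budget is not caught (the residual risk James accepts above).

```python
"""Per-connection upload budget for opaque (undecrypted) HTTPS traffic.

Constructed example: a forwarding proxy or firewall relays TLS bytes without
inspecting them and counts only the client->server direction per connection.
If more than BUDGET_BYTES are uploaded inside any sliding WINDOW_SECONDS, the
connection is dropped.  Assumption: the question's "100Kb a min" is read as
100 KB per minute.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple

BUDGET_BYTES = 100 * 1024
WINDOW_SECONDS = 60.0


@dataclass
class UploadBudget:
    """Sliding-window byte counter for one TCP connection."""
    budget: int = BUDGET_BYTES
    window: float = WINDOW_SECONDS
    _events: Deque[Tuple[float, int]] = field(default_factory=deque)
    _total: int = 0

    def allow(self, now: float, nbytes: int) -> bool:
        # Expire bytes that left the window before judging this chunk.
        while self._events and now - self._events[0][0] >= self.window:
            _, old = self._events.popleft()
            self._total -= old
        if self._total + nbytes > self.budget:
            return False  # caller drops the connection
        self._events.append((now, nbytes))
        self._total += nbytes
        return True


def first_drop(chunks: List[Tuple[float, int]],
               budget: int = BUDGET_BYTES,
               window: float = WINDOW_SECONDS) -> Optional[int]:
    """Replay (timestamp, client->server bytes) chunks for one connection.

    Returns the index of the chunk that would trigger the drop, or None if the
    whole stream stays within budget.
    """
    counter = UploadBudget(budget, window)
    for i, (ts, n) in enumerate(chunks):
        if not counter.allow(ts, n):
            return i
    return None


# Constructed traffic profiles (client->server bytes only, TLS overhead folded in).
# Ordinary browsing: a ~1 KB handshake, then sixty 600-byte requests over 30 s.
BROWSING = [(0.0, 1024)] + [(0.5 * k, 600) for k in range(1, 61)]
# A 2 MB attachment streamed as 128 TLS records of 16 KB in under four seconds.
ATTACHMENT = [(0.0, 1024)] + [(0.03 * k, 16 * 1024) for k in range(1, 129)]
# Slow exfiltration tuned to the rule: 90 KB once a minute, ten times.
TRICKLE = [(60.0 * k, 90 * 1024) for k in range(10)]


def evaluate() -> dict:
    """Which chunk, if any, gets each profile dropped."""
    return {
        "browsing": first_drop(BROWSING),      # None: 37 KB total, all allowed
        "attachment": first_drop(ATTACHMENT),  # 7: six records fit, the seventh exceeds 100 KB
        "trickle": first_drop(TRICKLE),        # None: each 90 KB burst sits in its own window
    }


if __name__ == "__main__":
    for name, idx in evaluate().items():
        verdict = "allowed" if idx is None else f"dropped at chunk {idx}"
        print(f"{name:10s} -> {verdict}")
```

The rule needs no certificate and cannot be detected by the remote site, which is the property James wants; the price is visible in the third profile, where anyone willing to wait ten minutes moves 900 KB past it, and in the fact that a large legitimate POST (a long web form, a web-based upload the business does want) is indistinguishable from an attachment.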
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 35182670
One thing I thought you could do is, with a proxy, set up a script to specifically intercept the code that allows uploads of attachments. So, whenever that line of code is being sent to one of your users, the proxy will strip the code out so the end user doesn't see it.


Possibilities to filter on:

window.attachEvent
https://mail-attachment.googleusercontent.com/attachment?
 

Author Comment

by:James-Heard
ID: 35182747
Hi Pand0ra,
I like the sound of that solution.  How hard/easy would it be to find these events for most of the commonly used mail sites?

Hi Degaray,
Indeed that is a possibility for me.  I am not sure how easy that would be to set up though, with a proxy or software firewall?

Thanks for all your suggestions/help so far, everyone.  Once I have an answer I will of course share the points out for all the solutions that could have worked, not just the one that I decide to go with.  One solution I am currently looking at is Trend DLP.  Has anyone used this Trend product and have any idea if it is any good?

Thanks,
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 35182878
Hummm..... Trend Micro might be able to assist in some things, but I'm not sure it can prevent the upload of files to Gmail (at least not by default; it may be done through customization, and you should ask them about it). As for my suggestion, you should be able to do it on a proxy with a regex or whatever the proxy uses for configuring custom rules. You might also be able to filter some of it via DNS (127.0.0.1 mail-attachment.googleusercontent.com), though I have not tested this.
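Added example to make pand0ra_usa's two suggestions concrete: a request filter that refuses the attachment host named above (the central equivalent of the hosts-file entry), and a response filter that strips the upload hooks from pages before the browser sees them. This is constructed Python, not a rule set for any named proxy or TMG; the HTML it filters is invented for the demonstration and is not Gmail's real markup, and the `<input type="file">` pattern is an added assumption about where an upload control would appear alongside the `window.attachEvent` hook mentioned in the thread.

```python
"""Proxy-side upload filters sketched in the thread, as a constructed example.

1. request_allowed(): refuse requests to the attachment host (the same effect
   as the hosts-file entry 127.0.0.1 mail-attachment.googleusercontent.com,
   but enforced centrally and independent of the client's resolver).
2. filter_response(): rewrite HTML/JavaScript served to the user so that the
   upload hooks are removed before the browser sees them.

The markup below is invented for this demonstration and is not Gmail's real
code; the regexes are examples of the kind of rule a proxy would take.
"""
import re
from urllib.parse import urlsplit

# Hosts whose requests are refused outright (suffix match covers subdomains).
BLOCKED_HOST_SUFFIXES = ("mail-attachment.googleusercontent.com",)

# Response content types that are text we are willing to rewrite.
REWRITABLE_TYPES = ("text/html", "text/javascript", "application/javascript")

STRIP_PATTERNS = [
    # Any <input type="file" ...> control, regardless of attribute order.
    re.compile(r'<input\b[^>]*\btype\s*=\s*["\']?file["\']?[^>]*>', re.I),
    # A window.attachEvent(...) statement on a line of its own (assumption for
    # this sample: one statement per line; minified JS needs a JS-aware filter).
    re.compile(r'^[ \t]*window\.attachEvent\s*\(.*?\)\s*;?[ \t]*$', re.I | re.M),
]


def request_allowed(url: str) -> bool:
    """Host match with a leading dot so 'notmail-attachment...' is not caught."""
    host = (urlsplit(url).hostname or "").lower()
    return not any(host == s or host.endswith("." + s) for s in BLOCKED_HOST_SUFFIXES)


def filter_response(content_type: str, body: str) -> str:
    """Strip upload hooks from text responses; pass everything else untouched."""
    if not content_type.lower().startswith(REWRITABLE_TYPES):
        return body
    for pat in STRIP_PATTERNS:
        body = pat.sub("", body)
    return body  # a real proxy must also recompute Content-Length


# Constructed page: a compose form with an attachment control and a legacy
# IE-style attachEvent hook that wires up the uploader.
SAMPLE_HTML = """<html><body>
<form action="/send" method="post" enctype="multipart/form-data">
  <textarea name="body"></textarea>
  <input type="file" name="attachment" id="att">
  <input type="submit" value="Send">
</form>
<script>
window.attachEvent("onload", function () { initUploader("att"); });
</script>
</body></html>"""


def demo() -> dict:
    filtered = filter_response("text/html; charset=utf-8", SAMPLE_HTML)
    return {
        "attachment_host_blocked": not request_allowed(
            "https://mail-attachment.googleusercontent.com/attachment?view=att&th=1"),
        "mailbox_still_allowed": request_allowed("https://mail.google.com/mail/u/0/"),
        "file_input_removed": 'type="file"' not in filtered,
        "attach_event_removed": "attachEvent" not in filtered,
        "send_button_kept": 'type="submit"' in filtered,
        "binary_untouched": filter_response("image/png", SAMPLE_HTML) == SAMPLE_HTML,
    }
```

Both filters operate on plaintext, so over HTTPS they presuppose the TLS-terminating proxy the thread has already discussed; the DNS-style host block is the only part that works without it, and then only as long as the browser goes to that host for uploads. Stripping client-side code is a UI-level control: a user who posts the multipart request by other means never sees the stripped page, so the request filter on the upload endpoint is what actually stops the upload.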
 
LVL 10

Assisted Solution

by:pand0ra_usa
pand0ra_usa earned 167 total points
ID: 35183009
Actually, their endpoint solution might work. You may also want to start pushing to have your documents classified if you haven't already (sensitive, secret, public, etc.). That will help you down the road if you decide to go with a paid product.
 
LVL 8

Expert Comment

by:myramu
ID: 35188406
Hello James,

I am not sure about Trend. In our organization we use FortiGate, and I am able to achieve this very easily using the additional feature called "DLP document fingerprinting", which was introduced recently.

We just need to copy the documents which are to be protected to a shared folder.

I tested only on HTTP traffic and it is working very well (HTTPS scanning is not allowed in our organization).

I hope this may help you.

Cheers!
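Added example of the mechanism behind document fingerprinting as myramu describes it (protected documents are copied to a folder; the gateway matches outbound content against them). This is constructed Python showing the idea with hashed word 5-grams and an inverted index; it is not FortiGate's implementation, and the document, the messages and the 0.3 threshold are invented for the demonstration.

```python
"""Document fingerprinting for outbound content, as a constructed example.

Mechanism in the spirit of the DLP feature described above, not FortiGate's
implementation: every protected document is reduced to a set of hashed word
k-grams ("shingles"); an outbound body is shingled the same way and flagged
when a large enough fraction of its shingles belongs to one protected file.
Documents and messages below are invented for the demonstration.
"""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

K = 5  # words per shingle (assumption for this example)


def tokens(text: str) -> List[str]:
    """Case-fold and keep only alphanumeric runs so trivial reformatting
    (casing, punctuation, line breaks) does not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = K) -> Set[int]:
    words = tokens(text)
    out: Set[int] = set()
    for i in range(len(words) - k + 1):
        gram = " ".join(words[i:i + k]).encode()
        out.add(int.from_bytes(hashlib.sha256(gram).digest()[:8], "big"))
    return out


class FingerprintIndex:
    """Inverted index: shingle hash -> names of protected documents containing it."""

    def __init__(self) -> None:
        self._index: Dict[int, Set[str]] = {}

    def add_document(self, name: str, text: str) -> None:
        for h in shingles(text):
            self._index.setdefault(h, set()).add(name)

    def scan(self, body: str, threshold: float = 0.3) -> Tuple[Optional[str], float]:
        """Return (matched document, fraction of the body's shingles found in it).

        The first element is None when nothing reaches the threshold, so a
        gateway can block on `doc is not None` and log the score either way.
        """
        fp = shingles(body)
        if not fp:
            return None, 0.0
        hits: Dict[str, int] = {}
        for h in fp:
            for name in self._index.get(h, ()):
                hits[name] = hits.get(name, 0) + 1
        if not hits:
            return None, 0.0
        best = max(hits, key=hits.get)
        score = hits[best] / len(fp)
        return (best if score >= threshold else None), score


# Constructed protected document dropped in the "shared folder".
PROTECTED_DOC = (
    "Project Falcon pricing schedule. Unit cost for the Falcon controller is "
    "412 dollars per unit at volumes above ten thousand. Margin target for the "
    "fiscal year is thirty one percent. Do not distribute outside the finance team."
)

# Constructed outbound bodies: one pastes a sentence from the document
# verbatim, the other is ordinary chatter.
LEAKING_BODY = (
    "Hi, see below:\n\nUnit cost for the Falcon controller is 412 dollars per "
    "unit at volumes above ten thousand."
)
BENIGN_BODY = "Hi team, lunch at noon tomorrow? Please reply if you can make it."

INDEX = FingerprintIndex()
INDEX.add_document("falcon_pricing.docx", PROTECTED_DOC)


def scan_samples() -> Dict[str, Tuple[Optional[str], float]]:
    """Leaking body: 12 of its 15 shingles are in the document (score 0.8).
    Benign body: no shingle matches (score 0.0)."""
    return {"leaking": INDEX.scan(LEAKING_BODY), "benign": INDEX.scan(BENIGN_BODY)}
```

Because the match is on hashed k-grams rather than keywords, a copied paragraph scores high even after casing and punctuation changes, while a message that merely shares vocabulary scores near zero. The scan works on plaintext, which is why myramu could only test it on HTTP; over HTTPS it again presupposes interception, and a user who zips or encrypts the file before attaching it gives the fingerprinter nothing to match.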
 

Author Closing Comment

by:James-Heard
ID: 35414604
None of the answers actually fully provided what I want: scanning of uploads of attachments to HTTPS sites without a man-in-the-middle attack.  However, users did provide possibly good solutions that still require a man-in-the-middle attack.  Trend still looks like a good option, but I would need more information before deciding if it is viable.
