Solved

Block HTTPS uploads? TMG?

Posted on 2011-02-18
Last Modified: 2013-11-16
I need to block file uploads to protect confidential data leaving the company network.  I am looking for a firewall solution or some kind of monitoring software to do this.

I know MS Forefront TMG can do a man in the middle attack; this could be used to block https uploads.

I was interested whether there is any employee monitoring software that could do the job of monitoring and blocking https/http file uploads.

Ideally a firewall that would limit the amount of uploaded https traffic (to avoid man in the middle attack).  For example to 100Kb a min before dropping the connection.  This solution should allow enough data for page requests but not file uploads (or at least not a large amount of data to be uploaded)?

I would also consider a hardware firewall, instead of a software one.

Thanks,
James
0
Question by:James-Heard
17 Comments
 
LVL 6

Expert Comment

by:Bxoz
ID: 34924877
Web filtering with the upload category should work.
All the UTMs do that.
0
 

Author Comment

by:James-Heard
ID: 34924955
Hi Bxoz, I want to allow access to gmail for example but only block file uploads (attachments) being sent with the email.  Blocking most file upload sites is easy as they do not use https; however, those that do are harder as you can not inspect the data as easily.

As you can not easily DPI to check if a file is being uploaded instead of other data being sent with a firewall in between the user and the server, I would like to know if any local firewalls or monitoring software could do this.  If you can give me some examples of software that does this that would be good.

Alternatively a firewall between the user and the server could DPI by using a man in the middle attack but I would rather not do this.  I would however be happy to limit the uploaded data to https sites to limit the risk of large amounts of data leaving the company.   I would like to know if this is a rule that could be set up in TMG and if so how?  Also any suggestion of another firewall that would do as I ask that is affordable would be good.
Thanks,
James
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 34930669
You are going to have a bit of a time with that. HTTPS uses SSL certificates that are verified (typically, but some do self sign the certs) and there is little chance you will be able to detect the type of traffic, let alone detect a file upload, with the traffic being encrypted. You would have to insert a proxy of some sort in between your users and the gateway so you can decrypt the traffic. Then you would be able to detect the file uploads. I'm not sure if what you're asking to do is feasible but I do understand your intent.

0
 
LVL 6

Expert Comment

by:Bxoz
ID: 34931964
I tried with my UTM to filter HTTP/S with a proxy. But blocking the P2P/File Sharing and Personal Network Storage categories isn't blocking the upload on gmail.

I keep searching
0
 

Author Comment

by:James-Heard
ID: 34934794
Thanks for the replies so far.  I know it is possible using a proxy/man in the middle attack.  I even know how to set this up on some firewalls.  However the issue with man in the middle attack is some sites will detect it.  

I am interested in trying to set up a firewall rule that will not look at the traffic type but instead limit the amount of encrypted traffic that can be uploaded per min or second.  I know this still leaves a risk but is better than nothing.

I believe http://www.spector360.com will cover the monitoring of https uploads to email but not the blocking if anyone else is interested.
Thanks
0
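The volume-based rule described in the comment above (cap the encrypted bytes a client uploads per minute, without decrypting anything) can be prototyped as a detection over firewall flow records. This is an added example, not part of the original thread; the record layout, addresses and the function name `find_upload_bursts` are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict, deque

LIMIT_BYTES = 100 * 1024  # assumed reading of the "100Kb a min" figure in the question
WINDOW_SECS = 60

# Constructed flow records, as a firewall or NetFlow export might provide them:
# (epoch_seconds, client_ip, server_ip, dst_port, bytes_client_to_server)
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "203.0.113.10",  443, 4000),    # page requests
    (20,  "10.0.0.5", "203.0.113.10",  443, 6000),
    (50,  "10.0.0.7", "198.51.100.20", 443, 60000),   # upload split across
    (70,  "10.0.0.7", "198.51.100.20", 443, 60000),   # a minute boundary
    (75,  "10.0.0.9", "198.51.100.20", 80,  500000),  # plain HTTP, out of scope here
    (130, "10.0.0.7", "198.51.100.20", 443, 3000),    # earlier burst has aged out
]

def find_upload_bursts(flows, limit=LIMIT_BYTES, window=WINDOW_SECS, port=443):
    """Return (ts, client, server, bytes_in_window) for every record that pushes
    a client/server pair over `limit` upload bytes within the last `window` seconds.
    Only byte counts are used, so no TLS decryption is involved."""
    recent = defaultdict(deque)   # (client, server) -> deque of (ts, bytes)
    running = defaultdict(int)    # (client, server) -> bytes currently in window
    alerts = []
    for ts, client, server, dport, sent in sorted(flows):
        if dport != port:
            continue
        key = (client, server)
        q = recent[key]
        q.append((ts, sent))
        running[key] += sent
        # Sliding window: drop records older than `window` seconds. Fixed
        # per-minute buckets would miss the 50 s / 70 s pair in SAMPLE_FLOWS.
        while q and q[0][0] <= ts - window:
            running[key] -= q.popleft()[1]
        if running[key] > limit:
            alerts.append((ts, client, server, running[key]))
    return alerts

if __name__ == "__main__":
    for ts, client, server, total in find_upload_bursts(SAMPLE_FLOWS):
        print(f"t={ts}s {client} -> {server}:443 sent {total} bytes in {WINDOW_SECS}s")
```

Running it over historical flow logs first shows how many legitimate sessions a given limit would have cut off before the rule is enforced.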
 
LVL 6

Assisted Solution

by:Bxoz
Bxoz earned 166 total points
ID: 34935092
You can take a look at the Blue Coat Data Loss Prevention

http://www.bluecoat.com/products/data-loss-prevention

There is a video of the product http://www.bluecoat.com/flashnode/three-minutes-data-loss-prevention
0
 

Author Comment

by:James-Heard
ID: 35071659
As far as I can tell their firewall would work along the lines of a man in the middle attack.  I am currently looking at Trend DLP that is meant to monitor https, but I assume through a man in the middle attack; I will let you know more once I have spoken to them.
0
 
LVL 8

Accepted Solution

by:myramu
myramu earned 167 total points
ID: 35136108
Hello James,

You can try FortiGate devices, which support https, smtps, pop3s and imaps scanning (Man in the middle). Using DLP and custom IPS signatures you can restrict the traffic.

Demo: www.fortigate.com (U: demo P: fortigate).

Good Luck!
0
 
LVL 4

Expert Comment

by:degaray
ID: 35163136
I am no expert at this but I guess that for the time being you could restrict the amount of outbound bandwidth per server request. Let's say that a user wants to send a file of 200kb, then restrict so for https sites.
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 35182670
One thing I thought you can do is, with a proxy, set up a script to specifically intercept the code that allows uploads of attachments. So, whenever that line of code is being sent to one of your users the proxy will strip the code out so the end user doesn't see it.


Possibilities to filter on:

window.attachEvent
https://mail-attachment.googleusercontent.com/attachment?
0
 

Author Comment

by:James-Heard
ID: 35182747
Hi Pand0ra,
I like the sound of that solution; how hard/easy would it be to find these events for most of the commonly used mail sites?

Hi Degaray,
Indeed that is a possibility for me.  I am not sure how easy that would be to set up though, with a proxy or software firewall?

Thanks for all your suggestions/help so far everyone.  Once I have an answer I will of course share the points out for all the solutions that could have worked, not just the one that I decide to go with.  One solution I am currently looking at is Trend DLP.  Has anyone used this Trend product and have any idea if it is any good?

Thanks,
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 35182878
Hummm..... Trend Micro might be able to assist in some things but I'm not sure it can prevent the upload of files to gmail (at least not by default; it may be done through customization and you should ask them about it). As for my suggestion, you should be able to do it on a proxy with a regex expression or whatever the proxy uses for configuring custom rules. You might also be able to filter some of it via DNS (127.0.0.1 mail-attachment.googleusercontent.com), though I have not tested this.
0
 
LVL 10

Assisted Solution

by:pand0ra_usa
pand0ra_usa earned 167 total points
ID: 35183009
Actually, their endpoint solution might work. You may also want to start pushing to have your documents classified if you haven't already (sensitive, secret, public, etc). That will help you down the road if you decide to go with a paid product.
0
 
LVL 8

Expert Comment

by:myramu
ID: 35188406
Hello James,

I am not sure about Trend. In our organization we use FortiGate and I am able to achieve this very easily using the additional feature called "DLP document fingerprinting", which was introduced recently.

We just need to copy the documents which are to be protected to a shared folder.

I tested only on http traffic and it is working very well (https scanning is not allowed in our organization).

I hope this may help you.

Cheers!
0
 

Author Closing Comment

by:James-Heard
ID: 35414604
None of the answers actually fully provided what I want: scanning of uploads of attachments to https sites without a man in the middle attack.  However users did provide possible good solutions that still require a man in the middle attack.  Trend still looks like a good option but I would need more information before deciding if it is viable.
0
