
HTTP,HTTPS tunnel tool

Dear,

My company uses MWG 7.0 for URL filtering. But when some users use an HTTP tunnel tool (e.g. fgate.exe, ultrasurf.exe, ...), they can access web sites which are blocked by policy.

Please tell me a solution for blocking the tunnel tools.

Thanks

McAfee Employee

Re: HTTP,HTTPS tunnel tool

Hi,

generally a tunnel through a proxy is indicated as a CONNECT request, see 9.9 on http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html.

A rule in MWG for tunnels over port 80, which are VERY uncommon, can look like:

If Command.Name equals CONNECT (
     If URL.Port equals 80
)
then
BLOCK

For ultrasurf and others, I suggest to use SSL Scanner. SSL Scanner will

  • block access to unwanted ssl ports
  • detect that a handshake can't be fulfilled
  • will block the traffic

If you don't use SSL Scanner, URL Filtering is a solution. I just traced ultrasurf and found that it does CONNECT to IP rather than names.

In an explicit proxy only deployment you could simply disallow CONNECTs to IPs. In a transparent deployment ALL CONNECTs will be to IPs, so be careful there!!

If Command.Name equals CONNECT (
     If URL.Port equals 443
     AND
     If URL matches regex(^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
)
then
BLOCK

Sample rule is attached.

Important: You might need to whitelist several servers when blocking CONNECTs to IPs.

best,

Michael

Message was edited by: Michael Schneider on 19/08/2010 09:57:32 CEST
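The two rules in the reply above, as an added example that is not part of the original post and not MWG's own rule engine: a small Python evaluator that applies "CONNECT on port 80 -> BLOCK" and "CONNECT to a bare IP on port 443 -> BLOCK unless whitelisted" to proxy request lines, and skips the IP rule in transparent mode, where every CONNECT target is an IP anyway. The request lines, the IP addresses and the whitelist are constructed sample data; the end-of-string anchor on the regex is my addition.

```python
import re
from typing import Iterable, List, Tuple

# Dotted-quad pattern from the reply, anchored at both ends here (assumption)
# so that a hostname with a numeric prefix cannot be mistaken for an IP literal.
IP_LITERAL = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")

# Constructed sample proxy requests (method, target); addresses are documentation ranges.
SAMPLE_REQUESTS = [
    ("CONNECT", "203.0.113.10:443"),      # tunnel to a bare IP on 443
    ("CONNECT", "www.example.com:443"),   # normal TLS to a hostname
    ("CONNECT", "198.51.100.7:80"),       # tunnel over port 80
    ("CONNECT", "192.0.2.20:443"),        # bare IP, but whitelisted below
    ("GET", "http://www.example.com/"),   # plain HTTP request, no tunnel
]

# Constructed whitelist of servers that legitimately get CONNECTs by IP.
WHITELIST = {"192.0.2.20"}


def split_target(target: str) -> Tuple[str, int]:
    """Split an authority-form CONNECT target 'host:port' into (host, port).

    A target without a numeric port defaults to 443, the usual CONNECT port.
    """
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target, 443
    return host, int(port)


def evaluate(method: str, target: str, transparent: bool = False,
             whitelist: Iterable[str] = ()) -> str:
    """Return 'BLOCK' or 'ALLOW' for one request, mirroring the two rules."""
    if method.upper() != "CONNECT":
        return "ALLOW"  # only tunnels are in scope for these rules
    host, port = split_target(target)

    # Rule 1: a tunnel over port 80 is very uncommon and is blocked outright.
    if port == 80:
        return "BLOCK"

    # Rule 2: CONNECT on 443 to a bare IP is blocked, except for whitelisted servers.
    # In a transparent deployment every CONNECT is to an IP, so the rule is skipped
    # there rather than blocking all TLS traffic.
    if port == 443 and not transparent and IP_LITERAL.match(host):
        return "ALLOW" if host in set(whitelist) else "BLOCK"

    return "ALLOW"


def evaluate_all(requests: Iterable[Tuple[str, str]], transparent: bool = False,
                 whitelist: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of (method, target) pairs; returns (method, target, decision)."""
    wl = set(whitelist)
    return [(m, t, evaluate(m, t, transparent, wl)) for m, t in requests]


if __name__ == "__main__":
    for method, target, decision in evaluate_all(SAMPLE_REQUESTS, whitelist=WHITELIST):
        print(f"{decision:5} {method} {target}")
```

Running it prints BLOCK for the two tunnel lines and ALLOW for the rest; passing transparent=True turns the 203.0.113.10 line into ALLOW, which is exactly the caveat in the reply about transparent deployments.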
smalldog
Level 12

Re: HTTP,HTTPS tunnel tool

Hi All, I cannot block ultrasurf, skype, bittorrent with this rule. I'm using transparent bridge mode. Any ideas? Thanks!
