dkalmaz
Level 7

MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown

Is there any way to control all tunneling applications, including sslvpn and, other than the known ones (ktunnel, vtunnel), self-prepared (Linux SSL terminals) tunneling traffic and applications?

We want to write a rule that allows only web traffic (for example google.com, mcafee.com) and not any other application/tunneling.

Message was edited by: dkalmaz on 6/27/12 4:57:29 AM CDT

Message was edited by: dkalmaz on 6/27/12 4:58:05 AM CDT
0 Kudos
4 Replies
McAfee Employee

Re: MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown

Hello,

Essentially, HTTP tunneling is using CONNECT on a proxy port. MWG uses this command to identify a tunnel and use SSL Scanner! In case SSL Scanner is triggered and enabled, the majority of applications will simply fail, as they often use encryption. In case MWG is intercepting the connection, the key exchange won't be successful, as the keys used for identifying the parties won't be the expected ones, as they are created by MWG. Therefore the application will fail and the tunnel will be stopped.

You can of course create a list of all applications, enable SSL Scanner and then have a rule that says: If Application.Name is not in list All Applications, Block.

This will stop all unknown applications.

Michael

0 Kudos
dkalmaz
Level 7

Re: MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown

mwg.JPG

SSL inspection is on, not blocking

[03/Jul/2012:11:07:49 +0300] "" 10.x.x.x 500 "GET https://37.155.177.16/ HTTP/1.1" "" "-" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" ""

[03/Jul/2012:11:07:49 +0300] "" 10.x.x.x 500 "GET https://37.155.177.x/ HTTP/1.1" "" "-" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" ""

[03/Jul/2012:11:07:51 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:07:53 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:07:54 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:08:02 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:08:09 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:08:30 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:08:39 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:08:40 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:08:49 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:08:59 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:09:40 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:09:40 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:09:40 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:09:45 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:10:22 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

[03/Jul/2012:11:10:22 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

0 Kudos
dkalmaz
Level 7

Re: MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown

Blocking all unknown applications, and the result: this is not working either.

There has to be a way to distinguish normal HTTP web traffic from other apps running through HTTP.

block_all.JPG

Message was edited by: dkalmaz on 7/3/12 3:43:21 AM CDT

Message was edited by: dkalmaz on 7/3/12 3:43:40 AM CDT
0 Kudos
asabban
Level 17

Re: MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown

Hello,

in the log you posted above there is a rule "Test - Allow - Stop cycle" that seems to allow the traffic. Is that what you wanted to do?

Probably you can tell us how you try to tunnel through MWG and we can have a look to find suitable rules for you. Please also provide some additional information about your requirements.

Best,

andre

0 Kudos
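Added example, not part of the thread and not McAfee tooling: a Python script that makes the check raised in the last reply repeatable by parsing access-log lines of the shape posted above and reporting which rule let CONNECT requests to bare IP addresses through, together with the distinct user agents involved. The field positions (including the rule name in the last quoted field) are assumptions read from the posted lines, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the lines posted above (documentation-range
# addresses). Field positions, including the rule name in the last quoted
# field, are assumptions read off those lines.
SAMPLE_LOG = '''\
[03/Jul/2012:11:07:49 +0300] "" 10.0.0.5 500 "GET https://203.0.113.16/ HTTP/1.1" "" "-" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0)" "" "0" ""
[03/Jul/2012:11:07:51 +0300] "" 10.0.0.5 200 "CONNECT 203.0.113.16:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0)" "" "0" "Test - Allow - Stop cycle"
[03/Jul/2012:11:08:39 +0300] "" 10.0.0.5 200 "CONNECT 203.0.113.16:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"
[03/Jul/2012:11:09:02 +0300] "" 10.0.0.7 200 "CONNECT www.example.com:443 HTTP/1.1" "" "Minimal Risk" "" 0 "Mozilla/5.0" "" "0" ""
'''

TOKEN = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')  # [bracketed] | "quoted" | bare

def parse_line(line):
    """Return the fields of interest from one log line, or None if malformed."""
    f = [m.group(m.lastindex) for m in TOKEN.finditer(line)]
    if len(f) != 13:
        return None
    method, target = (f[4].split() + ["", ""])[:2]
    return {"src": f[2], "status": f[3], "method": method, "target": target,
            "agent": f[9], "rule": f[12]}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def allowed_ip_tunnels(log_text):
    """Group allowed CONNECTs to bare IP addresses by (client, target, rule)."""
    hits = defaultdict(lambda: {"count": 0, "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT" or rec["status"] != "200":
            continue
        if is_ip_literal(rec["target"].rsplit(":", 1)[0]):
            key = (rec["src"], rec["target"], rec["rule"])
            hits[key]["count"] += 1
            hits[key]["agents"].add(rec["agent"])
    return dict(hits)

if __name__ == "__main__":
    for (src, target, rule), h in allowed_ip_tunnels(SAMPLE_LOG).items():
        print(src, target, repr(rule), h["count"], sorted(h["agents"]))
```

A rule name that appears against every flagged tunnel is the first place to look in the rule set, since a rule that stops the cycle before the SSL Scanner or application rules run means those rules never evaluate the request.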