4 Replies Latest reply on Jul 24, 2012 4:51 AM by asabban

    MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown

    dkalmaz

      Is there any way to control all tunneling applications, including SSL VPN and, other than the known ones (ktunnel, vtunnel), self-prepared (Linux SSL terminals) tunneling traffic and applications?

       

      We want to write a rule that allows only web traffic (e.g. google.com, mcafee.com) and not any other application/tunneling.

       

        • 1. Re: MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown
          michael_schneider

          Hello,

           

          Essentially, HTTP tunneling is using CONNECT on a proxy port. MWG uses this command to identify a tunnel and use SSL Scanner! In case SSL Scanner is triggered and enabled, the majority of applications will simply fail, as they often use encryption. In case MWG is intercepting the connection, the key exchange won't be successful, as the keys used for identifying the parties won't be the expected ones, as they are created by MWG. Therefore the application will fail and the tunnel will be stopped.

           

          You can of course create a list of all applications, enable SSL Scanner and then have a rule that says: If Application.Name is not in list All Applications, Block.

           

          This will stop all unknown applications.

           

          Michael

          • 2. Re: MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown
            dkalmaz

            mwg.JPG

             

            SSL inspection is on, not blocking

             

             

             

            [03/Jul/2012:11:07:49 +0300] "" 10.x.x.x 500 "GET https://37.155.177.16/ HTTP/1.1" "" "-" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" ""

            [03/Jul/2012:11:07:49 +0300] "" 10.x.x.x 500 "GET https://37.155.177.x/ HTTP/1.1" "" "-" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" ""

            [03/Jul/2012:11:07:51 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:07:53 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:07:54 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:08:02 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:08:09 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:08:30 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:08:39 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:08:40 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:08:49 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:08:59 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_05" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:09:40 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:09:40 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:09:40 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:09:45 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:10:22 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            [03/Jul/2012:11:10:22 +0300] "" 10.x.x.x 200 "CONNECT 37.155.177.x:443 HTTP/1.1" "" "Unverified" "" 0 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET CLR 1.1.4322)" "" "0" "Test - Allow - Stop cycle"

            • 3. Re: MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown
              dkalmaz

              Blocking all unknown applications, and the result: this is not working either.

               

              There has to be a way to distinguish normal HTTP web traffic from other apps running through HTTP.

               

               

              block_all.JPG

               

              • 4. Re: MWG 7.2 - Any way to block http&https tunneling , (application control) block all applications that are unknown
                asabban

                Hello,

                 

                in the log you posted above there is a rule "Test - Allow - Stop cycle" that seems to allow the traffic. Is that what you wanted to do?

                 

                Probably you can tell us how you try to tunnel through MWG and we can have a look to find suitable rules for you. Please also provide some additional information about your requirements.

                 

                Best,

                andre