Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 16 replies
  • Subscribers 1 subscriber
  • Views 10808 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Users bypassing content filtering and virus scanning using PuTTY

FN-Eagle
I’m still using version 6 but have a problem with users tunnelling connection via SSL and bypassing content filtering and virus scanning. ASL is configured like this:
HTTP Proxy (allowed target services HTTPS), user authentication, surf protection on, virus scanning on.

I discovered that internal users bypassing the security architecture while using PuTTY. They have a squid proxy server and SSH server running at home. They are using PuTTY from the internal network to tunnel a connection via SSL to their Squid box at home. All traffic goes out without content and virus checks via SSL.

Do I have a change to block this traffic? How to configure ASL to stop the users?


This thread was automatically locked due to age.
Parents
  • 0
    I am trying to remember my v6.x stuff.

    I think you would need to put everything through a profile and specifically block the site in the blacklist. They have either fixed IP or a domain name from dyns to locate their home box.



    Ian M
  • 0 in reply to RFCat_vk_01
    if they are tunneling ssh you can't do any kind of filtering on it as ssh is encrypted.  The best you can try is ips filtering the protocol..the best thing is to make a policy saying that behavior is against policy and make the consequences harsh and then ENFORCE them.  After a couple of folks either get fired or have their computers pulled that behavior will stop right quick.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    " .... The best you can try is ips filtering the protocol..the best ...."

    Thanks for the suggestions. Who is already using the IDS to block this traffic?  Can I write my own rule?
    Does somebody have other experiences?
  • 0 in reply to FN-Eagle
    If you are using Version 7, you're out of luck (can't add a custom rule as of yet) ... if you're using Version 6.x, check out http://www.bleedingsnort.com ... they may have a rule there that you can add to your custom IPS rule list in Webadmin.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Hello,

    Can you not block port 80/443 in the firewall rules?  This should stop users accessing these ports via SSH.  I haven't experienced the issue first hand to know if this will resolve the issue.

    Cheers,

    Gary
Reply Children
No Data