OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: nycaleksey on July 08, 2019, 03:08:10 pm

Title: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: nycaleksey on July 08, 2019, 03:08:10 pm
Hi,

One of the networks I administer has a requirement to try and prevent tunneling out. I know that it is impossible to do reliably, but there must be some "best effort" solutions. This net has all ports besides 80 and 443 blocked for connecting out. I can't require everyone on the inside to use web proxy, so forcing everyone through the proxy is not an option.

Does anyone know of a plugin or an easily scripted solution that would terminate "suspicious" TLS sessions - ones lasting long time and exhibiting other "suspected tunneling" characteristics?

Thank you,

Aleksey
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: mimugmail on July 08, 2019, 03:32:22 pm
Have you tried Sensei plugin?
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: nycaleksey on July 08, 2019, 04:38:11 pm
Looks very promising, thank you.

Can anyone in the community vouch for the authors? I'm a bit wary of installing such fresh code on production firewalls for both security and stability reasons.
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: mimugmail on July 08, 2019, 04:58:29 pm
1.0 should be released in the next few months ... but testing first on a separate machine is always better ;)
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: fabian on July 08, 2019, 06:42:16 pm
Why not just open the TLS using a transparent Squid (web proxy)? If it cannot read the data, it will reject the connection.
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: nycaleksey on July 08, 2019, 08:57:28 pm
There's another limitation I did not mention - I can't touch the endpoints, the solution has to be implemented on the firewall only. My understanding is that transparent proxying of HTTPS requires deploying a custom trusted certificate on the endpoints that connect through it, isn't that the case?
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: fabian on July 08, 2019, 09:22:21 pm
Quote from: nycaleksey on July 08, 2019, 08:57:28 pm
There's another limitation I did not mention - I can't touch the endpoints, the solution has to be implemented on the firewall only. My understanding is that transparent proxying of HTTPS requires deploying custom trusted certificate on the endpoints that connect through it, isn't it the case?

Sure, but that's the only way to know what is really transferred (except when you look at the TLS metadata and find something suspicious there).
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: nycaleksey on July 09, 2019, 02:38:16 pm
I know that this is a cat-and-mouse game with no guarantee of reliable 100% detection.

I was looking for something that would flag obviously suspicious TLS sessions - long running, low traffic with sporadic traffic bursts, weird metadata, and other characteristics of a tunnel. Normal HTTPS connections look very different on the wire as opposed to a pseudo-VPN over TLS, and most of these VPN/tunnel solutions take no measures to disguise themselves; they use TCP 443 only because it's almost always guaranteed to be allowed out.

Obviously, detecting malware/backdoor/APT traffic is a totally different game, and I understand that no easy or cheap solutions exist for that. This is about preventing low-tech users from circumventing the "no tunnels" policy.
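As an added example (not from the thread or from any OPNsense plugin), here is a minimal flagger for the "long running, low traffic" TLS sessions described above, working from summary flow records. The record format, the sample flows and the thresholds are all constructed assumptions; a real deployment would feed it state-table or NetFlow exports and tune the thresholds to the network's own baseline.

```python
from dataclasses import dataclass

# Constructed record format (assumption): one flow per line,
# "src,dst,dport,duration_s,bytes_out,bytes_in,packets"
@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: float
    bytes_out: int
    bytes_in: int
    packets: int

# Thresholds are illustrative assumptions, not measured values.
MIN_DURATION_S = 600   # "long running": session open for 10+ minutes
MAX_AVG_BPS = 2000     # "low traffic": under ~2 kB/s averaged over the session

def parse_flow(line: str) -> Flow:
    src, dst, dport, dur, b_out, b_in, pkts = line.strip().split(",")
    return Flow(src, dst, int(dport), float(dur), int(b_out), int(b_in), int(pkts))

def suspicion_reasons(flow: Flow) -> list:
    """Return the tunnel-like traits a TCP/443 flow exhibits (empty if none)."""
    reasons = []
    if flow.dport != 443 or flow.duration_s <= 0:
        return reasons
    if flow.duration_s >= MIN_DURATION_S:
        reasons.append("long-lived")
    avg_bps = (flow.bytes_out + flow.bytes_in) / flow.duration_s
    if avg_bps < MAX_AVG_BPS:
        reasons.append("low-throughput")
    return reasons

def flag_flows(lines) -> list:
    """Flows that are both long-lived and low-throughput: candidates for review."""
    flows = [parse_flow(line) for line in lines]
    return [f for f in flows if {"long-lived", "low-throughput"} <= set(suspicion_reasons(f))]

# Constructed sample flows: a short page load, an hours-long trickle on 443,
# a long video stream, and a long plain-HTTP session (not in scope).
SAMPLE_FLOWS = [
    "10.0.0.5,203.0.113.10,443,45,12000,5600000,4200",
    "10.0.0.7,198.51.100.20,443,7200,900000,850000,12000",
    "10.0.0.9,203.0.113.30,443,5400,300000,2500000000,1900000",
    "10.0.0.11,203.0.113.40,80,9000,20000,40000,300",
]

if __name__ == "__main__":
    for f in flag_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport} {suspicion_reasons(f)}")
```

Only the 2-hour trickle on port 443 is reported; the long video stream is long-lived but far above the throughput threshold, which is the distinction the post draws between a tunnel and normal HTTPS.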
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: mimugmail on July 09, 2019, 04:01:50 pm
ETA from Cisco can do this, but it's not cheap :)
Have a talk with the Sensei guys ....
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: nycaleksey on July 09, 2019, 04:27:54 pm
Yeah, ETA is like a Bentley, and I'm looking for an aftermarket Accord that does the same thing but cheaper, or, ideally for free :)

Thanks for the tip, I'll play with Sensei and maybe reach out to the team that works on it.
Title: Re: Plugin or solution to prevent tunneling that mimics HTTPS traffic
Post by: mimugmail on July 09, 2019, 04:32:17 pm
Aftermarket Accord .. made my day :D ;D