OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: gafrol on November 24, 2022, 03:06:43 pm

Title: Prevent download of password protected ZIP
Post by: gafrol on November 24, 2022, 03:06:43 pm
Is this somehow possible?

Thanks
Title: Re: Prevent download of password protected ZIP
Post by: gafrol on December 04, 2022, 01:18:29 am
Apparently this is not possible which is a bit concerning as this attack vector is quite common.
Title: Re: Prevent download of password protected ZIP
Post by: meyergru on December 04, 2022, 05:58:50 pm
It is possible, but you are barking up the wrong tree if you expect this to be the job of a firewall like OPNsense.

What you are asking for is clearly OSI level 7. What your firewall can inspect are usually isolated, probably out-of-order network packets, but not a whole "file" or "stream" that is being transferred via HTTP (or any other transport protocol, e.g. SMTP). Also, the firewall cannot even decrypt the TLS traffic, so there cannot be any introspection.

What you are asking for is an instance that can look at a received file that is being constructed from a sequence of encrypted TCP packets and then decode its content in order to see if it contains a ZIP file that is encrypted.

That instance must be located client-side or be implemented as an application-level gateway. Usually, antivirus software will not prevent the opening of encrypted ZIP files, but it will detect whether malware is contained. Some mail gateways can block file attachments.
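For the application-level gateway the post describes, the actual check is simple once the gateway holds the complete, already-decrypted HTTP body (via TLS interception or an ICAP hook; how the body gets there is assumed, not shown). The following is an added example written for this thread, not code from the post or from OPNsense: it walks the ZIP central directory and reports an archive as password-protected when any entry has general-purpose flag bit 0 set (ZipCrypto) or uses compression method 99 (WinZip AES). It reads headers only, so the archive content is never decrypted. The function names, the `should_block_download` policy and the sample archives are my own constructions.

```python
import io
import struct
import zipfile
from typing import Optional

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
CEN_SIG = b"PK\x01\x02"     # central directory entry signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory record signature
FLAG_ENCRYPTED = 0x0001     # general-purpose flag bit 0: entry is encrypted
METHOD_AES = 99             # WinZip AES encryption is signalled via the method field


def zip_is_encrypted(data: bytes) -> Optional[bool]:
    """True if any entry is encrypted, False if none is, None if not a parseable ZIP.

    Parses the central directory by hand (PKWARE APPNOTE layout) so the check does
    not depend on what the stdlib is willing to open. ZIP64 archives return None.
    """
    # The EOCD record is at the very end, followed only by an optional comment
    # of at most 65535 bytes, so search that window from the back.
    tail = data[-(22 + 0xFFFF):]
    idx = tail.rfind(EOCD_SIG)
    if idx < 0 or len(tail) - idx < 22:
        return None
    eocd = tail[idx:idx + 22]
    total_entries, cd_size, cd_offset = struct.unpack("<HII", eocd[10:20])
    if total_entries == 0xFFFF or cd_offset == 0xFFFFFFFF:
        return None  # ZIP64 markers; deliberately not handled here
    # Locate the central directory relative to the EOCD rather than trusting
    # cd_offset, so archives with a prefix (e.g. an SFX stub) still parse.
    eocd_abs = len(data) - len(tail) + idx
    pos = eocd_abs - cd_size
    for _ in range(total_entries):
        hdr = data[pos:pos + 46]
        if pos < 0 or len(hdr) < 46 or hdr[:4] != CEN_SIG:
            return None  # truncated or inconsistent directory: treat as unparseable
        flags, method = struct.unpack("<HH", hdr[8:12])
        name_len, extra_len, comment_len = struct.unpack("<HHH", hdr[28:34])
        if flags & FLAG_ENCRYPTED or method == METHOD_AES:
            return True
        pos += 46 + name_len + extra_len + comment_len
    return False


def zip_is_encrypted_stdlib(data: bytes) -> Optional[bool]:
    """Same check through the standard library, useful to cross-check the parser."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(
                (info.flag_bits & FLAG_ENCRYPTED) or info.compress_type == METHOD_AES
                for info in zf.infolist()
            )
    except zipfile.BadZipFile:
        return None


def should_block_download(body: bytes) -> bool:
    """Gateway decision (hypothetical policy): sniff the magic bytes instead of
    trusting Content-Type or the file extension, which the attacker controls.
    Fails closed: a ZIP that looks encrypted OR cannot be parsed is blocked."""
    if not body.startswith(LOCAL_SIG):
        return False
    return zip_is_encrypted(body) is not False


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed test archive (not a real sample). The 'encrypted' variant sets
    flag bit 0 in every local and central header, exactly as a password-protected
    archive does; the stored payload stays in clear, which a header-only check
    never looks at anyway."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)  # constructed payload
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((LOCAL_SIG, 6), (CEN_SIG, 8)):
            pos = data.find(sig)
            while pos >= 0:
                data[pos + flag_off] |= FLAG_ENCRYPTED  # low byte of the LE flags field
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("plain", make_sample_zip(False)),
                          ("password-protected", make_sample_zip(True))):
        print(label, zip_is_encrypted(sample), zip_is_encrypted_stdlib(sample),
              should_block_download(sample))
```

Two caveats for anyone wiring this into a proxy: the check only sees archives the gateway can reassemble in full, so it says nothing about traffic the proxy does not intercept, and nested archives (an encrypted ZIP inside a plain one) need the same check applied recursively to each extractable member.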
Title: Re: Prevent download of password protected ZIP
Post by: bachmarc on December 09, 2022, 04:52:05 pm
The dirty things you need to do with encrypted traffic to get this ability are exactly what I would never do, because I am afraid that I would make things worse if I messed up the SSL chain and tried to be the more clever man in the middle...

I thought about all that, but I think I would open hell's gate and, moreover, violate essential rights of the people in the network I try to protect.

A thin bridge to walk on in the EU, even if other people know better how to do it than I, poor guy, do.

Marc
Title: Re: Prevent download of password protected ZIP
Post by: meyergru on December 09, 2022, 11:05:10 pm
+1

And believe me, you cannot stop anybody with a decent background in IT from doing whatever is necessary to circumvent even such hellish measures.

I personally have defeated many of the more obvious things just by using company-supplied proxies. All it takes is a proxy software that covers up its traffic as legitimate HTTPS; mostly not even that is needed. And I have seen people trick 802.1X by virtualizing their locked-up Windows PC images and running those on their private PC. Being able to use arbitrary software, you could even use DNS requests for any kind of traffic.

Also, what good are measures like preventing copy-and-paste in a Citrix environment if people then simply send the same files as e-mail attachments?

The more appropriate way of doing this is educating your users. While one is at that, the fellow colleagues should also be told never to use TO or CC on a customer list of several hundred recipients, which is something that may help avoid big fines under EU law.