Plugin or solution to prevent tunneling that mimics HTTPS traffic

[nycaleksey]

Hi,

One of the networks I administer has a requirement to try and prevent tunneling out. I know that it is impossible to do reliably, but there must be some "best effort" solutions. This net has all ports besides 80 and 443 blocked for connecting out. I can't require everyone on the inside to use web proxy, so forcing everyone through the proxy is not an option.

Does anyone know of a plugin or an easily scripted solution that would terminate "suspicious" TLS sessions - ones lasting long time and exhibiting other "suspected tunneling" characteristics?

Thank you,

Aleksey

[mimugmail]

Have you tried Sensei plugin?

[nycaleksey]

Looks very promising, thank you.

Can anyone in the community vouch for the authors? I'm a bit wary of installing such fresh code on production firewalls for both security and stability reasons.

[mimugmail]

1.0 should be released in the next few months ... but testing first on a separate machine is always better

[fabian]

Why not just open the TLS using a transparent squid (web proxy). If it cannot read the data, it will reject the connection.

[nycaleksey]

There's another limitation I did not mention - I can't touch the endpoints, the solution has to be implemented on the firewall only. My understanding is that transparent proxying of HTTPS requires deploying custom trusted certificate on the endpoints that connect through it, isn't it the case?

[fabian]

There's another limitation I did not mention - I can't touch the endpoints, the solution has to be implemented on the firewall only. My understanding is that transparent proxying of HTTPS requires deploying custom trusted certificate on the endpoints that connect through it, isn't it the case?

sure, but that's the only way to know what is really transferred (except when you look at the TLS metadata and find something suspicious  there)

[nycaleksey]

I know that this is a cat&mouse game with no guarantee of reliable 100% detection.

I was looking for something that would flag obviously suspicious TLS sessions - long running, low traffic with sporadic traffic bursts, weird metadata, and other characteristics of a tunnel. Normal HTTPS connections look very different on the wire as opposed to the pseudo-VPN over TLS, and most of these VPN/tunnel solutions take no measures to disguise themselves, they are using TCP 443 only because it's almost always guaranteed to be allowed out.

Obviously, detecting malware/backdoor/APT traffic is a totally different game, and I understand that no easy or cheap solutions exist for that. This is about preventing low tech users from circumventing "no tunnels" policy.

[mimugmail]

ETA from Cisco can do this, but it's not cheap
Have a Talk to Sensei guys ....

[nycaleksey]

Yeah, ETA is like a Bentley, and I'm looking for an aftermarket Accord that does the same thing but cheaper, or, ideally for free

Thanks for the tip, I'll play with Sensei and may be reach out to the team that works on it.

[mimugmail]

Aftermarket Accord .. made my das