Proxy Monitoring with IPS / MARS

Answered Question
Feb 20th, 2008

I would like to monitor proxy bypass connections and report on them. We have MARS and IPS modules in our two ASA 5520s.

Correct Answer by meltonnoel, Mon, 03/17/2008 - 09:05

You run the risk of false positives, but have you tried IPS sig ID 5188 (and its subsignatures) or creating your own custom signature? We use some IPS 4200s in my district and have had some false positives, but to date it was non-work-related websites.

mhellman Wed, 02/20/2008 - 15:09

What do you mean by "proxy bypass connection"? Do you mean attempts by users to bypass an HTTP proxy?

daniel.litwin Thu, 02/21/2008 - 06:03

I mean students who use anonymizer programs (SurfControl, etc.) to bypass our internet content filter software. I would think that the IPS could detect some of these and report on it.

mhellman Thu, 02/21/2008 - 06:36

It is very difficult to detect such things effectively, even at the proxy. Many of them utilize HTTP CONNECT tunnels that look just like any other HTTPS connection to the Internet. The only thing the typical proxy sees is the "CONNECT host:443". The network IDS sees even less... it only sees the SSL handshake and then encrypted data (so it has a dst IP address, but that's it). Many URL filters have a category for anonymous proxies, but don't count on them stopping a determined user. They may stop the casual user from using an anonymizing service, though. A network IDS/IPS is not going to do this effectively. IMHO, the proxy is the place to do this.

There are gateway (proxy) products that support SSL inspection (MITM), like WebWasher or BlueCoat. These will be able to see the unencrypted HTTP data and will have a better chance at detection.

http://www.securecomputing.com/index.cfm?skey=1536
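The point above, that a CONNECT tunnel leaves the proxy only a host:port and leaves the IDS only a TLS handshake, can be turned into the few checks that are still possible at the proxy. The following is an added example, not code from anyone in this thread: it runs simple heuristics over constructed Squid-style access.log lines (CONNECT to a non-443 port, CONNECT to a raw IP, a destination on a local anonymizer list, and an unusually long, high-volume tunnel) and shows the one thing an inline sensor can still verify about the tunnel payload, namely whether its first bytes are a TLS handshake at all. The log lines, the hostnames and the `KNOWN_ANONYMIZERS` list are all made up for the example; the byte-volume and duration thresholds are assumptions to tune per site.

```python
import ipaddress
import re

# Constructed Squid-native access.log lines (not real traffic): a normal HTTPS
# tunnel, a long-lived tunnel to a raw IP on a non-standard port, and a tunnel
# to a hostname on the local anonymizer list. Fields: timestamp, elapsed ms,
# client, result, bytes, method, host:port, ident, hierarchy, type.
SAMPLE_LOG = """\
1203612345.123   2345 10.1.2.3 TCP_TUNNEL/200 48213 CONNECT mail.example.com:443 - DIRECT/203.0.113.10 -
1203612400.456 902345 10.1.2.7 TCP_TUNNEL/200 9812345 CONNECT 198.51.100.9:8443 - DIRECT/198.51.100.9 -
1203612410.789   1200 10.1.2.9 TCP_TUNNEL/200 20000 CONNECT proxy.anonymizer.invalid:443 - DIRECT/203.0.113.99 -
"""

# Hypothetical local blocklist. In practice this would be fed from the URL
# filter's "anonymizer / proxy avoidance" category rather than hand-maintained.
KNOWN_ANONYMIZERS = {"proxy.anonymizer.invalid"}

# Assumed thresholds: a tunnel open longer than 10 minutes that moved more than
# 5 MB is worth a look; an ordinary HTTPS page load is much shorter and smaller.
LONG_TUNNEL_MS = 600_000
HIGH_VOLUME_BYTES = 5_000_000

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+CONNECT\s+(?P<host>[^:\s]+):(?P<port>\d+)"
)


def parse_connect(line):
    """Return the CONNECT request fields from one log line, or None if the line
    is not a CONNECT tunnel (GET/POST lines are not interesting here)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "client": m.group("client"),
        "host": m.group("host"),
        "port": int(m.group("port")),
        "elapsed_ms": int(m.group("elapsed")),
        "bytes": int(m.group("bytes")),
    }


def classify_connect(rec):
    """Heuristics that work on exactly the information the proxy has: the
    requested host:port plus how long and how much the tunnel moved."""
    reasons = []
    if rec["port"] != 443:
        reasons.append("non-443 port")
    try:
        ipaddress.ip_address(rec["host"])
        reasons.append("raw IP destination")  # browsers normally CONNECT by name
    except ValueError:
        pass
    if rec["host"] in KNOWN_ANONYMIZERS:
        reasons.append("known anonymizer")
    if rec["elapsed_ms"] > LONG_TUNNEL_MS and rec["bytes"] > HIGH_VOLUME_BYTES:
        reasons.append("long-lived high-volume tunnel")
    return reasons


def tunnel_looks_like_tls(first_bytes):
    """True if the first bytes inside the tunnel are a TLS handshake record
    carrying a ClientHello: content type 0x16, major version 0x03, and
    handshake type 0x01 at offset 5. A sensor on the wire sees this much and
    nothing after it; anything else (e.g. an SSH banner) is not HTTPS at all."""
    return (
        len(first_bytes) >= 6
        and first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and first_bytes[5] == 0x01
    )


def audit(log_text):
    """Return (client, host, port, reasons) for every CONNECT line that trips
    at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_connect(line)
        if rec is None:
            continue
        reasons = classify_connect(rec)
        if reasons:
            findings.append((rec["client"], rec["host"], rec["port"], reasons))
    return findings


if __name__ == "__main__":
    for client, host, port, reasons in audit(SAMPLE_LOG):
        print(f"{client} -> {host}:{port}: {', '.join(reasons)}")
```

Running the block flags the second and third constructed lines and leaves the ordinary mail.example.com tunnel alone. Note what the checks cannot do: an anonymizer that uses a registered hostname on port 443 and speaks real TLS produces a line identical to the first one, which is exactly why the post above says a determined user will get past this and that SSL inspection is needed to see further.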

daniel.litwin Thu, 02/21/2008 - 07:07

Thanks. We are using 8e6 as our web content filter, but I was wondering if MARS or IPS could specifically help with monitoring/blocking proxy/anonymizer attempts. Multiple security layers are always a good thing. So MARS/IPS can't really help with stopping these?

daniel.litwin Thu, 02/21/2008 - 08:43

Thanks. That is what we currently have. I guess I'll continue to use what we have.

