IPS cannot see proxy traffic

Unanswered Question

Hello,


We have a customer who has an iprism web filter which I thought was only doing content filtering. After installing an IPS 4215 to monitor web traffic, the only alarms that are generated are HTTP CONNECT alarms from the inside hosts to the iprism; it looks like it is acting as a proxy that is tunneling HTTP. Is there any way to get the web traffic back in the clear? If anyone has experience with the iprism, is there some way to disable the HTTP tunneling and still keep the functionality? On the IPS side, is there any solution that can be configured on it to see the traffic?


Thanks!

travis-dennis_2 Thu, 05/18/2006 - 09:24

Just an initial thought here. Why not SPAN or RSPAN the inside interface that the iprism is connected to? That gives you the traffic in the clear before it goes into the iprism for outbound and after it comes in for inbound. Probably not going to get you 100% what you want, but it should be a start.



Hope this helps.




Please remember to rate all replies

Hi, thanks... Unfortunately that's where the problem seems to be coming from. All ports are spanned on the 2950 including the one that connects the inside interface of the iprism. As best I can tell the hosts authenticate to the iprism web page which then starts some sort of tunneled connection for the remainder of the session. I have seen the same behavior with MS Proxy server too. I never did find a way around that one either. So far I know of no way to use the IPS and a proxy server on the same network and have the IPS see the web traffic.



mhellman Mon, 05/22/2006 - 12:15

Many content filtering solutions work by acting as a proxy. However, using an HTTP proxy doesn't normally have implications for whether the traffic is "clear text" or not. In fact, a normal proxied HTTP connection does not use a CONNECT tunnel at all. A CONNECT tunnel usually implies a non-HTTP or encrypted HTTP connection. Cisco IPS 5.x sensors inspect "proxied" HTTP just fine.


If you're seeing a CONNECT tunnel, it might be that the traffic is encrypted or is not HTTP at all.

mhellman Mon, 05/22/2006 - 13:37

What I'm suggesting is that perhaps the CONNECT tunnels you're seeing are actually just clients connecting to SSL sites on the Internet. Network proxies and content filters RARELY mess with SSL connections between clients and origin servers. There are a few exceptions, like WebWasher and Bluecoat, that can proxy SSL (MITM), if you're willing to throw some serious money at them. If what you're really seeing is just SSL-protected Internet traffic, then I don't think you'll be able to inspect it with IDS/IPS. I'm not sure you'd want to if you could... kind of defeats the purpose of SSL/TLS.
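As an added example (not posted by anyone in this thread), here is a small Python triage script that sorts proxy request lines the way mhellman's two replies describe: absolute-URI requests that the proxy relays as plain HTTP (and an inside IPS can inspect), CONNECT to port 443 that is almost certainly TLS, and CONNECT to any other port, which is the non-HTTP or unusual tunnelling worth a closer look. The hostnames and request lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of request lines as a client sends them to a forward
# proxy (hypothetical hosts; not captured from the iprism in the thread).
SAMPLE_REQUESTS = [
    "GET http://intranet.example.test/login HTTP/1.1",
    "CONNECT mail.example.test:443 HTTP/1.1",
    "CONNECT updates.example.test:443 HTTP/1.0",
    "GET http://news.example.test/index.html HTTP/1.1",
    "CONNECT relay.example.test:8080 HTTP/1.1",
    "POST /api/submit HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")

def classify(request_line):
    """Return (category, host) for one request line.

    proxied-http  : absolute-URI request; the proxy relays plain HTTP, so an
                    IPS on the inside segment sees it in the clear.
    connect-tls   : CONNECT to port 443; TLS end to end, opaque by design.
    connect-other : CONNECT to a non-443 port; non-HTTP or unusual tunnelling
                    that deserves investigation.
    direct-http   : origin-form request, no proxy involved.
    """
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ("malformed", None)
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return ("malformed", None)
        return ("connect-tls" if int(port) == 443 else "connect-other", host)
    if target.startswith("http://"):
        return ("proxied-http", target[len("http://"):].split("/", 1)[0])
    return ("direct-http", None)

def summarize(request_lines):
    """Count each category and collect CONNECT requests to non-443 ports."""
    counts, suspicious = Counter(), []
    for line in request_lines:
        category, _ = classify(line)
        counts[category] += 1
        if category == "connect-other":
            suspicious.append(line)
    return counts, suspicious

if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_REQUESTS)
    print(dict(counts), suspicious)
```

Run it against the request lines behind the IPS's CONNECT alarms; if nearly everything lands in connect-tls, the alarms are just SSL sites, and only the connect-other bucket needs a closer look.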
