Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
0
Helpful
5
Replies

IPS cannot see proxy traffic

pmacdanel
Level 1
Level 1

‎05-18-2006 06:32 AM - edited ‎03-10-2019 03:01 AM

Hello,

We have a customer who has an iprism web filter which I thought was only doing content filtering. After installing an IPS 4215 to monitor web traffic, the only alarms that generate are http connect alarms from the inside hosts to the iprism, it looks like it is acting as a proxy that is tunneling http. Is there any way to get the web traffic back in the clear? If anyone has experience with the iprism, is there some way to disable the http tunneling and still keep the functionality? On the IPS side, is there any solution that can be configured on it to see the traffic?

Thanks!

Labels:
0 Helpful
5 Replies 5

travis-dennis_2
Level 7
Level 7

‎05-18-2006 09:24 AM

Just an initial thought here. Why not SPAN or RSPAN the inside interface where the iprism is connected to? That gives you the traffic in the clear before it goes into the iprism for outbound and after it comes in for inbound. Probably not going to get you 100% what you want but it shold be a start.

Hope this helps.

Please remember to rate all replies

0 Helpful

pmacdanel
Level 1
Level 1
In response to travis-dennis_2

‎05-18-2006 09:54 AM

Hi, thanks... Unfortunately that's where the problem seems to be coming from. All ports are spanned on the 2950 including the one that connects the inside interface of the iprism. As best I can tell the hosts authenticate to the iprism web page which then starts some sort of tunneled connection for the remainder of the session. I have seen the same behavior with MS Proxy server too. I never did find a way around that one either. So far I know of no way to use the IPS and a proxy server on the same network and have the IPS see the web traffic.

0 Helpful

mhellman
Level 7
Level 7

‎05-22-2006 12:15 PM

Many content filtering solutions work by acting as a proxy. However, using an HTTP proxy doesn't normally have implications for whether the traffic is "clear text" or not. In fact, a normal proxied HTTP connection does not use a CONNECT tunnel at all. A CONNECT tunnel usually implies a non-HTTP or encrypted HTTP connection. Cisco IPS 5.x sensors inspect "proxied" HTTP just fine.

If you're seeing a CONNECT tunnel, it might be that the traffic is encrypted or is not HTTP at all.

0 Helpful

pmacdanel
Level 1
Level 1
In response to mhellman

‎05-22-2006 12:59 PM

Yes, its probably seeing an encrypted session to the proxy. I am hoping their IT guy can find a way to turn that off in the iprism. Interesting that I had the exact same problem before with an MS proxy environment too. Might be the default type of session for most proxy's?

0 Helpful

mhellman
Level 7
Level 7
In response to pmacdanel

‎05-22-2006 01:37 PM

What I'm suggesting is that perhaps the CONNECT tunnels you're seeing are actually just clients connecting to SSL sites on the Internet. network proxies and content filters RARELY mess with SSL connections between clients and origin servers. There are a few exceptions, like WebWasher and Bluecoat, that can proxy SSL (MITM) --if you're willing to throw some serious money at them. If what you're really seeing is just SSL-protected Internet traffic, then I don't think you'll be able to inspect it with IDS/IPS. I'm not sure you'd want to if you could...kind of defeats the purpose of SSL/TLS.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card