IPS cannot see proxy traffic

Hello,

We have a customer who has an iprism web filter which I thought was only doing content filtering. After installing an IPS 4215 to monitor web traffic, the only alarms that generate are http connect alarms from the inside hosts to the iprism; it looks like it is acting as a proxy that is tunneling http. Is there any way to get the web traffic back in the clear? If anyone has experience with the iprism, is there some way to disable the http tunneling and still keep the functionality? On the IPS side, is there any solution that can be configured on it to see the traffic?

Thanks!

5 REPLIES

Re: IPS cannot see proxy traffic

Just an initial thought here. Why not SPAN or RSPAN the inside interface to which the iprism is connected? That gives you the traffic in the clear before it goes into the iprism for outbound and after it comes in for inbound. Probably not going to get you 100% what you want but it should be a start.

Hope this helps.

Please remember to rate all replies

Community Member

Re: IPS cannot see proxy traffic

Hi, thanks... Unfortunately that's where the problem seems to be coming from. All ports are spanned on the 2950 including the one that connects the inside interface of the iprism. As best I can tell the hosts authenticate to the iprism web page which then starts some sort of tunneled connection for the remainder of the session. I have seen the same behavior with MS Proxy server too. I never did find a way around that one either. So far I know of no way to use the IPS and a proxy server on the same network and have the IPS see the web traffic.

Gold

Re: IPS cannot see proxy traffic

Many content filtering solutions work by acting as a proxy. However, using an HTTP proxy doesn't normally have implications for whether the traffic is "clear text" or not. In fact, a normal proxied HTTP connection does not use a CONNECT tunnel at all. A CONNECT tunnel usually implies a non-HTTP or encrypted HTTP connection. Cisco IPS 5.x sensors inspect "proxied" HTTP just fine.

If you're seeing a CONNECT tunnel, it might be that the traffic is encrypted or is not HTTP at all.

Community Member

Re: IPS cannot see proxy traffic

Yes, it's probably seeing an encrypted session to the proxy. I am hoping their IT guy can find a way to turn that off in the iprism. Interesting that I had the exact same problem before with an MS proxy environment too. Might be the default type of session for most proxies?

Gold

Re: IPS cannot see proxy traffic

What I'm suggesting is that perhaps the CONNECT tunnels you're seeing are actually just clients connecting to SSL sites on the Internet. Network proxies and content filters RARELY mess with SSL connections between clients and origin servers. There are a few exceptions, like WebWasher and Bluecoat, that can proxy SSL (MITM), if you're willing to throw some serious money at them. If what you're really seeing is just SSL-protected Internet traffic, then I don't think you'll be able to inspect it with IDS/IPS. I'm not sure you'd want to if you could... kind of defeats the purpose of SSL/TLS.
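
The distinction drawn in the two Gold replies above (a plain proxied request with an absolute URI is inspectable, a CONNECT tunnel is opaque and on port 443 almost certainly TLS) can be checked against a capture taken on the SPAN port. The classifier below is an added example, not code from the thread or from any Cisco or iprism product; the request lines are constructed samples.

```python
"""Classify proxy-bound HTTP request lines as a sensor between clients and proxy sees them.

Added example: absolute-form requests ("GET http://host/path HTTP/1.1") are plain
proxied HTTP whose payload a sensor can inspect; "CONNECT host:port" opens an
opaque tunnel, and port 443 means the client is speaking TLS to the origin server.
"""
from urllib.parse import urlsplit

# Constructed sample of request lines captured between inside hosts and a proxy.
SAMPLE_REQUESTS = [
    "GET http://www.example.com/index.html HTTP/1.1",
    "POST http://intranet.example.net/login HTTP/1.0",
    "CONNECT mail.example.com:443 HTTP/1.1",
    "CONNECT chat.example.org:5222 HTTP/1.1",
    "GET /local/path HTTP/1.1",  # origin-form: not a forward-proxy request at all
]


def classify_request(line):
    """Return (method, host, port, verdict) for one HTTP request line."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # authority-form target: host:port of the tunnel endpoint
        host, _, port = target.rpartition(":")
        port = int(port)
        # 443 almost always means TLS end to end; anything else is some
        # non-HTTP protocol tunnelled through the proxy. Both are opaque.
        verdict = "tunnel-tls" if port == 443 else "tunnel-other"
        return method, host, port, verdict
    url = urlsplit(target)
    if url.scheme and url.netloc:
        # absolute-form URI: ordinary proxied HTTP, visible in the clear
        return method, url.hostname, url.port or 80, "proxied-clear"
    # origin-form request: the client is not talking to a forward proxy
    return method, None, None, "direct"


def summarize(lines):
    """Count request lines by verdict to show how much traffic is actually opaque."""
    counts = {}
    for line in lines:
        verdict = classify_request(line)[3]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify_request(line))
    print(summarize(SAMPLE_REQUESTS))
```

If nearly every line from a host classifies as a tunnel, the sensor is not losing plain HTTP to the proxy; the clients are simply reaching TLS sites, which is the situation the last reply describes.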
