We have a customer who has an iprism web filter which I thought was only doing content filtering. After installing an IPS 4215 to monitor web traffic, the only alarms that generate are http connect alarms from the inside hosts to the iprism, it looks like it is acting as a proxy that is tunneling http. Is there any way to get the web traffic back in the clear? If anyone has experience with the iprism, is there some way to disable the http tunneling and still keep the functionality? On the IPS side, is there any solution that can be configured on it to see the traffic?
Just an initial thought here. Why not SPAN or RSPAN the inside interface where the iprism is connected to? That gives you the traffic in the clear before it goes into the iprism for outbound and after it comes in for inbound. Probably not going to get you 100% what you want but it shold be a start.
Hi, thanks... Unfortunately that's where the problem seems to be coming from. All ports are spanned on the 2950 including the one that connects the inside interface of the iprism. As best I can tell the hosts authenticate to the iprism web page which then starts some sort of tunneled connection for the remainder of the session. I have seen the same behavior with MS Proxy server too. I never did find a way around that one either. So far I know of no way to use the IPS and a proxy server on the same network and have the IPS see the web traffic.
Many content filtering solutions work by acting as a proxy. However, using an HTTP proxy doesn't normally have implications for whether the traffic is "clear text" or not. In fact, a normal proxied HTTP connection does not use a CONNECT tunnel at all. A CONNECT tunnel usually implies a non-HTTP or encrypted HTTP connection. Cisco IPS 5.x sensors inspect "proxied" HTTP just fine.
If you're seeing a CONNECT tunnel, it might be that the traffic is encrypted or is not HTTP at all.
Yes, its probably seeing an encrypted session to the proxy. I am hoping their IT guy can find a way to turn that off in the iprism. Interesting that I had the exact same problem before with an MS proxy environment too. Might be the default type of session for most proxy's?
What I'm suggesting is that perhaps the CONNECT tunnels you're seeing are actually just clients connecting to SSL sites on the Internet. network proxies and content filters RARELY mess with SSL connections between clients and origin servers. There are a few exceptions, like WebWasher and Bluecoat, that can proxy SSL (MITM) --if you're willing to throw some serious money at them. If what you're really seeing is just SSL-protected Internet traffic, then I don't think you'll be able to inspect it with IDS/IPS. I'm not sure you'd want to if you could...kind of defeats the purpose of SSL/TLS.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...