Proxy Monitoring with IPS / MARS

daniel.litwin (Level 1)

I would like to monitor proxy bypass connections and report on them. We have MARS and IPS modules in our two ASA 5520s.


7 Replies

mhellman (Level 7)

What do you mean by "proxy bypass connection"? Do you mean attempts by users to bypass an HTTP proxy?

daniel.litwin (Level 1)

I mean students who use anonymizer programs (surfcontrol, etc.) to bypass our internet content filter software. I would think that the IPS could detect some of these and report on it.

It is very difficult to detect such things effectively, even at the proxy. Many of them utilize HTTP CONNECT tunnels that look just like any other HTTPS connection to the Internet. The only thing the typical proxy sees is the "CONNECT host:443". The network IDS sees even less... it only sees the SSL handshake and then encrypted data (so it has a destination IP address, but that's it). Many URL filters have a category for anonymous proxies, but don't count on them stopping a determined user. They may stop the casual user from using an anonymizing service though. A network IDS/IPS is not going to do this effectively. IMHO, the proxy is the place to do this.

There are gateway (proxy) products that support SSL inspection (MITM), like WebWasher or BlueCoat. These will be able to see the unencrypted HTTP data and will have a better chance at detection.

http://www.securecomputing.com/index.cfm?skey=1536
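Since the proxy is where the CONNECT request is actually visible, the cheapest check is to run the proxy's access log through a small scanner. The script below is an added example, not code from anyone in this thread or from any of the products named in it. It assumes a Squid-style native access.log layout; the log lines, the "anonymizer category" hostname list and the allowed-port set are all constructed for illustration. It flags CONNECT tunnels to a hostname on the category list, to a bare IP address, or to a port other than 443, and counts hits per client so the noisiest machines surface first. As the thread warns, these are heuristics and will produce false positives.

```python
"""Flag proxy-bypass candidates in HTTP proxy access logs.

Added example, not from the original thread. Parses Squid-style native
access.log lines (an assumed format) and reports CONNECT tunnels that look
like anonymizer use. All sample data below is constructed.
"""
import ipaddress
import re
from collections import Counter

# Squid native access.log (assumed layout):
# timestamp elapsed client action/code bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed stand-in for a URL filter's "anonymous proxy" category feed.
ANONYMIZER_HOSTS = {"proxy.example-anonymizer.test", "tunnel.example-bypass.test"}

# Ports a school proxy normally expects CONNECT to target (assumption).
ALLOWED_CONNECT_PORTS = {443}

# Constructed sample log: one normal HTTPS tunnel, three suspicious tunnels,
# one plain GET that the scanner must ignore.
SAMPLE_LOG = """\
1199145600.123    312 10.1.20.15 TCP_TUNNEL/200 8123 CONNECT mail.example.com:443 - HIER_DIRECT/203.0.113.10 -
1199145601.456   1201 10.1.20.15 TCP_TUNNEL/200 90233 CONNECT proxy.example-anonymizer.test:443 - HIER_DIRECT/198.51.100.7 -
1199145602.789    455 10.1.20.31 TCP_TUNNEL/200 2201 CONNECT 198.51.100.9:443 - HIER_DIRECT/198.51.100.9 -
1199145603.012    120 10.1.20.31 TCP_TUNNEL/200 3310 CONNECT host.example.net:8080 - HIER_DIRECT/203.0.113.44 -
1199145604.345     90 10.1.20.15 TCP_MISS/200 1540 GET http://www.example.org/index.html - HIER_DIRECT/203.0.113.5 text/html
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def split_target(url):
    """Split a CONNECT target 'host:port' into (host, port or None)."""
    host, _, port = url.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def classify_connect(host, port):
    """Return the list of reasons a CONNECT target looks like a bypass attempt."""
    reasons = []
    if host.lower() in ANONYMIZER_HOSTS:
        reasons.append("host in anonymizer category")
    try:
        ipaddress.ip_address(host)          # raw IP instead of a hostname
        reasons.append("CONNECT to bare IP address")
    except ValueError:
        pass
    if port not in ALLOWED_CONNECT_PORTS:
        reasons.append(f"CONNECT to non-standard port {port}")
    return reasons


def scan(log_text):
    """Scan log text; return one finding per suspicious CONNECT, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue                        # only tunnels are of interest here
        host, port = split_target(rec["url"])
        reasons = classify_connect(host, port)
        if reasons:
            findings.append({
                "client": rec["client"],
                "target": rec["url"],
                "bytes": int(rec["bytes"]),
                "reasons": reasons,
            })
    return findings


def clients_by_hits(findings):
    """Count flagged tunnels per client so the noisiest machines surface first."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['client']} -> {f['target']} ({f['bytes']} bytes): {', '.join(f['reasons'])}")
    print("per-client:", dict(clients_by_hits(results)))
```

Point the script at the real access.log instead of SAMPLE_LOG and feed ANONYMIZER_HOSTS from the filter's category export; the bare-IP and odd-port checks are what catch tunnels the category list has never heard of, at the cost of flagging the occasional legitimate service on 8443 or a CDN reached by address.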

Thanks. We are using 8e6 as our web content filter, but I was wondering if MARS or IPS could specifically help with monitoring/blocking proxy/anonymizer attempts. Multiple security layers are always a good thing. So MARS/IPS can't really help with stopping these?

IMHO, MARS/IPS can't do it well enough for it to be worth the effort. I'm not familiar with 8e6, but you might have a look at this:

http://www.8e6.com/anonymous_proxies.html

Thanks. That is what we currently have. I guess I'll continue to use what we have.

Accepted Solution:

You run the risk of false positives, but have you tried IPS sig ID 5188 (and the subsignatures) or creating your own custom signature? We use some IPS 4200s in my district and have had some false positives, but to date it was non-work related websites.
