Cisco Support Community

New Member

Proxy Monitoring with IPS / MARS

I would like to monitor proxy bypass connections and report on them. We have MARS and IPS modules in our 2 ASA5520.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Proxy Monitoring with IPS / MARS

You run the risk of false positives, but have you tried IPS sig ID 5188 (and the subsignatures) or creating your own custom signature? We use some IPS 4200s in my district and have had some false positives, but to date it was non-work related websites.

7 REPLIES
Gold

Re: Proxy Monitoring with IPS / MARS

What do you mean by "proxy bypass connection"? Do you mean attempts by users to bypass an HTTP proxy?

New Member

Re: Proxy Monitoring with IPS / MARS

I mean students who use anonymizer programs: surfcontrol, etc. to bypass our internet content filter software. I would think that the IPS could detect some of these and report on it.

Gold

Re: Proxy Monitoring with IPS / MARS

It is very difficult to detect such things effectively, even at the proxy. Many of them utilize HTTP CONNECT tunnels that look just like any other HTTPS connection to the Internet. The only thing the typical proxy sees is the "CONNECT :443". The network IDS sees even less...it only sees the SSL handshake and then encrypted data (so it has a src and dst IP address, but that's it). Many URL filters have a category for anonymous proxies, but don't count on them stopping a determined user. They may stop the casual user from using an anonymizing service though. A network IDS/IPS is not going to do this effectively. IMHO, the proxy is the place to do this.

There are gateway (proxy) products that support SSL inspection (MITM), like WebWasher or BlueCoat. These will be able to see the unencrypted HTTP data and will have a better chance at detection.

http://www.securecomputing.com/index.cfm?skey=1536
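As an added example that is not part of the original post: since the reply above puts the reporting job at the proxy, this sketch groups CONNECT entries from a proxy access log by client and marks the ones a reviewer may want to look at. The Squid-style native log layout, the two review heuristics (bare-IP destination, port other than 443) and all sample lines are assumptions constructed for illustration; as the post notes, a tunnel to a hostname on 443 will look like ordinary HTTPS and will not be marked.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (an assumption;
# the thread does not name a proxy log format):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1200000000.100 5300 10.1.1.20 TCP_MISS/200 48211 CONNECT mail.example.com:443 - DIRECT/192.0.2.10 -
1200000001.200 90211 10.1.1.37 TCP_MISS/200 912344 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1200000002.300 120 10.1.1.20 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1200000003.400 60333 10.1.1.37 TCP_MISS/200 204800 CONNECT tunnel.example.net:8443 - DIRECT/203.0.113.5 -
1200000004.500 10 10.1.1.37 TCP_DENIED/403 1500 CONNECT 198.51.100.7:22 - NONE/- text/html
"""

def parse_connect(line):
    """Return (client, host, port, status) for a CONNECT entry, else None."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    host, _, port = f[6].rpartition(":")
    if not host or not port.isdigit():
        return None
    status = f[3].split("/")[-1]
    return f[2], host.strip("[]"), int(port), status

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review_tunnels(log_text):
    """Group CONNECT tunnels worth a second look by client address."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry is None:
            continue
        client, host, port, status = entry
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal")    # destination is a bare IP, not a hostname
        if port != 443:
            reasons.append("non-443-port")  # tunnel to something other than HTTPS
        if reasons:
            report[client].append((host, port, status, reasons))
    return dict(report)

if __name__ == "__main__":
    for client, hits in review_tunnels(SAMPLE_LOG).items():
        for host, port, status, reasons in hits:
            print(client, f"{host}:{port}", status, ",".join(reasons))
```
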

New Member

Re: Proxy Monitoring with IPS / MARS

Thanks. We are using 8e6 as our web content filter, but I was wondering if MARS or IPS could specifically help with monitoring/blocking proxy/anonymizer attempts. Multiple security layers are always a good thing. So MARS/IPS can't really help with stopping these?

Gold

Re: Proxy Monitoring with IPS / MARS

IMHO, MARS/IPS can't do it well enough for it to be worth the effort. I'm not familiar with 8e6, but you might have a look at this:

http://www.8e6.com/anonymous_proxies.html

New Member

Re: Proxy Monitoring with IPS / MARS

Thanks. That is what we currently have. I guess I continue to use what we have.
