-
SSL and Firewalls
I'm wondering if anyone can help me.
We have recently found some applications that cannot be firewalled. Some chat apps can tunnel SSL traffic from a user's workstation, directly through our firewall, to a server on the internet.
We have also found a remote software device that transmits traffic in a similar fashion, scary stuff!! (www.gotomypc.com)
Can this be locked down, without disabling all SSL/HTTP (might not go down too well!), other than blocking each and every IP address of the server on the internet?
Any help would be appreciated.
-
You can always use strict user policy on the users workstation (lock them down via poledit for example).
But it depends on what OS you use and what kind of written user policy and security documentation you have.
I would start at the workstations and make sure they do not run any apps you do not allow them to run. And then make sure that they cannot install "forbidden" applications on their workstations.
You can read more about how to implement strict policies here.
-
SSL and Firewalls
Thanks for the reply.
We are using NT4, but rolling out to 2000 sometime this year I think.
It's hard for us to police workstation apps as our employee base is in the tens of thousands!
We are thinking of blocking specific IP addresses of the chat servers on our router, but it is somewhat inefficient, and there are no guarantees that you have them all.
-
how about this?
Why not give all your users non-internet-routable addresses and then proxy them and use WebSense to police the proxy.
You are using DHCP (with users in the tens of thousands, I can only hope).
This would be a large implementation, but that's what we do and we've got around 100,000 users currently (shrinking every day).
http://www.websense.com/index2.cfm
I'll come up with more if this doesn't suit.
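The proxy approach above decides on the destination name and port of each outbound request instead of on server IP addresses, which is why it does not suffer from the "no guarantee you have them all" problem of a router blocklist. The following is an added example, not code from the thread or from any filtering product: a small Python policy check that parses proxy CONNECT request lines and allows or denies them from a category database keyed by domain suffix. The category names, domains and log lines are constructed for illustration; a real deployment would consult the filtering product's own database.

```python
"""
Proxy-level egress policy check (added example, not from the thread).

Classifies outbound CONNECT requests by destination name and port instead of
by server IP. The category database and request lines below are constructed;
a real proxy would pull categories from its filtering product's database.
"""
import re
from dataclasses import dataclass

# Constructed category database keyed by domain suffix (hypothetical names).
CATEGORY_DB = {
    "chat.example": "chat",
    "im.example.net": "chat",
    "remote-desktop.example": "remote-access",
    "bank.example": "finance",
}

# Categories the policy refuses to tunnel, and the only port CONNECT may reach.
BLOCKED_CATEGORIES = {"chat", "remote-access"}
ALLOWED_CONNECT_PORTS = {443}

# "CONNECT host:port HTTP/1.x" as a client sends it to a forward proxy.
CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:]+):(\d+)\s+HTTP/1\.[01]$")


@dataclass
class Decision:
    host: str
    port: int
    category: str
    allowed: bool
    reason: str


def categorize(host: str) -> str:
    """Walk the domain from most to least specific and return the first
    category match, e.g. www.chat.example -> chat.example -> 'chat'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATEGORY_DB:
            return CATEGORY_DB[suffix]
    return "uncategorized"


def evaluate_connect(request_line: str) -> Decision:
    """Decide whether a single CONNECT request line may be tunnelled."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return Decision("", 0, "", False, "not a CONNECT request")
    host, port = m.group(1), int(m.group(2))
    category = categorize(host)
    if category in BLOCKED_CATEGORIES:
        return Decision(host, port, category, False, f"category {category} blocked")
    if port not in ALLOWED_CONNECT_PORTS:
        return Decision(host, port, category, False, f"CONNECT to port {port} not allowed")
    return Decision(host, port, category, True, "allowed")


def summarize(request_lines) -> dict:
    """Count allowed and denied requests, as a proxy log review would."""
    counts = {"allowed": 0, "denied": 0}
    for line in request_lines:
        counts["allowed" if evaluate_connect(line).allowed else "denied"] += 1
    return counts


# Constructed request lines standing in for a proxy access log.
SAMPLE_REQUESTS = [
    "CONNECT www.chat.example:443 HTTP/1.1",
    "CONNECT help.remote-desktop.example:443 HTTP/1.1",
    "CONNECT www.bank.example:443 HTTP/1.1",
    "CONNECT unknown.example.org:5190 HTTP/1.0",
    "GET http://www.example.org/ HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        d = evaluate_connect(line)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {line!r}: {d.reason}")
    print(summarize(SAMPLE_REQUESTS))
```

Because a chat client tunnelling over SSL still has to name its server in the CONNECT line, the policy catches a new server in a known domain the moment it appears, and refuses tunnels to non-standard ports regardless of category. Pair this with clients on non-routable addresses that have no direct path to the internet, as the post describes, or the proxy can simply be bypassed.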
-
Sounds like you found the solution yourself: you've got to block the IPs of the servers you don't want the employees to have access to. The programs you've mentioned probably use some form of HTTP transfer, could be SOAP or HTTP/XML. Both are designed to easily transmit through firewalls. Seems you admin guys don't like it as much as us programmers. BTW, the SOAP headers are not the same as for regular HTTP; you may want to look into that.
But your solution is fine, I've seen it in use, blocking access to warez sites and porn sites. You just got to create (or buy?) a filter, and if anyone complains, just remove that certain IP from the list (if they've got business).
-
When using NT4 you can always use poledit to create rules for "allowed" apps and other policies as well.
You can distribute one single registry change to all workstations that points to a custom created policy on the network. That way you can have one single policy for all workstations; it makes it a bit easier to administrate that way.
I don't remember the name of the key you have to change and I don't remember the default location where you should put the policy you have created. It's way over bedtime for me and my mind is more than confused and blank.
I hope there is someone more awake than me who can tell what I failed to remember :).
Wish you good luck !
-
Trying to do this at the desktop level will be a management nightmare. KorpDeath is right. We also have over 100,000 users and the proxy method is the method we are using. Websense does work very well, and it will database the "chat" sites that can be enabled or disabled.
-
Sorry, I have to say that I agree with iNViCTuS and SoggyBottom.
To use a policy based system at that level of users would be a living nightmare, at least to set it up as a quick solution. It would never work out and would take far too long!