Results 1 to 8 of 8

Thread: SSL and Firewalls

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    371

    SSL and Firewalls

    Im wondering if anyone can help me.

    We have recently found some applications that cannot be Firewalled. Some Chat apps can tunnel SSL traffic from a users workstation, directly through our firewall, to a server on the internet.

    We have also found a remote software device that transmits traffic in a similiar fashion, scary stuff!! (www.gotomypc.com)

    Can this be locked down, without disabling all SSL, http (might not go down too well!) other than blocking each and every IP address of the Server on the Internet?

    Any help would be appreciated.
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    You can always use strict user policy on the users workstation (lock them down via poledit for example).

    But it depends on what OS you use and what kind of written user policy and security documentation you have.

    I should start at the workstations and make sure they did not run any apps you not allow them to run. And then make sure that they not could install "forbiddden" applications on their workstations.

    You can read more about how to implement strict policies here.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    371

    SSL and Firewalls

    Thanks for the reply.

    We are using NT4, but rolling out to 2000 sometime this year I think.

    Its hard for us to police workstation apps as our employee base is in the 10's of thousands!

    We are thinking of blocking specific IP address of the chat servers on our router, but it is somewhat inefficient, and their are no guarantees that you have them all.
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  4. #4
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628

    Lightbulb how about this?

    Why not give all your users non-internet-routable addresses and then proxy them and use WebSense to police the proxy.

    You are using DHCP ( with users in the 10 of thousands, I can only hope.)
    This would a large implementation but that's what we do and we've got around 100,000 use4rs currently (shrinking everyday)

    http://www.websense.com/index2.cfm

    I'll come up with more if this doesn't suit.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Sounds like you found the solution yourself, you got to block the IP's of the servers you don't want the employees to have access to. The programs you've mentioned probably uses some form of HTTP transfer, could be SOAP or HTTP/XML. Both designed to easily transmit through firewalls. Seems you admin guys don't like it as much as us programmers. BTW, the SOAP-headers are not the same as for regular HTTP, you maybe want to look into that.

    But you're solution is fine, I've seen it in use, blocking access to warez sites and porn sites. You just got to create (or buy?) a filter, and if anyone complains, just remove that certain IP from the list (if they got bussiness).
    ---
    proactive

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    When using NT4 you always can use poledit to create rules for "allowed" apps and other policys aswell.

    You can distribute one single register change to all workstations who points to a custom created policy on the network. That way you can have one single policy for all workstations, it makes it a bit easier to administrate that way.

    I don't remember the name of the key you have to change and I don't remember the default location were you should put the policy you have created. It's way over bedtime for me and my mind is more then confused and blank.

    I hope there is someone more awake then me who can tell what I failed to remember .

    Wish you good luck !

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Trying to do this at the desktop level will be a management nightmare. KorpDeath is right. We also have over 100,000 users and the proxy method is the method we are using. Websense does work very well, and it will database the "chat" sites that can be enabled or disabled.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Sorry, I have to say that I agree with iNViCTuS and SoggyBottom.

    To use a policy based system at that level of users would be a living nightmare. Atleast to set it up as a quick solution.. It would never work out and would take far to long time !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •