MSMVPS.COM
The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.
Dr. Tom's ISA Server 2004 Firewall Blog » The Evils of SSL Tunneling
The Evils of SSL Tunneling

As a firewall administrator your primary concern is access control. You want to control exactly what services internal network users can access on other networks, and you want exact control over what services external users can access on the internal network. That’s the reason you have a firewall. If you don’t want someone to access a specific service on the Internet, then you either do not allow it (the preferred method) or you explicitly block it (the less preferred method). This isn’t a radical approach and is something inherent in all good firewall policies.

Get the New Book!

For example, you have created a firewall policy allowing a specific group of users outbound access to only HTTP and HTTPS. You do this because you want this group of users to have access to Web sites on the Internet, so that they can see Web content and connect to secure Web sites to get business done. You do not allow them access to other protocols such as IRC, FTP, SSH, VPN, Telnet or any others, because your organization has determined that these protocols can put your network at risk when used by these users you have given access to only HTTP and HTTPS.

So what happens when a user uses the HTTP protocol to "tunnel" other application protocols? The popular GoToMyPC is a remote access application that the vendor claims "does not compromise the integrity of your firewall" (https://www.gotomypc.com/ourTechnology.tmpl). Oh really?

As a firewall administrator, I open outbound HTTPS to selected users so that they can go to secure Web sites. I do not open outbound access to HTTPS (SSL) so that they can use remote access technologies that enable them to connect to their home computer and then transfer virus infected files from their home computer (which isn’t under our administrative control). And because the GoToMyPC application runs in an SSL tunnel, virtually no firewall on the market today (including the ISA firewall) can inspect the contents of the SSL stream once SSL session is negotiated.

GoToMyPC is just one example of HTTP tunneling of non-Web applications. If you do a Google search of "HTTP tunnel" and you’ll come up with a slew of applications that allow users to subvert firewall policy by tunneling dangerous applications through an HTTP connection.

For example, near the top of the list on the Google search is HTTP-Tunnel. You can see a list of applications your users can use with this software at http://www.http-tunnel.com/html/support/user_guides.asp. As a firewall administrator, you enable users access to applications they have permission to access and they should not be able to use applications that they are not permitted to access. The HTTP tunneling software subverts firewall policy and security, and potentially violates corporate network access policies.

ISA Firewall Alert
If your corporate network access policy does not include explicit guidelines forbidding use of this type of software, then you need to get such as policy in line now. Otherwise, you’re going to be blank-faced when the CEO wants to know how a user was able to introduce a destructive worm into the corporate network by using one of these applications.

So what does all this have to do with Terminal Services? Microsoft has announced that it intends to provide an HTTP tunneled RDP client and server in the R2 release of Windows Server 2003. This purportedly is done to allow for Access Anywhere, so that users can create RDP sessions through "restrictive firewalls". Maybe there’s a reason why those firewalls are restrictive! (you can find more information on this HTTPS tunneled RDP client over at http://www.brianmadden.com/content/content.asp?ID=61)

The next time you hear someone joke about TCP 80 and 443 being the "Universal Firewall Ports", you’ll know what they mean. This also points out that the future of firewalls moves far beyond the conventional stateful filtering firewall (like most so-called "hardware firewalls" on the market today).

The future of network firewalls is the stateful application layer inspection firewall. The good news is that the ISA firewall is the poster boy of the stateful application layer inspection firewall. Only a stateful application layer inspection firewall is going to be able to completely take apart the HTTP/HTTPS communications and then validate them against firewall policy. One thing is for sure: its not going to be easy.

ISA Firewall Wish List
Because of the serious risks HTTPS tunneling can pose to the network, on the top of my wish list right now is that the ISA firewall development team implements a mechanism allowing us to perform SSL to SSL bridging for outgoing connections. We can do it now with Web Publishing Rules, but we can’t do it for outbound connections at this time. Those outbound HTTPS connections containing data hiding in the outbound SSL tunnel continue to pose a serious risk to your network’s overall security posture.

Posted Tue, Aug 24 2004 8:28 by shinder
Filed under:

Comments

shinder wrote re: The Evils of SSL Tunneling
on Sun, Oct 10 2004 4:47
Hello,

I would be very interested in reading about ways to use ISA 2004 to prevent or at least monitor HTTP tunneling activity in my network.

Any comments on the subject would be greatly appreciated.

Sincerely,
Martin Ames
martin.ames@thewarehouse.co.nz
shinder wrote re: The Evils of SSL Tunneling
on Thu, Jan 20 2005 17:05
Actually, setting up a network access policy on the local client computers can go a long ways towards locking down your network. So can segmenting/VLans, ACLs, Firewalling/Proxying, Vlan assignment based on MAC address or machine Certificates, and local client firewall/network control software, and signed binaries go a long way. Relying on your ISA server to do all of this, or even being your main protection, probably isn't a good idea. I'd think of it as part of an overall plan for protection - also, how many users on your network need to go out over ssl and http, and what sites do they need to get at to do their job? Most businesses I've worked with only NEED a small subset of http/https connections to service their buiness needs; are you leaving all outbound http/https connections open? If users complain about the restriction than you could setup a kiosk(s) for them to use on their lunch break, etc, and put it on a different network with something like clean sweep to keep them sane.

The best security is much easier to circumvent if you allow your users to have the tools they need to do so.

Dan
shinder wrote re: The Evils of SSL Tunneling
on Tue, Feb 15 2005 5:56
There's a reason no outbound SSL bridging exists, and it's not lack of effort. When the Web server is controlled by some third party on the Internet, the ISA Server doesn't have access to its private SSL key.
shinder wrote re: The Evils of SSL Tunneling
on Tue, Feb 15 2005 5:58
Hi Blah,
No, it can be done. The ISA firewall can dynamically impersonate the Web server. But there are legal issues that so-called "privacy advocates" bring forth, which puts everyone at increased risk. Well, except for the attys who catch in on the scam :(
shinder wrote re: The Evils of SSL Tunneling
on Wed, Apr 27 2005 9:12
We used to call this a 'man-in-the-middle' attack, but now that ISA can SSL bridge those stuff and make sure that HTTPS means HTTP-over-SSL and not whatever-over-SSL, makes this okay? Apache with mod_ssl and mod_rewrite is already able to do this several years. As a client, how can I trust the server when ISA is in between? ISA seems to terminate my SSL connection so I'm using a scam-certificate...
shinder wrote re: The Evils of SSL Tunneling
on Wed, Apr 27 2005 9:16
Hi Mea Culpa,

Exactly! The Apache is unsecure becasue it only does SSL to HTTP bridging, in contrast to the ISA firewall's SSL to SSL bridging. Since the Web site certificate is installed on the ISA firewall, the client can trust the ISA firewall in the same way that it trusts the Web site. Very slick and secure. However, the ISA firewall solution doesn't perform outbound SSL to SSL bridging, which is a major problem, as you need to dynamically generate certificates on the fly to impersonate the destination SSL site. Hopefully we'll see this in a future version.
Thanks!
Tom
shinder wrote re: The Evils of SSL Tunneling
on Wed, Apr 27 2005 15:53
Tom,

IMHO, outbound SSL bridging cannot be done, at least not without actually being the 'man-in-the-middle'. The private key that belongs to the public key that is in the certificate of the destionation website obviously isn't known to ISA. 'Dynamically generating certificates' doesn't generate certificates with correct public keys. You can't just copy the public key from the original certificate, because ISA won't be able to decrypt it.

Correct?

Add a Comment

(optional)  
(optional)
(required)  
Remember Me?


Copyright © is the original authors. Blog site is an independent site not sponsored by Microsoft. The Yoda blog server and the Brianna SQL server would like to thank www.ownwebnow.com and www.exchangedefender.com. They wouldn't be here and broadcasting without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems