Re: [squid-users] How Bad is CONNECT and Should I Prevent It?

From: K K <kkadow@dont-contact.us>
Date: Mon, 18 Jun 2007 16:10:22 -0500

On 6/18/07, Vadim Pushkin <wiskbroom@hotmail.com> wrote:
> I've gone ahead and modified my squid.conf to prevent connections using the
> method CONNECT to just an allowed list, all via port 443 only.

Whitelisting is hard work, but effective when done right.

> I am seeing lots of DENY messages, mostly for webmail.*, mail.*,
> these include logins into Google mail as well.

These logged DENY events are probably all legitimate SSL/TLS sessions.
CONNECT is used to proxy legitimate encrypted sessions, and also used
by P2P (Limewire, Skype, etc) and tunneling and trojans to open up
paths out of (and back into) the network.

Some of these "evil" uses of CONNECT run on TCP/443, and conversely,
some legitimate HTTPS web sites run on seemingly arbitrary ports.

> My question is if I've opened myself up to an
> admin nightmare or am I being smart by preventing
> some really bad stuff into my network?

Yes, and yes -- you've opened yourself up to an admin nightmare, but
you are also preventing some really bad stuff :)

> Has anyone else blocked CONNECT in a better way?

Well, you could expand your whitelist to include known webmail
servers, online banking, and other "good" destinations, but that is an
admin nightmare.

Blue Coat just bought me lunch today, so I feel oddly compelled to
mention that their ProxySG appliance can perform various levels of
CONNECT enforcement and even offers SSL interception to inspect the
contents of HTTPS sessions.

There are other products in that same space, generally more expensive.

Kevin
Received on Mon Jun 18 2007 - 15:10:26 MDT
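The DENY flood Vadim describes is easier to triage with a script than by eye. The following is an added example for this thread, not code from either poster or from the Squid project. It assumes Squid's native access.log layout (timestamp, elapsed, client, result/status, bytes, method, URL, ident, hierarchy, type), in which a CONNECT request's URL is `host:port`, and the log lines it runs on are constructed samples. It tallies denied CONNECTs by destination, separates out targets on ports other than 443 (Kevin's "seemingly arbitrary ports"), and lists hosts with webmail-style names as whitelist candidates; the `WEBMAIL_PREFIXES` heuristic is an assumption for illustration.

```python
"""Triage TCP_DENIED CONNECT entries in a Squid native-format access.log."""
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log format; not real traffic.
SAMPLE_LOG = """\
1182200001.101    120 10.0.0.5 TCP_DENIED/403 1585 CONNECT mail.google.com:443 - NONE/- text/html
1182200002.202     95 10.0.0.7 TCP_DENIED/403 1585 CONNECT webmail.example.org:443 - NONE/- text/html
1182200003.303  40211 10.0.0.9 TCP_MISS/200 58120 CONNECT www.bank.example:443 - DIRECT/192.0.2.10 -
1182200004.404     88 10.0.0.5 TCP_DENIED/403 1585 CONNECT 198.51.100.23:5050 - NONE/- text/html
1182200005.505     91 10.0.0.7 TCP_DENIED/403 1585 CONNECT mail.google.com:443 - NONE/- text/html
1182200006.606     70 10.0.0.11 TCP_DENIED/403 1585 CONNECT update.example.net:8443 - NONE/- text/html
1182200007.707    130 10.0.0.5 TCP_MISS/200 3021 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""

# Hostname prefixes matching the DENY entries the poster saw (webmail.*, mail.*).
# Assumed heuristic: it only flags hosts for human review, it does not whitelist them.
WEBMAIL_PREFIXES = ("mail.", "webmail.", "imap.", "smtp.")
STANDARD_HTTPS_PORT = 443


def parse_line(line):
    """Split one native-format line into the fields we need; None if it doesn't fit."""
    fields = line.split()
    if len(fields) < 7:
        return None
    result, _, status = fields[3].partition("/")  # e.g. TCP_DENIED/403
    return {"client": fields[2], "result": result, "status": status,
            "method": fields[5], "url": fields[6]}


def split_connect_target(url):
    """CONNECT targets are host:port (IPv6 in brackets); return (host, port) or None."""
    m = re.fullmatch(r"(\[[0-9a-fA-F:]+\]|[^:]+):(\d+)", url)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def summarize_denied_connect(log_text):
    """Count denied CONNECTs per destination, port and client, and pick out the
    two groups an admin building a whitelist wants to look at first."""
    by_dest, by_port, by_client = Counter(), Counter(), Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if not entry or entry["method"] != "CONNECT" or entry["result"] != "TCP_DENIED":
            continue
        target = split_connect_target(entry["url"])
        if target is None:
            continue
        host, port = target
        by_dest[(host, port)] += 1
        by_port[port] += 1
        by_client[entry["client"]] += 1
    # Targets off port 443: could be legitimate HTTPS on an odd port or a tunnel; review each.
    non_443 = sorted(dest for dest in by_dest if dest[1] != STANDARD_HTTPS_PORT)
    # Webmail-looking hosts on any port: the likely-legitimate bulk of the DENY noise.
    webmail = sorted({h for (h, _) in by_dest if h.lower().startswith(WEBMAIL_PREFIXES)})
    return {"denied_connects": sum(by_dest.values()), "by_dest": by_dest,
            "by_port": by_port, "by_client": by_client,
            "non_443_targets": non_443, "webmail_candidates": webmail}


def format_report(summary):
    """Render the summary as plain text for a daily review."""
    lines = [f"Denied CONNECT requests: {summary['denied_connects']}", "Top destinations:"]
    for (host, port), n in summary["by_dest"].most_common():
        lines.append(f"  {n:5d}  {host}:{port}")
    lines.append("Non-443 targets (review manually): "
                 + ", ".join(f"{h}:{p}" for h, p in summary["non_443_targets"]))
    lines.append("Webmail-looking hosts (whitelist candidates): "
                 + ", ".join(summary["webmail_candidates"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_denied_connect(SAMPLE_LOG)))
```

Point it at a real log by reading the file into `summarize_denied_connect`; the whitelist candidates it prints are still suggestions to confirm by hand, since a hostname prefix alone says nothing about whether the destination belongs on the list.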
