topic Re: How to Block proxy over secure browser in Network Security

How to Block proxy over secure browser

smartin — Mon, 11 Mar 2019 20:12:09 GMT

Having some problems blocking users installing/using secure browsers proxy. Currently runing ASA 5520 ver. 8.3 & IPS SSM-20 7.0 (2) E4 & Websense web filtering. Able to block most proxy sites with Websense that use port 80 but recently found that some users using some products like Njutrino that use their own secure browser that use it's own proxy over SSL connection.

Re: How to Block proxy over secure browser

Jennifer Halim — Fri, 25 Mar 2011 06:12:12 GMT

Since Websense is providing web filtering, you would need to check with Websense why it is not being blocked.

My first guest, as the session is SSL encrypted, Websense will need to inspect the HTTPS packet before able to see the clear text packet. Please check with Websense if HTTPS inspection is configured to decrypt the SSL session.

Re: How to Block proxy over secure browser

smartin — Fri, 25 Mar 2011 12:02:08 GMT

Websense cannot inspect a HTTPS proxy connection, please it's impossible to block every proxy server (could be a home proxy), anyway for Cisco ASA to inspect HTTPS ?

Re: How to Block proxy over secure browser

Jennifer Halim — Fri, 25 Mar 2011 21:23:31 GMT

No, Cisco ASA firewall also does not inspect HTTPS because to inspect encrypted traffic, you would need to be performing man-in-the-middle to you can get the HTTPS connection decrypted.

You can take a look at Cisco Ironport WSA or Cisco ScanSafe web filtering solution that does provide HTTPS inspection capabilities.

Cisco Ironport WSA (appliance):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps10164/data_sheet_c78-586408.html

Cisco Scansafe (cloud base):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11616/DS_web_security.pdf