Deep packet inspection port 443

Michael Gombos
Level 1

Hello!

We only have a handful of ports open to the internet on our guest wireless. Recently, our auditor dinged us for being able to connect to an SSH server he had outside of our network running on port 443. He told us if we allow HTTPS traffic, we need to restrict non-HTTPS traffic on that port. Is there a way to do deep packet inspection on encrypted port 443 traffic and block packets that are not HTTPS? Our WLC connects to an ASA firewall before going out to the internet.

The only way I can think of doing this is to MITM all traffic on that network or set up an IP whitelist with only a small number of known safe internet sites on it. The MITM idea seems like a huge security issue for visiting clients, and the whitelist seems miserable to manage as IPs change over time.

How have you managed this issue on your networks?

Thanks in advance.

Accepted Solution

Michael,

Do you have a Guest anchor WLC? See this link:

https://supportforums.cisco.com/document/11936816/cisco-guest-access-using-wlc-anchor-setup-%E2%80%93-release-70

This isolates the guests from the internal network. We have an old 4402 WLC sitting on our DMZ just for the guest access.

3 Replies

If your guest users are isolated from your corporate users, then what is the problem?

We had no restrictions on our guest users because they are not on our internal network, and we have put a disclaimer on their logon page.

HTH

Richard.

I agree, however our auditor says that a rogue employee can compromise internal data using port 443. Those laptops are locked down by group policy to use our corporate network. I was just wondering if there was some kind of header used before encryption by HTTPS traffic that we can filter traffic by? To the best of my knowledge, a packet sniffer would only get ciphertext from both SSH and SSL/TLS traffic.

Our guest wireless is routed through our ASA firewall just like our corporate wireless. Apparently, that's where the concern is, despite restrictive ACLs being in place at the WLC and the ASA. Is the only way around this to buy a new WAN line, WLC, and access points so that there's no network overlap at all?
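The cleartext "header before encryption" asked about in the post above does exist, and it is what lets a firewall tell the two protocols apart on port 443 without MITM: an SSH client opens with a plaintext version banner ("SSH-2.0-..."), while a TLS client opens with a plaintext ClientHello record that also carries the target hostname (the server_name / SNI extension). The script below is an added example, not code from this thread or from Cisco. It classifies the first bytes a client sends on a TCP stream, extracts the SNI, and applies a port-443 policy (TLS only, optionally with a hostname allow list). `build_client_hello` constructs synthetic test input, and all hostnames in it are made up.

```python
"""Tell TLS from SSH (or anything else) by the first client bytes on TCP/443.

Added example for the thread above; not the original poster's or Cisco's code.
"""
from __future__ import annotations

import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def classify_stream_start(data: bytes) -> str:
    """Classify the first bytes a client sends on a TCP stream: 'ssh', 'tls' or 'other'."""
    # RFC 4253 section 4.2: an SSH client starts with a cleartext "SSH-2.0-..." banner.
    if data.startswith(b"SSH-"):
        return "ssh"
    # RFC 5246 section 6.2.1: record header is type(1) + version(2) + length(2); the
    # first record of a TLS session is a handshake record carrying a ClientHello.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04      # SSLv3 .. TLS 1.3 record versions
            and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    return "other"


def parse_sni(data: bytes) -> str | None:
    """Return the SNI hostname from a TLS ClientHello, or None if absent or malformed."""
    if classify_stream_start(data) != "tls":
        return None
    try:
        hs_len = int.from_bytes(data[6:9], "big")     # handshake length (3 bytes)
        body = data[9:9 + hs_len]
        pos = 2 + 32                                  # skip client_version + random
        pos += 1 + body[pos]                          # session_id (len + bytes)
        cs_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # hello without an extensions block
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:
                # server_name_list: list_len(2), then name_type(1) + name_len(2) + name
                entry = pos + 2
                if body[entry] == 0:                  # name_type 0 = host_name
                    name_len, = struct.unpack("!H", body[entry + 1:entry + 3])
                    return body[entry + 3:entry + 3 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def decide_port443(data: bytes, allowed_hosts: set[str] | None = None) -> str:
    """Policy: only TLS may use 443; with an allow list, only TLS to listed SNI names."""
    kind = classify_stream_start(data)
    if kind != "tls":
        return f"block:{kind}"
    if allowed_hosts is None:
        return "allow"
    host = parse_sni(data)
    return "allow" if host in allowed_hosts else f"block:sni={host}"


def build_client_hello(hostname: str | None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello (constructed test input, not a capture)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # host_name entry
        sni = struct.pack("!H", len(entry)) + entry                # server_name_list
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32                 # client_version, random (zeroed)
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                              # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    samples = {                                        # constructed sample first-bytes
        "ssh banner": b"SSH-2.0-OpenSSH_9.6\r\n",
        "plain http": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "tls to allowed host": build_client_hello("www.example.com"),
        "tls to other host": build_client_hello("files.example.net"),
    }
    for label, first_bytes in samples.items():
        print(f"{label:22} -> {decide_port443(first_bytes, {'www.example.com'})}")
```

Two caveats a practitioner would want alongside this. First, it only catches the naive case the auditor tested (raw SSH on 443): a determined insider can wrap SSH inside a genuine TLS session (stunnel, sslh, or an HTTPS CONNECT proxy), and then the outer protocol really is TLS, so the SNI allow list is the only remaining lever, and TLS 1.3 Encrypted Client Hello hides the SNI too where it is deployed. Second, this is the same first-bytes classification that a next-generation firewall's application identification performs in the data path; in a production network you would enable that on the firewall rather than run a script, but the script shows that no MITM of the guests' traffic is required to do it.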
