
How to Block proxy over secure browser

smartin
Level 1

Having some problems blocking users installing/using secure browser proxies. Currently running ASA 5520 ver. 8.3 & IPS SSM-20 7.0 (2) E4 & Websense web filtering. Able to block most proxy sites that use port 80 with Websense, but recently found that some users are using products like Njutrino that have their own secure browser, which uses its own proxy over an SSL connection.

3 Replies

Jennifer Halim
Cisco Employee

Since Websense is providing web filtering, you would need to check with Websense why it is not being blocked.

My first guess: as the session is SSL encrypted, Websense will need to inspect the HTTPS packet before it is able to see the clear text packet. Please check with Websense if HTTPS inspection is configured to decrypt the SSL session.

Websense cannot inspect an HTTPS proxy connection, plus it's impossible to block every proxy server (could be a home proxy). Is there any way for the Cisco ASA to inspect HTTPS?

No, the Cisco ASA firewall also does not inspect HTTPS, because to inspect encrypted traffic you would need to be performing man-in-the-middle so you can get the HTTPS connection decrypted.

You can take a look at Cisco Ironport WSA or Cisco ScanSafe web filtering solution that does provide HTTPS inspection capabilities.

Cisco Ironport WSA (appliance):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps10164/data_sheet_c78-586408.html

Cisco ScanSafe (cloud-based):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11616/DS_web_security.pdf
