How to Block proxy over secure browser

smartin · ‎03-24-2011

Having some problems blocking users installing/using secure browsers proxy. Currently runing ASA 5520 ver. 8.3 & IPS SSM-20 7.0 (2) E4 & Websense web filtering. Able to block most proxy sites with Websense that use port 80 but recently found that some users using some products like Njutrino that use their own secure browser that use it's own proxy over SSL connection.

Jennifer Halim · ‎03-24-2011

Since Websense is providing web filtering, you would need to check with Websense why it is not being blocked.

My first guest, as the session is SSL encrypted, Websense will need to inspect the HTTPS packet before able to see the clear text packet. Please check with Websense if HTTPS inspection is configured to decrypt the SSL session.

smartin · ‎03-25-2011

Websense cannot inspect a HTTPS proxy connection, please it's impossible to block every proxy server (could be a home proxy), anyway for Cisco ASA to inspect HTTPS ?

Jennifer Halim · ‎03-25-2011

No, Cisco ASA firewall also does not inspect HTTPS because to inspect encrypted traffic, you would need to be performing man-in-the-middle to you can get the HTTPS connection decrypted.

You can take a look at Cisco Ironport WSA or Cisco ScanSafe web filtering solution that does provide HTTPS inspection capabilities.

Cisco Ironport WSA (appliance):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps10164/data_sheet_c78-586408.html

Cisco Scansafe (cloud base):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11616/DS_web_security.pdf