
02-20-2008 12:33 PM - edited 03-10-2019 04:00 AM
I would like to monitor proxy bypass connections and report on them. We have MARS and IPS modules in our 2 ASA5520.
Accepted Solutions
03-17-2008 09:05 AM
You run the risk of false positives, but have you tried IPS sig ID 5188 (and the subsignatures) or creating your own custom signature? We use some IPS 4200s in my district and have had some false positives, but to date it was non-work related websites.
02-20-2008 03:09 PM
What do you mean by "proxy bypass connection"? Do you mean attempts by users to bypass an HTTP proxy?

02-21-2008 06:03 AM
I mean students who use anonymizer programs: surfcontrol, etc. to bypass our internet content filter software. I would think that the IPS could detect some of these and report on it.
02-21-2008 06:36 AM
It is very difficult to detect such things effectively, even at the proxy. Many of them utilize HTTP CONNECT tunnels that look just like any other HTTPS connection to the Internet. The only thing the typical proxy sees is the "CONNECT
There are gateway (proxy) products that support SSL inspection (MITM), like WebWasher or BlueCoat. These will be able to see the unencrypted HTTP data and will have a better chance at detection.

02-21-2008 07:07 AM
Thanks. We are using 8e6 as our web content filter, but I was wondering if MARS or IPS could specifically help with monitoring/blocking proxy/anonymizer attempts. Multiple security layers are always a good thing. So MARS/IPS can't really help with stopping these?
02-21-2008 07:27 AM
IMHO, MARS/IPS can't do it well enough for it to be worth the effort. I'm not familiar with 8e6, but you might have a look at this:

02-21-2008 08:43 AM
Thanks. That is what we currently have. I guess I continue to use what we have.
