cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2203
Views
0
Helpful
1
Replies

Prevent tunnel SSH through the WSA proxy.

sberenschot
Beginner
Beginner

Currently in our proxy deployment it is possible to tunnel SSH through our proxy.

It seems the WSA does not check on protocol level if the request is legitimate HTTP/HTTPS traffic.

 

Is there a way to configure the proxy so it will prevent SSH to be tunneled through HTTP proxy over ports  443/80? 

Currently the WSA is configured as HTTP explicit forwarding proxy. 

 

example log of tunneled SSH traffic 

1518797208.150 3030787 172.19.95.113 TCP_MISS/200 4712084 CONNECT tunnel://88.159.209.181:443/ "xxxx@GDS" DIRECT/88.159.209.181 - DEFAULT_CASE_12-POLICY_WRK_ALL_USERS-ID_WRK_AUTH-NONE-NONE-NONE-DefaultGroup <nc,-3.5,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,nc,-,"-","-","Unknown","Unknown","-","-",12.44,0,-,"-","-",1,"-",-,-,"-","-"> - Auth Method: NONE, Auth Wait: 0, DNS Wait: 0, RepScore: 0, Destination: 88.159.209.181 443, Time: 2018-02-16 16:06:48, DenialCode: TCP_MISS

1 Reply 1

Handy Putra
Cisco Employee
Cisco Employee

Hi,

 

WSA as per design only do HTTP/HTTPS/FTP only.

If HTTPS proxy is disable, all port 443 will still be able to pass through the box if in the access policy has listed to allow or performing CONNECT Tunnel using port 443.

 

From your access logs, looks like under access policy POLICY_WRK_ALL_USERS under "protocol and user agent" you have port 443 listed in the CONNECT Tunnel port therefore it still be able to process.

 

Unfortunately the appliance does not aware if the traffic is SSH or not if the request is using customise port such as 80 or 443 and the appliance will treat it based on the policy for those ports.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers