• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

  • 0
Sign in to follow this  

Firewalls to block HTTPS downloads

Question

Bitstreams    1

I'm looking for an elegant way to solve a problem for several customers. I need to block downloads of various file types by extension (e.g. .zip, .exe, .scr, .class, .com) in any browser on a Windows client.

This needs to be from both HTTP and HTTPS sites. HTTP is relatively easy and varous router/firewalls such as Draytek or Netgear allow this, but HTTPS needs the download/site to unpacked and so requires a certificate on the client. That's not a problem, but I'm struggling to find a solution that isn't a mix of several different approaches.

 

So far I've found that Sophos Web Gateway can do it - not particularly cheap. Smoothwall can also do it (I think) but I don't have any hardware to test with. As far as I know cheaper routers do not (Draytek for example).

All of the Antivirus packages seem to rely on URL filtering (i.e. blocking the URL string with .EXE at the end) - this is obviously useless for .COM and doesn't work on HTTPS sites.

 

I understand that Squidguard Proxy can do this and I have played with the Diladele VM appliance with some success, but it's a bit hit and miss and I don't feel that it's something I can recommend to customers.

Finally - I know that you can do some blocking/prompting in Group Policy for IE and Chrome but I need something that is universal.

 

Anyone else doing this ?

 

Simon

 

 

Share this post


Link to post
Share on other sites

6 answers to this question

Recommended Posts

  • 0
farmeunit    658

Not an answer specifically for that, but some AV packages have application control and you can use that to block applications.  We use F-Secure here.  So maybe something to consider.  Or you could use Software Restriction Policies/AppLocker.

 

I'm sure someone else will have a good answer.  We use Lightspeed, but it's geared towards education.

  • Like 1

Share this post


Link to post
Share on other sites
  • 0
+BudMan    3,465

Man in the middle of https is a whole can of worms I would not suggest you open, nor the customer your looking to do it with unless they fully understand the implications.

 

Your better off just blocking users from using the freaking internet other than specific whitelisted sites other than opening the can of worms of MITM on their https connections.  If you want to block or allow specific https domains you can do that with blocking specifics.  But wanting to block download of specifics your not decrypting their https stream.  This breaks hipaa, this breaks pci etc. etc.  Let a lone you could not for example get username and passwords of users bank accounts and or medial sites, etc.

 

If your going to do this better be ready to open up the purse strings for loads and loads of auditing that your only doing mitm on specific sites, etc..

 

And you better make sure you let all your users know that your now monitoring all their traffic even inside a https stream, or your going to open yourself up to possible lawsuits from users that want to claim their bank account got emptied because you sniffed their password, etc.

Share this post


Link to post
Share on other sites
  • 0
Bitstreams    1

Thanks Budman, but the organisations that need this actually need it for compliance reasons. We're implementing the UK Iasme standard and Cyber Essentials Plus certifications and his download blocking is a compliance requirement.

 

Farmeunit - thanks for replying. F-Secure is quite flexible and we've had some luck with E-Set I suspect this is just advanced URL filtering rather than properly unpacking the traffic. I'm just downloaded the latest VM of Diladele and will try that as it suggests it'll do what I need, but was hoping for a more off-the-shelf approach.

 

thanks for the replies

 

Simon

  • Like 1

Share this post


Link to post
Share on other sites
  • 0
goretsky    1,035

Hello,

 

Have you checked with tech support for your existing anti-malware software?  Some of them may have this type of functionality built in to them.

 

Regards,

 

Aryeh Goretsky

 

Share this post


Link to post
Share on other sites
  • 0
+BudMan    3,465

^ exactly that should be done on the client!!!  Not in the middle breaking the end to end https that is the whole point of https security.

 

Any standard that says its ok to break the end to end of https is completely and utterly BORKED!!!

 

You run software on the endclient that says nope can not download .xyz sort of files.. Since on the client side those can be blocked before it enters the the https tunnel and is encrypted to the end machine.

 

You can not do advanced url filtering in https since the proxy never sees this, it only sees the host in the connect statement..  So you can not block say https://www.domain.xyz/something/file.xyz  - but you can block www.domain.xyz without breaking the https security since you block that before the end to end encryption has been setup.

 

The only way to do advanced url filtering with https is to MITM it where the proxy sees the full stream - which is breaks the whole point of https which is end to end.

 

Any enterprise grade antivirus/security software you put on the client will allow the company to set policy that the user can not override that could prevent stuff before it enters the https stream.

 

Please point to where your reading that you have to do in the man in the middle attack on your own users to protect them...

 

https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure.html

Share this post


Link to post
Share on other sites
  • 0
xendrome    5,360

You are going to need at a minimum some type of firewall appliance like a Sonicwall to do DPI-SSL, but you'll still need a 3rd party cert install on it and client machines to control the MITM stream scanning.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.