Prevent tunnel SSH through the WSA proxy.

sberenschot
Level 1

Currently in our proxy deployment it is possible to tunnel SSH through our proxy.

It seems the WSA does not check on protocol level if the request is legitimate HTTP/HTTPS traffic.


Is there a way to configure the proxy so it will prevent SSH from being tunneled through the HTTP proxy over ports 443/80?

Currently the WSA is configured as an HTTP explicit forwarding proxy.


Example log of tunneled SSH traffic:

1518797208.150 3030787 172.19.95.113 TCP_MISS/200 4712084 CONNECT tunnel://88.159.209.181:443/ "xxxx@GDS" DIRECT/88.159.209.181 - DEFAULT_CASE_12-POLICY_WRK_ALL_USERS-ID_WRK_AUTH-NONE-NONE-NONE-DefaultGroup <nc,-3.5,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,nc,-,"-","-","Unknown","Unknown","-","-",12.44,0,-,"-","-",1,"-",-,-,"-","-"> - Auth Method: NONE, Auth Wait: 0, DNS Wait: 0, RepScore: 0, Destination: 88.159.209.181 443, Time: 2018-02-16 16:06:48, DenialCode: TCP_MISS

1 Reply

Handy Putra
Cisco Employee

Hi,


WSA as per design only does HTTP/HTTPS/FTP.

If the HTTPS proxy is disabled, all port 443 traffic will still be able to pass through the box if the access policy has it listed as allowed or is performing a CONNECT tunnel using port 443.


From your access logs, it looks like under access policy POLICY_WRK_ALL_USERS, under "protocol and user agent", you have port 443 listed in the CONNECT tunnel ports, therefore it will still be able to be processed.


Unfortunately the appliance is not aware of whether the traffic is SSH or not if the request is using a customised port such as 80 or 443, and the appliance will treat it based on the policy for those ports.
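Since the appliance itself cannot tell SSH from HTTPS inside a CONNECT tunnel, the practical defender's check is on the access log the question quotes: CONNECT entries that stay open and move data far longer than an ordinary HTTPS exchange, together with the access policy (the second element of the ACL decision tag, POLICY_WRK_ALL_USERS here) whose CONNECT tunnel ports let them through. This is an added example written for this thread, not Cisco code; the field layout is taken from the log line above, the thresholds are assumptions to tune, and the two extra log entries are constructed for contrast.

```python
import re
from dataclasses import dataclass

# Leading fields of a WSA access-log entry, in the layout of the line quoted in the
# question; the <...> verdict block and the trailing fields are not needed here.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+'
    r'(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<user>[^"]*)"\s+'
    r'(?P<peer>\S+)\s+(?P<ctype>\S+)\s+(?P<tag>\S+)'
)
URL_RE = re.compile(r'^[a-z]+://(?P<host>[^/:]+)(?::(?P<port>\d+))?')

@dataclass
class Entry:
    client: str
    method: str
    host: str
    port: int
    elapsed_ms: int
    nbytes: int
    policy: str  # access-policy name: 2nd element of the ACL decision tag

def parse_line(line):
    m = LINE_RE.match(line)
    u = URL_RE.match(m["url"]) if m else None
    if not u:
        return None
    port = int(u["port"]) if u["port"] else 80
    parts = m["tag"].split("-")
    policy = parts[1] if len(parts) > 1 else m["tag"]
    return Entry(m["client"], m["method"], u["host"], port,
                 int(m["elapsed_ms"]), int(m["bytes"]), policy)

def long_lived_tunnels(log_text, min_seconds=600, min_bytes=1_000_000):
    # CONNECT tunnels open longer and busier than a normal HTTPS exchange. Not proof
    # of SSH (a long HTTPS session looks the same), but the records to review.
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if (e and e.method == "CONNECT" and e.elapsed_ms >= min_seconds * 1000
                and e.nbytes >= min_bytes):
            hits.append(e)
    return hits

# Constructed sample: the first entry is the one from the question with its verdict
# block trimmed; the other two are made-up ordinary entries for contrast.
SAMPLE_LOG = """\
1518797208.150 3030787 172.19.95.113 TCP_MISS/200 4712084 CONNECT tunnel://88.159.209.181:443/ "xxxx@GDS" DIRECT/88.159.209.181 - DEFAULT_CASE_12-POLICY_WRK_ALL_USERS-ID_WRK_AUTH-NONE-NONE-NONE-DefaultGroup <nc> -
1518797300.000 812 172.19.95.113 TCP_MISS/200 15231 CONNECT tunnel://203.0.113.10:443/ "xxxx@GDS" DIRECT/203.0.113.10 - DEFAULT_CASE_12-POLICY_WRK_ALL_USERS-ID_WRK_AUTH-NONE-NONE-NONE-DefaultGroup <nc> -
1518797400.000 120 172.19.95.120 TCP_MISS/200 2048 GET http://example.com/ "xxxx@GDS" DIRECT/203.0.113.20 text/html DEFAULT_CASE_12-POLICY_WRK_ALL_USERS-ID_WRK_AUTH-NONE-NONE-NONE-DefaultGroup <nc> -
"""
```

Each hit names the client, destination and the access policy to revisit; enabling the HTTPS proxy (decryption) is what actually lets the appliance see that a port 443 tunnel is not TLS.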