topic Re: Bypassing app-ID in General Topics

Bypassing app-ID

Tician — Tue, 06 Jan 2015 10:14:03 GMT

Hello,

Recently I deploy outbound policies to filter inside traffic to Internet, but I noticed that some application bypassing app-ID filter. Just to clarify my setup I allow some application to go out (dns, web-browsing, ssl...and couple more..) service default. In that pool isn't youtube and teamviewer, but somehow they went out bypassing explicit application filter. When I filter session browser by DNS addresses of youtube servers, I found that all streaming was flowing like SSL traffic which is allowed by policy.

For TeamViewer I can't catch how he went out, in explicit deny policy I filter logs and see that teamviewer was denied until 10:00AM, but after that time I'm using him without problem...?

Any ideas?

Tician

Re: Bypassing app-ID

Retired Member — Tue, 06 Jan 2015 10:32:17 GMT

Hello Tician,

TeamViewer also uses SSL. You would need SSL decrypt in order to block it using app-id.

Regards,

Guillermo.

Re: Bypassing app-ID

mmmccorkle — Tue, 06 Jan 2015 18:51:03 GMT

Tician,

The above statement is correct. To fully utilize the App-ID inspection for SSL traffic, it has to be decrypted via the decryption policy. Otherwise how can we see what it inside the SSL traffic, besides source and destination?

Thanks!

Re: Bypassing app-ID

Tician — Wed, 07 Jan 2015 09:37:36 GMT

that's my taught's also, to deploy SSL decryption policy...

Thanks guys...!

Re: Bypassing app-ID

mmmccorkle — Wed, 07 Jan 2015 17:13:24 GMT

Please do not forget to mark this thread as 'Answered' or mark any 'Helpful' answers.

Thanks!

Re: Bypassing app-ID

jkim2 — Wed, 07 Jan 2015 20:37:26 GMT

another option is to create a custom app-id that can identify the ssl certs (common name

There are many options such as SSL-Req-Certificate , ssl-req-client-hello, ssl-rsp-cert-subjectpublickey, ssl-rsp-certicate, ssl-rsp-server-hello etc..

This will be more of a brute force approach blocking anything that matches the SSL SNI (Server name indication)

For example to block Adap.tv (advertisement)

user a custom pattern-match with context ssl-req-client-hello with a regex : .\.adap.\tv

this will match the client hello for any character going to .adap.tv for sites that use wildcards may be a bit more difficult but then you can block the entire

Many of the built in apps also identify ssl applications such as facebook-video even though its not decrypted.

Re: Bypassing app-ID

mmmccorkle — Wed, 07 Jan 2015 22:16:03 GMT

Sure, this can work for some, but with websites certain websites, like Youtube, this would not.

Youtube is classified as google.com without SSL decryption and listed under the search-engines because of the certificate CN being listed as *.google.com

With no SSL decryption, we can't differentiate between the two (Youtube and Google).

I understand this is not always the case, but it is something to consider. Instead of creating custom applications, it may be easier to just go ahead and perform SSL decryption.

Re: Bypassing app-ID

jkim2 — Thu, 08 Jan 2015 15:04:55 GMT

similar to the youtube thread. ..

if you create an app-id it'll take precedence over the built in apps

similar to if you create custom apps that are categorized as web-browsing they'll match the custom one