Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
01-06-2015 02:14 AM
Hello,
Recently I deploy outbound policies to filter inside traffic to Internet, but I noticed that some application bypassing app-ID filter. Just to clarify my setup I allow some application to go out (dns, web-browsing, ssl...and couple more..) service default. In that pool isn't youtube and teamviewer, but somehow they went out bypassing explicit application filter. When I filter session browser by DNS addresses of youtube servers, I found that all streaming was flowing like SSL traffic which is allowed by policy.
For TeamViewer I can't catch how he went out, in explicit deny policy I filter logs and see that teamviewer was denied until 10:00AM, but after that time I'm using him without problem...?
Any ideas?
Tician
01-06-2015 10:51 AM
Tician,
The above statement is correct. To fully utilize the App-ID inspection for SSL traffic, it has to be decrypted via the decryption policy. Otherwise how can we see what it inside the SSL traffic, besides source and destination?
Thanks!
01-06-2015 02:32 AM
Hello Tician,
TeamViewer also uses SSL. You would need SSL decrypt in order to block it using app-id.
Regards,
Guillermo.
01-06-2015 10:51 AM
Tician,
The above statement is correct. To fully utilize the App-ID inspection for SSL traffic, it has to be decrypted via the decryption policy. Otherwise how can we see what it inside the SSL traffic, besides source and destination?
Thanks!
01-07-2015 01:37 AM
that's my taught's also, to deploy SSL decryption policy...
Thanks guys...!
01-07-2015 09:13 AM
Please do not forget to mark this thread as 'Answered' or mark any 'Helpful' answers.
Thanks!
01-07-2015 12:37 PM
another option is to create a custom app-id that can identify the ssl certs (common name
There are many options such as SSL-Req-Certificate , ssl-req-client-hello, ssl-rsp-cert-subjectpublickey, ssl-rsp-certicate, ssl-rsp-server-hello etc..
This will be more of a brute force approach blocking anything that matches the SSL SNI (Server name indication)
For example to block Adap.tv (advertisement)
user a custom pattern-match with context ssl-req-client-hello with a regex : .\.adap.\tv
this will match the client hello for any character going to .adap.tv for sites that use wildcards may be a bit more difficult but then you can block the entire
Many of the built in apps also identify ssl applications such as facebook-video even though its not decrypted. 
01-07-2015 02:16 PM
Sure, this can work for some, but with websites certain websites, like Youtube, this would not.
Youtube is classified as google.com without SSL decryption and listed under the search-engines because of the certificate CN being listed as *.google.com
With no SSL decryption, we can't differentiate between the two (Youtube and Google).
I understand this is not always the case, but it is something to consider. Instead of creating custom applications, it may be easier to just go ahead and perform SSL decryption.
01-08-2015 07:04 AM
similar to the youtube thread. ..
if you create an app-id it'll take precedence over the built in apps
similar to if you create custom apps that are categorized as web-browsing they'll match the custom one
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
