Bypassing app-ID

L3 Networker

Hello,

Recently I deployed outbound policies to filter inside traffic to the Internet, but I noticed that some applications are bypassing the App-ID filter. Just to clarify my setup: I allow some applications to go out (dns, web-browsing, ssl... and a couple more) with service default. YouTube and TeamViewer are not in that pool, but somehow they went out, bypassing the explicit application filter. When I filter the session browser by the DNS addresses of YouTube servers, I find that all streaming was flowing as SSL traffic, which is allowed by policy.

For TeamViewer I can't catch how it went out. In the explicit deny policy I filter the logs and see that TeamViewer was denied until 10:00 AM, but after that time I'm using it without problem...?

Any ideas?

Tician



All Replies
L4 Transporter

Re: Bypassing app-ID

Hello Tician,

TeamViewer also uses SSL. You would need SSL decrypt in order to block it using app-id.

Regards,

Guillermo.

L4 Transporter (accepted solution)

Re: Bypassing app-ID

Tician,

The above statement is correct. To fully utilize the App-ID inspection for SSL traffic, it has to be decrypted via the decryption policy. Otherwise how can we see what is inside the SSL traffic, besides source and destination?

Thanks!


L3 Networker

Re: Bypassing app-ID

That's my thought also, to deploy an SSL decryption policy...

Thanks guys...!

L4 Transporter

Re: Bypassing app-ID

Please do not forget to mark this thread as 'Answered' or mark any 'Helpful' answers.

Thanks!

L3 Networker

Re: Bypassing app-ID

Another option is to create a custom App-ID that can identify the SSL certs (common name).

There are many options, such as ssl-req-certificate, ssl-req-client-hello, ssl-rsp-cert-subjectpublickey, ssl-rsp-certificate, ssl-rsp-server-hello, etc.

This will be more of a brute-force approach, blocking anything that matches the SSL SNI (Server Name Indication).

For example, to block Adap.tv (advertisement):

Use a custom pattern match with context ssl-req-client-hello and the regex: .\.adap\.tv

This will match the client hello for any character going to .adap.tv. For sites that use wildcards it may be a bit more difficult, but then you can block the entire domain.

Many of the built-in apps also identify SSL applications, such as facebook-video, even though the traffic is not decrypted.

L4 Transporter

Re: Bypassing app-ID

Sure, this can work for some, but with certain websites, like YouTube, this would not.

YouTube is classified as google.com without SSL decryption and listed under search-engines because the certificate CN is *.google.com.

With no SSL decryption, we can't differentiate between the two (Youtube and Google).

I understand this is not always the case, but it is something to consider. Instead of creating custom applications, it may be easier to just go ahead and perform SSL decryption.

L3 Networker

Re: Bypassing app-ID

Similar to the YouTube thread...

If you create a custom App-ID, it will take precedence over the built-in apps.

Similarly, if you create custom apps that are categorized as web-browsing, they'll match the custom one.
