Bypassing app-ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Bypassing app-ID

L3 Networker

Hello,

Recently I deploy outbound policies to filter inside traffic to Internet, but I noticed that some application bypassing app-ID filter. Just to clarify my setup I allow some application to go out (dns, web-browsing, ssl...and couple more..) service default. In that pool isn't youtube and teamviewer, but somehow they went out bypassing explicit application filter. When I filter session browser by DNS addresses of youtube servers, I found that all streaming was flowing like SSL traffic which is allowed by policy.

For TeamViewer I can't catch how he went out, in explicit deny policy I filter logs and see that teamviewer was denied until 10:00AM, but after that time I'm using him without problem...?

Any ideas?

Tician

1 accepted solution

Accepted Solutions

L4 Transporter

Tician,

The above statement is correct. To fully utilize the App-ID inspection for SSL traffic, it has to be decrypted via the decryption policy. Otherwise how can we see what it inside the SSL traffic, besides source and destination?

Thanks!

View solution in original post

7 REPLIES 7

L4 Transporter

Hello Tician,

TeamViewer also uses SSL. You would need SSL decrypt in order to block it using app-id.

Regards,

Guillermo.

L4 Transporter

Tician,

The above statement is correct. To fully utilize the App-ID inspection for SSL traffic, it has to be decrypted via the decryption policy. Otherwise how can we see what it inside the SSL traffic, besides source and destination?

Thanks!

L3 Networker

that's my taught's also, to deploy SSL decryption policy...

Thanks guys...!

Please do not forget to mark this thread as 'Answered' or mark any 'Helpful' answers.

Thanks!

L3 Networker

another option is to create a custom app-id that can identify the ssl certs (common name

There are many options such as SSL-Req-Certificate , ssl-req-client-hello, ssl-rsp-cert-subjectpublickey, ssl-rsp-certicate, ssl-rsp-server-hello etc..

This will be more of a brute force approach blocking anything that matches the SSL SNI (Server name indication)

For example to block Adap.tv (advertisement)

user a custom pattern-match with context ssl-req-client-hello with a regex  :     .\.adap.\tv 

this will match the client hello for any character going to .adap.tv for sites that use wildcards may be a bit more difficult but then you can block the entire

Many of the built in apps also identify ssl applications such as facebook-video even though its not decrypted. Smiley Wink

Sure, this can work for some, but with websites certain websites, like Youtube, this would not.

Youtube is classified as google.com without SSL decryption and listed under the search-engines because of the certificate CN being listed as *.google.com

With no SSL decryption, we can't differentiate between the two (Youtube and Google).

I understand this is not always the case, but it is something to consider. Instead of creating custom applications, it may be easier to just go ahead and perform SSL decryption.

similar to the youtube thread. ..

if you create an app-id it'll take precedence over the built in apps

similar to if you create custom apps that are categorized as web-browsing they'll match the custom one

  • 1 accepted solution
  • 5426 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!