Filtering HTTP over SSL connections
Web traffic has posed one of the biggest security issues. And to overcome this, URL filtering solutions are
used. Filtering solution screens an incoming web page, checks the page against the set of rules and policies
to determine whether the page access is to be allowed or not.
Filtering solutions detect and block HTTP communication as per web filtering policies but because
enterprises keep port 443 (HTTPS) open, filtering policy cannot be applied when user visits secure
(HTTPS) sites as content is encrypted.
Hence the primary circumvention method used to evade these carefully crafted web filtering policies,
is the use of HTTPS connections. Clearly, HTTPS connections pose a serious threat as it provides
employees with an easy way to avoid the enterprise’s Internet Usage policy to conceal their activities.
Using Secure Proxy is the easiest way to make use of HTTPS connection. To use proxy, user simply
points his browser to the HTTPS proxy web site and makes a request to access the destination (blocked)
site to proxy. HTTPS proxy initiates its own request as opposed to actually passing the user’s request. It
fetches the page on behalf of the user and responds back to the user as if it was the destination. This
way user and the destination (blocked) site never actually interact directly. As HTTPS proxy returns the
encrypted content directly to the user, gateway only sees the SSL encrypted traffic. URL filtering solution
cannot sniff in the encrypted traffic to determine the correct URL making filtering policies ineffective.
How does Cyberoam solve this problem?
Cyberaom approach includes SSL certificate inspection along with the filtering policies to control SSL traffic.
Cyberoam parses SSL handshake (SSLv2, SSLv3, and TLS) and extracts “Common Name” (CN) from
the certificate. It applies control filters on common name. Based on the outcome of filters, user is either
served the page or the connection is terminated.
Apart from secure proxies, client-based proxies, HTTP proxies and open proxies are also used to evade
filtering policies. Cyberoam filters the usage of these proxies with the help of its keyword and URL filtering
techniques as well as Signature based detection technique.
Additionally, to control rogue employees, SSL traffic filtering can applied on individual user or group of
users, single URL, group of URLs or entire URL category.