Is it possible to create firewall that only allows legitimate webserver traffic on port 443 and not any other service?

19

4

I always used the simple trick to bypass most firewalls which prevented me from using any ports. I simply opened ssh on one of my servers on port 443 and tunneled all traffic through there.

However I am now on a network which got firewall that I never saw in before and I didn't even know it's possible.

On this network you can use 443 port only for legitimate webserver traffic. If I open ssh, or anything else on port 443 and try to connect there from this network, it gets killed immediately. If I start apache on that server, it works.

How is this even possible? Are there some super sophisticated firewalls that are even able to analyze encrypted traffic to verify it is legitimate https traffic? How?

Petr

Posted 2016-01-11T11:58:26.947

Reputation: 1 453

4Its called SPI, higher end equipment can do more advanced inspection and terminate unwanted connections. – Linef4ult – 2016-01-11T12:15:44.283

You could create a whitelist and only allow that traffic the problem is that legitimate webserver traffic is subject to change in that, ip addresses can reassigned, so what might be Microsoft today might be Google tomorrow. You are better off using a secure tunnel to communicate with your servers, and creating a whitelist of clients that are allowed, then determine the procedure to add additional clients int he future (because that list will change). – Ramhound – 2016-01-11T12:56:54.530

You could use e.g. Obfsproxy to obfuscate the SSH traffic as harmless HTTP(S) traffic. – Michael – 2016-01-11T19:37:35.530

Answers

26

Yes, and they don't need any magic here, just trivial matching on the TCP packet contents. Even though SSH and TLS (SSL) encrypt their payloads, the protocol headers themselves are still distinguishable and very different from each other. For example, a SSHv2 connection always starts with the client sending SSH-2.0-(client name and version). Similarly, even though your firewall cannot really know whether the TLS connection carries HTTP inside, it can recognize TLS itself.

Such inspecting of layers above TCP generally falls under "Deep Packet Inspection", a relatively common feature.

One obvious way to bypass this is to tunnel SSH inside TLS – for example, using stunnel, haproxy, or sniproxy. (In addition to plain tunneling, where port 443 is dedicated to SSH-over-TLS, they can also multiplex SSH / HTTP / other protocols over the same port based on SNI and ALPN.)

While this wouldn't always defeat really sophisticated traffic analysis, it would still bypass most filters which merely check "does this look like a TLS header".

And then there's the annoying kind of firewalls – the ones which intercept TLS to decrypt and re-encrypt all traffic. These can actually see inside TLS, and can pass HTTP requests while blocking everything else. (Note that some antivirus programs also do the same thing.) You can recognize this kind by looking at the server certificates; all proxy-generated certificates look the same, and often don't pass validation, while real certificates are issued by various different CAs.

user1686

Posted 2016-01-11T11:58:26.947

Reputation: 283 655

1So SSH does its own, application-level security, rather than being just another protocol over TLS (which by default, it doesn't use)? – Medinoc – 2016-01-11T16:09:17.053

2

@Medinoc: Yes, it implements similar features (in the SSHv2 "transport" and "authentication" layers) and doesn't need TLS for anything.

– user1686 – 2016-01-11T16:26:12.657

Is there any reliable way to recognize these sniffing firewalls? I don't like the idea that someone intercept my passwords while using https. I didn't even know it's possible until now. – Petr – 2016-01-11T17:24:53.937

@Petr: Which kind – the ones that perform actual MITM attacks? These are simple: just visit a website via HTTPS and check its certificate. (You could write down the details at home, then compare against what you see on the unknown network.) Usually the browser warns loudly about those, and in some cases (e.g. Google or Facebook) won't even let you bypass the mismatch warning. (Unless you went with the network admin's "kind suggestion" to "install our company's certificate for security", in which case you let them in yourself...) – user1686 – 2016-01-11T18:44:23.543

2POST / HTTP/1.0 base64garbage HTTP/200 200 OK base64garbage makes a transport protocol – Joshua – 2016-01-11T18:51:21.390

3@Petr Extending grawity's remarks, if it's an employer owned computer the certs were probably installed before they gave it to you; and the MITM firewall will be configured so that if you're not using their cert no https traffic will be allowed so your choices are comply with policy or have no https. OTOH in that case checking the cert will probably say something like "verified by Employer Name" and something similar in the CA name if you drill deeper. eg on my work computer it's bluecoat.companyname.com (where bluecoat is the brand of the firewall being used). – Dan is Fiddling by Firelight – 2016-01-11T21:27:47.400

Asked: 2016-01-11T11:58:26.947

Viewed: 1 707 times

Active: 2016-01-11T13:18:46.307