Block SSH traffic coming from Putty with CONNECT request over port 443


Article ID: 176397


Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Block SSH traffic coming from Putty with CONNECT request over port 443


Environment

  • Explicit Deployment
  • Detect Protocol enabled on Explicit HTTP listener

Cause

By default, the ProxySG denies any CONNECT request that does not carry SSL, and a policy trace shows the following exception:

EXCEPTION(connect_method_denied): CONNECT with a protocol other than SSL is not permitted

If an ALLOW rule in policy matches the request, it overrides this default decision and the CONNECT request is allowed. The ProxySG then treats the traffic as tunneled and as HTTP.

Resolution

There are two ways to block the traffic:

Method 1 - Deny Tunneled Traffic

To block the traffic, add CPL that denies any tunneled traffic, placed so that it is evaluated after the ALLOW rule that is currently being matched. This DENY rule must also come before any rule for traffic that is tunneled and should be allowed. In short, arrange the policy so that all allowed non-tunneled traffic is evaluated before the rule that blocks tunneled traffic, and all tunneled traffic that should be allowed is evaluated after it.

The CPL rule to block would look something like this:

<Proxy>
http.method=(CONNECT) tunneled=yes DENY

This rule blocks all tunneled traffic, so every tunneled flow that should still be allowed needs its own ALLOW rule after it.

In the example below, the category News/Media and the domain "website.com" are not tunneled and are allowed, so the CPL to block is placed after that layer. Policy also tunnels example.com and eicar.org, and users need to reach those sites, so the blocking rule is placed in a layer before those rules. If the policy that tunnels them does not already contain an ALLOW, one is added.

; Layer 1: non-tunneled traffic that is allowed (evaluated first)
<Proxy>
url.category="News/Media" ALLOW
. . .
url.domain=website.com ALLOW

; Layer 2: deny everything tunneled that was not already allowed above
<Proxy>
http.method=(CONNECT) tunneled=yes DENY

; Layer 3: tunneled destinations that must remain reachable
<Proxy>
url.domain=example.com detect_protocol(none) ALLOW
url.domain=eicar.org detect_protocol(none) ALLOW


Method 2 - Force Protocol

The ProxySG can be made to enforce the protocol for requests destined to a certain port. When traffic that does not match that protocol is seen (for example an SSH handshake over port 443 instead of the SSL handshake), the ProxySG resets the connection. The CPL to use in this case is:

<Proxy>
url.port=443 force_protocol(ssl)

Note that a policy trace will still show this traffic as allowed, because the CONNECT request itself is allowed. Once the PuTTY client continues by sending the SSH protocol version string, a packet capture will show the ProxySG resetting the connection.
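To make the Method 2 behaviour concrete, here is an added illustration (not SGOS code and not from this article) of the decision protocol enforcement makes from the first bytes a client sends once the CONNECT has been accepted: a TLS ClientHello passes, while an SSH version banner on a port forced to SSL is reset. The sample byte strings and the `force_protocol_decision` helper are constructed for this example.

```python
# Added example, not part of SGOS or of the article: a stand-in for the
# decision that 'url.port=443 force_protocol(ssl)' makes from the first
# bytes a client sends inside an accepted CONNECT tunnel.

TLS_HANDSHAKE = 0x16      # TLS record type: Handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def sniff_tunnel_protocol(first_bytes: bytes) -> str:
    """Classify the first client bytes in a CONNECT tunnel.

    Returns "ssl", "ssh" or "unknown". A TLS session starts with a
    Handshake record (0x16) whose version major byte is 0x03 and whose
    first handshake message is a ClientHello (0x01). An SSH session starts
    with the ASCII identification string "SSH-<protoversion>-" (RFC 4253).
    """
    if (len(first_bytes) >= 6 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[5] == TLS_CLIENT_HELLO):
        return "ssl"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def force_protocol_decision(port: int, first_bytes: bytes, forced: dict) -> str:
    """Apply a 'url.port=<port> force_protocol(<proto>)' style rule.

    forced maps destination port -> required protocol name. Returns "pass"
    when no rule applies or the detected protocol matches, and "reset"
    otherwise, which is the behaviour the article describes for Method 2.
    """
    required = forced.get(port)
    if required is None:
        return "pass"
    return "pass" if sniff_tunnel_protocol(first_bytes) == required else "reset"


# Constructed samples: the header of a minimal TLS 1.0-framed ClientHello
# record, and the kind of banner an SSH client sends (version string made up).
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])
SAMPLE_SSH = b"SSH-2.0-ExampleClient_0.0\r\n"
RULES = {443: "ssl"}   # equivalent of: url.port=443 force_protocol(ssl)

if __name__ == "__main__":
    for label, data in (("tls", SAMPLE_TLS), ("ssh", SAMPLE_SSH)):
        print(label, sniff_tunnel_protocol(data), force_protocol_decision(443, data, RULES))
```

The CONNECT itself is accepted in both cases, which is why a policy trace still reports the request as allowed; only the bytes that follow decide whether the tunnel is reset.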