zlacker

BlueCoat makes me cry. We have an application running inside the firewall of one of our clients that communicates with a HTTPS REST API hosted by a server in our datacenter. The connection must be encrypted because it handles confidential information, but when it passes through BlueCoat's TLS proxy, the Authorization header gets mangled and it can't authenticate against our backend. Higher-ups decided that it would be better to try to convince the client to let our app bypass their proxy than to implement a custom workaround for BlueCoat users, but the client never let us through, so the only solution we could implement involved manually SCPing the required data between client and server.

>>rossy+(OP)
Ssh is almost often available to connect through the firewall. Do IT people understand how easily you can work around proxy using ssh ? Just start a vm in the cloud (like a C1 at scaleway for 3.6€ per month), install squid (with default options). On your PC, run portable applications: putty connected to your vm with a forward of proxy port and portable firefox configured to use your forwarded proxy.

>>reacwe+Gp
There's not even a need for installing a proxy! SSH has native SOCKS proxy support, so all you need to do is set up an SSH connection and set the browser connection to a dynamic SSH port forward. This also prevents leaking DNS requests : with a standard proxy your computer might be trying to look up domains using the company DNS system. With a SOCKS proxy, you can forward all DNS traffic as well!

>>jeroen+3t
How do you "set the browser connection to a dynamic SSH port forward"?

>>avodon+PA
Like this: http://i.imgur.com/VXomB7p.png

>>reacwe+Gp
Why would anyone competent allow unrestricted ssh through the corporate firewall?

>>jamesp+yD
In my experience many companies simply filter based on port number. Run your external sshd/openvpn on port 80 and you're good to go. But of course that's going off topic since TFA is obviously about middleboxes actually intercepting and analyzing the traffic.

In truth though if you start considering your employees like the enemy it's just a never ending upwards battle, especially if your employees are comp-sci folks. You could tunnel SSH over HTTP or even DNS if you cared enough.

>>avodon+PA
> ssh -D 4242 user@host

Then in firefox (or other), the socks proxy is on localhost port 4242.

>>jamesp+yD
Ask what goal they're trying to solve: is it really because the IT people want to monitor everyone's web surfing or do they have something like an audit requirement? There are a LOT of people in the latter camp who need to check the box to say they comply with some policy, regulation, etc.

Similarly, good security people know that port filtering is a losing game unless you are willing to restrict everything to a known-safe whitelist – the malware authors do work full-time on tunneling techniques, after all – and may be focusing their efforts on endpoint protection or better isolation between users/groups.

>>reacwe+Gp
The problem is middleboxes like fortigate also do MITM on ssh connections. Assuming you are not bringing home devices into work and don't have your ssh server's fingerprint memorized you might be tempted to just type 'yes' when prompted.

In any case you are left with no SSH, or somebody watching your ssh and have control over your ability to tunnel.

The best you can do with these boxes is make a sub tunnel over one of the protocols that they do allow through, you just can't rely on the primary encryption provided by the protocol that the middle box is executing MITM on. If somebody actually looks at the traffic they will see that you are not transferring plain text at the middle box, so that might raise some eyebrows.

>>simias+MF
How does the threat model where employees are the enemy differ from the threat model where malware running inside the network is the enemy?

>>daxelr+He1
You want your employees to collaborate with you avoiding and tracking down malware and potential leaks. If everybody is used to working around your restrictions you just make it harder for you to figure out what's happening when something goes wrong.

For instance if your policies are too restrictive people will use their smartphones more and more to access the internet. Then some will start doing work stuff on their smartphones and you lose all control. What do you do then? Forbid smartphones within the company? Fire everybody you catch using one? It's just an arms race at this point.

Sane security measures and some pedagogy go a long way. Easier said than done though, it's a tough compromise to make.

>>mbruml+I31
From what I've read (http://www.gremwell.com/ssh-mitm-public-key-authentication), if you use public key authentication with SSH, the MITM will break the authentication (forcing ssh to ask for a password). It's the same as with TLS client certificate authentication: in the same way the server certificate authenticates the server to your browser, the client certificate authenticates your browser to the server, and the server will reject MITM connections as unauthenticated.

While unfortunately for TLS client certificates are not a solution against MITM due to their awful user experience and privacy concerns, for SSH public key authentication has a good user experience, and is very common.