ISA Firewalls Now Support Outbound SSL Tunnel Inspection!
ClearTunnel: Close the SSL Hole!
Your ISA web filters are powerless to inspect your outbound (forward proxy) SSL connections for:
- Unauthorized browsing
- Viruses, trojan code, web exploits
- Prohibited content
All this and more can be going on right now, right under your firewall's nose, and since ISA can't inspect forward SSL connections, you might not find out until it's too late!
Get the only solution for ISA Server that empowers ISA to see inside SSL tunnels. With ClearTunnel, ISA can leverage these powerful features:
- Contents of HTTPS connections are exposed to the web proxy as normal HTTP requests/responses.
- Apply HTTP filter rules to HTTPS connections.
- Cache forward proxied HTTPS responses, decreasing your external bandwidth usage.
- Automatically compatible with most third-party web filters, enabling them to see and secure HTTPS traffic as though it was normal HTTP.
More on ClearTunnel:
Collective is currently accepting requests to participate in a Limited Beta program for ClearTunnel. If you’ve got the vision, motivation, and real-world needs to help us make this the best product possible, then we want you! Please drop us a line to sign up.
Collective Software's ClearTunnel is an earth-shaking event for the ISA firewall's competition. For several months, Blue Coat has advertised outbound SSL inspection as the major differentiator between its product and the ISA firewall. Now that ISA firewalls support outbound SSL tunnel inspection, only someone with money to burn would even consider an overpriced and underpowered Blue Coat box.
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP — ISA Firewalls

Oren Says:
June 20th, 2006 at 7:12 pm
The only way this kind of filtering can work is if it’s a MITM that generates valid SSL certs on the fly from a CA trusted by the browser.
It's very easy to detect this though, since looking at the certificate would show that it's signed by a corporate CA instead of an external one (like VeriSign).
I'm also wondering about the legal implications of this with regards to the secure transmittal of healthcare information. If an employee is submitting HIPAA-protected information through a proxy that's decrypting and inspecting it, that could be construed as a violation of privacy rights. Granted, it's accessed through an employer's network, but there are still things that are subject to extra-stringent safeguards.
Thomas Shinder Says:
June 20th, 2006 at 7:17 pm
Hi Oren,
Yes, the ISA firewall is acting as a man in the middle, but unlike a MITM attack, the ISA firewall is a TRUSTED middle man.
It is possible that it might be interpreted this way, as a privacy issue. However, HIPAA also requires that you protect your networks from intrusion. By enabling SSL inspection, you can stop the downloading of privacy-invading software that would otherwise be hidden inside an SSL tunnel. Since SSL tunnels are becoming a major vector of attack, I would argue that, since only the ISA firewall admins and domain admins can potentially access the data, the overall security and privacy posture is vastly superior to allowing attackers to steal private information over an uninspected SSL tunnel.
Tom
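The mechanism Oren describes above and Tom confirms in his reply, shown as an added example that is not part of the original post, the ClearTunnel product, or either commenter's words: a small Go program plays both the inspecting proxy (minting a certificate for the requested host under a corporate CA, on the fly) and the client (checking who issued the leaf, which root it chains to, and whether the server key matches one pinned earlier). The CA names, the host www.example.com, and the serial numbers are constructed for the example; the pinned SubjectPublicKeyInfo hash stands in for a value the client would have learned on an earlier, uninspected connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check keeps the example short; a real client would return the error instead.
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// newCA builds a self-signed CA. The same routine stands in for a public root (what a real
// site's certificate chains to) and for the proxy's corporate CA, which the browser trusts.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}
// issueLeaf mints a server certificate for host under ca. An inspecting proxy does exactly
// this for every HTTPS host a client CONNECTs to, so the browser sees a chain that validates.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}
// Verdict is what a client can observe about the leaf it was handed.
type Verdict struct {
	IssuerCN           string // who signed the leaf: the tell Oren points at
	ChainsToPublicRoot bool   // validates against the public trust store
	ChainsToCorpCA     bool   // validates only because the corporate CA was installed
	PinMatches         bool   // SubjectPublicKeyInfo hash equals the one pinned earlier
}
// spkiPin hashes the leaf's SubjectPublicKeyInfo, the value key pinning compares.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}
// inspect validates leaf for host against both root pools and checks the pin.
func inspect(leaf *x509.Certificate, host string, publicRoots, corpRoots *x509.CertPool, pinned string) Verdict {
	_, errPublic := leaf.Verify(x509.VerifyOptions{Roots: publicRoots, DNSName: host})
	_, errCorp := leaf.Verify(x509.VerifyOptions{Roots: corpRoots, DNSName: host})
	return Verdict{
		IssuerCN:           leaf.Issuer.CommonName,
		ChainsToPublicRoot: errPublic == nil,
		ChainsToCorpCA:     errCorp == nil,
		PinMatches:         spkiPin(leaf) == pinned,
	}
}
// scenario builds the genuine leaf and the proxy's forged leaf for host and inspects each.
func scenario(host string) (genuine, intercepted Verdict) {
	publicCA, publicKey := newCA("Example Public Root CA", 1)
	corpCA, corpKey := newCA("Corporate Proxy CA", 2)
	realLeaf := issueLeaf(host, publicCA, publicKey, 3)
	forgedLeaf := issueLeaf(host, corpCA, corpKey, 4)
	publicRoots, corpRoots := x509.NewCertPool(), x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	corpRoots.AddCert(corpCA)
	pinned := spkiPin(realLeaf) // assumed: learned on an earlier, uninspected connection
	return inspect(realLeaf, host, publicRoots, corpRoots, pinned),
		inspect(forgedLeaf, host, publicRoots, corpRoots, pinned)
}
func main() {
	genuine, intercepted := scenario("www.example.com")
	fmt.Printf("genuine:     %+v\nintercepted: %+v\n", genuine, intercepted)
}
```

Run it with `go run`. The forged leaf fails against the public-only root pool and passes only against the corporate CA, and its key does not match the pin, which is exactly what Oren means by "looking at the certificate". The caveat for anyone relying on this: a browser does not keep a separate public-only pool, so once the corporate CA has been pushed into the machine's trust store (for example by Group Policy), the forged chain validates silently and the issuer name or a key pin are the only things left to compare; a pin also breaks whenever the real site legitimately rotates its key, so it is a detection signal, not proof of tampering.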
Narayanan B Nair Says:
September 10th, 2006 at 8:58 am
Could you please explain how to block Skype through the ISA 2004 firewall? Is it possible? Please explain to me.
Thanks a lot
With Regards,
Narayanan B Nair