Posted on Monday, 8th February 2010 by Michael
BlueCoat Web Proxy Bypass
Several months ago an organization I work for implemented BlueCoat Web Proxy but did not purchase an SSL offload card (required for organizations of our size, as the license alone would bog down the rest of the box) or an SSL license. This limited our ability to filter anything on port 443: the traffic was encrypted and we could not decrypt the packets to apply policy, so the only way to block a site was to know its IP address and put that in policy.
This limitation creates a security concern because it allows users to use secure protocols to bypass policy. For example, your organization most likely has a policy that blocks internet-based email such as Gmail, Yahoo and so on. Thanks to Gmail's concern for its users' security and privacy, that policy can be bypassed on the BlueCoat Web Proxy: if you go to https://mail.google.com the proxy will not recognize it as a mail site, because the URL is resolved to an IP and the packets are encrypted. Gmail also never redirects you to http; if you choose https it keeps you on https, unlike Yahoo, which lets you log in over https and then redirects you to http once you are sent to your mailbox. This method works for any https site that never redirects you to http. Side note: many sites are not as big as Google, so blocking their IP range to stop this bypass of the BlueCoat web proxy may be easier.
The next issue is that, since https is required by most companies to get through a normal work day, there is most likely a firewall rule in the organization that reads: source: BlueCoat Web Proxy IP --> destination: Any --> service: http and https. This rule says that anything leaving as the web proxy is allowed to any destination on port 80 or 443. Because the BlueCoat does not act as an application proxy (it does not analyze the protocols), any open port can be used to tunnel any application. For example, since the BlueCoat our organization has (most schools and smaller shops don't have this either) lacks an SSL offload card and an SSL license, and port 443 is open, I can take advantage of this to bypass security: I have altered my SSH daemon at home to listen on port 443 instead of the default port 22. This circumvents both the web proxy and the firewall, for three reasons: first, the BlueCoat web proxy cannot analyze the https request; second, the BlueCoat web proxy does not act as an application proxy; and third, since we are using port 443 and the proxy is configured to intercept port 443, our traffic leaves the organization as that of the proxy, making use of the firewall rule that allows it anywhere on the internet on that port. Many applications that connect to the internet on certain ports can be configured to use whatever port you want. For example, an instant messenger application such as AIM or Yahoo can be configured to connect outbound over port 443, bypassing the controls put in place.
If you are an administrator of the BlueCoat you can detect people doing this, to some extent, by reviewing the BlueCoat Reporter logs. These connections show up as IP addresses with the category TCP Tunnel. If you look closely at the IP addresses you can get an idea of what they are being used for; tools like arin.net or even a Google search can turn up information about an IP. You can also check the employee's machine for applications that were not installed by your organization. This is a manual process and may cost more man-hours than it would cost to purchase an SSL license and, if needed, an SSL offload card.
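As an added defender-side example (my code, not the article's and not Blue Coat's), this script reads a constructed access log in a simplified ELFF-style layout, whose field order is an assumption, groups the TCP Tunnel sessions per client and destination, and flags destinations logged as bare IPs; it goes slightly beyond the paragraph above by also flagging sessions held open unusually long, which is what a tunnelled shell tends to look like in the log.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample in a simplified BlueCoat ELFF-style layout; the field
# order is an assumption for this example, and all addresses are made up.
SAMPLE_LOG = """\
#Fields: date time time-taken c-ip cs-categories cs-method cs-uri-scheme cs-host cs-uri-port s-action sc-bytes cs-bytes
2010-02-08 09:01:12 310 10.1.5.23 "Web Mail" GET http mail.yahoo.com 80 TCP_NC_MISS 5120 640
2010-02-08 09:02:40 84000 10.1.5.23 "TCP Tunnel" CONNECT tcp 203.0.113.10 443 TCP_TUNNELED 1843200 921600
2010-02-08 09:03:01 1200 10.1.5.77 "TCP Tunnel" CONNECT tcp mail.google.com 443 TCP_TUNNELED 40960 8192
2010-02-08 09:45:10 7260000 10.1.5.23 "TCP Tunnel" CONNECT tcp 203.0.113.10 443 TCP_TUNNELED 3072000 1536000
"""

def parse_elff(text):
    """Parse '#Fields:'-headed ELFF text into dicts keyed by field name."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, shlex.split(line))))  # keeps quoted values whole
    return rows

def is_bare_ip(host):
    """True when the destination was logged as a literal IP, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_tunnels(text, min_seconds=1800):
    """Aggregate TCP Tunnel sessions per client/destination and flag pairs that
    go to a bare IP or stay open at least min_seconds (time-taken is in ms)."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0, "max_seconds": 0.0})
    for r in parse_elff(text):
        if r["cs-categories"] != "TCP Tunnel":
            continue
        s = stats[(r["c-ip"], r["cs-host"], r["cs-uri-port"])]
        s["sessions"] += 1
        s["bytes"] += int(r["sc-bytes"]) + int(r["cs-bytes"])
        s["max_seconds"] = max(s["max_seconds"], int(r["time-taken"]) / 1000)
    findings = []
    for (client, host, port), s in stats.items():
        reasons = [name for name, hit in (("bare IP destination", is_bare_ip(host)),
                   ("long-lived session", s["max_seconds"] >= min_seconds)) if hit]
        if reasons:
            findings.append({"client": client, "dest": f"{host}:{port}", "reasons": reasons, **s})
    return findings
```

Flagged client/destination pairs are the ones worth looking up at arin.net and checking on the workstation, as the paragraph above describes.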
This technique may also work on other proxies, though I have not tested it on any. As always, if you have any comments or questions please feel free to contact me.
Edit note: I want to thank Tim C. for the update and clarification on the card name and required license.
Posted in Papers | Comments (4)
February 8th, 2010 at 5:14 pm
I believe the card is only an SSL offload card, meaning you can still decrypt SSL without the card, but it will of course eat into your CPU resources. You may need an SSL license for your Blue Coat device to decrypt SSL, but that’s a different issue.
February 9th, 2010 at 7:43 am
Thanks for the clarification; I have updated the article to match it.
February 9th, 2010 at 9:59 am
This is supposed to be a secret! Why let managers know what we are doing?
February 9th, 2010 at 10:06 am
Because it is full disclosure.