Saturday, February 22, 2014

Using McAfee Firewall Enterprise Application Control - Case Study: Why did using HTTP.Tunnel work before, and why does it no longer work after the MFE application DB update?

What is HTTP Tunnel?

HTTP Tunnel is not HTTPS. It is a separate program used by individuals or organizations to tunnel non-HTTP traffic over HTTP/S, typically to bypass filtering by a firewall. Think of it as one of the anonymizer programs a user can run to get internet access from a restrictive environment. The difference is that developers can also integrate it into their own applications.

Because this is treated as an actual application (and not a tunneling "protocol" like SSL/TLS), the MFE application DB stores its "signature" so that MFE can quickly identify traffic originating from an HTTP Tunnel application and act on it. (The same applies to other applications as well.)

So why can you still access the internet or a web server when using HTTP.Tunnel? Is MFE broken?
When you access a website (internet or intranet), MFE scans the traffic passing through it. If it determines that the site is not a web application or a known application (e.g. 4Shared, Dropbox, or Google Drive), MFE flags the traffic as plain HTTP or HTTPS because it is using port 80 or 443. The risk is that this only works some of the time (50-50). When MFE detects that the traffic resembles one of its application signatures (especially after an application DB update), the traffic is dropped, since the policy allows only HTTP.Tunnel.
When accessing an internal site, it is recommended to use a policy similar to the one shown on the right, which states that all traffic going to that server is an HTTP/S request and that the site is already trusted.

As a proof, you can try browsing the internet with a policy that uses another application signature built on HTTP (80) and SSL/TLS (443); it will work, but as soon as you browse a site that matches a known application signature, the traffic will be dropped.

What is the correct application to use?
The answer is to use the HTTP and SSL/TLS applications (or a custom application/port) to handle traffic going to a specific website or web server (webmail, web portal, and so on). As an example, below are different scenarios comparing the MFE audit log when using HTTP.Tunnel versus the combination of HTTP and SSL/TLS.

For the purpose of this example, the website being accessed is Dropbox.

Scenario 1: Application Discovery enabled on the internet and internal zones, using the HTTP and SSL/TLS applications in the policy

Fig. 1

Fig. 2
Figure 1 shows an audit report that is clean of alerts and errors. With the help of application discovery, MFE properly identifies the website as Dropbox. Figure 2 shows that this traffic is passing on port 443 and is allowed.

Scenario 2: Application Discovery enabled on the internet and internal zones, using the HTTP.Tunnel application in the policy
Fig. 3

Fig. 4

Figure 3 shows multiple attacks detected by MFE because the traffic does not match any current policy. This can be analyzed further in Figure 4, which shows that this traffic on port 443 is a policy violation because the rule allows only the HTTP.Tunnel application.

Scenario 3: Application Discovery disabled on the internet and internal zones, using the HTTP and SSL/TLS applications in the policy
Fig. 5

Fig. 6

Figure 5 shows clean audit logs similar to Figure 1; the difference is that MFE tags the application field as generic HTTPS traffic rather than Dropbox.

Scenario 4: Application Discovery disabled on the internet and internal zones, using the HTTP.Tunnel application in the policy
Fig. 7

Fig. 8

Figure 7 shows an audit log similar to Figure 3: it contains many attack and alert events because the wrong application is used in the policy. The interesting part of this scenario is that, even though application discovery is disabled, MFE is still able to tag the traffic as Dropbox. This further proves that MFE scans the traffic passing through it to check whether it matches any signature it currently has.
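To make the four scenarios above concrete, here is a small simulation of application-aware rule matching. It is an added example, not code from this post or from McAfee: the signature table, the "base protocol" idea, the port-based fallback for traffic that matches no specific signature, and the rule shape are all assumptions made for the illustration, not MFE's actual engine.

```python
# Added example (not from the post or McAfee): a simplified model of
# application-aware policy matching that shows why a rule permitting only
# HTTP.Tunnel worked until the application DB learned to recognise the
# real application (Dropbox), while a rule permitting HTTP and SSL/TLS
# keeps working. Everything below is a constructed assumption.

# app name -> (base protocol it rides on, ports). Constructed table.
APP_DB_OLD = {
    "HTTP":        ("HTTP",    {80}),
    "SSL/TLS":     ("SSL/TLS", {443}),
    "HTTP.Tunnel": ("SSL/TLS", {80, 443}),
}
# The application DB update adds a signature for Dropbox.
APP_DB_NEW = {**APP_DB_OLD, "Dropbox": ("SSL/TLS", {443})}


def classify(dst_port, fingerprint, app_db):
    """Identify the application: exact signature first, then generic by port."""
    if fingerprint in app_db:
        return fingerprint
    for app, (base, ports) in app_db.items():
        if app == base and dst_port in ports:   # generic HTTP / SSL/TLS
            return app
    return "unknown"


def evaluate(dst_port, fingerprint, allowed_apps, app_db):
    """Return (verdict, identified app) for one flow against one allow rule."""
    app = classify(dst_port, fingerprint, app_db)
    base = app_db[app][0] if app in app_db else None
    if app in allowed_apps or base in allowed_apps:
        return "allow", app
    # Assumption: traffic identified only generically (no specific signature
    # hit) is still matched on port against the rule's applications. This is
    # the "works 50-50" case described in the post.
    if app == base and any(dst_port in app_db[a][1] for a in allowed_apps):
        return "allow", app
    return "deny (policy violation)", app


if __name__ == "__main__":
    dropbox_flow = (443, "Dropbox")   # constructed sample flow
    for label, db in (("before update", APP_DB_OLD), ("after update", APP_DB_NEW)):
        for rule in ({"HTTP.Tunnel"}, {"HTTP", "SSL/TLS"}):
            print(label, sorted(rule), evaluate(*dropbox_flow, rule, db))
```

Before the update the HTTP.Tunnel rule passes the flow as generic SSL/TLS; after the update the same flow is identified as Dropbox and the HTTP.Tunnel rule denies it, while the HTTP and SSL/TLS rule allows it and tags it correctly.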

Closing Remarks
When creating a policy, identify what kind of service the destination address will offer. This is very important, not just for having a good list of firewall policies, but for having a clean and understandable one.

Enabling Application Discovery on the MFE zone is a good approach, since it allows MFE to identify traffic better.


If you have questions or other inquiries, please feel free to leave a comment and I will respond as quickly as possible. Until then, take care!