What is HTTP Tunnel?
HTTP Tunnel is not HTTPS; it is a separate program used to tunnel non-HTTP traffic over HTTP. Individuals or corporations use it to carry network connections inside HTTP/S so that they pass filtering by a firewall. Think of it as an anonymizer program that a user can use to get internet access in a restrictive environment. The difference is that developers can also integrate it into their own applications.
Because this is treated as an actual application (and not a tunneling "protocol" like SSL/TLS), the MFE application DB stores its "signature" so that it can quickly identify the traffic and take action when it recognizes that traffic passing through the network originates from an HTTP Tunnel application. (This applies to other applications as well.)
So why can you access the internet or a web server when using HTTP.Tunnel? Is MFE broken?
When you access a certain website (internet or intranet), MFE scans the traffic passing through it. If it evaluates that the site is not a web application or a known application (e.g. 4Shared, Dropbox, or Google Drive), MFE flags it as normal HTTP or HTTPS traffic because it is using port 80 or 443. The risk here is that it will only work 50-50. When MFE detects that the traffic shares a similarity with one of its application signatures (especially after an application DB update), the traffic will be dropped, since only HTTP.Tunnel is allowed by the policy.
As proof, you can try using another application signature that utilizes HTTP (80) and SSL/TLS (443) to browse the internet and it will work, but browse to a site with a known application signature and it will be dropped.
What is the correct application to use?
The answer is: use the HTTP and SSL/TLS applications (or a custom application/port) to handle traffic going to a specific website or web server (webmail, web portal and so on). As an example, below are different scenarios comparing the MFE audit logs when using HTTP Tunnel and when using the combination of HTTP and SSL/TLS. For the purpose of this example, the website being accessed is Dropbox.
Scenario 1: Enabled Application Discovery on the internet and internal zones, then used the HTTP and SSL/TLS applications in the policy
[Fig. 1]
[Fig. 2]
Figure 1 shows an audit report that is clean of alerts and errors. With the help of Application Discovery, MFE can properly identify that the website is Dropbox. Figure 2 shows that this traffic is passing on port 443 and is allowed.
Scenario 2: Enabled Application Discovery on the internet and internal zones, then used the HTTP.Tunnel application in the policy
[Fig. 3]
[Fig. 4]
Figure 3 shows multiple attacks detected by MFE, since the traffic doesn't match any current policy it has. This can be analyzed further in Figure 4, which shows that this traffic passing on port 443 is a policy violation because the policy only allows the HTTP.Tunnel application.
Scenario 3: Disabled Application Discovery on the internet and internal zones, then used the HTTP and SSL/TLS applications in the policy
[Fig. 5]
[Fig. 6]
Figure 5 shows clean audit logs similar to Figure 1; the difference is that MFE tags the application field as generic HTTPS traffic rather than Dropbox.
Scenario 4: Disabled Application Discovery on the internet and internal zones, then used the HTTP.Tunnel application in the policy
[Fig. 7]
[Fig. 8]
Figure 7 shows an audit log similar to Figure 3: it contains many attack and alert events because of the wrong application being used in the policy. The interesting part of this scenario is that, even though Application Discovery is disabled, MFE is still able to tag this traffic as Dropbox. This further proves that MFE does scan the traffic passing through it to check whether it matches any signature it currently has.
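As an added illustration (not code from this post or from the firewall vendor), here is a small Python model of the policy logic the scenarios above describe: why a Dropbox flow passes an HTTP.Tunnel rule until the signature DB learns Dropbox, and why an HTTP plus SSL/TLS rule keeps working. The matching rules and the sample signature DB are assumptions built only from the post's observations.

```python
"""Constructed simulation of the application-aware policy behaviour described
in the post. Not MFE code, no vendor API. Assumptions (from the post): a flow
with no signature match is treated as generic HTTP/HTTPS by port; such generic
traffic passes an HTTP.Tunnel rule; a flow identified as a known app is still
carried over its transport, so an HTTP or SSL/TLS rule covers it."""
from dataclasses import dataclass

# Generic application assigned when no signature matches (assumption: by port).
GENERIC_BY_PORT = {80: "HTTP", 443: "SSL/TLS"}

# Applications that describe a transport rather than one specific program.
TRANSPORT_APPS = {"HTTP", "SSL/TLS"}


@dataclass(frozen=True)
class Flow:
    dst_port: int
    host: str  # hostname seen in the request (constructed sample data)


def identify(flow, signature_db):
    """Return the application a signature match would assign, else the generic app for the port."""
    for pattern, app in signature_db.items():
        if pattern in flow.host:
            return app
    return GENERIC_BY_PORT.get(flow.dst_port, "unknown")


def evaluate(flow, allowed_apps, signature_db):
    """Return (identified_app, verdict) for one flow against one rule's allowed applications."""
    app = identify(flow, signature_db)
    if app in allowed_apps:
        return app, "allow"
    # Generic port-80/443 traffic passes an HTTP.Tunnel rule (the post's observation).
    if "HTTP.Tunnel" in allowed_apps and app in GENERIC_BY_PORT.values():
        return app, "allow"
    # A known app is still carried over HTTP or SSL/TLS, so a transport rule covers it.
    transport = GENERIC_BY_PORT.get(flow.dst_port)
    if transport in allowed_apps and transport in TRANSPORT_APPS:
        return app, "allow"
    return app, "drop (policy violation)"


def run_scenarios():
    before_update = {}                         # Dropbox signature not yet in the DB
    after_update = {"dropbox.com": "Dropbox"}  # signature added by an application DB update
    flow = Flow(443, "www.dropbox.com")        # constructed sample flow
    return {
        "tunnel_rule_before_update": evaluate(flow, {"HTTP.Tunnel"}, before_update),
        "tunnel_rule_after_update": evaluate(flow, {"HTTP.Tunnel"}, after_update),
        "http_ssl_rule_after_update": evaluate(flow, {"HTTP", "SSL/TLS"}, after_update),
    }


if __name__ == "__main__":
    for name, (app, verdict) in run_scenarios().items():
        print(f"{name:28s} identified={app:9s} {verdict}")
```

The first two results are the 50-50 behaviour the post describes; the third is the outcome with the recommended HTTP and SSL/TLS rule.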
Closing Remarks
When creating a policy, identify what kind of service the destination address will offer. This is very important not just for a good list of firewall policies, but also for a clean and understandable one. Enabling Application Discovery on the MFE zones is a good approach, since it allows traffic to be identified better.
If you have questions or other inquiries, please feel free to leave a comment and I will respond as quickly as possible. Until then, take care!