Can’t Block HTTPS Traffic Using Astaro Content Filter

Problem:  Using Astaro content filter, we were having issues with people using anonymous proxies to bypass the filter using HTTPS (port 443) instead of standard port 80.  Turns out that the Astaro content filter only processes port 80 traffic, thus leaving a pretty big hole for us to fill.  I could use packet filter rules to block these sites but that would be a never ending ordeal of individually adding site after site.  Since these types of sites come up everyday, there would be such a long list, it would, most likely, affect the performance if the firewall.

Solution:  Listen to a Security Now podcast that was on TWIT.TV and heard about OpenDNS.  This free service filters your email by DNS request instead of port.  Therefore HTTPS traffic and any other traffic requests for that site will be blocked.  All you have to do is register with OpenDNS, configure your network and setup what you want blocked.   This took me about 20 minutes to accomplish.

OpenDNS is a perfect tool for a business, school or home environment where you need a bit of added security and comfort.  Would, I recommend using OpenDNS by itself?  Probably not.  The reason being that it’s based on DNS so all someone needs to do is have the IP address of a site or change the DNS settings on the workstation and they can bypass the filter.  But a tow pronged approach of Astaro and OpenDNS is very useful indeed.  I’m sure there will be ways to circumvent this solution coming soon but in the mean time, I’ll take solace in knowing there are some frustrated students that can’t get to MySpace today.  : )

Links of Interest:

Astaro

OpenDNS

Security Now!

2 thoughts on “Can’t Block HTTPS Traffic Using Astaro Content Filter

  1. I realize this is an old post, but I had two points you might be interested in. First, https is only unfiltered when using transparent mode on the firewall. Using a standard or any authenticated mode does allow content filtering of https sites.

    Second, Astaro is adding transparent https scanning in the next major release, version 7.400. It is due out early next year, and is currently available in beta. You might want to check it out. http://up2date.astaro.com/ has more info.

  2. Thank you for the update. Unfortunately, I am unable to standard or authenticated mode. Due do my setup, transparent is the only way for me.
    I appreciate the news on version 7.4 and look forward to being able to add https scanning to our security model. That will help a great deal. I’ve been an Astaro user since 4.xx and I love what it does.
    Even with HTTPS scanning on the horizon, I will still utilize OpenDNS because it’s nice to have two layers of security.

Leave a comment

Your email address will not be published. Required fields are marked *