Firewall Troubleshooting 3: Chrome browser bypasses WebBlocker

WebBlocker:
WebBlocker is one of the most commonly used functions in the Firewall.
WebBlocker uses a database of website addresses that are identified by content categories.
When a network user tries to connect to a website, your Firebox or XTM device looks the site up in the WebBlocker database. If the website is in the database and the administrator has blocked the content category it belongs to, the user is denied access and sees a customized message explaining why.

WebBlocker works with HTTP and HTTPS proxy policies to control web browsing.

Issue:
In my company firewall, I have set up an HTTP and an HTTPS proxy and blocked some websites.
But I noticed that some agents were still able to access the blocked websites by using the Chrome browser.

Troubleshoot:
Ping the blocked website: not able to reach it
Visit it from Firefox / IE: not able to reach it
Visit it from Chrome: able to access the blocked website
So, for every web browser other than Google Chrome, the connections were denied successfully.

Go Deep:
From a Google search, I found that Google Chrome uses a protocol called QUIC, which runs over UDP/443 instead of the TCP/443 that the HTTPS proxy handles. QUIC is an experimental transport layer protocol that was first implemented in 2012 and became a default setting in 2015.

With QUIC, the Chrome browser sends traffic over UDP ports 80 and 443. Because this traffic is not HTTP or HTTPS, the WebBlocker HTTP and HTTPS proxy actions do not apply to it, and some users could use QUIC to avoid the company's security policy. Users that connect with QUIC bypass controls such as WebBlocker and SafeSearch enforcement.
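Because the proxies only see TCP, the quickest way to find out whether anyone is already using QUIC is to look for UDP flows on ports 80 and 443 leaving the trusted network. The script below is an added example, not code from the blog or from WatchGuard: it scans a constructed flow log (the log format, the trusted ranges and all addresses are assumed) for such flows, and a second helper reads the version field from a QUIC long-header packet so a capture can confirm what the flow log only suggests.

```python
"""Added example (not from the blog): flag UDP 80/443 flows that the HTTP/HTTPS
proxies never see, and confirm QUIC from a packet's long header.
The log format and the address ranges below are constructed for this example."""
import ipaddress
import struct

# Assumed "Any-Trusted" networks; replace with your own internal ranges.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Ports the HTTP/HTTPS proxies handle over TCP; the same ports over UDP mean QUIC.
PROXIED_PORTS = {80, 443}

# Constructed flow records: "<timestamp> <proto> <src:port> -> <dst:port> bytes=N"
FLOW_LOG = """\
2024-03-04T09:00:01 tcp 10.1.2.3:51000 -> 198.51.100.20:443 bytes=1200
2024-03-04T09:00:02 udp 10.1.2.3:51001 -> 198.51.100.20:443 bytes=1350
2024-03-04T09:00:03 udp 10.1.2.3:53422 -> 10.0.0.53:53 bytes=78
2024-03-04T09:00:04 udp 192.168.5.9:60100 -> 203.0.113.5:80 bytes=1200
2024-03-04T09:00:05 udp 203.0.113.7:40000 -> 10.1.2.3:443 bytes=1350
"""


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def bypass_candidates(log_text: str):
    """Return (timestamp, src, dst, port) for UDP flows on 80/443 that leave a
    trusted network: traffic a TCP-only HTTP/HTTPS proxy policy cannot inspect."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, _arrow, dst, *_rest = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dport = dst.rsplit(":", 1)
        dport = int(dport)
        if (proto == "udp" and dport in PROXIED_PORTS
                and is_trusted(src_ip) and not is_trusted(dst_ip)):
            hits.append((ts, src_ip, dst_ip, dport))
    return hits


def quic_version(payload: bytes):
    """Read the version from a QUIC long-header packet (the form every new
    connection starts with), or return None. Long header: the high bit of byte 0
    is set and bytes 1-4 carry the version. Google's pre-standard QUIC used ASCII
    versions such as b"Q046"; IETF QUIC v1 (RFC 9000) is 0x00000001."""
    if len(payload) < 5 or not payload[0] & 0x80:
        return None
    raw = payload[1:5]
    if raw[:1] == b"Q" and raw[1:].isdigit():
        return raw.decode("ascii")
    return "0x%08x" % struct.unpack("!I", raw)[0]


if __name__ == "__main__":
    for hit in bypass_candidates(FLOW_LOG):
        print("possible QUIC bypass:", hit)
    # Constructed leading bytes of an IETF QUIC v1 packet and a Google QUIC Q046 packet.
    print(quic_version(b"\xc3\x00\x00\x00\x01\x08"), quic_version(b"\xc3Q046\x50"))
```

Of the five constructed records, only the two UDP flows to ports 443 and 80 from trusted addresses are reported; the DNS flow and the inbound flow from an external address are ignored. Running the same filter over the firewall's real traffic log before adding the deny policy tells you how many users the change will affect.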

Solution:
To prevent this behavior with Google Chrome, we can either disable QUIC in the Chrome browser or add a policy that denies UDP/443.

Here are the configuration instructions that I found online:

To see QUIC connections in your Chrome browser, visit chrome://net-internals/#quic.

To disable QUIC in your network, use one of the options shown below.

Option 1: Disable QUIC in the Chrome browser
To disable QUIC in a Chrome browser, visit chrome://flags. Locate Experimental QUIC protocol and select Disabled from the drop-down menu.

Option 2: Deny UDP Ports 80 and 443
From Fireware Web UI, use this procedure to create a policy to deny connections on UDP ports 80 and 443:

Select Firewall > Firewall Policies.
Click Add Policy.
The Firewall Policies / Add Firewall Policy page appears.
Select the Custom radio button.
Click Add.
The Firewall Policies / Add Fireware Policy / Add Policy Template page appears.
In the Name text box, type QUIC.
For Type, select the Packet Filter radio button.
Click Add.
The Add Protocol dialog appears.
From the Type drop-down list, select Single Port.
From the Protocol drop-down list, select UDP. 
In the Server Port text box, type 80.
Click OK.
The UDP Port 80 appears in the Protocols list.
Repeat steps 6-10 with UDP port 443.
Click Save.
The Firewall Policies / Add Firewall Policy page appears with the QUIC policy template selected.
Click Add Policy.
The Firewall Policies / Add page appears. The Name text box contains QUIC.
From the Connections is drop-down list, select Denied.
By default, the From field contains Any-Trusted. Add or remove aliases as necessary so the From field contains the specific networks that include users that you do not want to access internet sites with QUIC.
By default, the To field contains Any-External. Do not change this unless you want to allow QUIC traffic for traffic to a specific external interface.
Click Save to add this policy to your configuration.
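To see why the packet-filter policy above matters next to the proxies, the following added example (not the blog's or WatchGuard's code) models the policy set as a small first-match evaluator. The aliases, the trusted networks, and the broad "Outgoing" allow policy are constructed; the example assumes Fireware's default automatic ordering, in which the more specific QUIC filter is evaluated before a broad Outgoing policy, and that anything no policy handles is denied.

```python
"""Added example (not from the blog or WatchGuard): a simplified first-match
policy evaluator showing why the QUIC packet filter is needed beside the
HTTP/HTTPS proxies. Aliases, rule set and the Outgoing rule are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Assumed members of Any-Trusted; Any-External is modelled as "not trusted".
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    trusted = any(addr in net for net in TRUSTED_NETS)
    if alias == "Any-Trusted":
        return trusted
    if alias == "Any-External":
        return not trusted
    raise ValueError(f"unknown alias {alias}")


@dataclass
class Policy:
    name: str
    proto: str                                           # "tcp", "udp" or "any"
    ports: frozenset = field(default_factory=frozenset)  # empty = any port
    src: str = "Any-Trusted"
    dst: str = "Any-External"
    action: str = "Allowed"                              # "Allowed" or "Denied"

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and (not self.ports or dport in self.ports)
                and in_alias(src_ip, self.src)
                and in_alias(dst_ip, self.dst))


def evaluate(policies, proto: str, src_ip: str, dst_ip: str, dport: int):
    """First matching policy wins; a connection no policy handles is denied."""
    for p in policies:
        if p.matches(proto, src_ip, dst_ip, dport):
            return p.name, p.action
    return "unhandled", "Denied"


HTTP_PROXY = Policy("HTTP-proxy", "tcp", frozenset({80}))
HTTPS_PROXY = Policy("HTTPS-proxy", "tcp", frozenset({443}))
OUTGOING = Policy("Outgoing", "any")   # assumed broad allow rule for trusted users
QUIC_DENY = Policy("QUIC", "udp", frozenset({80, 443}), action="Denied")

# Proxy-only configuration: UDP 443 falls through to the broad allow rule,
# so WebBlocker never sees it.
BEFORE = [HTTP_PROXY, HTTPS_PROXY, OUTGOING]
# With the QUIC packet filter from the procedure: it is more specific than
# Outgoing, so it is evaluated first and the UDP flow is denied.
AFTER = [HTTP_PROXY, HTTPS_PROXY, QUIC_DENY, OUTGOING]

if __name__ == "__main__":
    for label, ruleset in (("before", BEFORE), ("after", AFTER)):
        print(label, "TCP/443:", evaluate(ruleset, "tcp", "10.1.2.3", "203.0.113.5", 443))
        print(label, "UDP/443:", evaluate(ruleset, "udp", "10.1.2.3", "203.0.113.5", 443))
```

With the proxies alone, a UDP/443 connection from a trusted address is accepted by the Outgoing policy; with the QUIC policy in place it is denied, while TCP/443 still reaches the HTTPS proxy and other UDP traffic such as DNS is unaffected. Chrome falls back to TCP when its UDP attempt fails, so the browsing itself keeps working and is now subject to WebBlocker again.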


