We have an explicit (= not transparent) proxy setup using a BlueCoat ProxySG (software 6.4.3.1).
When I create Web Access Layer rules like:
- Protocol: HTTPS -> All HTTPS: Allow,
- Protocol: All TCP Tunneling: DENY,
then I can still do an SSH outside via the proxy.
Inversely, when specifying something along the lines of
- Protocol: All Shell: DENY
(with no explicit statement of HTTPS), I can also do the SSH via the proxy.
The only thing that helps (with the SSH) is to specify All TCP Tunneling: DENY.
However, in that case HTTPS also no longer works.
HTTPS thus seems to be treated like TCP tunneling. That's also what the trace file shows on an HTTPS request:
CONNECT tcp://www.xxx.com:443/
I know that as long as someone is allowed to create outgoing encrypted connections they will probably be able to make almost anything work. But I don't want to make it too easy.
So how to recognize HTTPS while not allowing too much other stuff? (Probably impossible without setting up the MitM stuff etc.) And why is there an object called HTTPS, when using it doesn't change anything? I really don't get that part.
Alrighty, looking for a User-Agent header that does not exist in the case of an SSH or the like is the official answer.
A regular HTTPS session would usually transmit these headers along with the call to the HTTP CONNECT xxx:443 method (in case of a tunneled connection). We indeed only allow connections to port 80 on the proxy, so everything not HTTP gets (no longer) tunneled.
It's security by obscurity, but I guess a lot more cannot be done in this case and with this device...
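As an added example (not from the original question or answer, and not ProxySG code), here is the check the answer describes, written as a Python classifier over explicit-proxy CONNECT requests. It parses the request line in both the standard `host:port` form and the `tcp://host:port/` form seen in the trace above, and treats a CONNECT as browser HTTPS only when it goes to an assumed allowed tunnel port (443 here) and carries a User-Agent header. The allowed port set and the sample requests are constructed assumptions.

```python
# Added example (not part of the original post, not ProxySG code): classify
# explicit-proxy CONNECT requests using the heuristic from the answer above:
# a browser's HTTPS CONNECT normally carries a User-Agent header, while a raw
# TCP tunnel pushed through the proxy (an SSH client, for instance) usually
# does not. Ports and sample requests are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: the only port a CONNECT tunnel may reach is 443 (HTTPS).
ALLOWED_TUNNEL_PORTS = {443}


@dataclass
class Decision:
    host: str
    port: int
    user_agent: Optional[str]
    allowed: bool
    reason: str


def parse_connect(raw: bytes) -> Optional[Tuple[str, int, Dict[str, str]]]:
    """Parse an HTTP CONNECT request head.

    Accepts the standard request target ("host:port") as well as the
    "tcp://host:port/" form shown in the ProxySG trace. Returns
    (host, port, headers) with lower-cased header names, or None when
    the request is not a well-formed CONNECT.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    target = parts[1]
    if target.startswith("tcp://"):
        target = target[len("tcp://"):].rstrip("/")
    host, colon, port = target.rpartition(":")
    if not colon or not host or not port.isdigit():
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return host, int(port), headers


def decide(raw: bytes) -> Optional[Decision]:
    """Apply the port + User-Agent heuristic to one CONNECT request."""
    parsed = parse_connect(raw)
    if parsed is None:
        return None
    host, port, headers = parsed
    ua = headers.get("user-agent")
    if port not in ALLOWED_TUNNEL_PORTS:
        return Decision(host, port, ua, False, "tunnel port %d not allowed" % port)
    if not ua:
        return Decision(host, port, ua, False, "CONNECT without User-Agent header")
    return Decision(host, port, ua, True, "CONNECT to allowed port with User-Agent")


# Constructed sample requests (not captured traffic).
BROWSER_CONNECT = (
    b"CONNECT www.example.com:443 HTTP/1.1\r\n"
    b"Host: www.example.com:443\r\n"
    b"User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    b"Proxy-Connection: keep-alive\r\n\r\n"
)
BARE_CONNECT_443 = b"CONNECT www.example.com:443 HTTP/1.0\r\n\r\n"
SSH_CONNECT = b"CONNECT shell.example.com:22 HTTP/1.0\r\n\r\n"


def denied_tunnels(requests: List[bytes]) -> List[Decision]:
    """Return the decisions for every CONNECT the heuristic would block."""
    return [d for d in map(decide, requests) if d is not None and not d.allowed]


if __name__ == "__main__":
    for req in (BROWSER_CONNECT, BARE_CONNECT_443, SSH_CONNECT):
        d = decide(req)
        print("%-6s %s:%d  %s" % ("ALLOW" if d.allowed else "DENY", d.host, d.port, d.reason))
```

Because the User-Agent header is supplied by the client, the classifier only separates clients that do not send one; it is the same heuristic the answer calls security by obscurity, and it is most useful for logging and alerting on bare CONNECTs to the proxy rather than as a hard boundary.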