topic Re: Blocking pornography without https inspection in Firewall and Security Management

Blocking pornography without https inspection

ED — Wed, 20 Mar 2019 12:03:58 GMT

Hi,

Trying to block pornsites like Youporn fails without https inspection in R80.10.

"Categorize HTTPS websites" is enabled. Youporn use a *.youporn.com certificate.

Is it true that Application control will not be able to block Pornography category for all sites that use a *.xxxx certificate?

Re: Blocking pornography without https inspection

Vladimir — Wed, 20 Mar 2019 12:09:56 GMT

Do you have the APPC/URLF enabled, added to the layer and are blocking the category "Pornography"?

Any chance a higher rule permitting it?

Re: Blocking pornography without https inspection

ED — Wed, 20 Mar 2019 12:47:48 GMT

APPC/URLF enabled added as to the layer and blocking category "Pornography".

If https://youporn.com is used there is no match for that rule in the Application layer and it's being accepted by the default allow in the end of the application rules.

If http://youporn.com is used it's being blocked.

Do you think the *.youporn.com certificate is the problem?

Re: Blocking pornography without https inspection

Vladimir — Wed, 20 Mar 2019 12:50:28 GMT

Nope, I think it is a categorization problem. Please report it to Check Point.

Re: Blocking pornography without https inspection

Wolfgang — Wed, 20 Mar 2019 12:54:34 GMT

checked on R80.20, is blocked

Re: Blocking pornography without https inspection

Vladimir — Wed, 20 Mar 2019 13:04:33 GMT

Then perhaps the exception categories should be examined.

Re: Blocking pornography without https inspection

ED — Wed, 20 Mar 2019 13:04:42 GMT

Thanks for checking Wolfgang. I hope someone can check it also in R80.10 without https inspection.

Re: Blocking pornography without https inspection

KennyManrique — Wed, 20 Mar 2019 13:36:00 GMT

Hi Ed,

We're also experiencing this issues on R80.20 for pornography sites hosted on cloudflare. HTTPS categorization is enabled, but the site is not recognized under HTTPS. We opened a TAC case for another customer on R80.10 with this issue also, and the only viable solution is to enable HTTPS Inspection based on sk121532.

Our policy it's configured to block uncategorized and porn sites; however since the site on HTTPS returns cloudflare certificate, the connection is allowed on second instance:

Here is the DNS Query for the site:

You can check the alternate names on the site to get other porn sites that are hosted under the same cloudflare certificate; also not blocked.

Re: Blocking pornography without https inspection

Wolfgang — Wed, 20 Mar 2019 14:14:36 GMT

checked with R80.10, blocked without HTTPS inspection

Re: Blocking pornography without https inspection

Timothy_Hall — Wed, 20 Mar 2019 17:06:09 GMT

Right, the reason that full HTTPS Inspection must be enabled in that case is that the server's certificate name/subject does not match the actual domain/website being requested by the user. In R80.30 it is planned to be able to leverage the Server Name Indication (SNI) provided by the client for filtering, instead of what the server's certificate says. Should definitely help with this particular situation. I think there may be a special version of R80.20 that supports SNI inspection as well.

Re: Blocking pornography without https inspection

HeikoAnkenbrand — Wed, 20 Mar 2019 22:08:56 GMT

The following is new in r80.30:

- SNI Support

- TLS1.3

Regards

Heiko

Re: Blocking pornography without https inspection

Vladimir — Wed, 20 Mar 2019 22:31:31 GMT

Hmm.. Tim, I think I may be missing something here:

The URL itself contains the word "porno".

We may surmise that the back-end categorization of sites would parse it out, we'll have the regex match for the categorization and would prevent even the DNS portion of communication.

So why are we even performing lookup of this URL's IP, connecting to it, analyzing its certificate etc.. ?

Re: Blocking pornography without https inspection

PhoneBoy — Thu, 21 Mar 2019 04:35:58 GMT

While some have said blocking the DNS lookups is a solution, it’s not full proof either. What if the DNS lookup doesn’t go thru the security device? Or traverses a DNS over HTTPS proxy like CloudFlare operates?

Having proper support for SNI is definitely going to help here.

Re: Blocking pornography without https inspection

ED — Thu, 21 Mar 2019 07:01:33 GMT

Wolfgang, thanks again for checking. Does R80.10 support having both HTTPS inspection and "Categorize HTTPS websites" enabled concurrently? When you tested did you have both enabled (without having your source machine going through HTTPS inspection?

Re: Blocking pornography without https inspection

Boris_Karnaukh — Thu, 21 Mar 2019 11:57:24 GMT

I had once similar issue. In my case HTTPS access to porno worked because there was an Application Control rule with "SSL Protocol" allowed.

Re: Blocking pornography without https inspection

D_W — Thu, 21 Mar 2019 14:29:12 GMT

Any chance you have HTTPS Inspection active for testing/only for specific sources?
Or do you use a proxy?

Then HTTPS Categorization will not work in R80.10.

See:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202#Additional%20Information%20-%20Update%20Services

The Categorize HTTPS sites option does not run if:

HTTPS Inspection is enabled - solved in R80.20 and above under PMTR-3908
There is a proxy between the destination site and the Security Gateway (or the Security Gateway functions as a proxy)

Re: Blocking pornography without https inspection

Vladimir — Thu, 21 Mar 2019 15:16:11 GMT

Of course relying strictly on DNS is not a solution, for all we know the site could have a URL of "https://www.cakebaking.com" and be a porn site. The issue with Cloudflare is also a possibility, albeit is not a prevalent situation yet. That being said, if we do see the URL in the clear and if the portion of its name does clearly indicate its intended use, why not take advantage of it at this early stage and forego additional processing just to block it?

I also wander if in this case, the categorization is st to "Hold":

And if this will help.

Re: Blocking pornography without https inspection

ED — Fri, 22 Mar 2019 09:25:20 GMT

Hi D_W,

I have HTTPS inspection active for only specific sources and also categorize HTTPS websites enabled. Turned off HTTPS inspection and the App/URL now stops the porn sites. I have some questions left:

1. What is the reason that having both HTTPS inspection and categorize HTTPS sites doesn't work in R80.10?

2. If i had to choose only one of these in R80.10, forexample HTTPS inspection and turned off categorization of HTTPS sites. How reliable is the APP/URL blade to stop HTTPS sites that belong to pornography category without being HTTPS inspected?

@PhoneBoy do you have any input on these questions?

Re: Blocking pornography without https inspection

Timothy_Hall — Fri, 22 Mar 2019 13:45:31 GMT

Doesn't matter if the URL requested by the client contains the word "porno", that is not what the firewall is looking at for categorization. It is looking at the site name in the certificate sent by the remote server, which does not necessarily match the site name requested by the client. This difference is what will be addressed by SNI inspection. Some large social media companies have taken advantage of this difference in an attempt to avoid filtering and keep their users engaged 24/7 even at work where the site is supposed to be blocked. All "to help ensure the privacy of their users". Yeah right...

Re: Blocking pornography without https inspection

Vladimir — Fri, 22 Mar 2019 13:58:27 GMT

What about http:// sites?

I mean what is wrong, conceptually, with the idea of categorization based on the content of the site's name in addition to the SNI? In the end, it is looking at the strings identifying the sites, it is just in case of SNI inspection it is retrieving them from the certs.