This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jonathan_Sander
Participant
‎2018-09-18 08:39 AM

whitelist AWS S3 buckets using complex URI / URL patterns?

We're working with a customer who wishes to make a whitelist entry for a range of AWS S3 bucket addresses in their firewall. The names would be in the form:

abc-*-xyz.s3-us-east-2.amazonaws.com

OR

abc-*-xyz.s3.us-west-1.amazonaws.com

Where the "*" would be a randomly generated string that maps to an ephemeral name for a particular S3 bucket.

They are claiming this is not possible because the host in the URI has more than 3 parts. So they say that if it were "abc-*-xyz.amazonaws.com" it could work. But the other pieces in that host make it an invalid authority to use in a whitelist entry.

Is that true? Might it be a limitation of some very old version? I would welcome any pointers to appropriate documentation about this as well as answers.

Thanks!

7 Replies
PhoneBoy
Admin
Admin
‎2018-09-18 02:50 PM

That doesn't sound right.

What steps are they following to try and do this on which version?

Jonathan_Sander
Participant
‎2018-09-18 03:10 PM
In response to PhoneBoy

These were, of course, my first questions as well. I am awaiting replies on both. The other detail that I do know is that this is related to deep packet inspection with SSL. The reason for the whitelisting is to have the data streams inbound from S3 on those address patterns exempt from the inspection.

In general, do you believe that a host in a URI can only have 3 parts? Or can it be arbitrarily long so long as it is a valid host name?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-18 03:22 PM
In response to Jonathan_Sander

I've never heard of such a limitation myself (related to number of hosts/domain in a URI). 

Jonathan_Sander
Participant
‎2018-09-19 04:14 PM
In response to PhoneBoy

Spoke to an engineer today who pointed out that if you create the URL as a regex instead of a plain URL, you can essentially use any form you need to. So that may be a solution for us in this case, and certainly may help others facing similar challenges. This would then be connected to the https inspection policy as an exception to avoid the deep packet inspection.

Shows the application site creation dialog in the policy creation tool entering a regular expression that contains a complicated URL URI

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-19 08:38 PM
In response to Jonathan_Sander

Regex is definitely the way to go with this.

As I recall, you can't use a custom application in the HTTPS Inspection rulebase, but you should be able to use the "category".

Is that working for you?

0 Kudos
Jonathan_Sander
Participant
‎2018-09-20 03:58 AM
In response to PhoneBoy

I'm doing all of this through proxies (people), but the way this engineer configured it was to add an entry to the policy for HTTPS inspection to bypass anything that matched those regexs for the URLs. That did seem to do the trick according to what we could tell. This was done on 80.10, but still not clear the exact version the client has.

HTTPS inspection Policy screen showing rules and one with a bypass action for these regex URL / URI types

0 Kudos
Jonathan_Sander
Participant
‎2018-09-26 05:13 AM

Looks like this was all the result of confusion. With some help from Brian Butts‌, what we discovered is that if you request something like bucketname.s3.us-west-2.amazonaws.com from AWS, they will respond from s3.us-west-2.amazonaws.com, and their certificate shows *.s3-us-west-2.amazonaws.com. These translations that cut off the bucket name likely account for the thought that the rules woudl not work with longer address, since these longer addresses were not involved with the responses and therefore a bypass on them would never work. SO it's a different issue all together.

I've opened a new thread to discuss this: https://community.checkpoint.com/message/28606-base-a-bypass-rule-on-the-request-address-not-the-res... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events