Web Filter still allowing traffic?

Author: Bold Eagle
2021/02/18 06:36:48 (permalink)

I have a web filter active with some URLs:

URL                Type      Action  Status
*.123.domain1.com  Wildcard  Allow   Enable
*.123.domain2.com  Wildcard  Allow   Enable
*.123.domain3.com  Wildcard  Allow   Enable
*.*                Wildcard  Block   Enable
 
If I do a telnet: telnet www.xyzdomain.com 443
In my opinion this should be blocked, but it shows:
 
HTTP/1.1 400 Bad Request
Server: nginx/1.17.7
Date: Thu, 18 Feb 2021 14:19:24 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.17.7</center>
</body>
</html>
 
Does this expose a security risk for a PC contacting a malware site?
 
Regards,
 
Henk
                                     
post edited by Bold Eagle - 2021/02/22 03:30:09
#1


    Yurisk
    Re: Web Filter still allowing traffic? 2021/02/21 06:36:17 (permalink)
    Your test is not good for this - URL Filtering looks at URLs in a valid browser<->web server connection; your telnet session cannot emulate this and will be closed (as you see in the output) by the web server as invalid. To verify, try browsing to the domain.
    Also make sure you don't have other rules that would allow outbound access to port 443 without Web Filtering applied.
     
    #2
    Bold Eagle
    Re: Web Filter still allowing traffic? 2021/02/22 00:40:25 (permalink)
    Hello Yurisk,
     
    Yurisk:
    Your test is not good for this - URL Filtering looks at URLs in a valid browser<->web server connection; your telnet session cannot emulate this and will be closed (as you see in the output) by the web server as invalid. To verify, try browsing to the domain.
     
    Bold Eagle:
    I know, but what if my system was infected with malware, and the website has code injected for this malware and will react to the malware request? Then it is still not blocked by the FortiGate web filter. Or is this technically impossible?
     
    Yurisk:
    Also make sure you don't have other rules that would allow outbound access to port 443 without Web Filtering applied.
     
    Bold Eagle: No other rules with port 443 exist.
     



    #3
    Yurisk
    Re: Web Filter still allowing traffic? 2021/02/22 02:45:22 (permalink)
    BTW, the last rule in your URL Filter should have action Block, not Allow, which makes the URL filter permit any website.
    Regarding the broader question of how to prevent malware potentially present in the LAN from contacting the outside world, it is too broad a question, as this depends on the malware, whether you are using Deep SSL inspection, and whether you are using AppControl in addition to URL filtering. Or, on a totally different side - are you using host-based measures like EDR/Endpoint Protection?
    You should formulate for yourself the exact threats you are trying to prevent and do an analysis of the existing state of your security controls; then you will be able to answer "given this threat with these security measures already in place, what are the chances of stopping this malware and what can be done to better those chances?".
     
    #4
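A small model, added here and not taken from either poster or from Fortinet, of the ordered filter table in the question: it shows first-match evaluation, why Yurisk insists the trailing `*.*` entry be Block, and why a bare telnet connect gives a URL filter nothing to match. The shell-style wildcard semantics and the placeholder domains are assumptions for illustration.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed copy of the thread's URL filter table (the domains are placeholders).
# Entries are (pattern, type, action, enabled) in list order; this is a simplified
# first-match model written for illustration, not FortiGate's own matching code.
URL_FILTER = [
    ("*.123.domain1.com", "wildcard", "allow", True),
    ("*.123.domain2.com", "wildcard", "allow", True),
    ("*.123.domain3.com", "wildcard", "allow", True),
    ("*.*",               "wildcard", "block", True),
]

def host_matches(pattern, entry_type, host):
    """Wildcard entries match the hostname shell-style ('*' spans dots); simple entries match exactly."""
    if entry_type == "wildcard":
        return fnmatch.fnmatchcase(host, pattern)
    return host == pattern

def evaluate_url(filter_list, url):
    """Walk the list top to bottom; the first enabled matching entry decides.
    A host that matches nothing (e.g. a dotless name) falls through to 'no-match';
    what a real product does then is a policy default outside this model."""
    host = urlsplit(url).hostname or ""
    for pattern, entry_type, action, enabled in filter_list:
        if enabled and host_matches(pattern, entry_type, host):
            return action
    return "no-match"

def evaluate_flow(filter_list, request_line=None, host_header=None):
    """Yurisk's point: a URL filter acts on the URL inside a valid HTTP request.
    A bare TCP connect like the thread's telnet test carries no request line and
    no Host header, so there is nothing to match; the server answers 400 and closes."""
    if request_line is None or host_header is None:
        return "no-url-to-inspect"
    return evaluate_url(filter_list, f"https://{host_header}/")

def catch_all_is_block(filter_list):
    """Audit check for the other point in the thread: the trailing '*.*' entry must be
    'block', otherwise the list permits every site not listed above it."""
    pattern, _type, action, enabled = filter_list[-1]
    return pattern == "*.*" and action == "block" and enabled

if __name__ == "__main__":
    print(evaluate_url(URL_FILTER, "https://app.123.domain1.com/login"))  # allow
    print(evaluate_url(URL_FILTER, "https://www.xyzdomain.com/"))        # block
    print(evaluate_flow(URL_FILTER))                                      # no-url-to-inspect
    print(catch_all_is_block(URL_FILTER))                                 # True
```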
    Bold Eagle
    Re: Web Filter still allowing traffic? 2021/02/22 03:36:52 (permalink)
    Yurisk:
    BTW, the last rule in your URL Filter should have action Block, not Allow, which makes the URL filter permit any website.
     
    [Bold Eagle]
    There was a mistake in my overview; the last one is a Block. I've corrected my question.
     
    Yurisk:
    Regarding the broader question of how to prevent malware potentially present in the LAN from contacting the outside world, it is too broad a question, as this depends on the malware, whether you are using Deep SSL inspection, and whether you are using AppControl in addition to URL filtering. Or, on a totally different side - are you using host-based measures like EDR/Endpoint Protection?
     
    [Bold Eagle]
    We also have Symantec SEP/SES in place as endpoint protection, so we have several layers of safety nets.
     
    Yurisk:
    You should formulate for yourself the exact threats you are trying to prevent and do an analysis of the existing state of your security controls; then you will be able to answer "given this threat with these security measures already in place, what are the chances of stopping this malware and what can be done to better those chances?".
     
    [Bold Eagle]
    Clear, thanks for your explanation.
     



    #5