HTTP Tunnels Though Proxies

PDF, 2.44MB
Published: 09 Sep, 2003
Created by Daniel Alman

A proper security policy should take into consideration both the business need to accomplish work and the need for privacy and security. HTTP tunnels are necessary for SSL web browsing. However, due to a weakness in the CONNECT method in the HTTP protocol, arbitrary connections can be made through an HTTP proxy server. Furthermore, if these simple tunnels are used in conjunction with other protocols and applications, VPNs can be created between the local and remote systems. Once a VPN is established, the perimeter of the local network is pushed to the remote system. The risks to the local machine and network depend on which applications are being used and on the security of the remote systems. This poses significant risk to the owners of the local network. Steps can be taken to limit the risk of HTTP tunnels being exploited and still allow appropriate SSL web traffic. The local proxy administrator can limit destinations by web site and port number. They can also monitor connection times and flag users that make repeated long-duration HTTP connections. So, while HTTP tunnels pose risks, they can be limited with proper administration, and the business need for secure web traffic can still be met.
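The two administrative controls named above (limiting CONNECT destinations by site and port, and flagging users with repeated long-duration connections) can be checked against proxy logs. The following is an added example, not code from the paper; the log layout, host names, allowlists and thresholds are all assumptions made for illustration.

```python
from collections import Counter

# Assumed policy values, not taken from the paper.
ALLOWED_PORTS = {443}
ALLOWED_HOSTS = {"bank.example.com", "mail.example.com"}
LONG_SECONDS = 1800      # a CONNECT session longer than this counts as "long"
REPEAT_THRESHOLD = 3     # long sessions per user before the user is flagged

# Constructed sample proxy log: epoch user method host:port duration_seconds
SAMPLE_LOG = """\
1062806400 alice CONNECT bank.example.com:443 42
1062806460 bob CONNECT host.example.net:22 7200
1062810000 carol CONNECT mail.example.com:443 3600
1062820000 carol CONNECT mail.example.com:443 5400
1062830000 carol CONNECT mail.example.com:443 4000
1062830100 dave GET www.example.org:80 1
1062830200 erin CONNECT bank.example.com:8443 15
malformed line
"""

def parse_connect(line):
    """Return (user, host, port, seconds) for a CONNECT entry, else None."""
    fields = line.split()
    if len(fields) != 5 or fields[2] != "CONNECT":
        return None
    host, sep, port = fields[3].rpartition(":")
    if not sep or not port.isdigit() or not fields[4].isdigit():
        return None
    return fields[1], host.lower(), int(port), int(fields[4])

def review(log_text):
    """Return (destination violations, users with repeated long tunnels)."""
    violations, long_sessions = [], Counter()
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry is None:
            continue  # non-CONNECT or unparseable lines are out of scope here
        user, host, port, seconds = entry
        if port not in ALLOWED_PORTS:
            violations.append((user, host, port, "port not allowed"))
        elif host not in ALLOWED_HOSTS:
            violations.append((user, host, port, "host not allowed"))
        if seconds > LONG_SECONDS:
            long_sessions[user] += 1
    flagged = sorted(u for u, n in long_sessions.items() if n >= REPEAT_THRESHOLD)
    return violations, flagged

if __name__ == "__main__":
    violations, flagged = review(SAMPLE_LOG)
    print("destination violations:", violations)
    print("repeat long-duration users:", flagged)
```

A single long session is not flagged on its own, since legitimate SSL sessions can be long; the duration check only flags repetition, while the destination check applies to every CONNECT request.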