Firewalls equipped with Threat Prevention can now detect domain fronting, a TLS evasion technique that can circumvent URL filtering database solutions and facilitate data exfiltration. A malicious user with a crafted packet can present a fake website in the SNI while surreptitiously connecting to a different website via the HTTP Host header. The websites actually reached through domain fronting are unlikely to be on the allow list for users, as per corporate security policies.
When the domain presented in the SNI (server name indication) differs from the one in the HTTP payload, the firewall generates a threat log with a unique threat ID of 86467 (as a Spyware signature). To provide context for threat assessment, the threat log contains the spoofed SNI domain in the URL/Filename (misc) threat log field, which is displayed as URL in the threat log. A corresponding URL log showing the HTTP Host header in the URL field is also available and can be found by searching for the matching session ID.