blocking web proxies

I've seen all sorts of people proclaiming that it's impossible to block people from using external web proxies to sites (like myspace) without blocking the whole internet.

Why couldn't you...

  1. Require everybody on your internal network to use YOUR authenticated proxy.

  2. Block ALL encrypted outgoing activity by default through the proxy (except for authorized individuals). This is to keep somebody from setting up squid at home through a broadband connection and connecting to it via SSL or some other encryption. Basically if your sniffer does not recognize/can't decipher the traffic...block it.

  3. Sniff packets at your proxy for your blocked sites (like myspace) and deny them outbound access.

This way anybody trying to access myspace through a public or private external proxy would be stopped cold. Even if they successfully connect unencrypted to a public proxy your sniffer should be able to sniff the "myspace.com" address from the packets and keep it from going through. Plus you'd have their userid and IP address on the inside (so you can drop an anvil on them!). In addition things like SSH would get blocked (due to encryption) so no forward or reverse port forwarding/layer 2 vpn would work.

Are there holes in my Evil(TM) network admin setup? :)

Reply to
Doug.Baggett
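As an added illustration (not code from the thread or from any of its posters), the three rules Doug lists, written as a small Python policy function of the kind an egress proxy's access-control hook would evaluate per request. Every name here is constructed: the blocklist, the user names, the hostnames and the sample requests. It also goes one step past Doug's post with a `mode="whitelist"` switch, the approach argued for later in the thread, so both can be compared on the same requests.

```python
"""Egress proxy policy evaluator (illustrative, not a real proxy)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import unquote, urlsplit

# Constructed policy values; a real deployment would load these from config.
BLOCKED_DOMAINS: Set[str] = {"myspace.com"}
ALLOWED_DOMAINS: Set[str] = {"example.com", "example.org"}   # whitelist mode only
ENCRYPTION_ALLOWED_USERS: Set[str] = {"jdoe"}                # the "authorized individuals"

# Anything that looks like a hostname (two or more dotted labels).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


@dataclass
class ProxyRequest:
    user: Optional[str]               # result of proxy authentication; None if absent
    method: str
    target: str                       # absolute URI, or host:port for CONNECT
    headers: Dict[str, str] = field(default_factory=dict)


def domain_match(host: str, domains: Set[str]) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def embedded_hosts(text: str) -> Set[str]:
    """Every hostname-looking token in the request after URL-decoding."""
    return {m.lower() for m in HOST_RE.findall(unquote(text))}


def decide(req: ProxyRequest, mode: str = "blacklist") -> Tuple[str, str]:
    """Return (verdict, reason) for one proxied request."""
    # Rule 1: only authenticated users get through the proxy at all.
    if not req.user:
        return "deny", "unauthenticated"

    # Rule 2: CONNECT carries traffic the sniffer cannot read, so it is
    # denied by default and allowed only for the authorized set.
    if req.method.upper() == "CONNECT":
        if req.user in ENCRYPTION_ALLOWED_USERS:
            return "allow", "authorized encrypted egress"
        return "deny", "encrypted egress not permitted for this user"

    dest = (urlsplit(req.target).hostname or req.headers.get("Host", "")).lower()

    if mode == "whitelist":
        if domain_match(dest, ALLOWED_DOMAINS):
            return "allow", f"{dest} on allow list"
        return "deny", f"{dest} not on allow list"

    # Rule 3 (blacklist mode): deny the site itself...
    if domain_match(dest, BLOCKED_DOMAINS):
        return "deny", f"blocked destination {dest}"

    # ...and deny a request to some other host that merely carries the
    # blocked name in cleartext, i.e. a relay through an external web proxy.
    # An encoded or encrypted relay would not be caught here; that is the
    # gap the rest of the thread turns on.
    haystack = req.target + " " + " ".join(f"{k}: {v}" for k, v in req.headers.items())
    for h in embedded_hosts(haystack):
        if domain_match(h, BLOCKED_DOMAINS):
            return "deny", f"blocked host {h} referenced via {dest}"
    return "allow", "policy passed"


if __name__ == "__main__":
    relay = ProxyRequest("student1", "GET",
                         "http://openproxy.example/browse.php?u=http%3A%2F%2Fwww.myspace.com%2F",
                         {"Host": "openproxy.example"})
    print(decide(relay))
    print(decide(relay, mode="whitelist"))
```

The relay check works only because the external proxy receives the target URL in cleartext; it is a string match, not a guarantee, and the whitelist branch shows why the later posters prefer that model: it needs no knowledge of which relays exist.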

man proxy chaining man non-http proxying

It's still a good idea in terms of real security.

man steganography

man non-http proxying

I would call them huge craters instead.

Reply to
Sebastian Gottschalk

How would you use steganography to obscure requests to the user's non-http proxy at home (connected to their broadband line)? Assuming you could obscure the request to the home proxy so that only it knows you are requesting a forward to myspace.com you would still have to transmit the return data back through my sniffer. I don't see how you could use steganography to obscure ALL of the return data without me recognizing it.

I admit...this is a theoretical thought game...but it's interesting anyway

Reply to
Doug.Baggett

I don't know, Sebastian. When you have a high level of knowledge about these things it's easy to forget that 99.99% of the populace doesn't. I mean... steganography, really? How many people do you suppose would know how to set up something like that? To go to myspace.com??!! And let's hope that you at least have your normal users comfortably trapped behind limited user accounts that I'm sure can be circumvented, but, once again, not by the 99.99% herd. So they would never be able to install the software that you would need to get around that anyway.

The measures Doug outlined will stop the casual user trying to circumvent your controls (i.e., the 99.99% mentioned above). If you have actual hackers inside your network with ill intent then you have a personnel issue as much as a security issue and all hope is lost.

Reply to
Rod Engelsman

What got me thinking about all this was an article I came across today talking about how kids are getting around myspace.com filtering at school by using external web proxies. The argument is that you can't know all the proxies that are open worldwide so there is no way to block them from myspace.com.

Reply to
Doug.Baggett

At best: DNS resolving, bypassing all your measures entirely. Just encode it in base64, split it up into 64 chars chunks and make some DNS requests to an authoritative zone you own (or 0wn). Send back the reply in TXT records.

That's quite easy, even for HTTP. 128 bits in an ETag header value, some 1000 bits in the whitespace encoding of the response HTML file, multiplied by 60 images and 20 includes... your lack of creativity is disturbing. :-)

It's a theoretical and practical lost game. It's only fun if the losers recognize themselves as such.

Reply to
Sebastian Gottschalk
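Sebastian's post describes a DNS covert channel: data chunked into labels of a name under a zone the sender controls, answers returned in TXT records. The traffic never touches Doug's proxy, so the place to look is the resolver's query log. As an added example (not from the thread or its posters), here is a Python scorer over a constructed query log that flags the features such a channel cannot avoid: many queries from one client to one zone, long data-carrying prefixes, high per-character entropy, and a high TXT ratio. The log lines, IPs and zone names are all constructed; `t.tunnel.example` is a placeholder, and the fixed three-label zone split is a simplification a real tool would replace with the public suffix list.

```python
"""Heuristic DNS-tunnel detector over a resolver query log (illustrative)."""
import math
from collections import Counter, defaultdict
from typing import Dict, Tuple

# Constructed sample log, one query per line: "<client ip> <qname> <qtype>".
# 10.0.0.5 is ordinary browsing; 10.0.0.7 sends long base64-looking labels to
# one zone and asks for TXT answers; 10.0.0.9 shows long but rare CDN names.
SAMPLE_LOG = """
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 ns1.example.com A
10.0.0.5 www.example.org A
10.0.0.5 static.cdn.example.net A
10.0.0.5 www.example.com AAAA
10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Qgb2YgdGhlIHR1bm5lbA.t.tunnel.example TXT
10.0.0.7 QmxvY2tlZCBzaXRlIHJlcXVlc3QgY2h1bmsgMDEgb2YgMDYgZm9y.t.tunnel.example TXT
10.0.0.7 7xK2mQ9vLpZ4tRwY1sHnE8cJbU3dVfA0gXoI6aNqMlWkTyBrCe5h.t.tunnel.example TXT
10.0.0.7 Zz9y8Xw7Vu6Ts5Rq4Po3Nm2Lk1Ji0HgFeDcBa-_AbCdEfGhIjKl.t.tunnel.example TXT
10.0.0.7 pQ1rS2tU3vW4xY5zA6bC7dE8fG9hI0jK1lM2nO3pQ4rS5tU6vW7x.t.tunnel.example TXT
10.0.0.7 M1n2O3p4Q5r6S7t8U9v0W1x2Y3z4A5b6C7d8E9f0G1h2I3j4K5l6.t.tunnel.example TXT
10.0.0.9 c4f1a9e2b7d3056f8e9a1b2c3d4e5f6a7b8c9d0e1f2a3b4c.img.cdn.example.net A
10.0.0.9 0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7.img.cdn.example.net A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores far above names like 'www' or 'mail'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str, zone_labels: int = 3) -> Tuple[str, str]:
    """Crude split into (data-carrying prefix, zone): the last `zone_labels`
    labels are treated as the zone. A real tool would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def detect_tunnel_candidates(log_text: str, min_queries: int = 5,
                             min_mean_len: float = 25.0,
                             min_entropy: float = 3.5) -> Dict[Tuple[str, str], dict]:
    """Flag (client, zone) pairs that repeatedly send long, high-entropy prefixes."""
    stats: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"queries": 0, "txt": 0, "lens": [], "ents": []})
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines rather than crash
        client, qname, qtype = parts
        prefix, zone = split_name(qname)
        s = stats[(client, zone)]
        s["queries"] += 1
        s["txt"] += qtype.upper() == "TXT"
        s["lens"].append(len(prefix))
        s["ents"].append(shannon_entropy(prefix))

    flagged: Dict[Tuple[str, str], dict] = {}
    for key, s in stats.items():
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        # All three thresholds must hold: volume, length and entropy. The
        # query-count floor keeps isolated long CDN names from being flagged.
        if (s["queries"] >= min_queries and mean_len >= min_mean_len
                and mean_ent >= min_entropy):
            flagged[key] = {
                "queries": s["queries"],
                "txt_ratio": s["txt"] / s["queries"],
                "mean_prefix_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, zone), info in detect_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {info}")
```

The thresholds are starting points, not calibrated values; in practice they are tuned against a baseline of the site's own resolver logs, and the per-(client, zone) aggregation is what makes the scorer robust to any single label looking innocent.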

So what? A certain well-known DNS tunneling tool is freely available on the net, can be installed with just some mouse clicks and will make look dumb.

How many people do know how to enter "tunneling" in Google or ask someone who has a clue in Usenet or a web forum?

But by the malware. One privilege escalation path is enough and it has been proven that enumeration of weaknesses for certain ACL models is very feasible.

Ehm... could you have misunderstood ACLs? Wherever the user has write access he can save an executable (or create, when it comes to downloads), is the owner and can give himself exec rights.

This has been addressed with Software Restriction Policies in Windows XP and yes, if correctly used it works quite well!

So where exactly do you want to adjust the border between effectiveness and costs? How effective is any obscurity? Why not threaten the users with true claims about policy enforcement and untrue claims about monitoring?

BTW, once it breaks, people will tell each other how to break it.

And even that's wrong. There are numerous feasible ways to limit damage in case of a break-in. A very typical one is known as "firewall" and, guess what? That's the group topic!

Reply to
Sebastian Gottschalk

"That's quite easy, even for HTTP. 128 bits in an ETag header value, some 1000 bits in the whitespace encoding of the response HTML file, multiplied by 60 images and 20 includes... your lack of creativity is disturbing. :-) "

hmm...I'll have to meditate on that :)

Reply to
Doug.Baggett

And what exactly didn't you understand about "You cannot solve purely social problems with technical measures"? It's a long-term proven mantra. People will find ways to circumvent it, they will tell everyone about it, you will always lose the game.

The point is that one well-known cryptographer stated: There is no question about whether a covert channel exists or not, just about how large its bandwidth is. Sometimes it's unexpectedly large.

As, for example, DNS tunneling -> 50% bandwidth efficiency!

Reply to
Sebastian Gottschalk

Oh..I'm pretty open minded about the ability of mammals (humans in particular) to figure a way around a lock. All one has to do is watch a pair of squirrels cooperate getting into a bird feeder to understand that (In my case one ended up hanging over the supposedly non graspable bird feeder roof and used his claws to push the seed onto the ground while the other gathered on the ground below...then they switched duties until it was all gone!).

But I'm also open minded about the ability of humans to create some pretty HARD locks to get through. The SuperMax prison in Colorado dubbed "Alcatraz of the Rockies" comes to mind.

At some point the amount of work involved to get around a lock or to create a lock becomes such that the work involved is not worth the effort.

With Intelligent HS students of course the challenge of getting through the filtering system ends up becoming the motivator.

I was just curious as to how hard you COULD make it and what you'd have to do to defeat it. This forum IS about the technical side :) Not to say "well I was thinking of what you said before you posted" but...I was thinking in general about having the data as non-encrypted binary data but I had not thought about it in the level of detail you had (very interesting BTW).

If I were a sysadmin or network admin for a school I'd definitely be more paranoid about the environment (thinking about the way I was back in HS..of course all I had was a C-64 back then..)

If I ran a lab I'd probably have to run OpenBSD desktops in chrooted jails before I'd let a class of HS CS students (especially if it was a TAG - Talented and Gifted - class). :)

Reply to
Doug.Baggett

SOCKS 4a + whitelisting. But as whitelisting is impractical, you have to resort to blacklisting and therefore to losing.

Anyway, trials cost time and money.

This is no forum, this is Usenet.

And well, before actually looking at the headers, I already concluded that this came in through Google Groups. What a sad development, a lousy Web2News gateway being better known than the Usenet itself, which has existed since long before the Internet... damn, we need an RFC for IP-over-NNTP.

I would not. Simply said, content filtering is a bad idea of a technical solution to a social problem. I wouldn't bother around with it, I would add it to the policy and let just the claim of consequences be the only real enforcement - of course, if you did some sufficient monitoring or logging, you can enforce consequences for a policy violation.

"Piss him off and you'll be fired by tomorrow morn', \\ because he's the guy who knows that you've been surfing p*rn. \\ So make sure that you stay nice to your \\ system administrator."

What about FreeBSD? It runs X.org, Gnome and Mozilla and is rock-solid. What about Windows XP with Software Restriction Policies in place (and a good auditing of third-party programs not circumventing the policies). No need to make fuzz about anything but basic security measures (and auditing them), as it's always a good base for refinement.

Reply to
Sebastian Gottschalk

Looks to me like more than "just some mouse clicks". Maybe for the client app, but the server takes some setting up.

Most people don't know shit about Usenet and most users aren't going to even consider that something like this is possible. Or even what DNS or IP is for that matter.

If your point is that a sufficiently knowledgeable and motivated person can circumvent the controls, then I won't argue with you.

But you've just been telling us all that you can't stop this sort of thing! So which is it? Can you or can't you?

I think the bigger issue here is "What's your goal?"

If you imagine that you can completely stop any conceivable threat, then you may as well give up because even the CIA has leaks. But you can make it as hard as you want, and can afford.

If you are running a school network that students can access, then you should have the administration on a separate VLAN at least and maybe even a completely physically separate network. Corporates should firewall accounting, R&D, and HR.

Whitelisting is entirely appropriate for many if not most corporate users and very effective. But I agree that blacklisting is a losing battle in the long run.

Reply to
Rod Engelsman

There is nothing that says you have to provide internet access to any employees at any time. A simple fact is that if you only provide internet access to those that actually have a business need and then you only allow access to business partner sites, you don't have problems like many describe here.

Allowing unrestricted internet access to ALL employees is a foolish thing that is done by people that don't care about their networks.

You can eliminate 99% of all web browsing threats by using white lists, content filtering, black lists, and rules based browsing.

Reply to
Leythos

If I were thinking of business I'd agree with you. The whole thing that got me thinking about this was the High School environment where you have a need for students to have the widest possible access to information but you don't want them spending all day reading myspace.

Reply to
Doug.Baggett

And you can still block it - as "Students" don't deserve/have a right to the entire internet. They can do that at home.

You've got to adjust your thinking - access to the internet is not a given right, it's a tool, and unlimited access in a k-12 environment is not needed by the students.

Reply to
Leythos

Log. Inspect the logs. Punish.

And there is a teacher in the room, right?

Reply to
Rod Engelsman

It's impossible to block certain sites by using black-listing. And that's good :-)

Everyone should have access to all information.

You can just install PHProxy [1] on your Webserver and can bypass content-filtering things even without using SSL / TLS.

[1]
formatting link
Reply to
Lars Geiger

If you don't have control of the firewall, and that's part of what this thread started with - the kids don't have control of it, you can easily block the ability to proxy, it's done all the time.

Black listing alone is only part of the solution path in any good firewall setup.

Reply to
Leythos

And, as every time on this argument: we're talking about computers. Such things can be automated and implemented as "toolz" the kiddies can use.

Yours, VB.

Reply to
Volker Birk

Have any links to these automated tools? Sebastian didn't supply any and when I googled for it what I found was anything but automated. The server software was of the *nix make-configure variety and you needed two machines, one of which was a dns name server connected in to the global network.

But the bigger obstacle here is the need for the client app and a tun/tap interface. In this conversation I'm assuming that the user does *not* have administrator access to their workstation. Garden-variety employees shouldn't have that access and neither should students to school-owned PC's. So without admin rights you would never be able to implement this. And to be honest, I have yet to find *any* client-side apps for this. Is the ntsx program symmetrical like OpenVPN (one package, both server and client)?

Reply to
Rod Engelsman
