ENCRYPTED in port 80 header

I just started seeing some traffic on my firewall going to port 80 of some outside servers. The headers start out with ACTION=ENCRYPTED&DATA=. Does anybody know what this pertains to?

Reply to
Philip Washington

If your firewall is corporate and not your local home wall, could it be someone is trying to tunnel with an app such as HTTPORT?

I know keys can be set up to encrypt the traffic via HTTP to the end host, which does the dirty work of using the ports you have blocked on your wall.

Just an idea

Cheers

Sheldon

Reply to
Sheldon Botha

Yes, it is a corporate firewall. We have restrictions on using IM services and I suspected that this is what was going on.

Does this create any extra security risks beyond typical http traffic?

Reply to
Philip Washington

Thanks for the input, and I think I should rephrase my question. I think by its nature it is no less secure than standard http, but the encrypted/proxy aspect of this makes me a little nervous.

This is probably out of the realm of this newsgroup, but someone here may be able to point me to better information on this.

Are there any known risks (legal or other) to the company if we allow users to use this service?

Reply to
Philip Washington

Well, it means that the subjects can now pretty much bypass the rules you have set in. For example they could use something like HTTPort to use filesharing (KAZAA) or to visit PORN sites using your bandwidth. This of course you do not want. There are indeed ways against this. HTTPORT, for example, offers 2 general ways of use: you can connect to their public servers or have your own setup at home. You can either block the IPs this person is connecting to or try and trap them. I have read there are IDS systems in place to catch out this type of tunneling; I cannot unfortunately go very in depth into this, however.

Another problem for you is once you stop one way, there are so many more, meaning that there is for example HTTPORT, SOCKS2HTTP, and many other "service vendors" selling and giving away these services.

It is and can most definitely be VERY VERY harmful to your corporation. It can allow viruses and p*rn to come into your local corporation unchecked. It pretty much will allow that user to surf/chat/download unchecked.

This will be a major headache which will become worse as he/she discovers more advanced methods of use for it.

I would suggest reading up on this and methods against it ASAP.

Cheers

Sheldon

Reply to
Sheldon Botha

At 3 Dec 2004 09:01:25 -0800, you posted:

Correction: You _did_ have restrictions - they've been bypassed.

At 3 Dec 2004 09:27:58 -0800, you rephrased that to:

Certainly. Now, you have no idea what is going over the wires. Is it pr0n - company secrets - or something "innocent" but merely wasting the company bandwidth? You don't know.

The 'alt.privacy' newsgroups are probably the one place, but are almost certainly in favor of "you have no right to stop me".

Ask your company lawyers how they intend to defend the company against future sexual harassment complaints because you are allowing pr0n. Ask management to absolve you of any claims about losses of company data, and lost productivity. Ask the HR types (and the lawyers) how to put in place a policy against this - that's really going to be fun.

Old guy

Reply to
Moe Trin

That shouldn't be hard, but legally, it doesn't matter which department they are in. I suppose if it's someone up on mahogany row, you'd want to watch your step, but they're just as liable as the janitor. If you want some real fun, wait until you catch the company president's 12 year old son downloading pr0n onto Daddy's computer, and getting it hopelessly 0wn3d with tons of viruses, trojans, spybots and other n33t s*1t.

/sbin/route add -net 56.0.0.0 netmask 248.0.0.0 reject

and suddenly, all of 56.0.0.0 through 63.255.255.255 is unreachable. Takes longer to SSH into the firewall than it does to add that route. Or, one can add a reject route to the luser's company IP address, and suddenly the Internet is b0rken... for him.

VERY BAD IDEA - it's called "entrapment" and gets the company (and maybe you too) sued out the wahzoo. Anyway, in nearly all cases, it's not needed.

That you can do, provided the lawyers agree (there needs to be a policy in force that the computers are subject to search). You don't need anything special in software - I carry an overstuffed boot floppy with all the tools I need. Remember, physical access beats _five_ aces.

Suicide. Don't even think about it unless this is LONG ESTABLISHED POLICY and company legal (and each luser) has signed the policy.

Actually, I couldn't do so - I stopped using windoze in 1992, and haven't worked for a company that used a microsoft O/S since 1993. But I wouldn't recommend anyone trying this either - that's what the security and H/R bodies are for.

You don't nail 'em. That's not your job. You see that H/R and security have all they need, and document this (including off-site copies if you might be threatened).

That is a major point. Should be against company rules/policies, etc. That HAS TO BE IN PLACE BEFORE YOU GO OFF shooting the lusers, lest you get involved in a nasty "wrongful termination" lawsuit. Consult the company landshark.

Please note that I'm not the original poster with the problem. Where I work, we have quite Draconian policies in place, warning signs all over hall and gone, and a tightly configured firewall and proxy. Attempts to bypass this are easily detected, and subject the perp to instant dismissal for cause. Likewise, we don't allow 'non-company' computers into the buildings, much less allow the users to mess with the company hardware. Each employee has signed a copy of the policy which is stuffed into their personnel folder. We don't have problems. The last klown that got shot thought that using an encrypted link would prevent anyone from seeing what he was doing - forgetting the fact that if I can't understand exactly what is going on, I WILL FIND OUT RIGHT NOW. I won't ignore it just because it's encrypted (or otherwise "unknown").

Old guy

Reply to
Moe Trin

"Old guy" much agreed.

My suggestion is keep track of what IP/host on your LAN this traffic is coming from, and whether they are a normal user or in some form of IT Dept. I would suggest research in IDS systems that can stop this, but also, once you have tracked what user/users this data is coming from, set a trap. If you do not have an admin share to their PCs, get together with their local IT dept to check things like OE History; while they are not on shift have some form of logger or surveillance device installed. You could use something like AdmWin with admin share to attach at any time and take screenshots. Once you have caught them in the act, nail them.

Whether they are chatting on IRC sucking up company bandwidth, sending confidential documents or downloading p*rn, what they are doing should be illegal via company rules. I think get your plan of action to block these sites, but before you do, find out where it is from and what it is; then you can make a final judgement.

Cheers

Sheldon

Reply to
Sheldon Botha

Old guy, I see your points and once again agree. Sorry, I came from IT Departments where the law was written on every and anything you could do; farting wrong on the network would get you in deep trouble.

The thing is (the problem) once you block the end host, there is always another one available with the help of google.com, thus I wanted him to firstly find out which host it is coming from, and then find out exactly what it is that is causing this. For all we know maybe he is doing nothing illegal (although I'm sure he is tunneling). I was curious whether he is some backend user or someone on IT staff, as if this guy is at another site running the wall he may be needing some help from the local site's IT Dept in this matter. It wasn't that I thought an IT guy should get more or less of a warning.

Of course if the company does not have sufficient rules in place on what kind of activities are allowed by the users, then they should be drawn up ASAP and HR should push them out. If you want internet access from work you sign; if not, no prob, no internet. The users can't have any moan against it: you get paid to work, to profit your company, not to sit on ya butt n surf p*rn. This of course (me knowing, having been in IT) is like the end of the world when you block them off from a time wasting activity they should not be engaged in.

Philip, please let us know the outcome of this, and what the cause was. Old guy, thanx for the good advice in this; I admit I didn't think of it from other companies' perspectives.

Cheers

Sheldon

Reply to
Sheldon Botha

If your corporate firewall is a Netscreen (ScreenOS 5.1), Sonicwall (generation 4), or Fortinet, you should enable Deep Inspection/IPS - the IDP functionality on all 3 will detect http tunneling attempts.

Reply to
Mark S
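Added example, not code from any poster in this thread and not taken from the Netscreen, Sonicwall or Fortinet products Mark names: a small Python scanner showing what an "http tunneling" signature of the kind those IPS features carry amounts to, run over constructed log lines. It matches the ACTION=ENCRYPTED&DATA= prefix the original poster saw and, as a second heuristic, flags long base64-shaped, high-entropy form values, then totals hits per internal source address so you can see which LAN host is talking to which outside server before blocking anything. The tab-separated log format, the addresses and hostnames, and the 4.5-bit entropy cut-off are all assumptions made for the example.

```python
"""Signature and heuristic scan for HTTP-tunnel traffic in a proxy/firewall log.

Added example for this thread; not code from any poster or from any IPS product.
The log format is constructed: one request per line, tab-separated as
    src_ip  method  host:port  path  body        ("-" means an empty body)
"""
import math
import re
from collections import defaultdict

# Signature: the prefix the original poster saw on outbound port-80 requests.
TUNNEL_SIGNATURE = re.compile(r"ACTION=ENCRYPTED&DATA=", re.IGNORECASE)

# Heuristic: a form value that is long, base64-shaped and high-entropy is more
# likely an encoded tunnel frame than ordinary form data.
BASE64_VALUE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off, tune per site


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character (0.0 for empty)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log_line(line):
    """Split one constructed log line into a record dict."""
    src, method, host, path, body = line.rstrip("\n").split("\t", 4)
    return {"src": src, "method": method, "host": host, "path": path,
            "body": "" if body == "-" else body}


def form_values(body):
    """Return the values of an application/x-www-form-urlencoded body."""
    return [kv.split("=", 1)[1] for kv in body.split("&") if "=" in kv]


def suspicious_reasons(rec):
    """List why a request looks like tunnel traffic (empty list = clean)."""
    reasons = []
    if TUNNEL_SIGNATURE.search(rec["path"]) or TUNNEL_SIGNATURE.search(rec["body"]):
        reasons.append("tunnel-signature")
    for value in form_values(rec["body"]):
        if BASE64_VALUE.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append("encoded-payload")
            break
    return reasons


def scan(lines):
    """Aggregate flagged requests per internal source address.

    Returns {src_ip: {"hits": int, "hosts": set, "reasons": set}}: which LAN
    host is sending the traffic and to which outside servers.
    """
    report = defaultdict(lambda: {"hits": 0, "hosts": set(), "reasons": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        reasons = suspicious_reasons(rec)
        if reasons:
            entry = report[rec["src"]]
            entry["hits"] += 1
            entry["hosts"].add(rec["host"])
            entry["reasons"].update(reasons)
    return dict(report)


# Constructed sample log lines (addresses, hostnames and payloads are made up).
SAMPLE_LOG = [
    "10.0.0.12\tPOST\ttunnel-relay.example.invalid:80\t/\tACTION=ENCRYPTED&DATA=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
    "10.0.0.12\tPOST\ttunnel-relay.example.invalid:80\t/\tACTION=ENCRYPTED&DATA=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHR1bm5lbA==",
    "10.0.0.33\tGET\twww.example.com:80\t/index.html\t-",
    "10.0.0.40\tPOST\tintranet.example.com:80\t/login\tuser=alice&pass=secret",
    "10.0.0.51\tPOST\tupload.example.net:80\t/api\tDATA=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
]


if __name__ == "__main__":
    for src, entry in sorted(scan(SAMPLE_LOG).items()):
        print(f"{src}: {entry['hits']} flagged request(s) to "
              f"{', '.join(sorted(entry['hosts']))} [{', '.join(sorted(entry['reasons']))}]")
```

The signature alone catches only the tool the original poster happens to be seeing; the entropy heuristic is there because, as Sheldon notes, blocking one relay just moves the user to the next one, and the encoded-payload shape is what the replacements have in common. Expect false positives from legitimate uploads, so the report is a starting point for the "find out which host and what it is" step, not an automatic block list.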

In our case (and I think it wiser), policy was set at corporate level, and applied to everyone - even the cook in the cafeteria who used his computer to publish a tiny web site with the breakfast/luncheon menus.

I think a bit depends on how well you know your network, and what is running on your network. We can easily determine which drop the suspect computer is located on, and it normally takes less than five minutes to be at that drop with two security bodies. Not running windoze helps, because the users simply can't mess with the software without being detected.

and I take that to mean IT staff.

I've been lucky - the places I've worked had quickly realized both the dangers of Internet access (legal problems, as well as productivity and security) as well as the problems that can/could occur fairly early in the game, and the policies were put in place way back when. A lot of our people do need at least some access as part of their job, so problem people get terminated rather than lose access. As this is a known fact, we simply don't have the problems. The users know it's a hair trigger problem, and let us know IN ADVANCE when they might be doing something out of the ordinary. Even ten minutes' notice is enough to cushion the bear trap reaction.

Agreed.

Old guy

Reply to
Moe Trin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.