Kids bypassing firewall via web proxy sites

Ansgar -59cobalt- Wiechers wrote:

Nothing new here. I'm quite aware of tunneling to dump files, any clown with netcat can do that quite easily. In fact i've used it myself. Very handy Your reply also ignores the fact that a properly set up system uses firewalls, policies and lockdowns, not just content filters.

As the admin, *I* will decide what DNS queries (and all other traffic) will leave the network, and also occur between network segments. Lets look at tour example of DNS, and what rules would be put in place.

1. Only server's would be allowed to send DNS requests out.
2. Only certain DNS server's would be allowed to query. Would these rules allow *your* wkstn's DNS queries out? No. Would they be blocked and logged? Yes Would the admin be asking you some questions about you intentionally violating AUP? Would you enjoy being fired? Goto 1, and repeat for most, if not all traffic. The obvious exception here is SSL tunnelling, but there are such things as SSL whitelists.

This assumes you got the tool to send the packet on the PC in the first place, which is another matter and another violation of AUP.

While everything you and others have stated is *possible*, you are looking at each technique in isolation of a total setup, and ignoring a properly layered approach. I'm yet to see a properly set up enterprise that allows the end user to initiate a direct connection with the outside world. With internal servers/units that allow/disallow certain traffic types, yes; letting Joe User have a direct SMTP, HTTP, DNS(or whatever) connection with anywhere external, NO.

In theory you could bring in tools, then clink away trying to find a weakness in the setup, but the chances of doing it undetected are very,very slim. If you would like to take the risk and think you can get away with it, please keep your cubicle tidy so your replacement doesn't trip over the junk you leave behind when you get terminated and escorted off the premises. Cheers, E.

And IE is not fully Wc3 compliant. E.

I love that last paragraph.

And I readily agree. There's very little that escapes detection. Especially with the tools available today.

All these articles require direct connection, and in the cse of the specific article, the ability to create a PPP session. I'm yet to see an certified environment that allows you to create a dialup, let alone has standard phone sockets lying around for you to play with.

Already covered this aspect. E.

Didn't you read it? There is no official way to disable CSS is IE. If you know an undocumented one, please share your information.

So far you might try to add a user stylesheet that disables all previous styles. Still that doesn't stop the exploit from working, IE will always parse the supplied stylesheet and do the boundary error, running arbitary code.

Which other one?

Ehm, actually is does display this website pretty well if the MIME type is registered or if text/html is used instead.

I don't blame Microsoft that with the release of IE6 the MIME type for XHTML wasn't finally approved. I blame them for not adding the correct one later with one of those many IE updates (which seem to be pretty useless anyway). What's the point about adding one simple MIME type?

My fault - fumble-finger. Read RFC2026

"It is a well-established principle that an SMTP server may refuse to accept mail for any operational or technical reason that makes sense to the site providing the server."

Maybe there is something you don't understand. Can you point out the word "relay in that sentence? Can you point to the word in the _title_ of that section? Can you cite ANY RFC that _requires_ my network to accept _packets_ from everyone - never mind mail?

Valid NDNs? No - and I see less than one of those a month because our users rarely have reason to talk to incompetent domains.

Actually, the federal laws here do protect the rights to filter, and the legal mind-set encourages it. While some have pointed to figures saying that spam is approaching 90% of the SMTP traffic in the world, it's even greater for us because we don't use a lot of Internet email - it doesn't fit into the scope of business. Internal mail is another story, but we have ways of controlling problems there.

Old guy

Sorry - that was a typo - try RFC2026 instead

2026 The Internet Standards Process -- Revision 3. S. Bradner. October 1996. (Format: TXT=86731 bytes) (Obsoletes RFC1602, RFC1871) (Updated by RFC3667, RFC3668, RFC3932, RFC3979, RFC3978) (Also BCP0009) (Status: BEST CURRENT PRACTICE)

You seem to feel that all RFCs, whether standards or not, whether _current_ or not must be followed by everyone exactly. You have a very fundamental misunderstanding about the Internet. Perhaps the first sentence of the first paragraph of that RFC might give you a hint. Then read the rest of the document.

Old guy

nospam.nospam might become a fully valid NDN. Wanna send a DNS request for every mail, potentially ignoring domains becoming available while delivering but being unavailable when the message is received?

No. It's not required. It's the application sample in the article.

Yours, VB.

No. There was the claim, that there is no RFC covering the usage of a valid mail address as the sender. I offered one to refute. Period.

Yours, VB.

"Didn't I read it?"

IE does not display *anything* from the webpage. Ergo if IE doesn't display anything, it's going to be extremely difficult for me to read whatever was on the webpage.

Did you have any particular reason to ignore the second paragraph?

No, but as has been pointed out over and over again: your network and your servers are not the problem.

cu

59cobalt

Yes - the first sentence in the first paragraph. Bear in mind this isn't a blanket restriction. But when some one abuses our network or our servers, then our willingness to accept further traffic from them ends. It's really quite simple. The guy who runs our block system reviews other public block lists, but someone getting listed on (example) SPEWS doesn't automatically get into ours. We block people who abuse us. We do follow the _principles_ that SPEWS uses - holding the listed entity responsible for their IP space. Continued abuse means wider blocks, and yes we do have some blocks that have less than eight '1's in the netmask.

Old guy

Ah, but you didn't. Read RFC1036 again. Specifically the first paragraph on the first page where it states

This document defines the standard format for the interchange of network News messages among USENET hosts. It updates and replaces RFC-850, reflecting version B2.11 of the News program. This memo is disributed as an RFC to make this information easily accessible to the Internet community. It does not specify an Internet standard. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Straight out of the RFC - typo and all.

It might surprise you, but the account I'm posting from doesn't _have_ a valid email address. That was intentional. The account name doesn't comply with the accepted standards for a *nix username, and mail tools and applications reject it. Just because I may post on Usenet does not mean that I am inviting mail of any sort for any reason.

RFC1036 has been a problem RFC since the early 1990s. Do a google search for "son-of-1036" which was a proposed replacement that went no-where. RFC0850 and it's successor RFC1036 used the concept of a news article being mail, and even included the 'Reply-To:' concept from mail. But Usenet isn't mail. RFC1855 sort of recognized this difference, but it is also out of step with the times, never mind not being an Internet standard either. Things didn't really get out of hand with address harvesting until

1997 or so, but it certainly is now.

Old guy

You should stop misusing IE as a webbrowser. :-)

Anyway, I pointed you to adding the relevant MIME type. Then it will display fine, even on IE.

Well, until now I wasn't aware of this irony. No bad pun whatsoever.

I did.

We were not talking about Internet standards, but about an RFC.

Yes. BTW: this RFC never will be an Internet standard. It documents an Usenet standard in an RFC.

And the Usenet is not the Internet.

With your sight of RFC1036 being problematic, I agree. I cannot see, why an RFC for usenet should exist at all.

While it does.

Yours, VB.

We do something called BrowseReporter, this tells you which web site each user has accessed. You can use this to track who has been where and at what time. You can download it from

We also have BrowseControl which allows you to block web sites

Hope that helps!!

Regards Divyesh