Re: Bypassing proxies
On Tue, 19 Nov 2002 at 04:59:08PM +0100, DEFFONTAINES Vincent wrote:
> people do what they please.
> my job is [to try] to keep the network secure, in spite of users installing
> whatever.

Not to mention if you burden your proxy server with all this overhead it
may not function well on any volume level. I work for a Fortune 50 company
with 40,000+ employees globally. Our firewall/proxy servers barely work as
it is...let alone examining packets at layer 5 for validity.

--
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #190: CPU needs bearings repacked
Re: Bypassing proxies
* Quoting DEFFONTAINES Vincent ([EMAIL PROTECTED]):
> > Since the traffic is encrypted, content filtering
> > will not trigger.
>
> That's true for HTTPS, not HTTP.

According to their website, the tunnel is AES-encrypted.

> > Why do you allow people to install software on the
> > clients, if you don't trust them.
>
> people do what they please.
> my job is [to try] to keep the network secure, in spite of users installing
> whatever.

Mission impossible. Tunnels exist for almost every protocol.

- rk

--
These wheels are for inline skates only, unless you are stupid.
Aggressive skating can be dangerous and hazardous to your health.
If you get hurt, you are doing it wrong.
RE: Bypassing proxies
> > Wondering if some people know of some "content-aware" proxies/filters, to
> > attempt to block [some of] those dangerous products (apart from maintaining
> > a black-list...)
>
> Since the traffic is encrypted, content filtering
> will not trigger.

That's true for HTTPS, not HTTP. And still, encrypted traffic could be
filtered based on other criteria than content analysis.

> > Certainly, it will always be possible to encapsulate anything in HTML very
> > sharply, but some filtering could be made still?
>
> If you allow traffic between the client and the
> Internet at all, tunneling will always be
> possible.

Indeed. But I believe some things could be filtered in some cases, and are not.

> > (Maybe even run a browser on the proxy and have it check it is able to
> > display what goes through? sounds a bit freak, doesn't it?)
>
> Why do you allow people to install software on the
> clients, if you don't trust them.

People do what they please.
My job is [to try] to keep the network secure, in spite of users installing
whatever.

> - rk
>
> --
> These wheels are for inline skates only, unless you are stupid.
> Aggressive skating can be dangerous and hazardous to your health.
> If you get hurt, you are doing it wrong.
Re: Bypassing proxies
* Quoting DEFFONTAINES Vincent ([EMAIL PROTECTED]):
> Wondering if some people know of some "content-aware" proxies/filters, to
> attempt to block [some of] those dangerous products (apart from maintaining
> a black-list...)

Since the traffic is encrypted, content filtering
will not trigger.

> Certainly, it will always be possible to encapsulate anything in HTML very
> sharply, but some filtering could be made still?

If you allow traffic between the client and the
Internet at all, tunneling will always be
possible.

> (Maybe even run a browser on the proxy and have it check it is able to
> display what goes through? sounds a bit freak, doesn't it?)

Why do you allow people to install software on the
clients, if you don't trust them.

- rk

--
These wheels are for inline skates only, unless you are stupid.
Aggressive skating can be dangerous and hazardous to your health.
If you get hurt, you are doing it wrong.
Re: Bypassing proxies
> > Wondering if some people know of some "content-aware" proxies/filters, to
> > attempt to block [some of] those dangerous products (apart from maintaining
> > a black-list...)
>
> If you allow out FTP I will be able to start an SSH connection over port
> 20 (FTP-Data) and it will look like a binary data transmission on any
> network sniff. In reality I am forwarding a local port to a remote
> squid proxy and instructing IE, Netscape or the browser of choice
> to proxy through the local port. Finding a solution to block something
> like this (similar to what you mentioned above) may be difficult...
>
> If you find something, please let me know...

I've bypassed proxies before (check out DESPROXY on freshmeat). One
possible way to deal with it is to require an authentication method that
the bypass doesn't understand.

A
RE: Bypassing proxies
> -----Original Message-----
> From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 19 November 2002 15:30
> To: DEFFONTAINES Vincent
> Cc: debian-security@lists.debian.org
> Subject: Re: Bypassing proxies
>
> On Tue, 19 Nov 2002 at 02:48:04PM +0100, DEFFONTAINES Vincent wrote:
> > Wondering if some people know of some "content-aware" proxies/filters, to
> > attempt to block [some of] those dangerous products (apart from maintaining
> > a black-list...)
>
> If you allow out FTP I will be able to start an SSH connection over port
> 20 (FTP-Data) and it will look like a binary data transmission on any
> network sniff.

I would say it should not look like it. I may be wrong, but on an FTP
binary connection "most" of the data goes in only one direction. And the
data that goes back is checksums, etc., therefore it could be calculated
and checked by the proxy. An SSH or even a telnet connection is more
"asymmetric" than that: you cannot calculate the content of a packet from
another.

That kind of check wouldn't make things impossible for someone who wants
to bypass a proxy, they would just need to send more data to encapsulate
their messages...

> In reality I am forwarding a local port to a remote
> squid proxy and instructing IE, Netscape or the browser of choice
> to proxy through the local port. Finding a solution to block something
> like this (similar to what you mentioned above) may be difficult...
>
> If you find something, please let me know...
>
> --
> Phil
>
> PGP/GPG Key:
> http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #236: microelectronic Riemannian curved-space fault in
> write-only file system
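The directional heuristic Vincent sketches above (an FTP-data transfer moves nearly all its bytes one way, an interactive session does not) is easy to prototype as a flow scorer. The following is an added example written for this thread, not code from any poster or from any proxy product. It scores a flow on two features: the share of bytes travelling in the minority direction, and the number of times the direction of payload-carrying data flips. Packet records, port numbers and thresholds are all constructed for the illustration; a real deployment would feed it flow records from a sensor and tune the thresholds against its own FTP traffic.

```python
"""Flow-direction heuristic for spotting interactive sessions hidden on a
bulk-transfer port such as FTP-data (TCP/20).

Added example for the debian-security "Bypassing proxies" thread; all flow
records below are constructed sample data, not captures.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str  # "c2s" (client to server) or "s2c" (server to client)
    payload: int    # payload bytes; 0 for a bare ACK


@dataclass
class Flow:
    name: str
    dst_port: int
    packets: list


def direction_stats(flow):
    """Return (c2s_bytes, s2c_bytes, turns), ignoring zero-payload packets.

    A 'turn' is a change of direction between consecutive payload-carrying
    packets; bulk transfers have almost none, interactive sessions many.
    """
    c2s = s2c = turns = 0
    last = None
    for p in flow.packets:
        if p.payload == 0:
            continue  # ACK-only segments say nothing about who is talking
        if p.direction == "c2s":
            c2s += p.payload
        else:
            s2c += p.payload
        if last is not None and p.direction != last:
            turns += 1
        last = p.direction
    return c2s, s2c, turns


def minority_ratio(c2s, s2c):
    """Share of payload bytes sent in the less-used direction (0.0 .. 0.5)."""
    total = c2s + s2c
    return 0.0 if total == 0 else min(c2s, s2c) / total


def classify(flow, bulk_ports=(20,), max_minority=0.05, max_turns=2):
    """Label a flow on a bulk-transfer port as 'bulk' or 'suspicious:<why>'.

    Thresholds are constructed for the example: a genuine FTP-data transfer
    is expected to be one-directional (minority share near 0, no turns).
    """
    if flow.dst_port not in bulk_ports:
        return "ignored"
    c2s, s2c, turns = direction_stats(flow)
    reasons = []
    if minority_ratio(c2s, s2c) > max_minority:
        reasons.append("bidirectional")
    if turns > max_turns:
        reasons.append("interactive")
    return "suspicious:" + "+".join(reasons) if reasons else "bulk"


# --- constructed sample flows ------------------------------------------------

def bulk_upload():
    """FTP STOR on the data channel: 50 full segments up, only ACKs back."""
    pkts = []
    for _ in range(50):
        pkts.append(Packet("c2s", 1460))
        pkts.append(Packet("s2c", 0))
    return Flow("ftp-data STOR", 20, pkts)


def interactive_tunnel(pad_to=0):
    """A terminal-style session on port 20: 20 short client writes, each
    answered by the server. pad_to > 0 inflates the client side to model the
    'send more data' countermeasure mentioned in the thread."""
    pkts = []
    for _ in range(20):
        pkts.append(Packet("c2s", max(48, pad_to)))
        pkts.append(Packet("s2c", 80))
    label = "tunnel on 20 (padded)" if pad_to else "tunnel on 20"
    return Flow(label, 20, pkts)


def scan(flows):
    """Classify every flow and return {name: verdict}."""
    return {f.name: classify(f) for f in flows}


if __name__ == "__main__":
    for name, verdict in scan([bulk_upload(), interactive_tunnel(),
                               interactive_tunnel(pad_to=8192)]).items():
        print(f"{name:24s} {verdict}")
```

Running the sample flows shows the trade-off the thread points at: the plain session trips both checks, while the padded one hides from the byte-ratio check but is still caught by the turn count, because padding changes how much is sent, not how often the two sides alternate. A tunnel that buffers its traffic into a few large exchanges would pass both checks, so this is a tripwire to raise an alert on, not a guarantee, which is the thread's own conclusion.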
Re: Bypassing proxies
On Tue, 19 Nov 2002 at 02:48:04PM +0100, DEFFONTAINES Vincent wrote:
> Wondering if some people know of some "content-aware" proxies/filters, to
> attempt to block [some of] those dangerous products (apart from maintaining
> a black-list...)

If you allow out FTP I will be able to start an SSH connection over port
20 (FTP-Data) and it will look like a binary data transmission on any
network sniff. In reality I am forwarding a local port to a remote
squid proxy and instructing IE, Netscape or the browser of choice
to proxy through the local port. Finding a solution to block something
like this (similar to what you mentioned above) may be difficult...

If you find something, please let me know...

--
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #236: microelectronic Riemannian curved-space fault in
write-only file system