RE: [fw-wiz] httport 3snf
From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: 10/21/02
- Next message: Devdas Bhagat: "Re: [fw-wiz] httport 3snf"
- Previous message: Robert E. Martin: "[fw-wiz] httport 3snf"
- Maybe in reply to: Robert E. Martin: "[fw-wiz] httport 3snf"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] httport 3snf"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
To: "'Robert E. Martin'" <rmartin@fishburne.org>, firewall-wizards@nfr.com
Date: Mon Oct 21 13:42:01 2002
Require authentication for outgoing SSL requests through your proxy server.

Log excessive requests to a particular server. Excessive by number of
requests, as well as by data volume. This becomes particularly relevant if
you can do it by userid, if you are authenticating requests. Students making
use of httport will typically only show a single site in their request
lists, since all outgoing requests will be tunnelled through that site.

Also consider monitoring how much data is *sent* as part of the request if
you can. Typically web surfing has a very low sent/received ratio.
Connections/requests that are higher than average may indicate different
protocols being tunnelled.

Also, identify the public httport servers (from the web site), and put
explicit block rules in your proxy or firewall.

Try using something like ngrep on port 443 for strings that httport uses as
part of the protocol. This is the one most likely to achieve the results you
need, but would involve setting up a client, a host, and a sniffer to
determine what those strings are.

Of course, if the traffic is encrypted, as they seem to offer, you could try
running ssldump with the keypair supplied with the software. (I assume it is
SSL compatible; if not, you're out of luck on that one.) See above re:
traffic analysis.

Finally, and this should really be the first action, update your policy to
make "bypassing firewall restrictions" a punishable offence.

Good luck.

Rogan
> -----Original Message-----
> From: Robert E. Martin [mailto:rmartin@fishburne.org]
> Sent: 21 October 2002 03:57
> To: firewall-wizards@nfr.com
> Subject: [fw-wiz] httport 3snf
>
>
> Hi there.
> We run Redhat 6.0 with ipchains and have been able to block AIM and
> others with this system quite effectively, however, our students here
> have discovered HTTport 3.snf to bypass our proxy server using a SSL
> connection. Is there a way to stop this without bringing the rest of the
> network to its knees? I have been unable to sniff the packets
> successfully enough to find out what ip address the host ssl server is,
> but I am able to launch the program on my local machine, sniff the
> packets and see that the first thing that happens is a DNS Request. Can
> I block DNS requests for a specified url, ipaddress or other entry via
> IPCHAINS?
>
> Thanks for your time.
>
> --
> Robert E Martin
> IT Manager
> Fishburne Military School
> rmartin@fishburne.org
> 540.946.7726
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
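The per-user/per-destination request counting and sent/received ratio heuristics Rogan suggests, as an added illustration that is not part of the original thread: a small analyser over a constructed, hypothetical proxy log format (timestamp, authenticated user, method, destination, bytes sent, bytes received). The thresholds are assumptions to be tuned against a site's own baseline.

```python
from collections import defaultdict
# Constructed sample proxy log (hypothetical format, not from the thread):
# timestamp user method destination bytes_sent bytes_received
SAMPLE_LOG = """\
1035200001 alice CONNECT www.example.com:443 512 40960
1035200002 alice GET http://news.example.org/ 300 12000
1035200003 bob CONNECT tunnel.example.net:443 60000 61000
1035200004 bob CONNECT tunnel.example.net:443 55000 58000
1035200005 bob CONNECT tunnel.example.net:443 70000 65000
1035200006 bob CONNECT tunnel.example.net:443 52000 50000
1035200007 carol GET http://www.example.com/ 280 8000
"""

def parse_log(text):
    """Parse one record per line into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, user, method, dest, sent, recv = parts
        records.append({"user": user, "method": method, "dest": dest,
                        "sent": int(sent), "recv": int(recv)})
    return records

def summarise(records):
    """Aggregate per (user, destination): request count and bytes each way."""
    agg = defaultdict(lambda: {"requests": 0, "sent": 0, "recv": 0})
    for r in records:
        a = agg[(r["user"], r["dest"])]
        a["requests"] += 1
        a["sent"] += r["sent"]
        a["recv"] += r["recv"]
    return agg

def flag_suspects(agg, min_requests=3, max_ratio=0.2):
    """Flag pairs with many requests to one host, or a sent/received ratio far
    above ordinary web surfing; thresholds are illustrative assumptions."""
    suspects = {}
    for key, a in agg.items():
        ratio = a["sent"] / a["recv"] if a["recv"] else float("inf")
        reasons = []
        if a["requests"] >= min_requests:
            reasons.append("many requests to a single host")
        if ratio > max_ratio:
            reasons.append(f"high sent/received ratio {ratio:.2f}")
        if reasons:
            suspects[key] = reasons
    return suspects
```

In the sample, only bob's repeated CONNECTs to one host with roughly symmetric byte counts are flagged; ordinary browsing by alice and carol stays below both thresholds.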