List:       focus-ids
Subject:    Re: how to detect http tunnel?
From:       "Kurt Seifried" <bt () seifried ! org>
Date:       2003-02-04 1:44:31

> hi,
>   my environment here is squid/linux serving 1000 users. i need to detect
> any proxy request which could be a http tunnel connection (e.g. p2p).
> can anyone give me hint which IDS or tool (e.g. squid patch)
> (free or commercial) can detect suspicious proxy connections, or send me
> weblink to tech. paper on this topic?
>
> thank you
>
> bobr.

Use squid acl's to block outgoing access to ports other than 80, 443 and
whatever else you consider "safe". Please note that of course users can
still put tunnels through these. Blocking the "CONNECT" method would largely
block tunneling software, however this would also break HTTPS for most
clients. Probably the best advice is to simply log and then check logs for
suspicious activity. I assume your AUP/TOS says no proxying software; this
is generally better dealt with as a social issue than a technical issue (as
a savvy user, if I can access my external web server on port 80, I can use it
as a proxy).

Ultimately you can't block all proxy connections, data embedded in images or
base64 encoded responses, etc. Trying to do so leads to vendors doing things
to get around it, Microsoft and SOAP for example (which goes through
firewalls like industrial strength laxative).


Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
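As an added example (not part of the original post or of Squid), a small Python checker implementing the "log and then check logs" advice above: it reads Squid native-format access.log lines, constructed here as sample data, and flags CONNECT requests to any port other than 443 plus plain requests to ports outside a "safe" list. The safe-port sets and the field positions are assumptions about your own squid.conf and log format.

```python
"""Flag Squid access.log entries that look like HTTP tunnels.

Added example, not code from the original post. Assumes Squid's native
access.log layout: timestamp, elapsed, client, code/status, bytes, method,
URL, ident, hierarchy/peer, type.
"""
from urllib.parse import urlsplit

SAFE_PORTS = {80, 443}   # assumption: extend with whatever you consider "safe"
SSL_PORTS = {443}        # assumption: ports a CONNECT is expected to reach

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
1044320671.123    245 192.168.1.10 TCP_MISS/200 1234 GET http://example.com/index.html - DIRECT/203.0.113.5 text/html
1044320672.456  90000 192.168.1.11 TCP_MISS/200 987654 CONNECT secure.example.net:443 - DIRECT/203.0.113.6 -
1044320673.789 120000 192.168.1.12 TCP_MISS/200 5000000 CONNECT peer.example.org:6881 - DIRECT/203.0.113.7 -
1044320674.000     10 192.168.1.13 TCP_MISS/200 300 GET http://example.com:8080/x - DIRECT/203.0.113.8 text/plain
"""

def target_port(method, url):
    """Return the destination port implied by a log entry, or None."""
    if method == "CONNECT":               # URL field is just host:port
        _, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else None
    parts = urlsplit(url)
    if parts.port is not None:            # explicit :port in the URL
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)

def flag_tunnels(log_text):
    """Return (client, method, url, reason) for each suspicious entry."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                      # malformed or truncated line
        client, method, url = fields[2], fields[5], fields[6]
        port = target_port(method, url)
        if method == "CONNECT" and port not in SSL_PORTS:
            hits.append((client, method, url, "CONNECT to non-SSL port"))
        elif method != "CONNECT" and port not in SAFE_PORTS:
            hits.append((client, method, url, "request to non-safe port"))
    return hits

if __name__ == "__main__":
    for hit in flag_tunnels(SAMPLE_LOG):
        print(*hit)
```

Long-lived CONNECT sessions to port 443 with large byte counts (like the second sample line) are not flagged here; they need a separate duration or volume threshold, since a legitimate HTTPS session and a tunnel look identical at this level.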