Vulnerability Development mailing list archives

Re: N2H2 Web Proxy/Filter appliance


From: crispin () WIREX COM (Crispin Cowan)
Date: Fri, 16 Jun 2000 23:43:07 -0700


Mark wrote:

Now: Change your browser settings from "use a proxy" to "Direct
connection to the internet" and guess what? You've just disabled the
censoring proxy in three seconds. Oh, great. Amazing what simple
stupidity can do.

Indeed.  I've seen some of our kids get around some of the things that our
webmasters have put up trying to "protect" certain web pages, and they did
it in a matter of seconds.  It's amusing :)

That is one of several reasons we are using unrouted internal addresses
and requiring all communications with the outside travel through proxy
servers.  You disable web proxy/filter server, you don't surf.  :)

Hmmm ... are you allowing the workstations to SSH out?  If so, then the
kiddies can port forward a local port and surf on a remote, public proxy.  If
not, then how do you expect to do secure remote access?

Bottom line:  firewalls are UTTERLY USELESS at containing people on the
inside.  If they wanna get out, they will.  The most vigorous example of this
is Marcus Ranum's implementation of TCP/IP running on top of DNS requests.
You CANNOT block someone on the inside from communicating data with the
outside.  It's fairly difficult just detecting such communication if they
don't want you to find it.

Crispin

--
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
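
A defender-side sketch of the detection problem raised above for data carried in DNS requests, added here as an example and not part of the original message: it flags client/domain pairs whose query names carry many long, high-entropy subdomains. The thresholds, function names and sample log are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample log of (client_ip, queried_name); not real traffic.
SAMPLE = [("10.0.0.5", n) for n in
          ("www.example.com", "mail.example.com", "cdn.example.com")]
# Eight constructed lookups whose leftmost label is 40 hex characters,
# standing in for payload chunks encoded into query names.
SAMPLE += [("10.0.0.23", hashlib.sha256(bytes([i])).hexdigest()[:40] + ".t.example.net")
           for i in range(8)]


def entropy(text):
    """Shannon entropy of text, in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def parent_domain(name):
    """Naive parent zone: the last two labels (real use needs the Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def flag_tunnel_like(queries, min_unique=5, min_avg_len=30, min_entropy=3.5):
    """Return {(client, domain): stats} for pairs whose subdomains look like encoded data."""
    subs = defaultdict(set)
    for client, name in queries:
        name = name.lower().rstrip(".")
        domain = parent_domain(name)
        sub = name[:-len(domain)].rstrip(".")
        if sub:
            subs[(client, domain)].add(sub)
    flagged = {}
    for key, labels in subs.items():
        avg_len = sum(len(s) for s in labels) / len(labels)
        bits = entropy("".join(labels).replace(".", ""))
        if len(labels) >= min_unique and avg_len >= min_avg_len and bits >= min_entropy:
            flagged[key] = {"unique": len(labels), "avg_len": avg_len, "entropy": bits}
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in flag_tunnel_like(SAMPLE).items():
        print(client, domain, stats)
```

A sender who keeps labels short and the query rate low stays under these thresholds, which is the detection difficulty the message describes.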


