Vulnerability Development mailing list archives

Re: N2H2 Web Proxy/Filter appliance


From: rhill () DUNCANVILLE K12 TX US (Richard Hill)
Date: Sun, 18 Jun 2000 10:01:51 -0500


We have the N2H2 proxy server at our High School, mpow.  The thing is a
piece of crap; most sites that are already blocked are blocked by name only,
i.e. chat.yahoo.com is blocked, but if you do an nslookup or a ping and get its
IP address and stick that in your browser it goes right through the proxy
server and Boom, you have your chat. Now www.playb0y.com is blocked by both,
but most new sites and less popular sites are blocked by name only. It would
be impossible to keep up with all the IPs of every site you wanted blocked
and enter them into the pos along with the names. I called N2H2 about this
little problem and they thanked me and told me that it was now on their
directors level and there was nothing more they could help me with. As of
yet I have not seen a fix.

-----Original Message-----
From: Blue Boar
To: VULN-DEV () SECURITYFOCUS COM
Sent: 6/17/00 3:27 PM
Subject: Re: N2H2 Web Proxy/Filter appliance

OK, I appreciate everyone's point on the topic.  I would like to avoid
people trying to convince other people to not do something if possible,
though it's fine to point out why something is a problem.

I agree with both parties... it is impossible to keep people from
getting out... if they're clever enough.  Any protocol can be tunneled
over any other, as long as it's not timing sensitive.

It's also fair to take into account your users' level of expertise,
and what the value of what you're trying to protect is.  I certainly
wouldn't tell someone that it's OK to connect one's classified net
to the Internet via a proxy, because you could keep them from going
where they want.  That's not going to fly.  It is certainly worth noting
that proxies won't keep most of the people who subscribe to this list
from getting their pr0n.

However, if you're talking about high school kids (and the fact that
he's probably trying to comply with some ridiculous censorship requirement)
then this setup is probably adequate, to meet the requirements.  If some
kid is smart enough to arrange with an outside tunnel endpoint, and
if they catch him, they'll nail him with some totalitarian high school
anti-hacker rule, and make his life miserable (not that I have an
opinion on the subject :) ).  If they don't catch him, well then it
doesn't matter, does it?  The guy has fulfilled his due diligence, and
as far as anyone knows, it's effective.

The guy obviously knows about doing various types of baselines to catch
changes... but he never said he was going to.  Again, he may not actually
want to catch policy violators.  Though, if that's the case, I'm sure he
can't comment on it here.  In fact, he never said he wasn't a student
trying to get pr0n from the high school comp lab.

For folks who actually want to detect this sort of thing, you put in an
IDS or some sort of burglar alarm mechanism, and you don't tell anyone
about it.  No, this isn't security through obscurity.  IDS and burglar
alarms are there to detect when your protection (or in this case,
policy) has already been violated.  In most cases, if people know the
details of alarms, they are easily bypassed.  So for example, if you alarm
on one machine making 100 times more DNS requests, that will likely do the
job.  If I know DNS is being watched for, I use ICMP instead, etc.

                                        BB

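The "alarm on one machine making 100 times more DNS requests" idea above, written out as an added example (not code from the thread or from N2H2): it counts DNS queries per client from resolver log lines and flags any client whose count exceeds a multiple of the median of the other clients. The log format (`<time> <client_ip> <qname>`), the 10.1.2.0/24 addresses and the tunnel.example.net names are all constructed for the sample.

```python
from collections import Counter
from statistics import median

# Constructed sample of resolver log lines: "<time> <client_ip> <qname>".
# Four ordinary clients make a handful of lookups; 10.1.2.50 makes 300
# lookups of unique subdomains, the shape a DNS tunnel produces.
SAMPLE_LOG = """\
09:00:01 10.1.2.11 www.example.edu
09:00:02 10.1.2.12 mail.example.edu
09:00:03 10.1.2.13 www.example.edu
09:00:04 10.1.2.11 news.example.org
09:00:05 10.1.2.12 www.example.edu
""" + "\n".join(
    f"09:01:{i % 60:02d} 10.1.2.50 q{i}.tunnel.example.net" for i in range(300)
) + "\n"


def count_queries(log_text):
    """Return {client_ip: number of DNS queries} parsed from the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        counts[parts[1]] += 1
    return counts


def noisy_hosts(counts, factor=100):
    """Return {client_ip: count} for clients whose query count exceeds
    `factor` times the median count of all *other* clients.

    Comparing against the other clients, not the whole population, keeps the
    outlier itself from dragging the baseline up; with a single client there
    is no baseline and nothing is flagged.
    """
    alerts = {}
    for host, n in counts.items():
        others = [c for h, c in counts.items() if h != host]
        if not others:
            continue
        if n > factor * median(others):
            alerts[host] = n
    return alerts


if __name__ == "__main__":
    # Expected: {'10.1.2.50': 300}
    print(noisy_hosts(count_queries(SAMPLE_LOG)))
```

As the original message notes, a threshold this simple is easy to stay under once it is known, so the value lies in the ratio and window not being public, and in pairing it with other signals (e.g. ICMP volume) rather than relying on one.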
