Firewall Wizards mailing list archives
RE: httport 3snf
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 21 Oct 2002 17:02:44 +0200
Require authentication for outgoing SSL requests through your proxy server.

Log excessive requests to a particular server. Excessive by number of requests, as well as by data volume. This becomes particularly relevant if you can do it by userid, if you are authenticating requests. Students making use of httport will typically only show a single site in their request lists, since all outgoing requests will be tunnelled through that site.

Also consider monitoring how much data is *sent* as part of the request if you can. Typically web surfing has a very low sent/received ratio. Connections/requests that are higher than average may indicate different protocols being tunnelled.

Also, identify the public httport servers (from the web site), and put explicit block rules in your proxy or firewall.

Try using something like ngrep on port 443 for strings that httport uses as part of the protocol. This is the one most likely to achieve the results you need, but would involve setting up a client, a host, and a sniffer to determine what those strings are.

Of course, if the traffic is encrypted, as they seem to offer, you could try running ssldump with the keypair supplied with the software. (I assume it is SSL compatible, if not, you're out of luck on that one) See above Re traffic analysis.

Finally, and this should really be the first action, update your policy to make "bypassing firewall restrictions" a punishable offence.

Good luck.

Rogan
-----Original Message-----
From: Robert E. Martin [mailto:rmartin () fishburne org]
Sent: 21 October 2002 03:57
To: firewall-wizards () nfr com
Subject: [fw-wiz] httport 3snf

Hi there.

We run Redhat 6.0 with ipchains and have been able to block AIM and others with this system quite effectively, however, our students here have discovered HTTport 3.snf to bypass our proxy server using an SSL connection.

Is there a way to stop this without bringing the rest of the network to its knees? I have been unable to sniff the packets successfully enough to find out what ip address the host ssl server is, but I am able to launch the program on my local machine, sniff the packets and see that the first thing that happens is a DNS Request.

Can I block DNS requests for a specific url, ipaddress or other entry via IPCHAINS?

Thanks for your time.

--
Robert E Martin
IT Manager
Fishburne Military School
rmartin () fishburne org
540.946.7726

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
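The per-userid proxy log checks described in the reply above (request count to a single server, data volume, and sent/received ratio), as an added example that is not part of the original thread. The record layout, thresholds, user names and hosts are constructed assumptions; map your proxy's access-log fields onto them.

```python
from collections import defaultdict

# Constructed sample of authenticated CONNECT (port 443) requests:
# (userid, destination, bytes sent, bytes received).
SAMPLE_LOG = (
    [("alice", "mail.example.com:443", 900, 42_000),
     ("alice", "bank.example.net:443", 1_200, 65_000),
     ("alice", "shop.example.org:443", 800, 120_000)]
    + [("bob", "relay.example.invalid:443", 48_000, 52_000)] * 40
    + [("carol", "cdn.example.com:443", 2_000, 30_000_000)] * 3
)

def summarize(records):
    """Aggregate request count, byte totals and per-destination counts by userid."""
    stats = defaultdict(lambda: {"requests": 0, "sent": 0, "received": 0,
                                 "hosts": defaultdict(int)})
    for user, host, sent, received in records:
        s = stats[user]
        s["requests"] += 1
        s["sent"] += sent
        s["received"] += received
        s["hosts"][host] += 1
    return stats

def flag_users(records, min_requests=20, min_top_share=0.9,
               max_ratio=0.25, max_bytes=50_000_000):
    """Return {userid: [reasons]} for users whose SSL traffic looks unlike browsing.

    All thresholds are illustrative assumptions; tune them against your own baseline.
    """
    findings = {}
    for user, s in summarize(records).items():
        reasons = []
        top_host, top_count = max(s["hosts"].items(), key=lambda kv: kv[1])
        share = top_count / s["requests"]
        ratio = s["sent"] / max(s["received"], 1)
        # Many requests, nearly all to one site: everything funnels through one server.
        if s["requests"] >= min_requests and share >= min_top_share:
            reasons.append(f"{share:.0%} of {s['requests']} requests go to {top_host}")
        # Web surfing sends little and receives a lot; a high ratio suggests another protocol.
        if ratio > max_ratio:
            reasons.append(f"sent/received ratio {ratio:.2f}")
        if s["sent"] + s["received"] > max_bytes:
            reasons.append(f"data volume {s['sent'] + s['received']} bytes")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in flag_users(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```
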