Re: Tool to find hidden web proxy server

[Jose Maria Lopez <jkerouac () bgsec com>]

El jue, 02 de 09 de 2004 a las 19:56, R. DuFresne escribió:
> On 2 Sep 2004, Jose Maria Lopez wrote:
>
> > El jue, 02 de 09 de 2004 a las 05:36, vinay mangal escribió:
> > > Dear all,
> > >
> > > Thanks for your suggestions. May be I am not able to define my question
> > > properly.
> > >
> > > This problem is strictly with in company internet access firewall and in the
> > > LAN only. In a company, policy for Internet access says it is through IP
> > > only. The others can not browse the internet. This policy is implemented on
> > > firewall. Few smart guys have installed free proxy server running on non
> > > default ports and distributed the internet access to their friends. The
> > > firewall sees the traffic coming from the authorized IP and does not stop
> > > them. We want to know who has installed proxy on there machine.
> > >
> > > I hope, I am able to clearly define my question. Thanks
> > >
> > >
> > > vinay
> >
> > What's happening in your LAN is called firewall tunneling of firewall
> > piercing, and it's one of the security threats one have to deal of when
> > you have a firewall. If the proxies are running in non-standard ports
> > then you should close those ports in the firewall, if you have the
> > default policy to block only some ports you should turn to block all
> > ports and open only the ports you use (80, 21, 22, etc), or at least
> > only admit the packets coming from an established connection, so you
> > never let other machines to initiate connections to non-standard ports
> > from outside your LAN.
> >
> > You could also use a sniffer like ethereal to watch the traffic at your
> > firewall and see what IP addresses are tunneling traffic through
> > standard or non standard ports, you probably can discern normal traffic
> > from tunneled traffic with ethereal.
>
> Actually if only doing with with allowing new and or established though,
> providing ths FW in question is stateful, will not accomplish the task,
> the way to do this is to only allow in and out from specific IP's that
> should be serving the content being provided.

But if you allow in and out from specific ports you have at least a
second level of security over what the original poster said it had.
Only allowing out from some IPs it's possible, but I find it very
difficult to make rules for the outer IPs, having in mind the original
poster wants to have internet connection from the LAN for that
machines.

> Either internally scanning the network fr offending services and/or
> snooping traffic will be enugh to determine who is trying to break policy.
> There is no trick in this and any of the tools mentioned in the tread
> should do the trick.
>
> Thanks,
>
> Ron DuFresne
-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------