October 17th, 2002, 05:33 AM
Just a question - I found a program called HTTP-Tunnel on prompting from a user to find this program in an earlier thread. It appears to use port 80 to send out requests to HTTP-Tunnel servers, which then process the tasks and return the information. Since firewalls provide access to remote hosts on port 80 for HTTP, this program enables people to use programs like ICQ and telnet when they are not supposed to.
If there is no way to prevent this sort of unauthorised access, then I was justly negged for finding the program and linking to it; but now I have a question: Is there any way to prevent this sort of program from being implemented by a user to circumvent a firewall?
October 17th, 2002, 05:48 AM
Unless you have full lockdown over your network and run everything like a true sadist, not really.
On a proactive level one might block traffic to and from the http-tunnel servers, which assumes that an updated list is available and/or compiled occasionally.
On a more reactive level one could monitor traffic for such a transaction and deal with it then on a case by case basis.
Yet another pain in the arse for admins, eh....
October 17th, 2002, 05:51 AM
You'd have to monitor your access logs for a lot of activity to certain IP addresses that aren't resolved, track them down to see if they are tunnel servers and deny access to these IPs. But that's a lot of work; why not just let them get fired for not doing their job? Of course there's always SMS server, which can tell you what's running on everyone's machine if you've got a few grand to spend on it.
October 17th, 2002, 06:01 AM
We have had a few problems with this seemingly "unfirewallable" traffic. We have detected people using ICQ over port 80, and even remote control software over port 80 and it is all a pain in the arse to lock down.
As Tedob1 suggested, monitor your logs (a network IDS may be very useful) and drop this unauthorised traffic at your Firewall or router.
Or you could send out a broadcast message informing your users that doing this is against our standard/policy, and place a filter on your proxy server picking out key words like "icq" etc. and disciplining the users accordingly.
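Added example, not part of any post in this thread: a sketch of the log review suggested above, counting port-80 requests per client to destinations addressed by bare IP rather than by hostname. The log format, the sample lines, the threshold and the function names are all constructed for illustration, and "unresolved" is approximated here as "the URL host is an IP literal".

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log: "<epoch> <client-ip> <method> <url> <status>"
# Destination addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = "\n".join(
    ["1034832780 10.0.0.21 GET http://www.example.com/index.html 200",
     "1034832781 10.0.0.21 GET http://198.51.100.7/logo.gif 200",
     "1034832790 10.0.0.21 GET http://198.51.100.7/page.html 200",
     "1034832795 10.0.0.37 GET http://intranet.example.org/ 200",
     "this line is malformed"]
    + [f"{1034832800 + i} 10.0.0.37 POST http://203.0.113.45/index.html 200"
       for i in range(6)]
)

def is_ip_literal(host):
    """True when the URL host is a raw IP address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_destinations(log_text, min_requests=5):
    """Return {(client, dest_ip): count} for every client that sent at least
    min_requests port-80 requests to the same bare-IP destination."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        _, client, _method, url, _status = fields
        try:
            parts = urlsplit(url)
            host, port = parts.hostname, parts.port or 80
        except ValueError:
            continue  # unparsable URL or port
        if host and port == 80 and is_ip_literal(host):
            counts[(client, host)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_requests}

if __name__ == "__main__":
    for (client, dest), n in suspicious_destinations(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: {n} requests, check whether this is a tunnel server")
```

A hit is only a lead to track down, as the posts say: the destination still has to be checked before it goes on a deny list.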