-
HTTP-Tunnel?
Just a question - I found a program called HTTP-Tunnel on prompting from a user to find this program in an earlier thread. It appears to use port 80 to send out requests to HTTP-Tunnel servers, which then process the tasks and return the information. Since firewalls provide access to remote hosts on port 80 for HTTP, this program enables people to use programs like ICQ and telnet when they are not supposed to.
If there is no way to prevent this sort of unauthorised access, then I was justly negged for finding the program and linking to it; but now I have a question: Is there any way to prevent this sort of program from being implemented by a user to circumvent a firewall?
-
Unless you have full lockdown over your network and run everything like a true sadist, not really.
On a proactive level one might block traffic to and from the http-tunnel servers, which assumes that an updated list is available and/or compiled occasionally.
On a more reactive level one could monitor traffic for such a transaction and deal with it then on a case by case basis.
Yet another pain in the arse for admins, eh....
-
You'd have to monitor your access logs for a lot of activity to certain IP addys that aren't resolved, track them down to see if they are tunnel servers and deny access to these IPs. But that's a lot of work; why not just let them get fired for not doing their job? Of course there's always SMS server, which can tell you what's running on everyone's machine if you've got a few grand to spend on it.
-
We have had a few problems with this seemingly "unfirewallable" traffic. We have detected people using ICQ over port 80, and even remote control software over port 80 and it is all a pain in the arse to lock down.
As Tedob1 suggested, monitor your logs (a network IDS may be very useful) and drop this unauthorised traffic at your Firewall or router.
Or you could send out a broadcast message informing your users that doing this is against our standard/policy, and place a filter on your proxy server picking out key words like "icq" etc., and disciplining the users accordingly.
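
The log review suggested in the replies above (watch for a lot of activity from one client to a destination addressed by raw IP instead of a hostname), sketched as an added example that is not part of the original thread. The log layout (time, client, method, URL, status, bytes), the sample lines and the threshold of 5 are assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log; assumed layout: time client method url status bytes
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.0.0.7 POST http://203.0.113.10/ 200 812" for i in range(8)]
    + [
        "1001 10.0.0.5 GET http://www.example.com/index.html 200 5120",
        "1003 10.0.0.5 GET http://198.51.100.4/logo.gif 200 900",
        "garbage line",
    ]
)


def is_bare_ip(host):
    """True when the destination is a literal IP address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspect_pairs(log_text, threshold=5):
    """Return {(client, dest_ip): count} for every client that made at least
    `threshold` requests to a destination given as a raw IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines
        client, url = fields[1], fields[3]
        # CONNECT entries carry host:port with no scheme; normalise for urlsplit
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if host and is_bare_ip(host):
            counts[(client, host)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (client, dest), n in suspect_pairs(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: {n} requests to a bare IP, review manually")
```

A hit is only a lead for manual follow-up: plenty of legitimate services are reached by IP, so each flagged destination still has to be checked before it goes on a deny list.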