[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] Fedora 2 vs WB3 or RHE3 and old proxy by-pass prob



k12osn collinsoft com wrote:

On Thu, 3 Jun 2004, Jim Christiansen wrote:


The questions that I had about the IPCop/Mozilla proxy being bypassed have been solved by only allowing proxy traffic through a defined port in iptables. If anyone wants to know how I did this, please drop me a line. Oh, heck...scp /home2/ipcop-252/rc.local.proxy-252 jim home:
# ports:
# 20,21 ftp
# 22 ssh
# 25 smtp
# 53 dns
# 80,443 web
# 113 ident
# 123 ntpd
# 445 IPCop external https connection (web admin interface)
# 11371 GNU GPG (keyserver)

ALLOW_TCP_OUT="20 21 22 25 53 80 85 113 123 443 445 8800 11371"
ALLOW_UDP_OUT="20 21 22 25 53 80 85 123 443 445 8800"

# $GREEN is assumed to hold the name of the green (LAN) interface,
# set earlier by the IPCop environment; CUSTOMFORWARD is IPCop's user chain.
for i in $ALLOW_TCP_OUT ; do
/sbin/iptables -A CUSTOMFORWARD -i $GREEN -p tcp --dport $i -j ACCEPT
done

# Same allowlist for UDP (the loop was missing from the original fragment).
for i in $ALLOW_UDP_OUT ; do
/sbin/iptables -A CUSTOMFORWARD -i $GREEN -p udp --dport $i -j ACCEPT
done



Can't they still set up an external proxy on one of these ports and still bypass it? If I were a student I would set up apache in proxy mode on my Road Runner connection (requiring a username/password) and set it to accept connections on various ports that have a good chance of being open, such as 20,21,22,23,25,443.


A good site to see what students can do is http://peacefire.org/. It appears they have a program called circumventor which lets the students get around your filtering even without changing the proxy server. It also uses SSL to encrypt the transmission so you can't even see what's going through. I don't know how to stop this one.




Sure they could; we've had to deal with circumventor for the last couple of years in our district. That's why you need to have a written policy in place that says what the penalties are for actions like this, and then enforce it. A big part of INFOSEC anywhere, including in a school, is having the written policy, otherwise you have little legal leg on which to stand when someone does something inappropriate, be it staff member, board member, or student.


Of course, there certainly are technological ways to stop this, and you'd do that at your Internet firewall. Do your students have any *actual need* to use TCP 20, 21, 22, 23, and 25 to carry forward the educational process? Ask yourself that. TCP 80 and TCP 443, you can transparently proxy those. Combined, this should put a stop to apps like circumventor.

--TP
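The thread contrasts Jim's allowlist loop with TP's advice: drop every outbound port the classroom does not need and transparently proxy web traffic. Below is an added example (written for this page; it is neither Jim's rc.local script nor IPCop's own code) that puts the two together in a default-deny form and adds the piece a defender wants next, a deny log and a one-liner to see which LAN hosts are probing for an open outbound port. It keeps the CUSTOMFORWARD chain and $GREEN from Jim's post, but the interface name eth0, the proxy port 800 and the sample log lines are assumptions constructed for the example. By default the rules are only printed; set IPT=/sbin/iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example (not Jim's script and not IPCop's own code): a default-deny
# egress allowlist for the LAN side of a firewall, a transparent redirect of
# port-80 traffic into the local proxy, and a helper that summarises the
# resulting deny log. Set IPT=/sbin/iptables and run as root to apply the
# rules; by default they are only printed.
IPT="${IPT:-echo /sbin/iptables}"
GREEN="${GREEN:-eth0}"             # assumed name of the green (LAN) interface
CHAIN="${CHAIN:-CUSTOMFORWARD}"    # IPCop's user chain, as in Jim's script
PROXY_PORT="${PROXY_PORT:-800}"    # assumed listening port of the local web proxy

# Only what the classroom actually needs leaves the LAN directly; 20/21/22/23/25
# are deliberately absent (TP's question). 443 is allowed because HTTPS cannot
# be transparently proxied without breaking TLS.
ALLOW_TCP_OUT="53 443"
ALLOW_UDP_OUT="53 123"

emit_rules() {
    # nat/PREROUTING runs before filtering: LAN web traffic is forced through
    # the proxy instead of being allowed straight out on port 80.
    $IPT -t nat -A PREROUTING -i "$GREEN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    for p in $ALLOW_TCP_OUT; do
        $IPT -A "$CHAIN" -i "$GREEN" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $ALLOW_UDP_OUT; do
        $IPT -A "$CHAIN" -i "$GREEN" -p udp --dport "$p" -j ACCEPT
    done
    # Everything else from the LAN is logged (rate-limited) and dropped, so a
    # host hunting for an open outbound port shows up in the kernel log.
    $IPT -A "$CHAIN" -i "$GREEN" -m limit --limit 10/min \
        -j LOG --log-prefix "EGRESS-DENY: "
    $IPT -A "$CHAIN" -i "$GREEN" -j DROP
}

# Number of rules emit_rules produces (a quick sanity check before applying).
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

# Read LOG-target lines on stdin and print "count source-ip", busiest first.
deny_summary() {
    grep 'EGRESS-DENY:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample log lines in the format the LOG target writes.
SAMPLE_LOG='Jun  3 10:01:02 ipcop kernel: EGRESS-DENY: IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP SPT=3344 DPT=22
Jun  3 10:01:05 ipcop kernel: EGRESS-DENY: IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP SPT=3345 DPT=25
Jun  3 10:02:00 ipcop kernel: EGRESS-DENY: IN=eth0 OUT=eth1 SRC=192.168.1.31 DST=198.51.100.9 PROTO=TCP SPT=4000 DPT=8080'

emit_rules
printf '%s\n' "$SAMPLE_LOG" | deny_summary
```

The order matters: the REDIRECT in nat/PREROUTING is evaluated before the filter chain, so a browser pointed straight at port 80 still ends up in the proxy, and the LOG/DROP pair must stay last in the chain. On a real IPCop box feed the kernel log into deny_summary instead of the sample (for example `grep EGRESS-DENY /var/log/messages | deny_summary`) to get the per-host list of refused attempts.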


