
Re: [K12OSN] Fedora 2 vs WB3 or RHE3 and old proxy by-pass prob



k12osn collinsoft com wrote:

> On Fri, 4 Jun 2004, Terrell Prude', Jr. wrote:
>
>> k12osn collinsoft com wrote:
>>
>>> Even blocking everything and transparently proxying those two ports won't stop someone from running some sort of anonymizing proxy such as circumventor.
>>
>> Actually, transparently proxying those two ports will do it very nicely. If someone's running an anonymizing proxy, just block that IP address. Since, in this scenario, you'd be allowing only TCP 80 and TCP 443 to go out, they *have* to go through your transparent proxy setup before they can go out. Thus, you can do whatever you want to their traffic, and they have no choice. Discover an anonymizing proxier? No problem: "access-list 199 deny ip any host ano.nym.iz.er". That's how we dealt with circumventor, and it does work.
>
> This still won't stop someone from running an anonymous proxy service that acts as a website. I'm not familiar with circumventor at all, but I have seen software where you surf to the website running on a home machine, it asks for a URL, and it sends the page to you, bypassing any filtering you might have done. A good example of how this works would be http://www.anonymizer.com/ (which should be blocked in your filtering software!).
>
> And if they set it up as a secure site, DansGuardian won't be able to filter the content.




You're absolutely correct; someone can do all of that. However, it'll show up in your logs (you are checking your logs, right? :-) ), and you can block that site, either from within DansGuardian/squidGuard/whatever, or on your packet filter, the same way you block www.anonymizer.com. Not sure if you're about to block a "real" Web site? nslookup and whois can be your friends here.


Oh, by the way, as it shows up in the logs, you can correlate that with the source IP address, i.e. the client box, thus narrowing down which school, which switch port, therefore which drop in which room, at what time, and you have nailed that kid. I've had to do this kind of thing many times, and we do run DHCP w/ private IP addresses, and yes, I am successful nearly every time. Not that I'm particularly brilliant; it just ain't that hard. ;-)

--TP
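As an added example, not part of this thread: the log review TP describes, done over Squid-format access.log lines, reporting which client IP requested a known anonymizer host and when, so the hit can be matched back to a switch port and a time. The sample log lines are constructed, and the blocklist is an assumption built from the two hosts the thread names (www.anonymizer.com and the ano.nym.iz.er placeholder).

```python
"""Scan Squid native-format access.log lines for requests to a blocklist of
anonymizing-proxy hosts; report client IP -> (UTC time, host). Sample log
lines below are constructed for this example, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumed blocklist: the hosts named in the thread (one is a placeholder).
BLOCKED_HOSTS = {"www.anonymizer.com", "ano.nym.iz.er"}

# Squid native access.log fields:
#   time elapsed client action/code size method URL ident hierarchy type
LOG_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)")

SAMPLE_LOG = """\
1086364800.101 245 10.1.2.3 TCP_MISS/200 5123 GET http://www.anonymizer.com/ - DIRECT/1.2.3.4 text/html
1086364801.500 12 10.1.2.9 TCP_HIT/200 820 GET http://www.example.org/index.html - NONE/- text/html
1086364830.777 310 10.1.2.3 TCP_MISS/200 0 CONNECT ano.nym.iz.er:443 - DIRECT/5.6.7.8 -
1086364900.002 40 10.1.4.7 TCP_MISS/200 911 GET http://ano.nym.iz.er/?u=http://blocked.example/ - DIRECT/5.6.7.8 text/html
"""

def dest_host(method, url):
    """Destination host of a request; CONNECT (HTTPS) lines log host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def find_proxy_hits(log_text, blocked=BLOCKED_HOSTS):
    """Return {client_ip: [(utc_time, blocked_host), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a native-format request line
        ts, client, _status, method, url = m.groups()
        host = dest_host(method, url)
        if host in blocked:
            when = datetime.fromtimestamp(float(ts), tz=timezone.utc)
            hits[client].append((when.strftime("%Y-%m-%d %H:%M:%SZ"), host))
    return dict(hits)

if __name__ == "__main__":
    for client, events in sorted(find_proxy_hits(SAMPLE_LOG).items()):
        for when, host in events:
            print(f"{when}  {client:<12} -> {host}")
```

The CONNECT case matters because, as the thread notes, an HTTPS anonymizer hides its content from DansGuardian, but the proxy log still records the destination host and the client that asked for it.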


