comp.security.firewalls archive

Re: Kids bypassing firewall via web proxy sites

From: Ansgar -59cobalt- Wiechers <usenet-2006@planetcobalt.net>
Date: Mon Mar 20 2006 - 01:09:21 CET

E. wrote:
> Sebastian Gottschalk wrote:
>> E. wrote:
>>> How would you establish communications to a blocked site when
>>> proxies are also blocked?
>>
>> DNS
>
> So you can resolve the IP using a UDP packet.

If I control the authoritative DNS server for the domain I'm trying to
resolve it's up to me what content is inside the DNS request/reply.
Besides, for DNS you need TCP as well (no, not only for zone transfers).

> How do you propose to get a two-way connection going using a UDP53,
> and browsing myspace using this?

Send/poll from the client side. Please have a look at the "wwwsh"
section of [1]. We didn't use DNS there, but I suppose you'll get the
idea.

>>> Would standard clientside computer policy allow the user access to
>>> use/install the tools needed to do this?
>>
>> That's the point: Modern policies can prohibit _running_ such tools,
>> at least to a certain level. Not so reliable, but pretty effective.
>>
>> That's why downloading such utilities being possible, besides
>> circumventing the policies, is no big problem.
>
> As already stated, all downloads being blocked. Sending a UDP packet
> does not equal a downloaded utility.

You are not limited to one UDP packet. And of course it's no problem to
encapsulate the download in DNS replies and re-assemble the file on the
client side.

[1] http://copton.net/Personal_Firewalls/ccc-vortrag-en.html

cu
59cobalt

-- 
"If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."
--Bruce Schneier
Received on Mon May 1 00:59:49 2006
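The thread's point is that DNS queries and replies can carry arbitrary content, so blocking "downloads" and "proxies" at the firewall does not close the channel. What a defender wants from that observation is a way to notice it in the resolver's query log. The script below is an added example, not code from the thread or from the talk it references: it reads a constructed query log in an assumed one-query-per-line format ("<epoch> <client_ip> <qname> <qtype>"), aggregates per registered domain, and flags domains whose subdomain labels are long, high-entropy, and almost never repeated, the pattern of data being encoded into query names. The "last two labels" rule for the registered domain and all threshold values are simplifying assumptions.

```python
"""Flag DNS-tunnel-like query patterns in a resolver query log.

Added example, not part of the original thread. Assumed log format:
one query per line, "<epoch> <client_ip> <qname> <qtype>".
"""
import math
from collections import defaultdict

# Constructed sample log: three ordinary lookups of example.org, then a
# burst of long, random-looking TXT lookups under a made-up domain.
SAMPLE_LOG = """\
1142812161 10.0.0.5 www.example.org A
1142812162 10.0.0.5 mail.example.org MX
1142812163 10.0.0.5 www.example.org A
1142812163 10.0.0.7 k3j9x2mq7z1bw5n8c4r6t0yv.tunnel-test.invalid TXT
1142812163 10.0.0.7 q8d1zl0vw4a7e2s9h6g3u5pc.tunnel-test.invalid TXT
1142812164 10.0.0.7 m0x4b7n2v9c1z6k8j3l5w2qr.tunnel-test.invalid TXT
1142812164 10.0.0.7 t6y1u9i2o5p8a3s4d7f0g2hk.tunnel-test.invalid TXT
1142812165 10.0.0.7 z2x5c8v1b4n7m0q3w6e9r1ty.tunnel-test.invalid TXT
1142812165 10.0.0.7 l9k2j5h8g1f4d7s0a3p6o2iu.tunnel-test.invalid TXT
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered domain, subdomain part) for a query name.

    Assumption: the registered domain is the last two labels. A real
    deployment should use the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text: str) -> dict:
    """Aggregate per-domain statistics relevant to tunnel detection."""
    acc = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort
        _ts, _client, qname, qtype = parts
        domain, sub = split_name(qname)
        s = acc.setdefault(domain, {"queries": 0, "subs": set(),
                                    "len": 0, "entropy": 0.0, "txt": 0})
        payload = sub.replace(".", "")  # the part that can carry data
        s["queries"] += 1
        s["subs"].add(sub)
        s["len"] += len(payload)
        s["entropy"] += shannon_entropy(payload)
        if qtype.upper() in ("TXT", "NULL"):  # record types with roomy payloads
            s["txt"] += 1
    stats = {}
    for domain, s in acc.items():
        n = s["queries"]
        stats[domain] = {
            "queries": n,
            "unique_ratio": len(s["subs"]) / n,
            "avg_sub_len": s["len"] / n,
            "avg_entropy": s["entropy"] / n,
            "txt_ratio": s["txt"] / n,
        }
    return stats


def flag_suspicious(stats: dict, min_queries: int = 5, min_len: float = 20.0,
                    min_entropy: float = 3.5, min_unique: float = 0.8) -> list:
    """Domains whose subdomains look like encoded data (thresholds assumed)."""
    flagged = []
    for domain, s in sorted(stats.items()):
        if (s["queries"] >= min_queries
                and s["unique_ratio"] >= min_unique
                and s["avg_sub_len"] >= min_len
                and s["avg_entropy"] >= min_entropy):
            flagged.append(domain)
    return flagged


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for domain in flag_suspicious(report):
        s = report[domain]
        print(f"{domain}: {s['queries']} queries, avg label length "
              f"{s['avg_sub_len']:.1f}, avg entropy {s['avg_entropy']:.2f}, "
              f"TXT/NULL share {s['txt_ratio']:.0%}")
```

The thresholds are the tunable part: a CDN or anti-spam service also produces many unique subdomains, so in practice the `txt_ratio` and per-client query rate are combined with an allowlist of known high-cardinality domains before anything is alerted on.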