Ansgar -59cobalt- Wiechers wrote:
> E. wrote:
>
>>Sebastian Gottschalk wrote:
>>
>>>E. wrote:
>>>
>>>>How would you establish communications to a blocked site when
>>>>proxies are also blocked?
>>>
>>>DNS
>>
>>So you can resolve the IP using a UDP packet.
>
>
> If I control the authoritative DNS server for the domain I'm trying to
> resolve it's up to me what content is inside the DNS request/reply.
> Besides, for DNS you need TCP as well (no, not only for zone transfers).
>
>
>>How do you propose to get a two-way connection going using a UDP53,
>>and browsing myspace using this?
>
>
> Send/poll from the client side. Please have a look at the "wwwsh"
> section of [1]. We didn't use DNS there, but I suppose you'll get the
> idea.
>
>
>>>>Would standard clientside computer policy allow the user access to
>>>>use/install the tools needed to do this?
>>>
>>>That's the point: Modern policies can prohibit _running_ such tools,
>>>at least to a certain level. Not so reliable, but pretty effective.
>>>
>>>That's why downloading such utilities being possible, besides
>>>circumventing the policies, is no big problem.
>>
>>As already stated, all downloads being blocked. Sending a UDP packet
>>does not equal a downloaded utility.
>
>
> You are not limited to one UDP packet. And of course it's no problem to
> encapsulate the download in DNS replies and re-assemble the file on the
> client side.
>
> [1] http://copton.net/Personal_Firewalls/ccc-vortrag-en.html
>
> cu
> 59cobalt
Nothing new here. I'm quite aware of tunneling to dump files, any clown
with netcat can do that quite easily. In fact I've used it myself. Very
handy ;-)
Your reply also ignores the fact that a properly set up system uses
firewalls, policies and lockdowns, not just content filters.
As the admin, *I* will decide what DNS queries (and all other traffic)
will leave the network, and also occur between network segments.
Let's look at your example of DNS, and what rules would be put in place.
1. Only servers would be allowed to send DNS requests out.
2. Only certain DNS servers would be allowed to query.
Would these rules allow *your* wkstn's DNS queries out? No.
Would they be blocked and logged? Yes.
Would the admin be asking you some questions about you intentionally
violating AUP? Would you enjoy being fired?
Goto 1, and repeat for most, if not all traffic. The obvious exception
here is SSL tunnelling, but there are such things as SSL whitelists.
This assumes you got the tool to send the packet on the PC in the first
place, which is another matter and another violation of AUP.
While everything you and others have stated is *possible*, you are
looking at each technique in isolation of a total setup, and ignoring a
properly layered approach. I'm yet to see a properly set up enterprise
that allows the end user to initiate a direct connection with the
outside world. With internal servers/units that allow/disallow certain
traffic types, yes; letting Joe User have a direct SMTP, HTTP, DNS(or
whatever) connection with anywhere external, NO.
In theory you could bring in tools, then click away trying to find a
weakness in the setup, but the chances of doing it undetected are
very, very slim. If you would like to take the risk and think you can get
away with it, please keep your cubicle tidy so your replacement doesn't
trip over the junk you leave behind when you get terminated and escorted
off the premises.
Cheers,
E.
Received on Mon May 1 00:59:52 2006
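The two DNS egress rules E. lays out above (only the internal DNS servers may send DNS out, and only to approved upstream resolvers, with everything else denied and logged, plus a whitelist carve-out for SSL) can be written down as a small policy evaluator. The block below is an added example for this archive page, not code from anyone in the thread; all addresses, host roles and sample flows are constructed (RFC 5737 documentation ranges), and the "skip" verdict for internal-to-internal traffic is a simplification, since the post also wants rules between segments.

```python
"""Toy egress-policy evaluator modelling the DNS rules from the thread.

Constructed example: addresses and flows are made up for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed network layout (not from the original thread).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_DNS_SERVERS = {"10.0.0.53", "10.0.0.54"}   # rule 1: the only hosts allowed to send DNS out
APPROVED_UPSTREAMS = {"192.0.2.1", "192.0.2.2"}     # rule 2: the only resolvers they may query
SSL_WHITELIST = {"203.0.113.10"}                     # the "SSL whitelist" exception


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def evaluate(flow):
    """Return (verdict, reason); verdict is "allow", "deny" or "skip"."""
    src_internal = ipaddress.ip_address(flow.src) in INTERNAL_NET
    dst_internal = ipaddress.ip_address(flow.dst) in INTERNAL_NET
    if not (src_internal and not dst_internal):
        # Only perimeter egress is modelled here; inter-segment rules are out of scope.
        return ("skip", "not an egress flow")

    # DNS over UDP or TCP (TCP matters for truncated replies, not just zone transfers).
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        if flow.src not in INTERNAL_DNS_SERVERS:
            return ("deny", "rule 1: only the DNS servers may send DNS out")
        if flow.dst not in APPROVED_UPSTREAMS:
            return ("deny", "rule 2: only approved upstream resolvers may be queried")
        return ("allow", "DNS server to approved resolver")

    # SSL: permitted only to whitelisted destinations.
    if flow.dport == 443 and flow.proto == "tcp":
        if flow.dst in SSL_WHITELIST:
            return ("allow", "whitelisted SSL destination")
        return ("deny", "SSL destination not on whitelist")

    # Everything else: no direct outbound connection for end users.
    return ("deny", "default deny for direct outbound traffic")


def audit(flows):
    """Produce the log lines an admin would review: one per denied flow."""
    log = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            log.append(f"DENY {f.proto}/{f.dport} {f.src} -> {f.dst}: {reason}")
    return log


# Constructed sample traffic exercising each rule.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "198.51.100.7", "udp", 53),    # workstation resolving directly
    Flow("10.0.0.53", "198.51.100.7", "udp", 53),   # DNS server asking an unapproved resolver
    Flow("10.0.0.53", "192.0.2.1", "tcp", 53),      # DNS server, approved resolver, TCP
    Flow("10.1.2.3", "203.0.113.10", "tcp", 443),   # workstation to whitelisted SSL host
    Flow("10.1.2.3", "203.0.113.99", "tcp", 443),   # workstation to unlisted SSL host
    Flow("10.1.2.3", "198.51.100.7", "tcp", 25),    # direct SMTP from a workstation
    Flow("10.1.2.3", "10.0.0.53", "udp", 53),       # internal DNS lookup, not egress
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Running it prints four DENY lines: the workstation's direct DNS query (rule 1), the DNS server's query to an unapproved resolver (rule 2), the unlisted SSL destination, and the direct SMTP attempt. The only DNS flow that passes is the DNS server talking to an approved resolver, which is exactly the point E. makes: a tunnel over port 53 from a workstation never reaches the outside, and it shows up in the log.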