Re: Cyber Monday - Firewalls



Thread: Re: Cyber Monday

  1. Re: Cyber Monday

    "Chilly8" wrote in message
    news:fi8d0l$igr$1@aioe.org...
    > "slackerama" wrote in message
    > news:13kf237g00ucea2@corp.supernews.com...


    >> That's precisely the reason I do all my surfing through an ssh tunnel to
    >> my home server running a squid proxy, bypassing the corporate monitoring
    >> completely.

    >
    >
    > You are most correct there. With any proxy, including your own,
    > they cannot determine where you went. They would know you
    > were going to a proxy, but would NOT know where you went
    > BEYOND that proxy.


    Which in turn is why many companies block access to proxies.
    --
    Brian Cryer
    www.cryer.co.uk/brian



  2. Re: Cyber Monday

    X-No-Archive: Yes

    "Brian Cryer" wrote in message
    news:2t6dnVla5IhNztDaRVnygQA@pipex.net...
    > "Chilly8" wrote in message
    > news:fi8d0l$igr$1@aioe.org...
    >> "slackerama" wrote in message
    >> news:13kf237g00ucea2@corp.supernews.com...

    >
    >>> That's precisely the reason I do all my surfing through an ssh tunnel to
    >>> my home server running a squid proxy, bypassing the corporate monitoring
    >>> completely.

    >>
    >>
    >> You are most correct there. With any proxy, including your own,
    >> they cannot determine where you went. They would know you
    >> were going to a proxy, but would NOT know where you went
    >> BEYOND that proxy.

    >
    > Which in turn is why many companies block access to proxies.




    However, proxies are sprouting up like weeds so fast that the
    filtering companies cannot keep up with them half the time.
    Proxies come and go at such a huge rate that they cannot keep
    up with them. And my proxy is one of thousands of them being
    operated as public proxies.





  3. Re: Cyber Monday


    > Which in turn is why many companies block access to proxies.


    Which is why ssh is your best friend...show me a company that can
    effectively block outbound ssh without disrupting normal outbound
    business traffic and i have a bridge to sell you...

  4. Re: Cyber Monday

    In article , chilly8@hotmail.com says...
    > However, proxies are sprouting up like weeds so fast that the
    > filtering companies cannot keep up with them half the time.
    > Proxies come and go at such a huge rate that they cannot keep
    > up with them. And my proxy is one of thousands of them being
    > operated as public proxies.


    And a properly configured firewall solution does not need a "Filtering
    Company" to identify them in order to prevent access to them.

    As a matter of fact, all quality firewall appliances can block all
    outbound access by default and then permit the admins to create rules
    that allow access to "approved" sites only. Since the approved sites are
    not proxy sites, there is no way for the user to abuse the company
    resources and access yours or anyone else's services.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  5. Re: Cyber Monday

    In article <474E2952.7060408@slacker.com>, slackerama@slacker.com
    says...
    > > Which in turn is why many companies block access to proxies.

    >
    > Which is why ssh is your best friend...show me a company that can
    > effectively block outbound ssh without disrupting normal outbound
    > business traffic and i have a bridge to sell you...


    If the outbound only permits access to approved sites then it doesn't
    matter what you try.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  6. Re: Cyber Monday

    "Leythos" wrote in message
    news:MPG.21b7f5a98518a04d989875@adfree.Usenet.com. ..
    > In article , chilly8@hotmail.com says...
    >> However, proxies are sprouting up like weeds so fast that the
    >> filtering companies cannot keep up with them half the time.
    >> Proxies come and go at such a huge rate that they cannot keep
    >> up with them. And my proxy is one of thousands of them being
    >> operated as public proxies.

    >
    > And a properly configured firewall solution does not need a "Filtering
    > Company" to identify them in order to prevent access to them.
    >
    > As a matter of fact, all quality firewall appliances can block all
    > outbound access by default and then permit the admins to create rules
    > that allow access to "approved" sites only. Since the approved sites are
    > not proxy sites, there is no way for the user to abuse the company
    > resources and access yours or anyone else's services.


    Is that practical? I don't want to have to draw up a list of approved sites
    for my company, the list would be almost never ending because many of our
    staff use the internet for research which means they could legitimately end
    up going almost anywhere.
    --
    Brian Cryer
    www.cryer.co.uk/brian




  7. Re: Cyber Monday

    "slackerama" wrote in message
    news:474E2952.7060408@slacker.com...
    >
    >> Which in turn is why many companies block access to proxies.

    >
    > Which is why ssh is your best friend...show me a company that can
    > effectively block outbound ssh without disrupting normal outbound business
    > traffic and i have a bridge to sell you...


    Isn't it simply a case of blocking all traffic to a specific destination?
    SSL is still layered over TCP. What the traffic is doesn't matter. Of course
    (as Leythos will point out) that requires a decent firewall, or maybe not
    given that my cheapo router at home lets me block specific destinations
    (although probably not many).

    Of course obtaining an up to date list of proxies, that would be a good
    trick. My daughters at school know of more proxies than I do, maybe I should
    ask them.
    --
    Brian Cryer
    www.cryer.co.uk/brian



  8. Re: Cyber Monday

    X-No-Archive: Yes

    "Brian Cryer" wrote in message
    news:IvCdnRHQjribFtPanZ2dnUVZ8tGqnZ2d@pipex.net...
    > "slackerama" wrote in message
    > news:474E2952.7060408@slacker.com...
    >>
    >>> Which in turn is why many companies block access to proxies.

    >>
    >> Which is why ssh is your best friend...show me a company that can
    >> effectively block outbound ssh without disrupting normal outbound
    >> business traffic and i have a bridge to sell you...

    >
    > Isn't it simply a case of blocking all traffic to a specific destination?
    > SSL is still layered over TCP. What the traffic is doesn't matter. Of
    > course (as Leythos will point out) that requires a decent firewall, or
    > maybe not given that my cheapo router at home lets me block specific
    > destinations (although probably not many).
    >
    > Of course obtaining an up to date list of proxies, that would be a good
    > trick. My daughters at school know of more proxies than I do, maybe I
    > should ask them.
    > --


    Proxies come and go so fast, your lists would be out of date in no time.
    The various filtering vendors cannot keep up with it. Your daughter
    might be able to give you a list, but it will be out of date in no time.




  9. Re: Cyber Monday

    "Chilly8" wrote in message
    news:fim9qg$dl4$1@aioe.org...
    > X-No-Archive: Yes
    >
    > "Brian Cryer" wrote in message
    > news:IvCdnRHQjribFtPanZ2dnUVZ8tGqnZ2d@pipex.net...
    >> "slackerama" wrote in message
    >> news:474E2952.7060408@slacker.com...
    >>>
    >>>> Which in turn is why many companies block access to proxies.
    >>>
    >>> Which is why ssh is your best friend...show me a company that can
    >>> effectively block outbound ssh without disrupting normal outbound
    >>> business traffic and i have a bridge to sell you...

    >>
    >> Isn't it simply a case of blocking all traffic to a specific destination?
    >> SSL is still layered over TCP. What the traffic is doesn't matter. Of
    >> course (as Leythos will point out) that requires a decent firewall, or
    >> maybe not given that my cheapo router at home lets me block specific
    >> destinations (although probably not many).
    >>
    >> Of course obtaining an up to date list of proxies, that would be a good
    >> trick. My daughters at school know of more proxies than I do, maybe I
    >> should ask them.
    >> --

    >
    > Proxies come and go so fast, your lists would be out of date in no time.
    > The various filtering vendors cannot keep up with it. Your daughter
    > might be able to give you a list, but it will be out of date in no time.


    Quite true. No argument there.




  10. Re: Cyber Monday

    In article , brian.cryer@
    127.0.0.1.ntlworld.com says...
    > "Leythos" wrote in message
    > news:MPG.21b7f5a98518a04d989875@adfree.Usenet.com. ..
    > > In article , chilly8@hotmail.com says...
    > >> However, proxies are sprouting up like weeds so fast that the
    > >> filtering companies cannot keep up with them half the time.
    > >> Proxies come and go at such a huge rate that they cannot keep
    > >> up with them. And my proxy is one of thousands of them being
    > >> operated as public proxies.

    > >
    > > And a properly configured firewall solution does not need a "Filtering
    > > Company" to identify them in order to prevent access to them.
    > >
    > > As a matter of fact, all quality firewall appliances can block all
    > > outbound access by default and then permit the admins to create rules
    > > that allow access to "approved" sites only. Since the approved sites are
    > > not proxy sites, there is no way for the user to abuse the company
    > > resources and access yours or anyone else's services.

    >
    > Is that practical? I don't want to have to draw up a list of approved sites
    > for my company, the list would be almost never ending because many of our
    > staff use the internet for research which means they could legitimately end
    > up going almost anywhere.


    Yea, and it's what should be done. If you have a select group that does
    research, using the web, you could (and should) create a different HTTP
    rule for them, allowing them access to ALL of the web, but restrict them
    using content/other filters to block most of the crap. The generic users
    and others would fall under the block all except business rule.

    We do this with managers in most companies, permit them to authenticate
    with the firewall, or have their PC's in a reserved area (IP), and have
    different rules for managers.

    Either way, spotting an abuser is simple.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  11. Re: Cyber Monday

    In article , chilly8@hotmail.com says...
    > X-No-Archive: Yes
    >
    > "Brian Cryer" wrote in message
    > news:IvCdnRHQjribFtPanZ2dnUVZ8tGqnZ2d@pipex.net...
    > > "slackerama" wrote in message
    > > news:474E2952.7060408@slacker.com...
    > >>
    > >>> Which in turn is why many companies block access to proxies.
    > >>
    > >> Which is why ssh is your best friend...show me a company that can
    > >> effectively block outbound ssh without disrupting normal outbound
    > >> business traffic and i have a bridge to sell you...

    > >
    > > Isn't it simply a case of blocking all traffic to a specific destination?
    > > SSL is still layered over TCP. What the traffic is doesn't matter. Of
    > > course (as Leythos will point out) that requires a decent firewall, or
    > > maybe not given that my cheapo router at home lets me block specific
    > > destinations (although probably not many).
    > >
    > > Of course obtaining an up to date list of proxies, that would be a good
    > > trick. My daughters at school know of more proxies than I do, maybe I
    > > should ask them.
    > > --

    >
    > Proxies come and go so fast, your lists would be out of date in no time.
    > The various filtering vendors cannot keep up with it. Your daughter
    > might be able to give you a list, but it will be out of date in no time.


    And that's why you have to adopt the idea that no one has a "Right" to
    internet access for anything other than Business functions. They don't
    have a right to personal use of the company network at all.

    Block all access, approve only business legit sites, doesn't matter how
    many new/old proxy are out there since they can't get to them at all.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  12. Re: Cyber Monday

    slackerama wrote:
    >> Which in turn is why many companies block access to proxies.

    >
    > Which is why ssh is your best friend...show me a company that can
    > effectively block outbound ssh without disrupting normal outbound
    > business traffic and i have a bridge to sell you...


    Easy:

    - Allow outbound SSH only from whitelisted hosts,
    - Allow outbound https only to whitelisted sites.
    - Use a transparent proxy for all outbound http.
    - Block all other outbound connections.

    Besides, despite the encryption it is quite possible to distinguish
    between SSH and https connections.

    Try getting a clue before posting next time.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
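The remark above that SSH and HTTPS can be told apart despite the encryption holds because each protocol opens with a distinctive plaintext prefix. The following is an added example, not code from the post or from l7-filter; the addresses and sample flows are constructed.

```python
"""Protocol identification for the 'SSH on port 443' case: SSH and TLS are both
encrypted, but each opens the connection with a distinctive plaintext prefix."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    client_first: bytes   # first payload bytes the client sent
    server_first: bytes   # first payload bytes the server sent


def classify_payload(first: bytes) -> str:
    """Label one direction's first payload bytes as 'ssh', 'tls' or 'unknown'."""
    # SSH (RFC 4253) starts with a plaintext identification string "SSH-2.0-..."
    if first.startswith(b"SSH-"):
        return "ssh"
    # A TLS handshake record starts 0x16 (handshake), then version 0x03 0x00..0x04
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03 and first[2] <= 0x04:
        return "tls"
    return "unknown"


def classify_flow(flow: Flow) -> str:
    """Both sides must agree; a disagreement is worth a look on its own."""
    client = classify_payload(flow.client_first)
    server = classify_payload(flow.server_first)
    return client if client == server else "mismatch"


def find_ssh_on_https_port(flows):
    """Sources speaking SSH to the port the policy reserves for HTTPS."""
    return [(f.src, f.dst) for f in flows if f.dport == 443 and classify_flow(f) == "ssh"]


# Constructed sample flows (documentation addresses), not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.5.17", "203.0.113.9", 443,
         b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_9.2\r\n"),
    Flow("10.0.5.18", "203.0.113.10", 443,
         b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03", b"\x16\x03\x03\x00\x5a\x02\x00"),
    Flow("10.0.9.10", "203.0.113.11", 22,
         b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_9.2\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dst, f.dport, classify_flow(f))
    print("SSH on 443:", find_ssh_on_https_port(SAMPLE_FLOWS))
```

Port numbers play no part in the classification, which is the point: the flow on 443 is labelled by what it carries, and the check needs only the first payload bytes of each direction.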

  13. Re: Cyber Monday

    X-No-Archive: Yes

    "Leythos" wrote in message
    news:MPG.21b879b547e9691f989877@adfree.Usenet.com. ..
    > In article , brian.cryer@
    > 127.0.0.1.ntlworld.com says...
    >> "Leythos" wrote in message
    >> news:MPG.21b7f5a98518a04d989875@adfree.Usenet.com. ..
    >> > In article , chilly8@hotmail.com says...
    >> >> However, proxies are sprouting up like weeds so fast that the
    >> >> filtering companies cannot keep up with them half the time.
    >> >> Proxies come and go at such a huge rate that they cannot keep
    >> >> up with them. And my proxy is one of thousands of them being
    >> >> operated as public proxies.
    >> >
    >> > And a properly configured firewall solution does not need a "Filtering
    >> > Company" to identify them in order to prevent access to them.
    >> >
    >> > As a matter of fact, all quality firewall appliances can block all
    >> > outbound access by default and then permit the admins to create rules
    >> > that allow access to "approved" sites only. Since the approved sites
    >> > are
    >> > not proxy sites, there is no way for the user to abuse the company
    >> > resources and access yours or anyone else's services.

    >>
    >> Is that practical? I don't want to have to draw up a list of approved
    >> sites
    >> for my company, the list would be almost never ending because many of our
    >> staff use the internet for research which means they could legitimately
    >> end
    >> up going almost anywhere.

    >
    > Yea, and it's what should be done. If you have a select group that does
    > research, using the web, you could (and should) create a different HTTP


    What you are talking about requires one filtering tool, CyBlock, with
    the most expensive annual licensing, $799 annually for just 10 users.
    CyBlock can handle specific groups and their filtering requirements,
    and can do whitelisting, and there is one European filter maker,
    though I cannot recall the name right now, that can whitelist, but
    unless you use these pricey filtering products, whitelisting is just
    not practical.



  14. Re: Cyber Monday

    In article , chilly8@hotmail.com says...
    > X-No-Archive: Yes
    >
    > "Leythos" wrote in message
    > news:MPG.21b879b547e9691f989877@adfree.Usenet.com. ..
    > > In article , brian.cryer@
    > > 127.0.0.1.ntlworld.com says...
    > >> "Leythos" wrote in message
    > >> news:MPG.21b7f5a98518a04d989875@adfree.Usenet.com. ..
    > >> > In article , chilly8@hotmail.com says...
    > >> >> However, proxies are sprouting up like weeds so fast that the
    > >> >> filtering companies cannot keep up with them half the time.
    > >> >> Proxies come and go at such a huge rate that they cannot keep
    > >> >> up with them. And my proxy is one of thousands of them being
    > >> >> operated as public proxies.
    > >> >
    > >> > And a properly configured firewall solution does not need a "Filtering
    > >> > Company" to identify them in order to prevent access to them.
    > >> >
    > >> > As a matter of fact, all quality firewall appliances can block all
    > >> > outbound access by default and then permit the admins to create rules
    > >> > that allow access to "approved" sites only. Since the approved sites
    > >> > are
    > >> > not proxy sites, there is no way for the user to abuse the company
    > >> > resources and access yours or anyone else's services.
    > >>
    > >> Is that practical? I don't want to have to draw up a list of approved
    > >> sites
    > >> for my company, the list would be almost never ending because many of our
    > >> staff use the internet for research which means they could legitimately
    > >> end
    > >> up going almost anywhere.

    > >
    > > Yea, and it's what should be done. If you have a select group that does
    > > research, using the web, you could (and should) create a different HTTP

    >
    > What you are talking about requires one filtering tool, CyBlock, with
    > the most expensive annual licensing, $799 annually for just 10 users.
    > CyBlock can handle specific groups and their filtering requirements,
    > and can do whitelisting, and there is one European filter maker,
    > though I cannot recall the name right now, that can whitelist, but
    > unless you use these pricey filtering products, whitelisting is just
    > not practical.


    Again, you are WRONG:

    1) Block all access except approved sites - ANY Firewall appliance can
    do this as shipped - any real firewall has this function already, no
    fee, no additional cost, no subscription.

    2) Blocking based on Categories of Sites, yes, this has a subscription,
    provides hourly/daily updates, still only allows access to approved
    sites in the list or can be set to only block what is in the list. Cost
    is under $200 per year in most cases, for the ENTIRE FIREWALL, not a
    per-user cost.

    3) Multiple, simple groups, for HTTP access:

    3a - Default rule - block all except business approved sites.

    3b - MANAGERS_Rule - allows access to search, etc... still most sites
    blocked

    3c - SoftwareUpdate_Rule - allow unlimited access by servers to specific
    IP ranges for Windows Updates/AV updates (not for workstations).

    4 rules for HTTPS:

    4a - Default rule - block all except to business approved sites.

    4b - Managers/Admins - Allow all HTTPS access.

    And the list goes on....

    cheap, easy, works well, completely blocks your crap from all users
    except IT Admins in network.



    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  15. Re: Cyber Monday

    * Chilly8 :
    > What you are talking about requires one filtering tool, CyBlock, with
    > the most expensive annual licensing, $799 annually for just 10 users.
    > CyBlock can handle specific groups and their filtering requirements,
    > and can do whitelisting, and there is one European filter maker,
    > though I cannot recall the name right now, that can whitelist, but
    > unless you use these pricey filtering products, whitelisting is just
    > not practical.
    >
    >


    Wrong as usual but then we've come to expect that from you.

    Jason

  16. Re: Cyber Monday

    > Easy:
    >
    > - Allow outbound SSH only from whitelisted hosts,

    Good luck... do you have deep packet inspection where you are able to
    filter by protocol? i doubt it. block port 22 I'll use 443 or whatever
    else is available
    > - Allow outbound https only to whitelisted sites.

    Wouldn't want to manage that...you'd have people screaming at you all
    day long to add sites and it's not practical from a business point of view
    > - Use a transparent proxy for all outbound http.

    Again, easily bypassed (haven't worked for a company yet that I
    couldn't get around)
    > - Block all other outbound connections.

    No complaint there
    > Besides, despite the encryption it is quite possible to distinguish
    > between SSH and https connections.

    True
    > Try getting a clue before posting next time.
    >

    from one security expert to another.... touche'
    > cu
    > 59cobalt


  17. Re: Cyber Monday

    Ansgar -59cobalt- Wiechers wrote:
    > slackerama wrote:
    >>> Which in turn is why many companies block access to proxies.

    >> Which is why ssh is your best friend...show me a company that can
    >> effectively block outbound ssh without disrupting normal outbound
    >> business traffic and i have a bridge to sell you...

    >
    > Easy:
    >
    > - Allow outbound SSH only from whitelisted hosts,
    > - Allow outbound https only to whitelisted sites.
    > - Use a transparent proxy for all outbound http.
    > - Block all other outbound connections.
    >
    > Besides, despite the encryption it is quite possible to distinguish
    > between SSH and https connections.
    >
    > Try getting a clue before posting next time.
    >

    from one security expert to another... touche
    > cu
    > 59cobalt


    Do I really need to post a rebuttal to this??

  18. Re: Cyber Monday

    In article <474F6526.8040509@slacker.com>, slackerama@slacker.com
    says...
    > Good luck... do you have deep packet inspection where you are able to
    > filter by protocol? i doubt it. block port 22 I'll use 443 or whatever
    > else is available


    Won't work on a properly secured network.

    You can't use 443 to connect to sites that are not approved at the
    firewall.

    While white-listing is VERY practical - As soon as businesses adopt the
    ideals that users don't need internet service to work, and most don't,
    then it becomes very simple and it doesn't take much time at all.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  19. Re: Cyber Monday

    slackerama wrote:
    > Ansgar -59cobalt- Wiechers wrote:
    >> slackerama wrote:
    >>>> Which in turn is why many companies block access to proxies.
    >>> Which is why ssh is your best friend...show me a company that can
    >>> effectively block outbound ssh without disrupting normal outbound
    >>> business traffic and i have a bridge to sell you...

    >>
    >> Easy:
    >>
    >> - Allow outbound SSH only from whitelisted hosts,
    >> - Allow outbound https only to whitelisted sites.
    >> - Use a transparent proxy for all outbound http.
    >> - Block all other outbound connections.
    >>
    >> Besides, despite the encryption it is quite possible to distinguish
    >> between SSH and https connections.
    >>
    >> Try getting a clue before posting next time.
    >>

    > from one security expert to another... touche
    >> cu
    >> 59cobalt

    >
    > Do I really need to post a rebuttal to this??


    To address the points you tried to make in the post you apparently
    cancelled (MID <474F6526.8040509@slacker.com>):

    >> - Allow outbound SSH only from whitelisted hosts,

    >
    > Good luck... do you have deep packet inspection where you are able to
    > filter by protocol? i doubt it.


    We don't have an application level filter in place, because our
    employees are allowed to use the internet for their own purposes (as
    long as they don't overdo it). However, if I had the need to filter at
    application level I'd probably use something like l7-filter:

    http://l7-filter.sf.net/

    > block port 22 I'll use 443 or whatever else is available


    There isn't anything else available to you.

    - 22/tcp is allowed only from whitelisted hosts on the LAN
    - 80/tcp and 443/tcp are redirected transparently to the proxy, which
    allows https connections only to whitelisted domains
    - 53/udp and 53/tcp are allowed only from the company's DNS servers
    - 25/tcp is allowed only from the company's mail server
    - everything else is blocked

    >> - Allow outbound https only to whitelisted sites.

    >
    > Wouldn't want to manage that...you'd have people screaming at you all
    > day long to add sites and it's not practical from a business point of
    > view


    Users don't need to access that many sites using SSL for their work, and
    the sites they need to access don't change that frequently, so contrary
    to your belief it is quite manageable.

    >> - Use a transparent proxy for all outbound http.

    >
    > Again, easily bypassed (haven't worked for a company yet that I
    > couldn't get around)


    Get around a transparent proxy? Do you even understand how a transparent
    proxy works? The router indiscriminately redirects all traffic on the
    given ports to the proxy (and you're not allowed to establish outbound
    connections on other ports), so pray tell how you think you can get
    around that.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
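The egress rules 59cobalt lists above, together with the per-group HTTP/HTTPS rules Leythos describes in post 14 and his point that spotting an abuser is then simple, modelled as a first-match policy with a default deny. This is an added example, not code from the thread or from any firewall or proxy product; the LAN range, the manager subnet, the server addresses and the domain whitelist are constructed placeholders.

```python
"""Model of a default-deny egress policy: first-match firewall rules, a
transparent proxy for 80/443 with a domain whitelist, per-group exceptions,
and a per-source tally of denied attempts for spotting abusers."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders (documentation ranges), not any real network.
LAN = ip_network("10.0.0.0/16")
DNS_SERVERS = {"10.0.0.53"}
MAIL_SERVER = {"10.0.0.25"}
SSH_ALLOWED_HOSTS = {"10.0.9.10"}            # the few hosts that may use 22/tcp
MANAGER_HOSTS = ip_network("10.0.8.0/24")     # reserved IP range with wider HTTPS access
BUSINESS_DOMAINS = {"erp.example.com", "bank.example.net"}


@dataclass(frozen=True)
class Conn:
    src: str
    proto: str        # "tcp" or "udp"
    dport: int
    host: str = ""    # hostname the proxy sees (CONNECT target / TLS SNI); "" if none


def firewall_decision(c: Conn) -> str:
    """Rules in the order given in the post; anything that matches nothing is dropped."""
    if ip_address(c.src) not in LAN:
        return "DROP"
    if c.proto == "tcp" and c.dport == 22 and c.src in SSH_ALLOWED_HOSTS:
        return "ACCEPT"
    if c.proto == "tcp" and c.dport in (80, 443):
        return "REDIRECT_PROXY"                # transparent redirect, whatever the payload
    if c.dport == 53 and c.src in DNS_SERVERS:
        return "ACCEPT"
    if c.proto == "tcp" and c.dport == 25 and c.src in MAIL_SERVER:
        return "ACCEPT"
    return "DROP"


def proxy_decision(c: Conn) -> str:
    """Managers get all of HTTPS; everyone else only whitelisted domains.
    A payload that is not HTTP/TLS yields no hostname and so never matches."""
    if ip_address(c.src) in MANAGER_HOSTS:
        return "ACCEPT"
    return "ACCEPT" if c.host in BUSINESS_DOMAINS else "DENY"


def evaluate(c: Conn) -> str:
    """Combined verdict: firewall first, then the proxy for redirected traffic."""
    d = firewall_decision(c)
    return "PROXY_" + proxy_decision(c) if d == "REDIRECT_PROXY" else d


def denied_by_source(conns) -> Counter:
    """Blocked attempts per source: the host with many is the one to look at."""
    return Counter(c.src for c in conns if evaluate(c) in ("DROP", "PROXY_DENY"))


# Constructed connection attempts.
SAMPLE_CONNS = [
    Conn("10.0.5.17", "tcp", 22),                          # ssh from an ordinary workstation
    Conn("10.0.5.17", "tcp", 443, "home.example.org"),     # same host, non-business site over 443
    Conn("10.0.5.17", "tcp", 443),                         # non-TLS payload on 443: no hostname
    Conn("10.0.5.17", "tcp", 8443),                        # any other port
    Conn("10.0.5.17", "tcp", 443, "erp.example.com"),      # legitimate business site
    Conn("10.0.8.4", "tcp", 443, "research.example.org"),  # manager range, unrestricted HTTPS
    Conn("10.0.9.10", "tcp", 22),                          # whitelisted ssh host
    Conn("10.0.0.53", "udp", 53),                          # the DNS server
    Conn("10.0.5.17", "udp", 53),                          # workstation resolving names directly
]

if __name__ == "__main__":
    for c in SAMPLE_CONNS:
        print(c.src, c.proto, c.dport, c.host or "-", "->", evaluate(c))
    print("denied per source:", dict(denied_by_source(SAMPLE_CONNS)))
```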
