[lug] HTTP Tunneling

Dan Ferris dan at usrsbin.com
Sat Oct 7 10:03:45 MDT 2006

You're right of course, but it's a requirement for the school.

I'm not going to lose sleep over the problem.

I guess from my standpoint, it's an interesting technical problem.


Nate Duehr wrote:
> Dan Ferris wrote:
>> Dear List,
>> I have helped a friend set up a DansGuardian Proxy filtering system 
>> for her school district in Missouri.  The Firewall blocks all traffic 
>> to the internet period.  The only traffic allowed to the net is via 
>> the DansGuardian Proxy server.  When I say everything is blocked, I 
>> mean everything.  None of the common VPN protocols will work (IPSec, 
>> PPTP, L2TP etc), HTTPS will not work, and I'm pretty sure that 
>> OpenVPN won't work (I'm not 100% sure about this we would have to test).
>> I'm convinced the only way around the proxy server is via a CGI proxy 
>> which we can deal with via DansGuardian, or by HTTP tunneling.
>> So my question to the list is:
>> Does anybody know an easy way to detect HTTP tunneling?  I have never 
>> used it before.  At the moment I'm thinking the easiest way is to 
>> look for long periods of large data transfers via HTTP.  Am I on the 
>> right track?
>> Thanks,
>> Dan Ferris
> The generic rule holds true here; Never try to fix a people problem 
> with technology.
> If he has kids smart enough to figure out how to tunnel out of his 
> network via HTTP, you can block it, but they'll just find another way 
> around it.
> Policy with real consequences from "management" is the only hope here, 
> long-term.  The kids and parents sign an acceptable-use agreement, and 
> a serious infraction spells suspension and eventually expulsion.
> If he doesn't have policy and consequences covered, nothing else 
> matters.  Basic psychology -- people respond only to their perceived 
> outcomes, and the outcome of bypassing the school district's network 
> setup maliciously or non-maliciously needs to result in dire 
> consequences for the student.  (Well, also for teachers if they're the 
> problem.)
> You're probably on the right track, from a purely technical 
> standpoint, but he's not looking at the big picture.
> Engineers can build effective blocks and surveillance systems. 
> Politicians, Statesmen, Administrators, and rule-makers need to make 
> the rules.  Ask them to do so and to back their rules up with real 
> actions before you (or your friend) proceed further.
> He'll sleep better at night knowing there's a real threat he can pull 
> out of his back pocket that will be enforced evenly and consistently 
> if he finds someone doing something inappropriate like bypassing the 
> mandated proxy server.
> (In other words, if management wants the Internet filtered then they 
> need to finish the job and decide what will be done if the filter is 
> bypassed -- and he needs it down in writing to hand to end-users and 
> parents if those end-users are minors.  "Just do it" without backing 
> him up is not an appropriate or professional job by the administration 
> and he should resist the temptation to think he can handle it -- kids 
> will find ways around the firewall/proxy/filter/whatever.  Guaranteed.)
> Nate
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug

I like to think of Jesus as an Ice Dancer, dressed in an all-white jumpsuit, and doing an interpretive dance of my life. 
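Dan's proposed heuristic (flag long periods of large data transfers via HTTP) worked through as a detection over proxy log lines; this is an added example, not code from the thread, and it assumes a constructed "timestamp client bytes url" log layout rather than DansGuardian's actual access-log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "timestamp client bytes url" layout
# (not DansGuardian's real access-log format); 10.1.2.77 is the heavy client.
SAMPLE_LOG = """\
2006-10-07T10:00:05 10.1.2.50 1200 http://example.com/index.html
2006-10-07T10:00:12 10.1.2.77 6000000 http://example.org/cgi-bin/t
2006-10-07T10:01:09 10.1.2.77 6500000 http://example.org/cgi-bin/t
2006-10-07T10:02:03 10.1.2.77 5900000 http://example.org/cgi-bin/t
2006-10-07T10:02:30 10.1.2.90 7000000 http://example.net/big.iso
2006-10-07T10:03:11 10.1.2.77 6100000 http://example.org/cgi-bin/t
2006-10-07T10:03:45 10.1.2.90 7000000 http://example.net/big.iso
2006-10-07T10:05:02 10.1.2.90 7000000 http://example.net/big.iso
"""

def bytes_per_minute(log_text):
    """Sum transferred bytes per (client, minute bucket)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, nbytes, _url = line.split(maxsplit=3)
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        totals[(client, minute)] += int(nbytes)
    return totals

def sustained_transfers(log_text, min_bytes=5_000_000, min_minutes=3):
    """Return (client, start, n_minutes) for every run of at least
    min_minutes consecutive minutes in which a client moved >= min_bytes.
    A one-off download (10.1.2.90, with a gap at 10:04) is not flagged."""
    heavy = defaultdict(list)
    for (client, minute), nbytes in bytes_per_minute(log_text).items():
        if nbytes >= min_bytes:
            heavy[client].append(minute)
    alerts = []
    for client, minutes in heavy.items():
        minutes.sort()
        start, run = minutes[0], 1
        for prev, cur in zip(minutes, minutes[1:]):
            if cur - prev == timedelta(minutes=1):
                run += 1
                continue
            if run >= min_minutes:
                alerts.append((client, start.isoformat(), run))
            start, run = cur, 1
        if run >= min_minutes:
            alerts.append((client, start.isoformat(), run))
    return sorted(alerts)
```

Thresholds are placeholders; tune min_bytes and min_minutes against a few days of normal traffic so ordinary large downloads do not trip the rule.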
