[lug] HTTP Tunneling
dan at usrsbin.com
Sat Oct 7 10:03:45 MDT 2006
You're right of course, but it's a requirement for the school.
I'm not going to loose sleep over the problem.
I guess from my standpoint, it's an interesting technical problem.
Nate Duehr wrote:
> Dan Ferris wrote:
>> Dear List,
>> I have helped a friend set up a DansGuardian Proxy filtering system
>> for her school district in Missouri. The Firewall blocks all traffic
>> to the internet period. The only traffic allowed to the net is via
>> the DansGuardian Proxy server. When I say everything is blocked, I
>> mean everything. None of the common VPN protocols will work (IPSec,
>> PPTP, L2TP etc), HTTPS will not work, and I'm pretty sure that
>> OpenVPN won't work (I'm not 100% sure about this we would have to test).
>> I'm convinced the only way around the proxy server is via a CGI proxy
>> which we can deal with via DansGuardian, or by HTTP tunneling.
>> So my question to the list is:
>> Does anybody know an easy way to detect HTTP tunneling? I have never
>> used it before. At the moment I'm thinking the easiest way is to
>> look for long periods of large data transfers via HTTP. Am I on the
>> right track?
>> Dan Ferris
> The generic rule holds true here; Never try to fix a people problem
> with technology.
> If he has kids smart enough to figure out how to tunnel out of his
> network via HTTP, you can block it, but they'll just find another way
> around it.
> Policy with real consequences from "management" is the only hope here,
> long-term. The kids and parents sign an acceptable-use agreement, and
> a serious infraction spells suspension and eventually expulsion.
> If he doesn't have policy and consequences covered, nothing else
> matters. Basic psychology -- people respond only to their perceived
> outcomes, and the outcome of bypassing the school district's network
> setup maliciously or non-maliciously needs to result in dire
> consequences for the student. (Well, also for teachers if they're the
> You're probably on the right track, from a purely technical
> standpoint, but he's not looking at the big picture.
> Engineers can build effective blocks and surveillance systems.
> Politicians, Statesmen, Administrators, and rule-makers need to make
> the rules. Ask them to do so and to back their rules up with real
> actions before you (or your friend) proceed further.
> He'll sleep better at night knowing there's a real threat he can pull
> out of his back pocket that will be enforced evenly and consistently
> if he finds someone doing something inappropriate like bypassing the
> mandated proxy server.
> (In other words, if management wants the Internet filtered then they
> need to finish the job and decide what will be done if the filter is
> bypassed -- and he needs it down in writing to hand to end-users and
> parents if those end-users are minors. "Just do it" without backing
> him up is not an appropriate or professional job by the administration
> and he should resist the temptation to think he can handle it -- kids
> will find ways around the firewall/proxy/filter/whatever. Guaranteed.)
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
I like to think of Jesus as an Ice Dancer, dressed in an all-white jumpsuit, and doing an interpretive dance of my life.
More information about the LUG