May 13, 2010 at 8:05 pm #5043
I’d like to start by saying that I’m rather new... no, this is my first “job”... well, it’s not even a real job, it’s just a test. OK, enough.
I’ll have to test his “content filtering service”.
The proxy is based on Squid,
and the content filtering part is managed by DansGuardian.
All the software is updated to the latest version, and the content filtering is based on word weighting and banned URLs and IPs,
everything on an external CentOS machine.
For the first tests I’ll just have to test for filter evasion, nothing hard yet.
If this goes well I think he’ll make me test it a little bit deeper.
Could you help me compile something like a checklist of the tests to do?
Or just some tips/hints.
P.S. I wasn’t really sure about the section, so feel free to move the post 🙂
May 14, 2010 at 3:20 pm #31998
It will be on Tuesday!
May 14, 2010 at 3:29 pm #31999 MicroJay (Participant)
One suggestion would be to think like the user that wants to avoid being filtered. Use Google and search for “anonymous proxies”. Click on each link until you are able to view the site. Done!
If it passes that (you can’t get to one), set up an anonymous proxy yourself and see if you can get to it. (Does it block uncategorized sites?)
Next would be to see if there are any vulnerabilities. But if it is patched fully, it might not be as easy.
Just some quick thoughts as I have gone through this with our content filter devices in the past. 😉
May 14, 2010 at 3:59 pm #32000
There is also tunneling, especially over encrypting protocols.
May 14, 2010 at 4:09 pm #32001
Thanks for the answers!
I’ve been successfully bypassing the filters using a proxy and tunneling (we had the same service at school).
My suggestion to fix the proxy (if not elite) problem would be to block all the packets with a “Forwarded” header
and all of Tor’s endpoints.
What do you think about it?
May 14, 2010 at 4:31 pm #32002 MicroJay (Participant)
Correct! VPN or any encrypted tunneling would do as well.
Use that a lot when at hotels!
May 14, 2010 at 4:39 pm #32003
Thank you xD
Any idea how to fix it?
How to filter encrypted traffic... I was thinking about a MitM attack (a legitimate one) made by the proxy (our... their service), but I’m afraid it would mess with the certificates, making all the MitM countermeasures go in vain.
May 14, 2010 at 5:07 pm #32004
I am not sure if it can be completely fixed. I usually implement egress filtering at the firewall that only permits traffic from certain hosts. With proxies, centralized email servers, etc., the users don’t really need to leave the firewall. The server makes the request for them. For those that need more connectivity and are trusted, I make exceptions in the firewall.
May 14, 2010 at 5:15 pm #32005
I don’t think you can filter out all tunneling. You need to develop a solid outbound access policy. For HTTP tunneling, regularly check the logs and block the relay server. Check for CONNECT requests to odd ports, etc.
Edit: Ketchup beat me to it.
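The “check the logs for CONNECT requests to odd ports” advice above, turned into a small script. This is an added example, not code from the thread: it parses Squid’s default native access.log format (timestamp, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type), flags every CONNECT whose target port is not in an allowed set (443 only, by assumption), and then lists the host:port pairs a client reaches repeatedly with a 2xx status, which is what a personal HTTP relay or tunnel endpoint looks like in the log. The log lines are constructed for illustration.

```python
"""Scan Squid native access.log lines for CONNECT requests to unusual ports.

Added example, not from the thread. Squid's default "native" log line is:
  time elapsed client code/status bytes method URL user hierarchy/peer type
The sample lines below are constructed for illustration.
"""
import re
from collections import Counter

# Assumption: plain HTTPS is the only legitimate CONNECT target on this network.
ALLOWED_CONNECT_PORTS = {443}

SAMPLE_LOG = """\
1273840000.101    230 10.0.0.15 TCP_MISS/200 5123 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1273840001.555   3120 10.0.0.15 TCP_MISS/200 44201 CONNECT example.com:443 - DIRECT/93.184.216.34 -
1273840002.010  98000 10.0.0.23 TCP_MISS/200 903311 CONNECT relay.example.net:8080 - DIRECT/198.51.100.7 -
1273840003.300   1200 10.0.0.23 TCP_DENIED/403 1500 CONNECT relay.example.net:22 - HIER_NONE/- text/html
1273840004.420  75000 10.0.0.23 TCP_MISS/200 811002 CONNECT relay.example.net:8080 - DIRECT/198.51.100.7 -
1273840005.000    900 10.0.0.42 TCP_MISS/200 7000 CONNECT mail.example.org:443 - DIRECT/203.0.113.9 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("status", "bytes", "elapsed"):
        rec[key] = int(rec[key])
    return rec


def connect_target(url):
    """For CONNECT the 'URL' field is host:port; return (host, port)."""
    host, _, port = url.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_odd_connects(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """Return (client, host, port, status) for every CONNECT to a non-allowed port,
    denied ones included: a 403 to port 22 is still a user trying to tunnel."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        host, port = connect_target(rec["url"])
        if port not in allowed:
            hits.append((rec["client"], host, port, rec["status"]))
    return hits


def relay_candidates(log_text, min_hits=2):
    """(client, host, port) triples that got through (2xx) at least min_hits
    times on a non-standard port: the likely relay or tunnel endpoints to block."""
    per_pair = Counter()
    for client, host, port, status in find_odd_connects(log_text):
        if 200 <= status < 300:
            per_pair[(client, host, port)] += 1
    return sorted(k for k, n in per_pair.items() if n >= min_hits)


if __name__ == "__main__":
    for hit in find_odd_connects(SAMPLE_LOG):
        print("odd CONNECT:", hit)
    for cand in relay_candidates(SAMPLE_LOG):
        print("relay candidate:", cand)
```

The status code is kept in the output on purpose: the 403 on port 22 shows the firewall rule working, while the repeated 200s to port 8080 with megabytes of traffic are the ones worth adding to the blacklist. Real deployments should also account for custom `logformat` settings, which change the field order.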
May 14, 2010 at 6:02 pm #32006
I forgot to mention that it blocks all the ports except for the allowed ones, unless the administrator sets it.
May 15, 2010 at 3:57 pm #32007
The only option I can think of (or find) right now is to block HTTP CONNECT to all websites except the valid ones. Like I previously stated, you’ll need to develop strong outbound access rules. If HTTPS is allowed to random sites, users can always find a way to bypass the firewall.
If blocking access to all sites is not feasible then you can use various addons with squid to blacklist ‘improper’ websites. You can easily find a large number of URL blacklists.
May 15, 2010 at 4:23 pm #32008
There already is a blacklist system (a huge paid blacklist, updated daily).
And thanks for the comments!
Do you think that username:email@example.com would trick the URL detection?
If not, would whitelistedurl.mydomain.com be unbannable? (I mean making a sub-domain named after a whitelisted URL.)
May 15, 2010 at 4:39 pm #32009
I’m not sure about it. But I think that in a conflict between whitelist and blacklist, the blacklist always wins. In this case, though, I think that Squid shouldn’t block whitelistedurl.mydomain.com unless you’ve added *mydomain.com to the blacklist. Someone more experienced should help here. However, I found links that might be helpful to you.
May 15, 2010 at 5:45 pm #32010
May 15, 2010 at 7:03 pm #32011 rattis (Participant)
I haven’t played with Squid much, but typically if you have something whitelisted it’ll get checked before the blacklist and always be allowed through.
I’m basing this off firewalls (iptables, ipchains, and Cisco ASA), where the allowed traffic usually comes before the deny-all statement at the end.
So as far as I understand it, you can have allowed.domain.com in the whitelist and *.domain.com in the blacklist, and you should still be able to get to allowed.domain.com.
I could be wrong. Like I said I’m basing this off my firewall knowledge and applying proxy filters to that.
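The two questions raised in the last few posts (does `user:pass@host` syntax fool the URL check, and does a whitelisted host beat a banned parent domain) come down to how the filter turns a URL into a hostname and in what order it consults its lists. The following is an added example, not DansGuardian’s or Squid’s own code: it contrasts a substring matcher, which the userinfo trick and the look-alike subdomain trick both defeat, with a matcher that first extracts the real host and then checks exceptions before bans. The exception-first order is an assumption chosen for the example, not a statement about how the poster’s deployment is configured.

```python
"""Host extraction and exception/ban matching for a URL filter.

Added example, not from the thread or from DansGuardian/Squid. Assumptions:
  * list entries are bare domains; "*.example.com" and "example.com" both
    mean the domain and all of its subdomains;
  * exceptions are consulted before bans (a deliberate choice here).
"""
from urllib.parse import urlsplit


def real_host(url):
    """The host the request will actually reach: userinfo, port and trailing
    dot removed, lowercased. urlsplit().hostname drops the user:pass@ part."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def domain_matches(host, pattern):
    """True if host equals the pattern's domain or is a subdomain of it."""
    pattern = pattern.lstrip("*.").lower()
    return host == pattern or host.endswith("." + pattern)


def decide(url, exceptions, banned):
    """Parse the host first, then exceptions, then bans."""
    host = real_host(url)
    if any(domain_matches(host, p) for p in exceptions):
        return "allow"
    if any(domain_matches(host, p) for p in banned):
        return "deny"
    return "allow"


def naive_decide(url, exceptions, banned):
    """A substring matcher on the raw URL string, kept only to show what the
    user:pass@host and look-alike-subdomain tricks exploit."""
    u = url.lower()
    if any(p.lstrip("*.") in u for p in exceptions):
        return "allow"
    if any(p.lstrip("*.") in u for p in banned):
        return "deny"
    return "allow"


# Constructed lists and URLs for the demonstration.
EXCEPTIONS = ["allowed.example.com"]
BANNED = ["*.example.com", "*.example.net"]

TRICK_USERINFO = "http://allowed.example.com@evil.example.net/"
TRICK_SUBDOMAIN = "http://allowed.example.com.evil.example.net/"
PLAIN_ALLOWED = "http://allowed.example.com/page"
PLAIN_BANNED = "http://other.example.com/page"

if __name__ == "__main__":
    for u in (TRICK_USERINFO, TRICK_SUBDOMAIN, PLAIN_ALLOWED, PLAIN_BANNED):
        print(f"{u:50} host={real_host(u):30} naive={naive_decide(u, EXCEPTIONS, BANNED):5} "
              f"parsed={decide(u, EXCEPTIONS, BANNED)}")
```

With the host parsed out, the userinfo URL resolves to `evil.example.net` and is denied, and the look-alike subdomain ends in `.example.net`, so it is denied too; only a genuine `allowed.example.com` host is let through ahead of the `*.example.com` ban. Whether a given filter behaves this way is exactly what the tester should verify with these four URLs.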
May 16, 2010 at 12:39 am #32012
I’ll try to:
1) play with the white/black lists
2) use encrypted connections
3) use a premade proxy server (SSL and not)
What else can I try?
May 19, 2010 at 11:49 pm #32013
So the first day passed... well, it didn’t go how I hoped, to tell the truth.
The white and black lists were well written.
SSL connections didn’t change anything.
I didn’t manage to get Tor working... shame on me.
Everything that I managed to put in that report was some pesky proxies and a site screenshot service 🙁
May 20, 2010 at 1:04 pm #32014
Did you try an SSH tunnel? I wouldn’t use the standard port 22. Instead, use port 80, 25, or something else typically allowed outbound.
May 20, 2010 at 1:19 pm #32015
I didn’t manage to tunnel Tor; it would have worked wonderfully.
And yes, their firewall blocks all the ports except for the “needed” ones like 80, 443, etc.
May 20, 2010 at 2:52 pm #32016
You don’t need TOR. Just google SSH tunneling. In a nutshell, you can configure an SSH box somewhere outside of the network. You then configure a client to tunnel HTTP traffic through the SSH box.
The same can be done with HTTP traffic.
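The SSH-on-port-443 idea from the last two posts works against a firewall that decides by port number alone. The added example below, not from the thread, shows the check the defender side would need: classify the first bytes a client sends on a supposedly HTTPS or HTTP port and flag streams whose protocol does not match the port. A TLS ClientHello starts with a handshake record header (`0x16 0x03 0x0x`, then handshake type `0x01`), an SSH session starts with the RFC 4253 identification string `SSH-`, and plain HTTP starts with a method token. The flows are constructed for illustration; where the check runs (firewall, IDS, or a proxy helper inspecting bytes after a CONNECT) is an assumption.

```python
"""Spot SSH (or anything else) riding on ports reserved for HTTP/HTTPS.

Added example, not from the thread. Classifies the first client-sent bytes of a
TCP stream and compares the result with what the destination port should carry.
Sample flows are constructed; in practice the bytes would come from a packet
capture or from a proxy's view of the data following a CONNECT.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Assumption: what each allowed port is supposed to carry.
EXPECTED = {443: {"tls-client-hello"}, 80: {"http"}, 22: {"ssh"}}


def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'tls-client-hello', 'http' or 'unknown' for a client's first bytes."""
    if data.startswith(b"SSH-"):
        return "ssh"                       # RFC 4253 identification string
    if (len(data) >= 6 and data[0] == 0x16          # TLS record type: handshake
            and data[1] == 0x03 and data[2] <= 0x03  # record version 3.0 .. 3.3
            and data[5] == 0x01):                    # handshake type: ClientHello
        return "tls-client-hello"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def mismatches(flows, expected=EXPECTED):
    """flows: iterable of (client, dst_port, first_bytes).
    Return (client, port, kind) for every flow whose protocol does not fit the port."""
    out = []
    for client, port, data in flows:
        kind = classify_first_bytes(data)
        if port in expected and kind not in expected[port]:
            out.append((client, port, kind))
    return out


# Constructed flows: a real-looking ClientHello on 443, an SSH banner on 443,
# a normal request on 80, and an SSH banner on 80.
SAMPLE_FLOWS = [
    ("10.0.0.15", 443, bytes.fromhex("16030100a5010000a10303") + b"\x00" * 32),
    ("10.0.0.23", 443, b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.0.0.42", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.23", 80, b"SSH-2.0-OpenSSH_5.3\r\n"),
]

if __name__ == "__main__":
    for flow in mismatches(SAMPLE_FLOWS):
        print("protocol/port mismatch:", flow)
```

This catches the plain “sshd on 443” trick because the SSH client announces itself in clear text before any encryption starts. It does not catch SSH wrapped in real TLS (stunnel and the like), where the first bytes are a genuine ClientHello; that case is back to the outbound-policy and CONNECT-log discussion earlier in the thread.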