Content filtering proxy service

    • #5043
      xFrosty
      Participant

      I’d like to start by saying that I’m rather new... no, this is my first “job”... well, it’s not even a real job, it’s just a test. OK, enough.
      I’ll have to test his “content filtering service”.
      The proxy is based on Squid
      http://en.wikipedia.org/wiki/Squid_%28software%29
      and the content filtering part is managed by DansGuardian
      http://en.wikipedia.org/wiki/DansGuardian
      All the software is updated to the latest version and the content filtering is based on word weights / banned URLs and IPs,
      everything on an external CentOS machine.

      For the first tests I’ll just have to test for filter evasion, nothing hard yet.
      If this goes well I think he’ll make me test it a little bit deeper.

      Could you help me compile something like a checklist of the tests to do?
      Or just some tips/hints?

      P.S. I wasn’t really sure about the section so feel free to move the post 🙂

    • #31998
      xFrosty
      Participant

      it will be on Tuesday!

    • #31999
      MicroJay
      Participant

      Welcome aboard!

      One suggestion would be to think like the user that wants to avoid being filtered. Use Google and search for “anonymous proxies”. Click on each link until you are able to view the site. Done!

      If it passes that (you can’t get to one), set up an anonymous proxy yourself and see if you can get to it. (Does it block uncategorized sites?)

      Next… would be to see if there were any vulnerabilities. But if it is patched fully, it might not be as easy.

      Just some quick thoughts, as I have gone through this with our content filter devices in the past. 😉

    • #32000
      Ketchup
      Participant

      There is also tunneling, especially over encrypting protocols.

    • #32001
      xFrosty
      Participant

      Thanks for the answers!

      I’ve been successfully bypassing the filters using a proxy and tunneling (we had the same service at school).

      My suggestion to fix the proxy (if not elite) problem would be to block all the packets with a “Forwarded” header
      and all of Tor’s endpoints.
      What do you think about it?

    • #32002
      MicroJay
      Participant

      Correct! VPN or any encrypted tunneling would do as well.
      Use that a lot when at hotels!

    • #32003
      xFrosty
      Participant

      Thank you xD

      Any idea how to fix it?
      How to filter encrypted traffic... I was thinking about a MitM attack (a legitimate one) made by the proxy (our... their service), but I’m afraid it would mess with the certificates, making all the MitM countermeasures go in vain.

    • #32004
      Ketchup
      Participant

      I am not sure if it can be completely fixed. I usually implement egress filtering at the firewall that only permits traffic from certain hosts. With proxies, centralized email servers, etc., the users don’t really need to leave the firewall. The server makes the request for them. For those that need more connectivity and are trusted, I make exceptions in the firewall.

    • #32005
      Xen
      Participant

      I don’t think you can filter out all tunneling. You need to develop a solid outbound access policy. For HTTP tunneling, regularly check the logs and block the relay server. Check for CONNECT requests to odd ports, etc.

      Edit: Ketchup beat me to it.
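As an added example (not code from this thread, and not part of Squid or DansGuardian), the log check Xen describes: parse lines in Squid's native access.log layout, flag CONNECT requests to ports other than the approved TLS port, and list hosts that a single client tunnels to repeatedly, which are the relay servers worth reviewing and blocking. The log lines, addresses and hostnames are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1300000000.101    210 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT mail.example.org:443 - HIER_DIRECT/203.0.113.10 -
1300000000.220    180 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.org/index.html - HIER_DIRECT/203.0.113.11 text/html
1300000001.005   9000 10.0.0.7 TCP_TUNNEL/200 88000 CONNECT relay.example.net:8080 - HIER_DIRECT/198.51.100.20 -
1300000002.310     90 10.0.0.7 TCP_DENIED/403 1234 CONNECT 198.51.100.20:22 - HIER_NONE/- text/html
1300000003.415  12000 10.0.0.7 TCP_TUNNEL/200 250000 CONNECT relay.example.net:8080 - HIER_DIRECT/198.51.100.20 -
"""

LOG_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
                    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)")

def parse_line(line):
    """Split one log line into its fields; None for lines that do not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def connect_target(url):
    """A CONNECT request names host:port (or [v6addr]:port) rather than a full URL."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return url, None
    return host.strip("[]"), int(port)

def suspicious_connects(log_text, allowed_ports=(443,)):
    """(client, host, port, outcome) for every CONNECT that did not target an
    approved TLS port; denied attempts are kept because they show intent."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = connect_target(rec["url"])
        if port not in allowed_ports:
            outcome = "denied" if rec["result"].startswith("TCP_DENIED") else "tunnelled"
            findings.append((rec["client"], host, port, outcome))
    return findings

def relay_candidates(log_text, min_hits=2):
    """Hosts that one client tunnels to repeatedly: the relay servers to review and block."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT" and rec["result"].startswith("TCP_TUNNEL"):
            hits[(rec["client"], connect_target(rec["url"])[0])] += 1
    return sorted(key for key, n in hits.items() if n >= min_hits)
```

Run `suspicious_connects(SAMPLE_LOG)` and `relay_candidates(SAMPLE_LOG)` against the sample, or feed the functions a real access.log read from disk.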

    • #32006
      xFrosty
      Participant

      I forgot to mention that it blocks all the ports except for the allowed ones, unless the administrator sets it otherwise.

    • #32007
      Xen
      Participant

      The only option I can think of (or find) right now is to block HTTP CONNECT to all websites except the valid ones. Like I previously stated, you’ll need to develop strong outbound access rules. If HTTPS is allowed to random sites, users can always find a way to bypass the firewall.
      If blocking access to all sites is not feasible, then you can use various add-ons with Squid to blacklist ‘improper’ websites. You can easily find a large number of URL blacklists.

    • #32008
      xFrosty
      Participant

      There already is a blacklist system (a huge paid blacklist, updated daily),
      and thanks for the comments!

      Do you think that username:password@bannedurl.com would trick the URL detection?
      If not, would whitelistedurl.mydomain.com be unbannable? (I mean making a sub-domain named after a whitelisted URL.)

    • #32009
      Xen
      Participant

      I’m not sure about it. But I think that in a conflict between whitelist and blacklist, the blacklist always wins. But in this case I think that Squid shouldn’t block whitelistedurl.mydomain.com unless you’ve added *mydomain.com to the blacklist. Someone more experienced should help here. However, I found links that might be helpful to you.
      http://marc.info/?l=squidguard&m=108285256707491
      http://marc.info/?l=squidguard&m=108260329925644&w=2

    • #32010
      xFrosty
      Participant

      Thank you!

    • #32011
      rattis
      Participant

      I haven’t played with Squid much, but typically if you have something whitelisted it’ll get checked before the blacklist and always be allowed through.

      I’m basing this off firewalls (iptables, ipchains, and Cisco ASA), where the allowed traffic usually comes before the deny-all statement at the end.

      So as far as I understand it, you can have allowed.domain.com in the whitelist, and *.domain.com in the blacklist, but you should still be able to get to allowed.domain.com.

      I could be wrong. Like I said, I’m basing this off my firewall knowledge and applying proxy filters to that.

      Squid example: unfiltered adults, whitelisted kids, deny everything else
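As an added example (my own code, not the thread's and not how Squid or DansGuardian are implemented), a small model of the first-match ordering rattis describes, applied to the two cases xFrosty asked about: a `user:pass@host` URL and a sub-domain named after a whitelisted host. It shows why a filter must match on the parsed hostname with whole-label suffix matching rather than on the raw URL string. The list entries and hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed lists reproducing the case discussed above: a host on the
# whitelist whose parent domain is on the blacklist.
WHITELIST = {"allowed.domain.com", "kids.example.org"}
BLACKLIST = {"domain.com", "banned.example"}   # an entry covers the host and every subdomain

def request_host(url):
    """The host the proxy actually connects to. Userinfo (user:pass@) and the
    port are not part of the hostname, so they cannot influence list matching."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.hostname is None:
        raise ValueError(f"no host in {url!r}")
    return parts.hostname            # already lower-cased by urlsplit

def matches(host, entries):
    """Suffix match on whole labels: host equals an entry or is a subdomain of one.
    'kids.example.org.mydomain.com' therefore does not match 'kids.example.org'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))

def naive_matches(url, entries):
    """What a plain substring check on the raw URL would do (the weak form):
    the sub-domain trick succeeds against this, not against matches()."""
    return any(entry in url for entry in entries)

def decide(url, whitelist=WHITELIST, blacklist=BLACKLIST):
    """First-match ordering as rattis describes: the whitelist is consulted before
    the blacklist, and unmatched hosts fall through to the default policy."""
    host = request_host(url)
    if matches(host, whitelist):
        return "allow", host
    if matches(host, blacklist):
        return "deny", host
    return "default", host
```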

    • #32012
      xFrosty
      Participant

      I’ll try to:
      1) play with the white/black lists
      2) use encrypted connections
      3) use a premade proxy server (SSL and not)

      What else can I try?

    • #32013
      xFrosty
      Participant

      So the first day passed... well, it didn’t go how I hoped, to tell the truth.

      White and black lists were well written.

      SSL connections didn’t change anything.

      I didn’t manage to get Tor working... shame on me.

      Everything that I managed to put in that report was some pesky proxies and a site screenshot service 🙁

    • #32014
      Ketchup
      Participant

      Did you try an SSH tunnel? I wouldn’t use the standard port 22. Instead, use port 80, 25, or something else typically allowed outbound.

    • #32015
      xFrosty
      Participant

      I didn’t manage to tunnel Tor; it would have worked wonderfully.
      And yes, their firewall blocks all the ports except for the “needed” ones like 80, 443, etc.

    • #32016
      Ketchup
      Participant

      You don’t need Tor. Just google SSH tunneling. In a nutshell, you can configure an SSH box somewhere outside of the network. You then configure a client to tunnel HTTP traffic through the SSH box.

      http://www.ssh.com/support/documentation/online/ssh/winhelp/32/Tunneling_Explained.html

      The same can be done with HTTP traffic.

Copyright ©2021 Caendra, Inc.