
Content filtering proxy service

<<

xFrosty

Newbie

Posts: 14

Joined: Wed May 12, 2010 1:59 pm

Post Thu May 13, 2010 3:05 pm

Content filtering proxy service

I'd like to start by saying that I'm rather new.. no, this is my first "job".. well, it's not even a real job, it's just a test, ok enough.
I'll have to test his "content filtering service".
the proxy is based on Squid
http://en.wikipedia.org/wiki/Squid_%28software%29
and the content filtering part is managed by DansGuardian
http://en.wikipedia.org/wiki/DansGuardian
all the software is updated to the latest version and the content-filtering is based on (words weight / banned urls and IPs)
everything on an external CentOS machine

for the first tests I'll just have to test for filter evasion, nothing hard yet
if this goes well I think he'll make me test it a little bit deeper

could you help me compile something like a checklist of the tests to do?
or just some tips/hints

P.S. I wasn't really sure about the section so feel free to move the post :)
<<

xFrosty

Newbie

Posts: 14

Joined: Wed May 12, 2010 1:59 pm

Post Fri May 14, 2010 10:20 am

Re: Content filtering proxy service

it will be on Tuesday!
<<

MicroJay

Full Member

Posts: 101

Joined: Wed Feb 04, 2009 4:19 pm

Post Fri May 14, 2010 10:29 am

Re: Content filtering proxy service

Welcome aboard!

One suggestion would be to think like the user that wants to avoid being filtered. Use Google and search for "anonymous proxies". Click on each link until you are able to view the site. Done!

If it passes that (you can't get to one), set up an anonymous proxy yourself and see if you can get to it. (Does it block uncategorized sites?)

Next...would be to see if there were any vulnerabilities.  But if it is patched fully, it might not be as easy.

Just some quick thoughts as I have gone through this with our content filter devices in the past.  ;)
GSEC - GCIH - GSNA - GPEN
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri May 14, 2010 10:59 am

Re: Content filtering proxy service

There is also tunneling, especially over encrypting protocols. 
~~~~~~~~~~~~~~
Ketchup
<<

xFrosty

Newbie

Posts: 14

Joined: Wed May 12, 2010 1:59 pm

Post Fri May 14, 2010 11:09 am

Re: Content filtering proxy service

Thanks for the answers!

I've been successfully bypassing the filters using a proxy and tunneling (we had the same service at school)

my suggestion to fix the proxy (if not elite) problem would be to block all the packets with a "Forwarded" header
and all the Tor endpoints
what do you think about it?
<<

MicroJay

Full Member

Posts: 101

Joined: Wed Feb 04, 2009 4:19 pm

Post Fri May 14, 2010 11:31 am

Re: Content filtering proxy service

Correct!  VPN or any encrypted tunneling would do as well.
Use that a lot when at hotels!
GSEC - GCIH - GSNA - GPEN
<<

xFrosty

Newbie

Posts: 14

Joined: Wed May 12, 2010 1:59 pm

Post Fri May 14, 2010 11:39 am

Re: Content filtering proxy service

Thank you xD

any idea how to fix it?
how to filter encrypted traffic.. I was thinking about a.. MitM attack (a legit one) made by the proxy (our.. their service), but I'm afraid it would mess with the certificates, making all the MitM countermeasures go in vain
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri May 14, 2010 12:07 pm

Re: Content filtering proxy service

I am not sure if it can be completely fixed. I usually implement egress filtering at the firewall that only permits traffic from certain hosts. With proxies, centralized email servers, etc., the users don't really need to leave the firewall. The server makes the request for them. For those that need more connectivity and are trusted, I make exceptions in the firewall.
~~~~~~~~~~~~~~
Ketchup
<<

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Fri May 14, 2010 12:15 pm

Re: Content filtering proxy service

I don't think you can filter out all tunneling. You need to develop a solid outbound access policy. For HTTP tunneling, regularly check the logs and block the relay server. Check for CONNECT requests to odd ports, etc.

Edit: Ketchup beat me to it.
Last edited by Xen on Fri May 14, 2010 12:18 pm, edited 1 time in total.
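
The log check suggested in the post above, as an added example that is not part of the original thread: it scans Squid's native `access.log` format for CONNECT requests to ports outside an allowed set and totals them per client and destination. The sample lines and the allowed-port policy are constructed assumptions.

```python
from collections import defaultdict

ALLOWED_CONNECT_PORTS = {443}  # assumption: policy only expects HTTPS tunnels

# Constructed sample lines in Squid's native access.log layout:
# time elapsed_ms client result/status bytes method URL ident peer type
SAMPLE_LOG = """\
1273831200.101    812 10.0.0.23 TCP_MISS/200 48211 CONNECT mail.example.com:443 - DIRECT/192.0.2.10 -
1273831205.440  95120 10.0.0.41 TCP_MISS/200 7340021 CONNECT relay.example.net:22 - DIRECT/198.51.100.7 -
1273831207.002     95 10.0.0.23 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html
1273831300.917 120433 10.0.0.41 TCP_MISS/200 9120044 CONNECT relay.example.net:22 - DIRECT/198.51.100.7 -
1273831312.555     12 10.0.0.57 TCP_DENIED/403 1410 CONNECT 203.0.113.9:8443 - NONE/- text/html
"""

def parse_connect(line):
    """Return a dict for a CONNECT entry, or None for any other line."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    host, _, port = f[6].rpartition(":")  # CONNECT targets are host:port
    if not port.isdigit():
        return None
    return {"client": f[2], "result": f[3], "bytes": int(f[4]),
            "host": host, "port": int(port)}

def odd_port_connects(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """Total CONNECTs to non-allowed ports per (client, host, port)."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0, "denied": 0})
    for line in log_text.splitlines():
        e = parse_connect(line)
        if e is None or e["port"] in allowed:
            continue
        s = summary[(e["client"], e["host"], e["port"])]
        s["count"] += 1
        s["bytes"] += e["bytes"]
        # Denied attempts still matter: they show a client probing the policy.
        s["denied"] += int(e["result"].startswith("TCP_DENIED"))
    return dict(summary)

if __name__ == "__main__":
    for (client, host, port), s in sorted(odd_port_connects(SAMPLE_LOG).items()):
        print(f"{client} -> {host}:{port} requests={s['count']} "
              f"bytes={s['bytes']} denied={s['denied']}")
```

Repeated, high-volume tunnels from one client to one destination are the entries to review first as candidate relay servers.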
<<

xFrosty

Newbie

Posts: 14

Joined: Wed May 12, 2010 1:59 pm

Post Fri May 14, 2010 1:02 pm

Re: Content filtering proxy service

I forgot to mention that it blocks all the ports except for the allowed ones unless the Administrator sets it
<<

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sat May 15, 2010 10:57 am

Re: Content filtering proxy service

The only option I can think of (or find) right now is to block HTTP CONNECT to all websites except the valid ones. Like I previously stated, you'll need to develop strong outbound access rules. If HTTPS is allowed to random sites users can always find a way to bypass the firewall.
If blocking access to all sites is not feasible then you can use various addons with squid to blacklist 'improper' websites. You can easily find a large number of URL blacklists.
<<

xFrosty

Newbie

Posts: 14

Joined: Wed May 12, 2010 1:59 pm

Post Sat May 15, 2010 11:23 am

Re: Content filtering proxy service

there already is a blacklist system (a huge paid blacklist that is updated daily)
and thanks for the comments!

do you think that username:password@bannedurl.com would trick the url detection?
if not, would whitelistedurl.mydomain.com be unbannable? (I mean making a sub-domain named after a white listed url)
<<

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sat May 15, 2010 11:39 am

Re: Content filtering proxy service

I'm not sure about it. But I think that in the conflict of whitelist and blacklist, blacklist always wins. But in this case I think that squid shouldn't block whitelistedurl.mydomain.com unless you've added *mydomain.com in the blacklist. Someone more experienced should help here. However, I found links that might be helpful to you.
http://marc.info/?l=squidguard&m=108285256707491
http://marc.info/?l=squidguard&m=108260329925644&w=2
<<

xFrosty

Newbie

Posts: 14

Joined: Wed May 12, 2010 1:59 pm

Post Sat May 15, 2010 12:45 pm

Re: Content filtering proxy service

Thank you!
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat May 15, 2010 2:03 pm

Re: Content filtering proxy service

I haven't played with squid much, but typically if you have something white listed it'll get checked before the black list and always be allowed through.

I'm basing this off firewalls (iptables, ipchains, and Cisco ASA), where the allowed traffic usually comes before the deny all statement at the end.

So as far as I understand it, you can have allowed.domain.com in the white list, and *.domain.com in the black list, but you should still be able to get to allowed.domain.com.

I could be wrong. Like I said I'm basing this off my firewall knowledge and applying proxy filters to that.

squid example: unfiltered adults, white listed kids, deny everything else
OSWP, Sec+
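
The two URL questions and the whitelist/blacklist ordering discussed in the posts above, as an added example that is not from the thread and is not Squid or DansGuardian code: a filter should match on the parsed host (ignoring anything before `@`) and on whole domain labels, with the list precedence made an explicit setting. The list contents and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed lists (assumptions, using reserved .example names)
WHITELIST = {"school.example", "allowed.blocked.example"}
BLACKLIST = {"banned.example", "blocked.example"}

def request_host(url):
    """Host the request really goes to; text before '@' is only userinfo."""
    host = urlsplit(url).hostname  # lowercased, userinfo and port removed
    return host.rstrip(".") if host else None

def in_list(host, domains):
    """True if host is a listed domain or a subdomain of one.
    Compares whole labels from the right, never substrings or prefixes."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def decide(url, whitelist=WHITELIST, blacklist=BLACKLIST, whitelist_first=True):
    """Return 'allow', 'deny', or 'unlisted' (left to other checks)."""
    host = request_host(url)
    if host is None:
        return "deny"  # no parseable host: refuse rather than guess
    white, black = in_list(host, whitelist), in_list(host, blacklist)
    if white and black:
        # The ordering question from the thread, as an explicit policy switch.
        return "allow" if whitelist_first else "deny"
    if white:
        return "allow"
    return "deny" if black else "unlisted"

if __name__ == "__main__":
    for u in ("http://user:pass@banned.example/",
              "http://school.example@banned.example/",
              "http://school.example.banned.example/",
              "http://www.school.example/",
              "http://allowed.blocked.example/"):
        print(f"{u:45} {request_host(u):32} {decide(u)}")
```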