RE: [FW1] http tunneling
Just an idea: If the HTTP tunneling software does not hit the proxy on port 80, then you could place a firewall between the users and the proxy. Sandwiching the proxy between 2 firewalls -

Internet----Firewall1---Proxy---Firewall2---Users

Then just allow port 80 requests to the IP(s) of the Proxy in Firewall2, or deny whatever port the tunneling software is using. Of course if the software is using port 80 just disregard this email.

HTH,
Alex

-----Original Message-----
From: Jesus Calvo Hernandez [mailto:[email protected]]
Sent: Friday, May 04, 2001 4:57 AM
To: [email protected]
Cc: FW1-MailingList (E-mail)
Subject: Re: [FW1] http tunneling

Hi Juan

Thanks for your help, but the problem is that http tunnel software links directly to the proxy server, which is BEFORE the firewall, so this rule never would be applied, as it is the proxy making legitimate http requests to the internet who hides internally on http packets other non-legitimate requests.

What is needed I think is a way to look into the packets to separate those who have legitimate http requests from other non-legitimate packets embedded on http requests.

Best regards

Jesus Calvo

----- Original Message -----
From: "Juan" <[email protected]>
To: "Jesus Calvo Hernandez" <[email protected]>
Sent: Saturday, May 05, 2001 1:45 AM
Subject: Re: [FW1] http tunneling

You need to find out what protocol their software uses, create a service with those specific ports, next you want to create a rule above the one allowing them outbound access. It will read:

Src: Internal Network
Dst: Any
Service: Tunneling software
Action: Drop
Track: Long (temporarily while you make sure it works)

Mind you this is if you definitely want to kill that software that they are using to tunnel outbound.

Just an idea.
--
JUAN CONCEPCION
Network Consultant
CCSA/CCSE
[email protected]

On 2001.05.03 05:52 Jesus Calvo Hernandez wrote:
> Hi everybody
>
> Currently I'm facing problems with the fact that our internal users have
> got http tunnel software installed on their pcs, so they use our proxy
> server for more things than it has to be. Concretely with this software
> they convert their pcs into a socks client which contact a socks server
> outside our network, from where they can do almost whatever they want,
> and which is forbidden by the firewall any other way.
>
> Anyone knows how to crop this out on the firewall (any uri resource or
> whatever) so that only http legitimate requests are relayed by the
> proxy?
>
> Any help would be a great advantage and greatly appreciated.
>
> Best regards to all
>
> Jesus Calvo
>
> ------------------------------------------------------------------
> This email is confidential and intended solely for the use of the
> individual to whom it is addressed. Any views or opinions presented are
> solely those of the author and do not necessarily represent those of Sema
> Group.
> If you are not the intended recipient, be advised that you have received
> this email in error and that any use, dissemination, forwarding,
> printing, or copying of this email is strictly prohibited.
> ------------------------------------------------------------------

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
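
The two rule-based suggestions in this thread, as an added example that is not part of the original messages: a first-match model of Juan's drop rule and Alex's Firewall2 policy, run over three constructed flows. The addresses, the tunnel port 1080, the rule names and the simplified topology are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Every address, port and name here is constructed for illustration.
ANY, INTERNAL, PROXY = "0.0.0.0/0", "10.0.0.0/8", "192.0.2.10/32"
TUNNEL_PORT = 1080  # assumed port of the tunneling service Juan would define

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    port: Optional[int]  # None matches any port
    action: str

# Juan: a drop rule for the tunneling service above the outbound-accept rule.
JUAN = [Rule("drop tunnel service", INTERNAL, ANY, TUNNEL_PORT, "drop"),
        Rule("outbound access", INTERNAL, ANY, None, "accept")]
# Alex: Firewall2 (Users side) only lets clients reach the proxy on port 80.
ALEX_FW2 = [Rule("users to proxy", INTERNAL, PROXY, 80, "accept")]

def evaluate(rules, src, dst, port):
    """First matching rule wins; unmatched traffic hits the implicit drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "drop"

# Constructed flows: (description, source, destination, destination port).
FLOWS = [("browser via proxy", "10.1.1.5", "192.0.2.10", 80),
         ("tunnel client direct to outside server", "10.1.1.6", "203.0.113.5", 1080),
         ("tunnel client via proxy", "10.1.1.6", "192.0.2.10", 80)]

def verdicts(rules):
    """Return {flow description: action} for one rule base."""
    return {desc: evaluate(rules, s, d, p) for desc, s, d, p in FLOWS}

if __name__ == "__main__":
    for label, rules in (("Juan", JUAN), ("Alex FW2", ALEX_FW2)):
        for desc, verdict in verdicts(rules).items():
            print(f"{label:9} {desc:40} {verdict}")
```

Both rule bases stop the direct connection but accept the tunnel that rides the proxy on port 80, because at the address and port level it is identical to the browser flow; that is the case Jesus raises and the reason he asks for inspection of the HTTP content itself.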