Vulnerability Development mailing list archives

Re: N2H2 Web Proxy/Filter appliance


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Sat, 17 Jun 2000 13:27:17 -0700


OK, I appreciate everyone's point on the topic.  I would like to avoid
people trying to convince other people to not do something if possible,
though it's fine to point out why something is a problem.

I agree with both parties... it is impossible to keep people from
getting out... if they're clever enough.  Any protocol can be tunneled
over any other, as long as it's not timing sensitive.

It's also fair to take into account your users' level of expertise,
and what the value of what you're trying to protect is.  I certainly
wouldn't tell someone that it's OK to connect one's classified net
to the Internet via a proxy, because you could keep them from going where
they want.  That's not going to fly.  It is certainly worth noting that
proxies won't keep most of the people who subscribe to this list
from getting their pr0n.

However, if you're talking about high school kids (and the fact that he's
probably trying to comply with some ridiculous censorship requirement)
then this setup is probably adequate, to meet the requirements.  If some
kid is smart enough to arrange with an outside tunnel endpoint, and
if they catch him, they'll nail him with some totalitarian high school
anti-hacker rule, and make his life miserable (not that I have an
opinion on the subject :) ).  If they don't catch him, well then it doesn't
matter, does it?  The guy has fulfilled his due diligence, and as far
as anyone knows, it's effective.

The guy obviously knows about doing various types of baselines to catch
changes... but he never said he was going to.  Again, he may not actually
want to catch policy violators.  Though, if that's the case, I'm sure he
can't comment on it here.  In fact, he never said he wasn't a student
trying to get pr0n from the high school comp lab.

For folks who actually want to detect this sort of thing, you put in an
IDS or some sort of burglar alarm mechanism, and you don't tell anyone
about it.  No, this isn't security through obscurity.  IDS and burglar
alarms are there to detect when your protection (or in this case, policy)
has already been violated.  In most cases, if people know the details of
alarms, they are easily bypassed.  So for example, if you alarm on one
machine making 100 times more DNS requests, that will likely do the job.
If I know DNS is being watched for, I use ICMP instead, etc.

                                        BB
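
The "alarm on one machine making 100 times more DNS requests" idea from the post above, as an added example that is not part of the original message or any N2H2 product: it counts queries per client from resolver-style log lines (a constructed line format, not any particular resolver's), takes the median host as the baseline, and flags hosts above 100x that baseline. The sample log is constructed inline.

```python
"""Flag hosts whose DNS query volume is far above the lab's baseline.

Assumes one log line per query, whitespace separated:
  <timestamp> <client_ip> <qname> <qtype>
(a constructed format for this example, not any particular resolver's).
"""
from collections import Counter
from statistics import median


def count_queries(log_lines):
    """Return {client_ip: number of DNS queries} for the given log lines."""
    counts = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or blank lines
        counts[fields[1]] += 1
    return counts


def find_noisy_hosts(counts, factor=100):
    """Return hosts querying more than `factor` times the median host.

    The median host is the baseline for a normal client; the 100x
    threshold follows the figure used in the post.
    """
    if not counts:
        return {}
    threshold = median(counts.values()) * factor
    return {ip: n for ip, n in counts.items() if n > threshold}


def build_sample_log():
    """Constructed sample: 30 ordinary lab machines making 3 to 8 lookups
    each, plus one machine pushing 700 lookups of ever-changing names."""
    lines = []
    for i in range(30):
        for q in range(3 + i % 6):
            lines.append(f"2000-06-17T13:{q:02d}:00 10.0.5.{i + 1} site{q}.example.edu A")
    for q in range(700):
        lines.append(f"2000-06-17T13:05:{q % 60:02d} 10.0.5.99 c{q}.tunnel.example.net TXT")
    return lines


if __name__ == "__main__":
    for ip, n in find_noisy_hosts(count_queries(build_sample_log())).items():
        print(f"ALERT {ip}: {n} DNS queries, far above the lab baseline")
```

A fixed multiplier like this is easy to tune around by anyone who knows it, which is the post's point about not publishing alarm details; the baseline also shifts with class schedules, so recompute it per period rather than once.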

