Vulnerability Development mailing list archives
Re: N2H2 Web Proxy/Filter appliance
From: rhill () DUNCANVILLE K12 TX US (Richard Hill)
Date: Sun, 18 Jun 2000 10:01:51 -0500
We have the N2H2 proxy server at our High School, mpow. The thing is a piece of crap; most sites that are already blocked are blocked by name only, i.e. chat.yahoo.com is blocked, but if you do an nslookup or a ping and get its IP address and stick that in your browser it goes right through the proxy server and Boom, you have your chat. Now www.playb0y.com is blocked by both, but most new sites and less popular sites are blocked by name only. It would be impossible to keep up with all the IPs of every site you wanted blocked and enter them into the POS along with the names. I called N2H2 about this little problem and they thanked me and told me that it was now on their directors' level and there was nothing more they could help me with. As of yet I have not seen a fix.

-----Original Message-----
From: Blue Boar
To: VULN-DEV () SECURITYFOCUS COM
Sent: 6/17/00 3:27 PM
Subject: Re: N2H2 Web Proxy/Filter appliance

OK, I appreciate everyone's point on the topic. I would like to avoid people trying to convince other people to not do something if possible, though it's fine to point out why something is a problem. I agree with both parties... it is impossible to keep people from getting out... if they're clever enough. Any protocol can be tunneled over any other, as long as it's not timing sensitive. It's also fair to take into account your users' level of expertise, and what the value of what you're trying to protect is. I certainly wouldn't tell someone that it's OK to connect one's classified net to the Internet via a proxy, because you could keep them from going where they want. That's not going to fly. It is certainly worth noting that proxies won't keep most of the people who subscribe to this list from getting their pr0n. However, if you're talking about high school kids (and the fact that he's probably trying to comply with some ridiculous censorship requirement) then this setup is probably adequate, to meet the requirements.

If some kid is smart enough to arrange with an outside tunnel endpoint, and if they catch him, they'll nail him with some totalitarian high school anti-hacker rule, and make his life miserable (not that I have an opinion on the subject :) ). If they don't catch him, well then it doesn't matter, does it? The guy has fulfilled his due diligence, and as far as anyone knows, it's effective. The guy obviously knows about doing various types of baselines to catch changes... but he never said he was going to. Again, he may not actually want to catch policy violators. Though, if that's the case, I'm sure he can't comment on it here. In fact, he never said he wasn't a student trying to get pr0n from the high school comp lab.

For folks who actually want to detect this sort of thing, you put in an IDS or some sort of burglar alarm mechanism, and you don't tell anyone about it. No, this isn't security through obscurity. IDS and burglar alarms are there to detect when your protection (or in this case, policy) has already been violated. In most cases, if people know the details of alarms, they are easily bypassed. So for example, if you alarm on one machine making 100 times more DNS requests, that will likely do the job. If I know DNS is being watched for, I use ICMP instead, etc.

BB
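Blue Boar's suggestion of alarming when one machine makes 100 times more DNS requests than the others, written out as a small detector. This is an added example, not code from the thread or from N2H2; it assumes a BIND-style query log line format and constructs its own sample log (three quiet clients, one noisy one), so it runs offline.

```python
import re
from collections import Counter
from statistics import median

# BIND-style "query:" log line; the exact format is an assumption for this example.
LINE_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def build_sample_log():
    """Constructed resolver log: three quiet clients (5 queries each) and one noisy client (800)."""
    lines = []
    for i, ip in enumerate(["10.1.1.10", "10.1.1.11", "10.1.1.12"]):
        for j in range(5):
            lines.append(f"Jun 18 09:0{i}:{j:02d} ns1 named[123]: client {ip}#5{i}{j:02d}: "
                         f"query: site{j}.example.edu IN A")
    for j in range(800):
        lines.append(f"Jun 18 09:05:{j % 60:02d} ns1 named[123]: client 10.1.1.20#{40000 + j}: "
                     f"query: q{j}.example.net IN TXT")
    return "\n".join(lines)


def count_queries(log_text):
    """Count DNS queries per client IP; lines that do not match the format are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def find_outliers(counts, factor=100, min_queries=50):
    """Flag clients whose count exceeds `factor` times the median of all other clients.

    The median of the *other* clients is the baseline, so one loud host cannot
    hide itself by dragging the baseline up. `min_queries` avoids alarming on a
    nearly idle network where 1 vs 0 queries would be a "100x" jump.
    """
    flagged = {}
    for ip, n in counts.items():
        others = [c for other_ip, c in counts.items() if other_ip != ip]
        if not others:
            continue
        baseline = max(median(others), 1)
        if n >= min_queries and n > factor * baseline:
            flagged[ip] = n
    return flagged


if __name__ == "__main__":
    print(find_outliers(count_queries(build_sample_log())))  # {'10.1.1.20': 800}
```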