Home page logo

basics logo Security Basics mailing list archives

Re: Proxy Port detection
From: Alexander Klimov <alserkli () inbox ru>
Date: Thu, 23 Dec 2004 17:53:44 +0200 (IST)

On Wed, 22 Dec 2004, John Madden wrote:
In our enterprise we have URL filtering capabilities and we restrict the usual
sites (Porn, Sports, Gambling etc..)

We do not use a proxy, so everyone goes directly to the internet.

Curiously, how do you filter URLs without a proxy?

I believe that some users put in their proxy settings
an anonymous proxy using port 80 (which is obviously
allowed) and in that manner avoid the restriction of
the URL filtering.

First thoughts:

- Blocking all the anonymous proxy is imposible and
would be a full time job
- The use of a proxy is not an option right now

If it is not an option only because you do not want to force everybody to change
their web browsers setups you can use transparent proxy.

Is there any way to detect this type of traffic (HTTP-Proxy) ?

If the following request

GET /url HTTP/1.1
Host: some.host.name

was sent to IP a.b.c.d which does not belong to some.host.name it is likely that
a.b.c.d hosts a proxy. But since DNS can report differnt IPs for the same
domain it's not that easy to check if an IP serves some particular domain.

Note that if you allow encrypted connections (https) you can't inspect their
contents. Also if your user has a webserver A outside they can setup it to make
a request on behalve of the user with a translation of urls, e.g., http://B/url
is encoded as http://A/B,port/url, A sends request to B and sends the reply to
your user (and change all embeded urls). A can also encode all documents (with
an embeded JavaScript to auto-decode) to avoid content filtering. So, you should
consider how far you want to go into these troubles with rather marginal ROI
into enforcing the policy.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]