Vadim Pushkin wrote:
> I am using a Java ssh client, which allows me to set an http proxy.
> Going against that, I am able to reach outside my network. My
> firewall rules are such as to not allow outbound ssh, nor is there any
> routing for same.
Ok, but then it is http traffic as far as squid is concerned. You cannot
avoid that by configuration. There is -IMHO- no easy way to prevent
tunneling other protocols through the proxy, short of analyzing the
packets. There is a good article on the security implications of this in
http://www.heise.de/security/artikel/print/43716
Sadly, it is in German, but I know of no other comprehensive
presentation of the problem.
One thing they suggest is disabling name resolution for the normal
clients as this is done by the proxy. So they would have a harder job
reaching anything on the outside but if the attacker knows the IP he
gets through. I am not sure if intrusion prevention systems can decode
such tunnel traffic and inspect it.
Jakob Curdes
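As an added example (not part of the thread above, and not Squid's own code), the following script shows what a defender can do with the proxy's own logs even though the tunnel payload itself is opaque. It parses Squid's native access.log format and flags CONNECT requests that look like the ssh-over-proxy case Vadim describes: CONNECT to a port other than 443, CONNECT to a bare IP address (which is exactly what a client does once name resolution has been disabled for workstations and it already knows the target IP), and tunnels held open for a long time. The log lines, the client addresses, the 10-minute threshold and the allowed-port set are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Squid native access.log layout (one line per request):
# time elapsed_ms client status/code bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

ALLOWED_CONNECT_PORTS = {443}     # ports a browser legitimately needs CONNECT for (assumption)
LONG_TUNNEL_MS = 10 * 60 * 1000   # flag tunnels open for 10 minutes or more (assumption)


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def connect_target(url):
    """Split the 'host:port' of a CONNECT request into (host, port)."""
    host, sep, port = url.rpartition(":")
    if not sep:
        return url, None
    return host, int(port) if port.isdigit() else None


def findings_for(rec):
    """Return the reasons a single CONNECT record looks like a non-HTTPS tunnel."""
    if rec is None or rec["method"] != "CONNECT":
        return []
    host, port = connect_target(rec["url"])
    reasons = []
    if port not in ALLOWED_CONNECT_PORTS:
        reasons.append(f"CONNECT to non-HTTPS port {port}")
    if IPV4_RE.match(host):
        reasons.append("CONNECT to bare IP (client did not need the proxy's name resolution)")
    if rec["elapsed"] >= LONG_TUNNEL_MS:
        reasons.append(f"tunnel held open {rec['elapsed'] // 1000}s")
    return reasons


def scan(lines):
    """Return {client: [(url, [reasons]), ...]} for every suspicious CONNECT in the log."""
    report = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        reasons = findings_for(rec)
        if reasons:
            report[rec["client"]].append((rec["url"], reasons))
    return dict(report)


# Constructed sample log lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
1100000000.001   1200 10.0.0.5 TCP_TUNNEL/200 48211 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1100000000.002 905000 10.0.0.7 TCP_TUNNEL/200 913377 CONNECT 203.0.113.9:22 - HIER_DIRECT/203.0.113.9 -
1100000000.003    300 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1100000000.004  61000 10.0.0.8 TCP_TUNNEL/200 20000 CONNECT mail.example.net:993 - HIER_DIRECT/198.51.100.4 -
""".splitlines()

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        for url, reasons in hits:
            print(f"{client} -> {url}: {'; '.join(reasons)}")
```

On the sample data the ssh tunnel from 10.0.0.7 trips all three checks, while the ordinary HTTPS CONNECT from 10.0.0.5 is left alone; the IMAPS connection from 10.0.0.8 is flagged only for its port, which is where ALLOWED_CONNECT_PORTS has to be tuned to local policy. The port check complements Squid's standard `http_access deny CONNECT !SSL_ports` ACL, but as Jakob says, neither tells you anything about what is inside a tunnel to port 443, so the IP and duration heuristics are what remain when the target is an ssh daemon listening on 443.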