On 4/5/06, Jakob Curdes <jc@xxxxxxxxxxxxxxx> wrote:
> Henrik Nordstrom wrote:
> >Note: The suggested default rules restrict CONNECT to only two well
> >known SSL ports for good reasons..
> >
> OK, but still this does not prevent the scenario of people connecting
> via the proxy to an ssh server running on port 443.
> Actually if you look around a bit it seems that half the school kids and
> university students use similar setups to connect to their home PCs from
> inside the institution.
>
> To block this, a small inspector that checks the incoming proxy ssl
> traffic if it is really ssl would be enough. I wonder if anybody has
> written such a thing already?

That can be done, but then the escape artists just make their tunnel a little smarter and run it underneath TLS, and you are back at square one.

Several commercial products solve this by actively intercepting and unwrapping the SSL, inspecting the certificates and the contents, and blocking/alerting based on both bad certificates and bad protocols inside the SSL.

It's more effective to publish a "Thou Shalt Not" policy, wait about a week, then manually discover the top two or three offenders and (Terminate|Expel|Prosecute|Court Martial) them. Repeat until the problem goes away, or at least becomes very well hidden.

Kevin
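The "is it really SSL" inspector discussed in this thread, as an added example that is not code from the thread or from Squid. It assumes the proxy can peek at the first bytes the client sends after the CONNECT is accepted (a hypothetical hook; Squid's own ACL machinery is not used here), and it builds its own sample inputs: a constructed OpenSSH banner and a constructed minimal ClientHello. The check distinguishes a raw ssh session on port 443 from a TLS handshake, and additionally compares the ClientHello SNI against the CONNECT host. It also illustrates the point made in the reply: a tunnel that is itself wrapped in TLS emits a perfectly valid ClientHello and passes this check, so only interception and inspection of the decrypted contents would catch it.

```python
import os
import struct
from enum import Enum


class Verdict(Enum):
    TLS_CLIENT_HELLO = "tls-client-hello"
    SSH_BANNER = "ssh-banner"
    UNKNOWN = "unknown"


def classify_first_bytes(data: bytes) -> Verdict:
    """Classify the first client bytes after a proxy CONNECT (heuristic)."""
    # SSH: the protocol identification string (RFC 4253) begins with "SSH-".
    if data.startswith(b"SSH-"):
        return Verdict.SSH_BANNER
    # TLS: record header = content type 0x16 (handshake), version 0x03 0x0X,
    # 2-byte length; first handshake message type must be 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        if data[5] == 0x01 and 4 <= record_len <= 16384:
            return Verdict.TLS_CLIENT_HELLO
    return Verdict.UNKNOWN


def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None (minimal parser)."""
    if classify_first_bytes(record) is not Verdict.TLS_CLIENT_HELLO:
        return None
    p = 5 + 4                                    # record header + handshake header
    p += 2 + 32                                  # client_version + random
    p += 1 + record[p]                           # session_id
    p += 2 + int.from_bytes(record[p:p + 2], "big")  # cipher_suites
    p += 1 + record[p]                           # compression_methods
    if p + 2 > len(record):
        return None
    ext_end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        etype = int.from_bytes(record[p:p + 2], "big")
        elen = int.from_bytes(record[p + 2:p + 4], "big")
        p += 4
        if etype == 0:  # server_name: list len (2), name type (1), name len (2), name
            name_len = int.from_bytes(record[p + 3:p + 5], "big")
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None


def connect_allowed(connect_host: str, first_bytes: bytes) -> bool:
    """Policy: allow the CONNECT only if the client immediately speaks TLS
    and its SNI names the same host it asked the proxy to CONNECT to."""
    if classify_first_bytes(first_bytes) is not Verdict.TLS_CLIENT_HELLO:
        return False
    sni = extract_sni(first_bytes)
    return sni is not None and sni.lower() == connect_host.lower()


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal, well-formed ClientHello record (constructed sample input)."""
    host = sni.encode()
    server_name_list = struct.pack("!BH", 0, len(host)) + host       # name_type 0 = host_name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0, len(sni_ext_body)) + sni_ext_body  # ext type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2 legacy value)
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: what a raw ssh client sends, versus what a TLS client
# (or an ssh tunnel wrapped in TLS, e.g. via stunnel) sends first.
SSH_BANNER = b"SSH-2.0-OpenSSH_4.3\r\n"
TLS_WRAPPED_TUNNEL = build_client_hello("home.example.org")

if __name__ == "__main__":
    print("raw ssh on 443   ->", connect_allowed("home.example.org", SSH_BANNER))
    # The TLS-wrapped tunnel passes: the ClientHello is genuine and the SNI matches.
    print("ssh inside TLS   ->", connect_allowed("home.example.org", TLS_WRAPPED_TUNNEL))
```

The SNI comparison catches a client that CONNECTs to one host and handshakes with another, but nothing here looks inside the encrypted channel, which is exactly why the second case above is allowed.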