On 20/03/2012 8:23 p.m., Maqsood Ahmad wrote:
> Hi all
> Is there any way or ACL example through which I can block HTTP tunnel software?
> One more thing, we are running time-based ACLs and one of our users has full-time access. He is running a proxy on his system through which he allows internet access to those users who are blocked in our ACL.
> Is there any way we can block this?
Assuming that you have already tried reporting this to your management
and had them apply the usage policy for people violating it (you have one
of those, right?)
Given the proper permissions have been given, you can be mean, evil, very
evil or a BOFH.
mean: rate-limit his traffic, or bump him into the time-limited group.
evil: connection-count limit his traffic. One browser on defaults makes
no more than 6 connections to a proxy at once, and can operate fine with
less.
very evil: rate-limit with random connection aborting on a low threshold
for disconnect.
BOFH: SSL-bump his connections. Then filter or ACL process the decrypted
traffic.
NOTE: be sure you have your management's permission to do this, and
your country allows you the legal right to do so on this network. Some
countries ban it outright, and some permit corporate and home
environments to manage their own staff security. Doing it on
public-access networks is almost never permitted and doesn't work anyway.
Bonus: all his non-HTTPS tunnelled traffic will break. Squid does not
support non-HTTP inbound protocols. And if you can identify the original
users' requests you should be able to apply the proper time-based limits
on them despite their attempt to avoid them, voiding the benefit he offers.
** I am interested to know if and how easy you find it to spot
individual users' requests and apply ACLs to them inside the decrypted
CONNECT streams.
Amos
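The "mean" and "evil" options above, together with the time-based ACL the original poster already runs, map onto a handful of squid.conf directives. The fragment below is an added illustration and is not configuration from either participant; the subnet, the host address of the user running the private proxy, the working hours and the rate figures are all constructed placeholders. It shows the time-based restriction, a per-client connection cap via a `maxconn` ACL, and a per-client rate limit via a class 2 delay pool.

```conf
# --- time-based access (the restriction the poster already has) ---
# Day letters: S M T W H F A (Sunday .. Saturday); times are local to Squid.
acl work_hours time MTWHF 08:00-18:00
acl restricted_users src 192.168.10.0/24      # constructed subnet

# --- the user offering a private proxy to others (constructed address) ---
acl relay_host src 192.168.10.57

# --- "evil": connection-count limit ---
# maxconn matches once the client IP already holds MORE than N open
# connections; a default browser needs at most ~6 to the proxy.
acl too_many_conns maxconn 6

http_access deny relay_host too_many_conns
http_access deny restricted_users !work_hours
# ... the site's normal http_access rules follow here ...

# --- "mean": rate-limit only the relay host ---
# Class 2 pool: aggregate bucket (unrestricted here) + one bucket per client IP.
# Parameters are restore-rate/maximum in bytes per second / bytes.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 8000/8000            # ~64 kbit/s per client IP
delay_access 1 allow relay_host
delay_access 1 deny all
```

Order matters: the `deny` lines must sit above any broader `allow` in `http_access`, since Squid stops at the first matching rule. The `maxconn` ACL depends on Squid's per-client database (`client_db on`, which is the default). The "BOFH" option, SSL-bump, is left out because its directive syntax changed across Squid releases and the right form depends on the version in use.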