Hi.

Depending on the tunnelware in use, it may not be possible to block the traffic, as it is perfectly valid HTTP traffic and therefore may not have a signature that RS can use.

Rather than *block-prohibited*, why not change to an *allow-permitted* methodology...? There are products available (WebSense is one) that will allow a network admin to only allow network traffic to certain legitimate sites (such as research, information, news) and block inappropriate sites (such as porn, sport, hate, etc.). The URL database is updated with new info at least once a day with new sites. This way, you reduce employee abuse and are able to allow free surfing to allowed categories.

<vestedinterest> BTW, Allasso sell and support WebSense. There *are* other products out there, however. </vestedinterest>

This is really a human problem, and a technical solution (of any kind) is not going to give a 100% fix. For a human problem, find a human fix. Write an acceptable use policy and say that it is gross misconduct to use an HTTP tunnel. Get everyone to sign it. Remind them regularly (once every 2-3 months) and fire anyone who disobeys. There might be one or two firings, but once you have sacked them, the news will get around and it will stop.

In IT security you often need to combine technical and human solutions.

Hope this is helpful.

Kind Regards,

Jon Paine
Technical Lead
Allasso European Support Centre
SMTP - mailto:support@allasso.com
WEB - http://support.allasso.com
Tel. 0870 366 8533 (+44 118 971 1533)
Fax. 0870 366 8544 (+44 118 971 1544)
PGP Fingerprint: ADD3 07AC ED47 292A BF61 E124 E81F 9249 7AD9 6E0C

> -----Original Message-----
> From: Mokkapati Rao Venkat [mailto:mvenkat@vanenburg.com]
> Sent: 18 October 2002 04:12
> To: '[EMAIL PROTECTED]'
> Cc: 'Rob Rosenberger'
> Subject: RE: [ISSForum] Http tunneling
>
> Hi,
>
> I need a solution wherein I should be able to configure my firewall/IDS in
> such a way that HTTP tunnels using port 80 are dropped and all the rest
> of the HTTP traffic is allowed. In our company everybody has internet
> access. Port 80 is enabled by default, which has to be checked. First of
> all, is it possible to block HTTP tunnels with ISS network sensor?
>
> Thanks
>
> Regards
>
> Venkat
>
> -----Original Message-----
> From: Rob Rosenberger [mailto:junkmail@barnowl.com]
> Sent: Thursday, October 17, 2002 9:55 PM
> To: Mokkapati Rao Venkat
> Subject: RE: [ISSForum] Http tunneling
>
> >> Does anybody know how to block HTTP tunneling? Can we configure ISS
> >> network sensor to do that?
>
> You can use any port to tunnel HTTP, including port 80 itself (as
> Anonymizer.com does). I usually tunnel HTTP through ports 22 and 80, but
> I've also used ports 21, 23, 25, 79, 81, 3128(!), 8000, 8001, and 8080. In
> the future, I might use ports 5517 and 5518 to cover my tracks.
>
> If you just want to take a stab at it, then you should at least block ports
> 22 & 3128 and then block any outbound HTTP connections to a short list of
> well-known secure proxy sites like Anonymizer.com.
>
> If you really want to block HTTP tunneling, then you may need to block every
> single outbound port as the {ahem} "obvious and easiest" solution. Don't
> throw out this idea as stupid! If your company treats the Internet as an
> employee privilege, not an employee expectation, then you could possibly
> implement a strong policy of "deny unless allowed."
> If employees want HTTP access, they'd need to justify it, else they can
> roam only within the confines of your Intranet.
>
> Hope this insight helps.
>
> Rob
>
> _______________________________________________
> ISSForum mailing list
> [EMAIL PROTECTED]

Allasso Ltd
Theale House, Brunel Road, Theale, Berkshire RG7 4AQ UK
T: +44 118 971 1511 F: +44 118 971 1522
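A worked illustration of the two controls the replies above recommend: Rob's "deny unless allowed" outbound firewall policy and Jon's allow-permitted URL category filtering. This is added example code, not from the thread, and not code belonging to Allasso, WebSense or ISS; the allow-list addresses, the hostnames, the category database and the firewall log lines are all constructed for the example.

```python
"""Allow-permitted egress control (added example, not from the thread).

Two controls are modelled:
  1. a default-deny outbound firewall ("deny unless allowed"): LAN hosts may
     only reach an explicit list of internal services, so a tunnel to an
     external host on 22, 80, 3128 or any other port is dropped without the
     IDS needing an HTTP-tunnel signature;
  2. a category-based URL filter at the proxy (allow-permitted): only
     approved categories are served and uncategorised sites are denied.
All addresses, hostnames, categories and log lines below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allow list: the only (destination, port) pairs LAN hosts may
# reach directly. Web access is forced through the proxy entry.
EGRESS_ALLOW = {
    ("10.0.0.2", 3128),  # hypothetical internal web proxy
    ("10.0.0.3", 53),    # hypothetical internal DNS resolver
    ("10.0.0.4", 25),    # hypothetical internal mail relay
}

# Constructed stand-in for a vendor URL-category feed.
URL_CATEGORIES = {
    "www.example.org": "news",
    "research.example.edu": "research",
    "anonymizer.example": "anonymizing-proxy",
    "bets.example": "sport",
}
PERMITTED_CATEGORIES = {"news", "research", "information"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def egress_decision(dst_ip: str, dst_port: int) -> Decision:
    """Firewall rule evaluation: explicit allow list, everything else denied."""
    if (dst_ip, dst_port) in EGRESS_ALLOW:
        return Decision(True, f"explicit allow {dst_ip}:{dst_port}")
    return Decision(False, f"default deny {dst_ip}:{dst_port}")


def url_decision(url: str) -> Decision:
    """Proxy-side category check: permit listed categories, deny the rest."""
    host = (urlparse(url).hostname or "").lower()
    category = URL_CATEGORIES.get(host)
    if category is None:
        # Allow-permitted: an uncategorised site is denied until classified.
        return Decision(False, f"uncategorised host {host!r}")
    if category in PERMITTED_CATEGORIES:
        return Decision(True, f"category {category} permitted")
    return Decision(False, f"category {category} not permitted")


# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2002-10-18T04:12:01 src=10.0.1.15 dst=10.0.0.2 dport=3128 proto=tcp
2002-10-18T04:12:05 src=10.0.1.15 dst=203.0.113.9 dport=22 proto=tcp
2002-10-18T04:12:09 src=10.0.1.22 dst=203.0.113.9 dport=80 proto=tcp
2002-10-18T04:12:12 src=10.0.1.22 dst=198.51.100.7 dport=3128 proto=tcp
2002-10-18T04:12:15 src=10.0.1.30 dst=10.0.0.3 dport=53 proto=udp
"""


def parse_log_line(line: str):
    """Return (src, dst, dport) from one 'key=value' log line."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])


def audit_log(log_text: str = SAMPLE_LOG):
    """Apply the egress policy to every line; return (src, dst, dport, Decision)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = parse_log_line(line)
        results.append((src, dst, dport, egress_decision(dst, dport)))
    return results


def denied_connections(log_text: str = SAMPLE_LOG):
    """Connections the default-deny policy blocks: the set to review for
    tunnel attempts, instead of hunting for tunnel signatures in port 80."""
    return [(s, d, p) for s, d, p, dec in audit_log(log_text) if not dec.allowed]


if __name__ == "__main__":
    for src, dst, dport, dec in audit_log():
        verdict = "ALLOW" if dec.allowed else "DENY "
        print(f"{src} -> {dst}:{dport}: {verdict} ({dec.reason})")
    for url in ("http://www.example.org/news", "http://anonymizer.example/",
                "http://unknown.example/"):
        dec = url_decision(url)
        print(f"{url}: {'ALLOW' if dec.allowed else 'DENY '} ({dec.reason})")
```

The point of the log audit is the one Rob makes: once every outbound connection is denied unless explicitly allowed, a tunnel on port 22, 3128 or even plain port 80 to an outside host is simply dropped, and the denied list is what you review. The URL filter shows Jon's side of the same idea: an unknown site is denied by default rather than allowed because nothing matched a block list.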
