Posted: 4/12/2005 3:15:06 PM EDT
| OK, if I wanted to surf porn or access a messenger that is blocked by a smart filter at work, is this possible through any tunneling software? |
| Most known external proxy servers would also be blocked by any good filters. If you want to get creative, you can use some of the translation sites (which often allow you to enter a URL for translation) and just do an English-to-English translation. However, these are also usually categorized as proxy servers (and presuming we're referring to the product called SmartFilter, it does have a block category for those) and may be blocked as well, although it is easier to ask for these to be opened up than some pr0n. If your company has any international dealings, it wouldn't be hard to come up with a business justification. We still won't unblock them at my workplace, however. |
|
If the IT dept. at the company knows its stuff, you won't be able to do it. Or if you do get around it, they'll be able to see where you went. A company might work from a "black list" or a "white list." A black list is where they have a list of bad web sites or bad words...those sites are blocked. A white list is the opposite, those are the sites that you are able to visit, any unknown sites are blocked. Usually some place like a school would use the more expensive white list. This prevents somebody from surfing to a brand new porn site or something. A black list will let you bring up unknown sites, so if there's a brand new porn site out there or something that isn't on anybody's list, the black list network will let you bring it up, while the white list will block it. Same story for somebody's personal site they just put up. Ok, so suppose you can't get to a site...they may have only blocked the name. If you Google NSLOOKUP you'll find some pages that will convert names to IP address numbers. So you may be able to get to those sites by the IP number. Depending on how the site was written, some of them won't work when you click on a link to go to another page, but others will. And the last part...don't be getting into trouble! |
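The two policies described in the post above, evaluated side by side, together with a block list that checks addresses as well as names. This is an added example, not part of the original thread; the host names, addresses and function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy data (not taken from any real filtering product).
BLOCKED_NAMES = {"badsite.example"}
ALLOWED_NAMES = {"intranet.example", "vendor.example"}
# Assumption: addresses the filter recorded when it resolved the blocked names.
BLOCKED_ADDRS = {"203.0.113.10"}

def host_of(url):
    """Return the lower-cased host of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def blacklist_by_name(url):
    """Default allow; only listed names are blocked (the name-only case)."""
    return "block" if host_of(url) in BLOCKED_NAMES else "allow"

def blacklist_hardened(url):
    """Default allow, but also match known addresses and refuse bare-IP URLs."""
    host = host_of(url)
    if host in BLOCKED_NAMES or host in BLOCKED_ADDRS:
        return "block"
    if is_ip_literal(host):
        return "block"  # no category can be assigned to an unnamed host
    return "allow"

def whitelist(url):
    """Default deny; only listed names are reachable."""
    return "allow" if host_of(url) in ALLOWED_NAMES else "block"

def compare(url):
    """Return the verdict of each policy for one URL."""
    return {
        "blacklist_by_name": blacklist_by_name(url),
        "blacklist_hardened": blacklist_hardened(url),
        "whitelist": whitelist(url),
    }
```
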
Nope. You can get all the software you want in the world and you're not going to bust through a corporate firewall. It's simply traffic logic. Our firewall is configured by default to block tons of crap, so all we really had to do is configure additional settings, IP Addresses, Port Forwarding, passwords, etc., and we were good to go. If you really want to get through your company's Firewall, find out the password to the Firewall Interface, type in the IP Address of the firewall, enter the admin password, and bam... you get past every blocked port/filter you can think of. And even though they can trace it, it's highly doubtful that they will even check the logs. There's so much more important crap to do than check security logs and stupid crap like that unless a manager specifically asks us to "check this person's activity" out. Other than that, telling ppl, "Big brother is watching" is more of a scare tactic than anything. Honestly it's a hack of crap from what I've experienced w/ colleagues in other companies/industries. Get that password bro and... BE FREE!!! LOL |
Ehh... If you just have a packet filtering firewall, most ACLs for outbound access are relatively loose - at least compared to inbound. I would not be surprised if outbound VPN traffic was allowed on many networks. And even if not intended to be allowed, if you are running your own VPN endpoint you can simply have it listen on a non-standard port that is permitted. Of course, if you are running your own VPN endpoint, you could also simply run your own web proxy server on a permitted port as well. Once again assuming packet filtering firewall and not an application proxy. Attempting to what, brute force the password to the firewall? That's a quick way to get fired, and you are assuming single-factor auth. Can't believe any decent-sized corporation would think there are more important things to do than monitor authentication attempts on their Internet ingress/egress point. I think you're confusing monitoring web access with "real" IDS. Getting access to the fw isn't going to mean jack shit, either, unless you know how to rewrite the ACL for that device. In regards to "blacklists" vs. "whitelists", I've never heard of such, and I've used and evaluated most of the big players - Websense, N2H2/Bess, SmartFilter. Typically they will have a default list of categories, which you can broadly block and then add exceptions (whitelist), but no product I'm aware of operates with a default deny all, allow specified policy. Schools will often opt for the least expensive solution - we used Websense originally, since it was, at the time, the only product that integrated with a Cisco PIX and ran on Linux. It was around $30/seat per year - very expensive. We moved to N2H2/Bess when they added PIX integration. N2H2/Bess was very popular with educational institutions because it 1) ran on Linux (free) and 2) is about 1/2 the price of Websense. However, attempting to circumvent your company's security policy is bad juju if you want to remain employed.
Except for sweeping layoffs, you pretty much have to kill at least three people to get fired from my company.... Unless you are caught violating or attempting to circumvent our security policy. And ever more increasingly, as companies become more security-aware (infosec being one of the remaining prosperous IT fields) Big Brother is watching. I consider the security policy and web usage policy to be completely different, but at my company, if HR does get a burr up their butt about someone, the first thing they ask for is a web usage report. It is not the real reason they want to fire someone, but is often the excuse. HR loves nothing more than a nice paper trail documenting policy violations to use as a cause for termination. |
Basically the same story here. Labor's been trimmed over the years, there's just no money/time to resource for Big Brother work. A special case may come through from HR now and then, but it usually starts with somebody walking by and seeing something on somebody else's monitor. |
|
Question (from the slightly technologically challenged): There used to be a secure anonymous http proxy software package called TriangleBoy that was available for free. If I could get the source code for the software, could I run it on my personal at home web box and use it as a personal secure proxy server -- i.e., surf from work to my computer at home over a secure connection so my packets can't be examined, and use my home computer to obtain all the dirty evil porn I want? |
I guess I'm making a distinction between playing "Big Brother" (i.e., simply monitoring all employee activity for pseudo-questionable use) and real IDS. I.e., monitoring web usage vs. monitoring for unauthorized access attempts on your critical infrastructure devices. The former is, for the most part, simply a productivity issue - the latter is infosec. I dunno - I guess I just naturally recoil at the thought of not looking for that sort of activity. In an organization as small as yours (we've got about 14k devices under our care), your management may not think it worthwhile to have a dedicated infosec resource, but if the shit ever hits the fan one day, they'll probably end up blaming you anyway. I would at least notify any appropriate parties that your company is lacking resources in that area as a CYA move, if nothing else. Anyway, on to triangle boy... I haven't heard anything about it for several years. And since it is a distributed app, you need lots of other folks for it to really work. |
| My workplace can use it to encourage people to quit... but not as a reason. Their reasoning is that as soon as someone is fired for it, they could subpoena all the records and insist on equal treatment for others who were surfing at work... which could end up costing them a lot of otherwise good employees. |
It depends on your firewall and the ACLs that are in place. Every company is different. I don't have any restriction on where I go because I'm the one who sets those policies :) Most companies allow traffic on port 443 which is commonly used for secure webpages. If you follow this tutorial www.buzzsurf.com/surfatwork/ you will be able to bypass about 99% of the firewalls in place today and as an added bonus 'Big Brother' does not see the content you are viewing because it is encrypted. |
