HTTP Tunnelling

[Rikku]

My users are not being nice.

They are using tunnelling software to convert their traffic so that it flows freely through my HTTP Proxy.

This is mainly used for peer to peer file sharing programs, which are fun, but they chew up the bandwith bigtime!

A couple examples:

http://http-tunnel.com/HT_Products_Consumer.asp

http://worker3.miner.nu

In the last example, users actually 'socksify' their traffic (convert TCP to SOCKS) then the Socks2http program tunnels it through the proxy.

AARGH!!!

Any ideas??

(I'm using Novell BorderManager 3.6)

 

[Rockn]

Kick their butts off the network.....if the boss won't support you QUIT!! Sounds like a bunch off loose cannons at your office. You might want to try a real firewall instead of a proxy server? Another option would be to put http on port 81 or some other port their software won't work on.

 

[littlemar]

How locked down are these pc's? Don't you have the ability to block or lock down? I have one user that thinks he's an expert because he works part time at Best Buy and I had to lock his pc down so he can't do anything without permission. It sounds like you have more then one and I agree with Rockn but maybe tell the boss ahead of time so he knows when the flack starts coming in.

 

[Rockn]

I love that littlemar....LOL
The Best Buy PC guru....too funny

She is correct tho, you can pretty much sut down their ability to install software and make any network changes, administering it does get to be a headache at time tho.

 

[Rikku]

Thanks all, for your comments

but......

This is in a College environment. The users have thier own computers... (and stay up late, trying to hack me)

We have Novell BorderManager which is a pretty heavy duty firewall - I'm able to deny all packets and permit specific exceptions, log everything, create access rules...

The problem is, even if I deny everything and only allow proxy traffic, the users can still tunnel their stuff through.

AND to make matter worse, peer to peer traffic shows up a almost completely different IPs each time, so there's no way to block a certain range of IPs or something like that.

<sigh>

 

[littlemar]

Looks like you're going to have to sit back and wait for them to royally screw up your system before the "big" guys decide that you need more security and control. Just make sure you keep a record of all the fixes and time it took. Got to cover your a** too.

The students should be allowed to do what they want at home not at school. Ok, I'll get off the soapbox again. (for a while)

 

[Rockn]

Sounds like the hackers need to be hacked. What do you have for monitoring software? Seems you could easily isolate the traffic to a segment on the network. What are they using the tuneling for...games...FTP....?? What about changing the port # for http? That's what qwest did rececntly to thwart the Code Red virus on Cisco DSL routers.

 

[Rikku]

We log EVERY http request made through the proxy.

We could change the proxy port, but that would mean telling people so they'd be able to browse the web

If I could isolate the traffic somehow, then I could limit it, or cap it. Right now its swallowing our T1 whole!!

 

[Rockn]

If you had some software like Sniffer Pro from Network associates you could see per IP address where the majority of the traffic is coming from. Are any of your network switches managed? If they are they can be monitored very easily...most newer equipment can be monitored for bandwith etc. There are some really awesome monitoring tools out ther if the school wants to dole out the cash.

 

[Toddles18]

Here's a list of server IP's that most peer to peer connect to to authorize passwords or what not, along with possible ways to block them. http://oofle.com/FileSharing/index.htm

 

[Rikku]

GREAT INFO Toddles!

Thank you!!

*humming to self happily while locking little hoodlums out*