Re: [squid-users] http://www.loopholesoftware.com/

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 28 Aug 2002 09:39:59 +0200

On Wednesday 28 August 2002 07.56, Billy Macdonald wrote:

> So I'm reading slashdot and see an ad for this Loophole
> product and think hmmm doesn't seem good so I visit their page.
> Does anyone know how to block this traffic? I'm going to dig
> further tomorrow and tonight and maybe install the trialware to
> test.

General approach:

1. Check if the software is somehow identifying itself. The HTTP
standard recommends different applications to identify themselves via
the User-agent header, but most "black" software like the above
intentionally fakes this by using the same User-agent strings as
normal browsers. log_mime_hdrs is your friend.

2. Most times the use of such software can be identified by
identifying peculiar request patterns in access.log. If you then have
a decent policy of use of the Internet for your organisation it
should not be too hard to reprimand the user sufficiently to stop
this from happening again. In many companies actions like
intentionally running such programs is sufficient to get fired with
the argument serious intentional breach to the security policy.

It is very hard to fully stop people from abusing the company
resources or policies, but is often not too hard to figure out that
they have done so and who. It is really not much different from other
kinds of internal abuse, except that computers are good at leaving
traces of who did what to whom and when.

loopholesoftware is not the only one doing this. There are several
different applications tunneling traffic over HTTP with the intention
to bypass firewall policies. Some are easy to identify automatically,
others are harder, all depending on how intent the software vendor is
on hiding the use of the software from the firewall/security policy
administrators.

Regards
Henrik
Received on Wed Aug 28 2002 - 01:44:13 MDT
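
Added example, not part of the original message and not Squid code: a small analyzer for point 2 that reads Squid native-format access.log lines and flags clients sending POSTs to a single host at a steady interval. The choice of "evenly spaced POSTs" as the peculiar pattern, the thresholds, and all sample addresses and hostnames are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def _line(ts, client, method, url):
    # Constructed sample record: time elapsed client action/code bytes
    # method URL ident hierarchy/peer content-type
    return (f"{ts:.3f} 120 {client} TCP_MISS/200 512 {method} {url} "
            "- DIRECT/192.0.2.1 text/html")

# Constructed sample data; all addresses and hostnames are placeholders.
SAMPLE_LOG = "\n".join(
    [_line(1030520400 + 5 * i, "10.0.0.7", "POST", "http://relay.example.net/x")
     for i in range(6)]
    + [_line(1030520400 + t, "10.0.0.9", "POST", "http://mail.example.org/send")
       for t in (0, 40, 45, 300, 900)]
    + [_line(1030520410, "10.0.0.5", "GET", "http://www.example.com/"),
       "truncated line"]
)

def parse_line(line):
    """Return (timestamp, client, method, host), or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    method, url = fields[5], fields[6]
    # CONNECT is logged as "host:port" rather than as a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(url).hostname
    return ts, fields[2], method, host

def polling_clients(log_text, min_posts=5, max_jitter=1.0):
    """Flag (client, host, count) where POSTs to one host arrive at a steady interval."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3]:
            posts[(rec[1], rec[3])].append(rec[0])
    flagged = []
    for (client, host), times in posts.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            flagged.append((client, host, len(times)))
    return sorted(flagged)

if __name__ == "__main__":
    for client, host, count in polling_clients(SAMPLE_LOG):
        print(f"{client} -> {host}: {count} evenly spaced POSTs")
```

A hit is a lead for manual review of that client's traffic, not proof of tunneling; legitimate software that polls a server on a timer matches the same pattern.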