RE: [squid-users] Something i found hard

From: Sturgis, Grant <Grant.Sturgis@dont-contact.us>
Date: Fri, 3 Jan 2003 15:49:29 -0700

My understanding of the problem is that the issue is not that users are
accessing their home PCs from work, but vice versa. This presents a
security concern because company resources are potentially accessible to
anyone who can compromise that website, not to mention every employee of
gotomypc.com.

I am not at all positive, but I would be willing to bet that the host PC has
to log into the service in order for everything to work (similar to P2P).
Another assumption is that it is using a URL and HTTP to do so. If it isn't
using HTTP, then this is a firewall, not a proxy, issue. If it doesn't use
DNS, then it has to have an IP list somewhere; very unlikely. Can you see
the traffic coming through squid?

I would verify that the agent uses HTTP to log into the central server, and
then take steps to block that process. In that case, simply use a regex ACL
to block access to the site (example below), and it is probably NOT
www.gotomypc.com, but something else. Next, use the logs to find out which
hosts have the agent installed (which systems are trying to connect) and
then sic your desktop support folks on them to get that software removed.

Robert is absolutely correct in saying that this is as much a political
problem as it is a technical one. The technical challenge is more
interesting to me, and in this case seems an easier one to tackle.

# "all" matches every client. http_access lines are evaluated in order and the
# first matching line wins; listing several ACLs on one line ANDs them, so the
# deny fires only for requests whose URL matches the regex list.
acl all src 0.0.0.0/0.0.0.0
acl gotomypc url_regex "/usr/local/squid/etc/gotomypc"
http_access deny all gotomypc
http_access allow all

Where /usr/local/squid/etc/gotomypc has:

gotomypc.com

Good luck,

Grant
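
The log-review step Grant describes (finding which internal hosts talk to the service), as an added example that is not part of the original post. It assumes Squid's native access.log layout and a regex list with the same contents as the /usr/local/squid/etc/gotomypc file above; the log lines are constructed samples, and the hypothetical 10.1.2.x clients and 192.0.2.x servers are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log format:
# timestamp elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_LOG = """\
1041631200.123    456 10.1.2.3 TCP_MISS/200 1234 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1041631260.456     12 10.1.2.3 TCP_MISS/200 512 GET http://poll.gotomypc.com/agent.cgi?id=1 - DIRECT/192.0.2.20 text/plain
1041631320.789      9 10.1.2.7 TCP_MISS/200 0 CONNECT poll.gotomypc.com:443 - DIRECT/192.0.2.20 -
1041631380.000      3 10.1.2.9 TCP_DENIED/403 1200 GET http://www.gotomypc.com/ - NONE/- text/html
"""

# Constructed copy of the url_regex list from the post.
PATTERNS = ["gotomypc.com"]


def compile_url_regex(patterns):
    # url_regex matches anywhere in the URL and is case-sensitive unless the
    # acl line uses -i, so the default is mirrored here.
    return [re.compile(p) for p in patterns]


def parse_line(line):
    fields = line.split()
    if len(fields) < 7:
        return None  # truncated or foreign line, skip it
    return {
        "time": datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        "client": fields[2],
        "action": fields[3],
        "method": fields[5],
        "url": fields[6],
    }


def find_agent_hosts(log_text, patterns=PATTERNS):
    """Map client IP -> list of (time, method, action, url) that hit the list."""
    regexes = compile_url_regex(patterns)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # CONNECT requests (the port-443 case in the thread) are logged with
        # the URL as host:port, so the same regex list catches them too.
        if any(r.search(rec["url"]) for r in regexes):
            hits[rec["client"]].append(
                (rec["time"].isoformat(), rec["method"], rec["action"], rec["url"]))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in sorted(find_agent_hosts(SAMPLE_LOG).items()):
        print(client, len(reqs), "matching request(s)")
        for t, method, action, url in reqs:
            print("   ", t, method, action, url)
```

Denied requests (TCP_DENIED) are reported alongside allowed ones, so the report still identifies hosts running the agent after the ACL is in place.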

-----Original Message-----
From: Robert Adkins [mailto:raa@impelind.com]
Sent: Friday, January 03, 2003 3:22 PM
To: Edward Mann; mailinglistsquid-users@squid-cache.org; Sturgis, Grant
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Something i found hard

Edward,

        I think the main problem that you are having here is that your
end-users are abusing either a spoken or an unwritten company policy. If
it is not written into the company handbook, then talk to HR about adding
something disallowing access to home PCs from the office, partially due to
security issues, mostly due to the fact that the users shouldn't be doing
their home computing on company time.

        Depending upon how you have Squid set up, if you are running it with
user authentication, then a quick look through your logs would, or
should, reveal who is doing this and at what times they are doing this. It
would then be a simple matter of denying them access to the proxy server.
You could even create a special Squid error message that would explain
why they have been denied access and for how long, if you are doing that
for a short length of time.

        Another thing you could do is locate the listing of IP addresses
utilized by all Home Cable, DSL and other broadband type providers.
Unfortunately, I am unfamiliar with the ranges that they use. However, I
know that there are specific ranges of NON-COMMERCIAL IP Addresses used
by these companies for their subscribers. It should be a simple matter of
blocking those ranges in an ACL or at your firewall.

        From my brief reading of the gotomypc web site, it appears that the
users would have to go to that web site in order to access their
computers through that system. You could also create an ACL to block the
www.gotomypc.com web-site. If you have a porn/noporn ACL already setup,
simply add www.gotomypc.com to the porn list and restart the squid
service.

        I cannot tell you how often I need to add additional sites and
combinations of words to my porn and noporn lists. They are both becoming
rather large, thankfully the logs are quite useful in that respect.

        I know that the brief information I detailed above is covered in a
variety of FAQs regarding Squid.

Regards,
Robert Adkins II
IT Manager/Buyer
Impel Industries, Inc.
Ph. 586-254-5800
Fx. 586-254-5804

-----Original Message-----
From: Edward Mann [mailto:ed.mann@choicepoint.net]
Sent: Friday, January 03, 2003 11:24 AM
To: mailinglistsquid-users@squid-cache.org; Sturgis, Grant; Robert Adkins
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Something i found hard.


That is what I have been working on, but the IP address keeps changing.
I want to know if there is some way that I can block what it is getting,
the URL path or something.
On Fri, 2003-01-03 at 11:06, Sturgis, Grant wrote:
> Can't you just put that in your ACL?
>
> -----Original Message-----
> From: Edward Mann [mailto:ed.mann@choicepoint.net]
> Sent: Friday, January 03, 2003 10:00 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Something i found hard.
>
>
> It has been brought to my attention that some users on my network are
> using a tool that you can get at gotomypc.com. I have tried to block the
> port that it starts on, 8200, but it then will change to port 443 and
> continue to work. Can someone help me figure out how to stop this? I
> have also tried the IP address, but it seems to change that as well.
>
>
> Thanks.
>
> This electronic message transmission is a PRIVATE communication which
> contains information which may be confidential or privileged. The
> information is intended to be for the use of the individual or entity
> named above. If you are not the intended recipient, please be aware that
> any disclosure, copying, distribution or use of the contents of this
> information is prohibited. Please notify the sender of the delivery error
> by replying to this message, or notify us by telephone (877-633-2436,
> ext. 0), and then delete it from your system.

Received on Fri Jan 03 2003 - 15:50:04 MST