[squid-users] FW: failure notice

From: Maqsood Ahmad <maqsoodjee_at_hotmail.com>
Date: Tue, 20 Mar 2012 18:26:58 +0000

Hi Amos

Thank you for the concern, but for your kind information we are doing this with the permission of management and of course it is limited to our office only.

Our main concern is to provide internet to the users without slow response so that they can fully utilize the time. We just want that our users have the max bandwidth for their productive work rather than some dumb people browsing for no reason and wasting the bandwidth.

Merrymax

> > Date: Wed, 21 Mar 2012 02:16:54 +1300
> > From: squid3_at_treenet.co.nz
> > To: squid-users_at_squid-cache.org
> > Subject: Re: [squid-users] Restrict HTTP Tunnel softare
> >
> > On 20/03/2012 8:23 p.m., Maqsood Ahmad wrote:
> > > Hi all
> > >
> > >
> > > Is there any way or acl example through which I can block http tunnel software.
> > >
> > >
> > > One more thing, we are running time-based acls and one of our users has full-time access, he is running a proxy on his system through which he allowed internet to those users which are blocked in our acl.
> > >
> > > Is there any way we can block this.
> >
> > Assuming that you have already tried reporting this to your management
> > and had them apply the usage policy for people violating (you have one
> > of those right?)
> >
> >
> > Given the proper permissions have been given, you can be mean, evil, very
> > evil or a BOFH.
> >
> > mean: rate-limit his traffic. Or bump him into the time-limited group.
> >
> > evil: connection-count limit his traffic. One browser on defaults makes
> > no more than 6 connections to a proxy at once, and can operate fine with
> > less.
> >
> > very evil: rate-limit with random connection aborting on a low threshold
> > for disconnect.
> >
> >
> > BOFH: SSL-bump his connections. Then filter or ACL process the decrypted
> > traffic.
> >
> > NOTE: be sure you have your management's permission to do this, and
> > your country allows you legal right to do so on this network. Some
> > countries ban it outright, and some permit corporate and home
> > environments to manage their own staff security. Doing it on
> > public-access networks is almost never permitted and doesn't work anyway.
> >
> > Bonus: all his non-HTTPS tunnelled traffic will break. Squid does not
> > support non-HTTP inbound protocols. And if you can identify the original
> > users' requests you should be able to apply the proper time-based limits
> > on them despite their attempt to avoid. Voiding the benefit he offers.
> >
> > ** I am interested to know if and how easy you find it to spot
> > individual users' requests and apply ACL to them inside the decrypted
> > CONNECT streams.
> >
> >
> > Amos
Received on Tue Mar 20 2012 - 18:27:05 MDT
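
The "mean" and "evil" options from the quoted reply, sketched as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread; the address 192.0.2.10, the ACL names, the schedule and the 16 KB/s rate are assumptions, and delay pools must be compiled into the Squid build.

```conf
# Added example; 192.0.2.10, ACL names, schedule and rates are assumptions.
# Place the http_access deny lines BEFORE the rule that allows the LAN,
# because http_access rules are evaluated top-down and the first match wins.

# The workstation that has full-time access and is relaying for other users.
acl relay_host src 192.0.2.10

# "evil": cap simultaneous connections from that address.
# maxconn matches when the client IP has MORE than N connections open,
# so this denies the 7th concurrent connection (one browser uses at most 6).
acl relay_conn_limit maxconn 6
http_access deny relay_host relay_conn_limit

# "mean", option A: put the host under the same time-based rule as the
# restricted users (Mon-Fri 09:00-17:00 is a constructed schedule).
acl restricted_hours time MTWHF 09:00-17:00
http_access deny relay_host restricted_hours

# "mean", option B: rate-limit with one class-1 (aggregate) delay pool.
# delay_parameters takes restore/max in bytes: 16000/16000 is about 16 KB/s.
delay_pools 1
delay_class 1 1
delay_parameters 1 16000/16000
delay_access 1 allow relay_host
delay_access 1 deny all
```

Options A and B are alternatives; the connection cap can be combined with either. Lowering the maxconn value below 6 tightens the cap further, since a single browser works with fewer connections.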
