[lug] HTTP Tunneling
Nate Duehr
nate at natetech.com
Fri Oct 6 02:02:43 MDT 2006
Dan Ferris wrote:
> Dear List,
>
> I have helped a friend set up a DansGuardian Proxy filtering system for
> her school district in Missouri. The Firewall blocks all traffic to the
> internet, period. The only traffic allowed to the net is via the
> DansGuardian Proxy server. When I say everything is blocked, I mean
> everything. None of the common VPN protocols will work (IPSec, PPTP,
> L2TP etc), HTTPS will not work, and I'm pretty sure that OpenVPN won't
> work (I'm not 100% sure about this; we would have to test).
>
> I'm convinced the only way around the proxy server is via a CGI proxy
> which we can deal with via DansGuardian, or by HTTP tunneling.
>
> So my question to the list is:
>
> Does anybody know an easy way to detect HTTP tunneling? I have never
> used it before. At the moment I'm thinking the easiest way is to look
> for long periods of large data transfers via HTTP. Am I on the right
> track?
>
> Thanks,
>
> Dan Ferris
>
The generic rule holds true here: never try to fix a people problem with
technology.

If he has kids smart enough to figure out how to tunnel out of his
network via HTTP, you can block it, but they'll just find another way
around it.

Policy with real consequences from "management" is the only hope here,
long-term. The kids and parents sign an acceptable-use agreement, and a
serious infraction spells suspension and eventually expulsion.

If he doesn't have policy and consequences covered, nothing else
matters. Basic psychology -- people respond only to their perceived
outcomes, and the outcome of bypassing the school district's network
setup maliciously or non-maliciously needs to result in dire
consequences for the student. (Well, also for teachers if they're the
problem.)

You're probably on the right track, from a purely technical standpoint,
but he's not looking at the big picture.

Engineers can build effective blocks and surveillance systems.
Politicians, Statesmen, Administrators, and rule-makers need to make the
rules. Ask them to do so and to back their rules up with real actions
before you (or your friend) proceed further.

He'll sleep better at night knowing there's a real threat he can pull
out of his back pocket that will be enforced evenly and consistently if
he finds someone doing something inappropriate like bypassing the
mandated proxy server.

(In other words, if management wants the Internet filtered then they
need to finish the job and decide what will be done if the filter is
bypassed -- and he needs it down in writing to hand to end-users and
parents if those end-users are minors. "Just do it" without backing him
up is not an appropriate or professional job by the administration and
he should resist the temptation to think he can handle it -- kids will
find ways around the firewall/proxy/filter/whatever. Guaranteed.)

Nate
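
Added example, not part of the original thread: a sketch of the heuristic raised in the question (long periods of large data transfers via HTTP), run over constructed proxy log lines. It assumes the proxy behind the filter writes Squid's native access.log layout; the function names, thresholds, addresses and host names are made up for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def flag_sustained_transfers(lines, min_span_s=1800, min_bytes=50_000_000):
    """Flag (client, host) pairs that move at least min_bytes over at least
    min_span_s seconds. Both thresholds are illustrative, not tuned values."""
    stats = defaultdict(lambda: [float("inf"), 0.0, 0, 0])  # first, last, bytes, requests
    for line in lines:
        f = line.split()
        try:
            # Assumed layout: time elapsed_ms client code/status bytes method URL ...
            end, elapsed_ms, size = float(f[0]), int(f[1]), int(f[4])
            client, host = f[2], urlsplit(f[6]).hostname
        except (IndexError, ValueError):
            continue  # skip truncated or malformed lines
        if not host:
            continue  # no absolute URL, so no destination host to group by
        s = stats[(client, host)]
        s[0] = min(s[0], end - elapsed_ms / 1000.0)  # entry is written at completion
        s[1] = max(s[1], end)
        s[2] += size
        s[3] += 1
    hits = [(c, h, round(s[1] - s[0]), s[2], s[3])
            for (c, h), s in stats.items()
            if s[1] - s[0] >= min_span_s and s[2] >= min_bytes]
    return sorted(hits, key=lambda r: r[3], reverse=True)

def constructed_sample():
    """Constructed log lines: ordinary browsing, one big download, one long heavy session."""
    t0 = 1160121600.0
    fmt = "{:.3f} {} {} TCP_MISS/200 {} {} {} - DIRECT/{} {}"
    lines = [
        # Long span but tiny volume: normal browsing.
        fmt.format(t0 + 5, 120, "10.1.4.23", 18342, "GET", "http://www.example.org/index.html", "192.0.2.10", "text/html"),
        fmt.format(t0 + 2400, 95, "10.1.4.23", 7210, "GET", "http://www.example.org/news.html", "192.0.2.10", "text/html"),
        # Large volume but short span: a single file download.
        fmt.format(t0 + 300, 41000, "10.1.4.31", 62000000, "GET", "http://mirror.example.com/disc1.iso", "192.0.2.20", "application/octet-stream"),
    ]
    # One client exchanging about 2 MB per minute with a single host for 40 minutes.
    for i in range(40):
        lines.append(fmt.format(t0 + 60 * (i + 1), 58000, "10.1.4.57", 2000000, "POST", "http://relay.example.net/s", "192.0.2.30", "application/octet-stream"))
    return lines

if __name__ == "__main__":
    for hit in flag_sustained_transfers(constructed_sample()):
        print("client=%s host=%s span=%ds bytes=%d requests=%d" % hit)
```

Requiring both duration and volume keeps an all-day trickle of small page loads and a one-off large download from being flagged; a hit is a lead for review, not proof of tunneling.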