On -> Monitor Employee's Http Traffic

dps Member Posts: 116
Since we already know internet traffic can be monitored.. how can *WE* know if we are being monitored? If there is a program running set by the Boss or the Admin to monitor our activities.

Focused and Steady.

Comments

  • Mishra Member Posts: 2,468
    Usually there is a transparent proxy running, so you really can't find out. There might be a chance you could sniff the packets and see if a proxy server is editing some packets, and/or if some websites are being blocked by your company, more than likely you are being monitored.

    PC --> switches --> transparent proxy --> router --> firewall --> internet

    It is usually a standalone box, as my wonderful diagram shows above.
    My blog http://www.calegp.com

    You may learn something!
  • dtlokee Member Posts: 2,378
    Make sure you are following the company's Acceptable Use Policy and you'll have no issues. If you work for one of those companies without one, well, good luck and use your best judgement.
    The only easy day was yesterday!
  • Netstudent Member Posts: 1,693
    NO P O R N AT WORK!!!!!! Wait until you get home! Everyone has one of those fine ass desk job chics where they work, but just don't do it!

    ps. hope I don't get in trouble for saying the P word.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • blargoe Member Posts: 4,174
    Don't look at pr0n.
    Don't look at monster.com
    Don't conduct personal business for monetary gain
    Don't do anything illegal or harmful to the business
    Other non business web surfing in moderation.

    Follow these guidelines and you will not need to worry about people watching you in 99.99999999999% of companies.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • Aquabat [banned] Inactive Imported Users Posts: 299
    blargoe wrote:
    Don't look at pr0n.
    Don't look at monster.com
    Don't conduct personal business for monetary gain
    Don't do anything illegal or harmful to the business
    Other non business web surfing in moderation.

    Follow these guidelines and you will not need to worry about people watching you in 99.99999999999% of companies.

    Check.
    Check.
    Check.
    and Check, and i've never been fired. what do i win!
    i herd u leik mudkips lol
  • seuss_ssues Member Posts: 629
    Aquabat wrote:
    blargoe wrote:
    Don't look at pr0n.
    Don't look at monster.com
    Don't conduct personal business for monetary gain
    Don't do anything illegal or harmful to the business
    Other non business web surfing in moderation.

    Follow these guidelines and you will not need to worry about people watching you in 99.99999999999% of companies.

    Check.
    Check.
    Check.
    and Check, and i've never been fired. what do i win!

    1. Navigate browser to my https: proxy
    2. Surf where ever i want and not worry about being tracked or setting off the "This page is not permitted" warning.
    3. Try to remain focused long enough to keep job :)
  • Darthn3ss Member Posts: 1,096
    Aquabat wrote:
    blargoe wrote:
    Don't look at pr0n.
    Don't look at monster.com
    Don't conduct personal business for monetary gain
    Don't do anything illegal or harmful to the business
    Other non business web surfing in moderation.

    Follow these guidelines and you will not need to worry about people watching you in 99.99999999999% of companies.

    Check.
    Check.
    Check.
    and Check, and i've never been fired. what do i win!

    1. Navigate browser to my https: proxy
    2. Surf where ever i want and not worry about being tracked or setting off the "This page is not permitted" warning.
    3. Try to remain focused long enough to keep job :)
    +1. did that at school all the time.
    Fantastic. The project manager is inspired.

    In Progress: 70-640, 70-685
  • sprkymrk Member Posts: 4,884
    Darthn3ss wrote:
    1. Navigate browser to my https: proxy
    2. Surf where ever i want and not worry about being tracked or setting off the "This page is not permitted" warning.
    3. Try to remain focused long enough to keep job :)
    +1. did that at school all the time.

    That won't usually work on my (and most properly configured) networks.
    #1 - We use content filtering with heuristics to block known or suspected anonymous proxies.
    #2 - We have logs and alerts that tell us when such attempts are made.
    #3 - You become the subject of much closer scrutiny if you ever do raise an alarm.
    #4 - Our content filter is "inline", so you can't go around it.
    #5 - You can't "tunnel" home to your personal PC - SSH, RDP, IPSec, PPTP, and other common ways of getting around or through a firewall are only allowed to known destinations, like other installations.

    Other mechanisms are also in place, but I won't lie and say there is no possible way to do it. However, I haven't seen a method that will work more than a day or so before you get caught. Additionally, out of 400+ user accounts, there are less than 12 with admin rights, and they also get much closer scrutiny.

    I'd be curious to hear of other suggestions on getting around firewalls, content filters and such. I would like to make sure I have all my bases covered to keep it from happening, or at least find out when someone does.
    All things are possible, only believe.
  • GT-Rob Member Posts: 1,090
    ^ yes but really, you only know about the ones that have been caught. ;)


    Unfortunately, my job is extremely relaxed. We can do just about anything and everything (WoW, youtube, tv-links, torrents, etc) as long as some work gets done in the day.
  • sprkymrk Member Posts: 4,884
    GT-Rob wrote:
    ^ yes but really, you only know about the ones that have been caught. ;)

    Very true!
    All things are possible, only believe.
  • seuss_ssues Member Posts: 629
    sprkymrk wrote:
    Darthn3ss wrote:
    1. Navigate browser to my https: proxy
    2. Surf where ever i want and not worry about being tracked or setting off the "This page is not permitted" warning.
    3. Try to remain focused long enough to keep job :)
    +1. did that at school all the time.

    That won't usually work on my (and most properly configured) networks.
    #1 - We use content filtering with heuristics to block known or suspected anonymous proxies.
    #2 - We have logs and alerts that tell us when such attempts are made.
    #3 - You become the subject of much closer scrutiny if you ever do raise an alarm.
    #4 - Our content filter is "inline", so you can't go around it.
    #5 - You can't "tunnel" home to your personal PC - SSH, RDP, IPSec, PPTP, and other common ways of getting around or through a firewall are only allowed to known destinations, like other installations.

    sprkymrk,

    I have a personal "private" webpage running https with a phproxy setup. It isn't a public page that should be crawled by google or any other respectable bot (that follows robots.txt), so it shouldn't pop up as a url to get blocked by any filtering companies that maintain lists of proxies.

    Additionally, with it running https, how will your monitoring know what is going on in the encrypted traffic? I guess you could see numerous logs of me accessing this particular site and manually browse to it, but then you would be greeted with a login prompt.

    ohh yeah maybe i should put a disclaimer *** don't do this at your school / job if it is against the rules ***
  • sprkymrk Member Posts: 4,884
    sprkymrk wrote:
    Darthn3ss wrote:
    1. Navigate browser to my https: proxy
    2. Surf where ever i want and not worry about being tracked or setting off the "This page is not permitted" warning.
    3. Try to remain focused long enough to keep job :)
    +1. did that at school all the time.

    That won't usually work on my (and most properly configured) networks.
    #1 - We use content filtering with heuristics to block known or suspected anonymous proxies.
    #2 - We have logs and alerts that tell us when such attempts are made.
    #3 - You become the subject of much closer scrutiny if you ever do raise an alarm.
    #4 - Our content filter is "inline", so you can't go around it.
    #5 - You can't "tunnel" home to your personal PC - SSH, RDP, IPSec, PPTP, and other common ways of getting around or through a firewall are only allowed to known destinations, like other installations.

    sprkymrk,

    I have a personal "private" webpage running https with a phproxy setup. It isn't a public page that should be crawled by google or any other respectable bot (that follows robots.txt), so it shouldn't pop up as a url to get blocked by any filtering companies that maintain lists of proxies.

    Additionally, with it running https, how will your monitoring know what is going on in the encrypted traffic? I guess you could see numerous logs of me accessing this particular site and manually browse to it, but then you would be greeted with a login prompt.

    ohh yeah maybe i should put a disclaimer *** don't do this at your school / job if it is against the rules ***

    Well not knowing exactly how phproxy works, I do know that proxies in general get stopped by our SGS appliance - not sure exactly how, but it even hoses legitimate connections that use it, in which case I have to create a filter to allow it to work.

    Second possibility is that I mentioned heuristics. Our Content Filter uses dynamic document review, which looks on the site for keywords and graphics and will give the page a rating based on built-in dictionaries. For instance, if the page has the word "sex" on it, it gets a high rating. But if it also has the word "education", then it lowers the rating. Simple example but you get the idea. Your password protection and ssl might overcome that though.

    Many sites, like ours, use an ssl bridge device to inspect the contents of https connections, some say that's a privacy issue, true, but it gets used nonetheless. In government and military installations you have no expectation of privacy (with a very few exceptions).

    However, I am always looking to increase security, so I am going to install PHProxy at home and see what it looks like from my firewall's point of view when I use it.

    Thanks! :)

    Actually - this brings up a good topic for Keatron to address, the "everything over SSL" problem. Spyware has used this trick to evade detection. I don't know of anything besides an ssl bridge that can combat this effectively.
    All things are possible, only believe.
  • dtlokee Member Posts: 2,378
    I've seen Bluecoat SSL proxy defeat these types of personal or anonymous type proxy setups because they intercept the SSL connection and create a SSL connection on behalf of the inside client thereby allowing the actual http data to be seen and filtered as necessary. I would imagine there are others out there but I saw a demonstration using Bluecoat.
    The only easy day was yesterday!
  • sprkymrk Member Posts: 4,884
    dtlokee wrote:
    I've seen Bluecoat SSL proxy defeat these types of personal or anonymous type proxy setups because they intercept the SSL connection and create a SSL connection on behalf of the inside client thereby allowing the actual http data to be seen and filtered as necessary. I would imagine there are others out there but I saw a demonstration using Bluecoat.

    Yup, that's what I was referring to when I mentioned the SSL Bridge. I didn't know Bluecoat did that, but it doesn't surprise me.
    All things are possible, only believe.
  • seuss_ssues Member Posts: 629
    It's not something that you install on your home based PC. It actually resides on a webserver (which needs to be off of the network that's being filtered).

    You make a request to your page with phproxy, it retrieves the page and formats it as though it's coming from your site. It's kinda difficult to explain, but once you see it you will know what I'm talking about.

    btw sprkymrk i sent you a message a few minutes ago - edit you already responded
  • blargoe Member Posts: 4,174
    Regarding the proxy, our software monitors trends like how long a person is spending on the Internet. Also, the amount of time connected to a site. If you have six hours of non-stop on some funky http or https site, we're going to pick up on it.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
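The duration-based trend check described in the post above can be sketched over proxy logs as follows. This is an added example, not part of the original thread or any product mentioned in it; the log format (`timestamp user host`), the 10-minute gap, the host names and the sample entries are all constructed assumptions, and the six-hour threshold is taken from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_GAP = timedelta(minutes=10)    # assumed: a longer silence ends a session
ALERT_AFTER = timedelta(hours=6)   # "six hours of non-stop" from the post

def parse(line):
    """Split one constructed log line: '<ISO timestamp> <user> <host:port>'."""
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host

def longest_sessions(lines):
    """Return {(user, host): longest continuous session as a timedelta}."""
    hits = defaultdict(list)
    for line in lines:
        ts, user, host = parse(line)
        hits[(user, host)].append(ts)
    longest = {}
    for key, stamps in hits.items():
        stamps.sort()
        start = prev = stamps[0]
        best = timedelta(0)
        for ts in stamps[1:]:
            if ts - prev > MAX_GAP:        # gap too long: close the session
                best = max(best, prev - start)
                start = ts
            prev = ts
        longest[key] = max(best, prev - start)
    return longest

def alerts(lines):
    """(user, host) pairs with a continuous session at or over the threshold."""
    return sorted(k for k, d in longest_sessions(lines).items() if d >= ALERT_AFTER)

def sample_log():
    """Constructed sample: alice is steady for 6h, bob is sporadic."""
    base = datetime(2024, 1, 15, 9, 0)
    lines = []
    for i in range(73):  # one request every 5 minutes, 09:00 to 15:00
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} alice personal-site.example:443")
    for h in (0, 2, 4, 6):  # same span of the day, but two-hour gaps
        ts = (base + timedelta(hours=h)).isoformat()
        lines.append(f"{ts} bob news.example:443")
    return lines

if __name__ == "__main__":
    for user, host in alerts(sample_log()):
        print(f"ALERT {user} -> {host}")
```

The check needs only connection metadata (who, where, when), so it works on HTTPS traffic without decrypting it.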
  • Darthn3ss Member Posts: 1,096
    also, anyone here that uses group policy or whatever to allow certain applications to be run and others not allowed, i'm not sure if they ever fixed it but back in highschool (almost 2 years ago) we could rename the program that they wouldn't let us run (say, IE) to msword.exe and it'd run beautifully.
    Fantastic. The project manager is inspired.

    In Progress: 70-640, 70-685
  • blargoe Member Posts: 4,174
    Darthn3ss wrote:
    also, anyone here that uses group policy or whatever to allow certain applications to be run and others not allowed, i'm not sure if they ever fixed it but back in highschool (almost 2 years ago) we could rename the program that they wouldn't let us run (say, IE) to msword.exe and it'd run beautifully.

    That's because they are idiots and did not configure the group policy correctly.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • sprkymrk Member Posts: 4,884
    blargoe wrote:
    Darthn3ss wrote:
    also, anyone here that uses group policy or whatever to allow certain applications to be run and others not allowed, i'm not sure if they ever fixed it but back in highschool (almost 2 years ago) we could rename the program that they wouldn't let us run (say, IE) to msword.exe and it'd run beautifully.

    That's because they are idiots and did not configure the group policy correctly.

    There are two issues here that I see. First, Keatron convinced me some time ago that while Group Policy is great for administration, you cannot rely on it for securing your network as there are too many ways to defeat it by knowledgeable users - as Darthness pointed out, even high school kids can find workarounds.

    Second, there was nothing wrong with the way the school set up Group Policy to restrict software - names/paths are an easy way to stop most people from running stuff you don't want them to, and it doesn't require a lot of maintenance, updating, or administration - set and forget. It also breaks less stuff. The other, more secure way to do it with GP, is by using hash rules or certificate rules. However, these can be tricky to configure and require updating every time a software version is upgraded.
    All things are possible, only believe.
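The trade-off in the post above, between name/path rules and hash rules, can be seen in a small model. This is an added example and not code from the thread or from Group Policy itself: the two rule functions are hypothetical stand-ins for the policy engine, and the files are constructed placeholders written to a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

def sha256(path):
    """Hash the file contents; the file name plays no part in the result."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def blocked_by_name(path, denied_names):
    """Hypothetical name rule: matches on the file name only."""
    return os.path.basename(path).lower() in denied_names

def blocked_by_hash(path, denied_hashes):
    """Hypothetical hash rule: matches on file contents only."""
    return sha256(path) in denied_hashes

def compare_rules():
    """Evaluate both rule types against an original, a renamed copy and an upgrade."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "v2"))
        original = os.path.join(d, "iexplore.exe")
        renamed = os.path.join(d, "msword.exe")
        upgraded = os.path.join(d, "v2", "iexplore.exe")
        with open(original, "wb") as f:
            f.write(b"constructed stand-in for browser build 1")
        shutil.copy(original, renamed)            # same bytes, new name
        with open(upgraded, "wb") as f:
            f.write(b"constructed stand-in for browser build 2")

        denied_names = {"iexplore.exe"}
        denied_hashes = {sha256(original)}        # rule written against build 1
        files = {"original": original, "renamed": renamed, "upgraded": upgraded}
        return {
            label: {
                "name_rule": blocked_by_name(p, denied_names),
                "hash_rule": blocked_by_hash(p, denied_hashes),
            }
            for label, p in files.items()
        }

if __name__ == "__main__":
    for label, result in compare_rules().items():
        print(label, result)
```

The renamed copy passes the name rule but is still caught by the hash rule, while the upgraded build is caught by name but needs a new hash rule, which is the maintenance cost the post mentions.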