
Sticking it to the State

Friday, March 10th, 2006

Recently Jason, who works for the state of NY, and I have been trying to get him onto Instant Messenger at work. They seem to have cut his network off from the internet almost completely. Since the only internet activity allowed is browsing web pages, the ONLY way out of his network is through their proxy server, which will only play nice on port 80 (for web sites) and 443 (for secure web sites).

After a couple of weeks of trying different things we finally found a combination that worked. The first barrier was getting traffic in and out of his LAN. For that we used an SSH tunnel. This lets his office computer make an encrypted "tunnel" to his home laptop and forward the IM traffic through it. The default port for SSH, however, is 22, which was blocked of course. The sneaky part was setting up the SSH server on his laptop at home to listen on port 443 (remember, that port is allowed because it is used for secure web sites). SSH does not actually use SSL; what makes this work is how the proxy handles port 443. For a secure web site the browser sends the proxy an HTTP CONNECT request, and the proxy simply opens a TCP connection to the destination and relays bytes in both directions without looking at them, since it expects them to be encrypted anyway. PuTTY can be configured to use an HTTP proxy and sends the same CONNECT request, so to a proxy that never looks past the request line an SSH session to port 443 is indistinguishable from an HTTPS session. The caveat is that a proxy which did look at the first bytes after the CONNECT would see a plaintext "SSH-2.0-..." banner where a TLS handshake should be, and could drop the connection.

The second barrier was how to relay the IM traffic from his laptop at home out to the internet. For that we used a SOCKS proxy server. I found a free one called Antinat that runs as a Windows service.

All he needs to do to get on IM now is to open PuTTY (a free Windows SSH client), connect to his laptop at home, and forward a local port to the SOCKS proxy running there. Then when he sets his IM client to use that proxy (through the tunnel) it works like a charm! This can work for ANY application that can use a SOCKS proxy or be pointed at a forwarded port...you just need to tunnel the right ports. He could even set his web browser to use the same proxy to get to websites his corporate proxy blocks.
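The part of this worth seeing in code is why the corporate proxy lets SSH through on 443 and what a stricter proxy could do about it. The following is an added example, not code from the original post and not from PuTTY or Antinat: it runs a tiny HTTP CONNECT proxy, an echo server standing in for the home laptop's sshd, and a client that sends the CONNECT request PuTTY sends when it is configured to use an HTTP proxy. The proxy only ever sees the CONNECT line and then relays opaque bytes, so an SSH banner goes through exactly as a TLS ClientHello would; with inspect=True it peeks at the first bytes after the CONNECT and drops anything that is not TLS. All ports are chosen by the OS, and the banner string and ClientHello bytes are constructed test data, not captures.

```python
"""Why an HTTP CONNECT proxy passes SSH on port 443, and the check that would catch it.

Added example, not code from the original post. Three parties run on localhost: an echo
server standing in for the home laptop's sshd on 443, a corporate CONNECT proxy, and a
client doing what PuTTY does when told to use an HTTP proxy. Ports are chosen by the OS;
the SSH banner and TLS ClientHello bytes below are constructed test data.
"""
import socket
import threading

SSH_BANNER = b"SSH-2.0-PuTTY_Release_0.58\r\n"  # constructed SSH identification string
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100c0010000bc0303")  # constructed record+handshake header

def classify_first_bytes(data: bytes) -> str:
    """TLS: record type 0x16, version 0x03 0x??, handshake type 0x01. SSH: plaintext 'SSH-'."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "ssh" if data.startswith(b"SSH-") else "unknown"

def _pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then half-close dst so the far side sees EOF."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _read_head(sock) -> bytes:
    """Read through the blank line that ends an HTTP request/response head; b'' on early EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            return b""
        buf += chunk
    return buf

def _serve(handler, *args) -> int:
    """Accept loopback connections in a daemon thread, one thread per client; return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    def loop():
        while True:
            conn, _ = listener.accept()
            conn.settimeout(5)
            threading.Thread(target=handler, args=(conn, *args), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]

def _echo(conn):
    with conn:
        _pump(conn, conn)  # the "home machine": send back whatever arrives

def _handle_connect(conn, inspect):
    """Minimal HTTP CONNECT proxy; with inspect=True it drops streams that are not TLS."""
    with conn:
        try:
            head = _read_head(conn)
            method, target, _ = head.split(b"\r\n", 1)[0].decode().split(" ")
            if method != "CONNECT":
                return
            host, port = target.rsplit(":", 1)
            # A plain CONNECT proxy stops looking here: answer 200, then relay opaque bytes.
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            if inspect:
                # Peek at (without consuming) the client's first bytes. An HTTPS client
                # sends a TLS ClientHello; an SSH client sends 'SSH-2.0-...' in the clear.
                if classify_first_bytes(conn.recv(64, socket.MSG_PEEK)) != "tls":
                    return  # port 443 but not TLS: drop the connection
            with socket.create_connection((host, int(port)), timeout=5) as upstream:
                back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
                back.start()
                _pump(conn, upstream)
                back.join()
        except (OSError, ValueError):
            pass  # socket error or malformed request line: drop the client

def start_echo_server() -> int:
    return _serve(_echo)

def start_proxy(inspect: bool = False) -> int:
    return _serve(_handle_connect, inspect)

def connect_through_proxy(proxy_port: int, target_port: int, payload: bytes):
    """CONNECT to target_port via the proxy, send payload, return (status, bytes echoed back)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT 127.0.0.1:{target_port} HTTP/1.1\r\n"
                  f"Host: 127.0.0.1:{target_port}\r\n\r\n".encode())
        head = _read_head(s)
        status = int(head.split(b" ", 2)[1]) if head else 0
        if status != 200:
            return status, b""
        echoed = b""
        try:
            s.sendall(payload)
            while len(echoed) < len(payload):
                chunk = s.recv(4096)
                if not chunk:
                    break
                echoed += chunk
        except OSError:
            pass  # an inspecting proxy resets the connection instead of relaying
        return status, echoed
```

Calling connect_through_proxy(start_proxy(inspect=False), start_echo_server(), SSH_BANNER) gets the banner echoed back through the tunnel; the same call against start_proxy(inspect=True) returns (200, b'') because the proxy answers the CONNECT and then drops the stream. The check is deliberately crude (a real inspecting proxy would validate the handshake or terminate TLS itself); the point is that a CONNECT proxy which never looks past the request line cannot tell SSH from HTTPS, and one that peeks at a single record header can.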

Comments (5)

JR
#1 - Mar 10, 2006 at 9:06 PM
And that's a great reason why companies who want to enforce the policies they set should limit everyone to being a managed user of their machine. As a user he couldn't install AIM in the first place. It's kinda like setting a policy that your employees have to lock their computers when they walk away but then leaving the laptop sitting on the desk. It doesn't make sense to have such restrictive policies if you're going to leave big holes in the security anyways, ya know?
joe
#2 - Mar 11, 2006 at 11:52 AM
Yeah but that isn't always going to work. Jason is a local admin for the machines in his organizational unit because he maintains them. Therefore you can't give him a non-admin account or prevent him from being able to install software.

Sure he should abide by the acceptable use policy...but even for non-admin people this would work anyway because PuTTY isn't a program you have to install. You can run it from a disk/CD/jump drive/anything. Then you could tunnel port 3389 and get a remote desktop connection to your home PC. Then you could run AIM on your home PC through the remote desktop.

I agree it's stupid to put such restrictive policies on and have such a hole. But it would be very hard to plug this hole without blocking necessary functionality.
Cheryl
#3 - Mar 11, 2006 at 5:47 PM
You are definitely a computer geek.
joe
#4 - Mar 11, 2006 at 6:27 PM
Thanks Cheryl. AOL actually recently released a software development kit for IM. So I was thinking about writing a custom web-based client...so this tunnel thing isn't necessary.
Cheryl
#5 - Mar 12, 2006 at 12:46 PM
Ok, here is a computer geek question...you may or may not know an answer. I am trying to upload a PowerPoint presentation (PowerPoint 2003, which can be done) to Robert's Earthlink site and it won't work. One time I finally got something to upload, but it was HTML code (PowerPoint's conversion to web format) and I did it as a file upload. Is there another way?
