The Glade 4.0

"Turn the lights down, the party just got wilder."
PostPosted: Tue Mar 30, 2010 5:31 am 
of course

Joined: Thu Sep 03, 2009 6:56 am
Posts: 383
Location: CDC EOC
It finally happened. Websense finally decided to block The Glade. I'll still be checking from home, but my frequency will be down a lot until I come up with an alternative way to browse and post.


Gorse

_________________
Gorse


PostPosted: Tue Mar 30, 2010 7:41 am 
Site Admin

Joined: Mon Jun 01, 2009 7:54 am
Posts: 2369
Doh. Sorry to hear that Gorse.

_________________
“Strong people are harder to kill than weak people, and more useful in general”. - Mark Rippetoe


PostPosted: Tue Mar 30, 2010 8:01 am 

Joined: Thu Sep 03, 2009 7:41 pm
Posts: 676
Location: Just Outside West Palm Beach, Fl.
Sorry Gorse


PostPosted: Tue Mar 30, 2010 8:26 am 
Home of the Whopper

Joined: Thu Sep 03, 2009 8:51 am
Posts: 6098
Bummer dude.
Hope you find that alternate way soon! Mobile device perhaps?

_________________
"Therefore do not worry about tomorrow, for tomorrow will worry about itself. Each day has enough trouble of its own." Jesus of Nazareth


PostPosted: Tue Mar 30, 2010 9:40 am 

Joined: Sun Sep 20, 2009 5:31 pm
Posts: 1532
Yeah, for sure. Get a nice cellphone =D

_________________
Ron Paul 2012


PostPosted: Tue Mar 30, 2010 9:45 am 
Deuce Master

Joined: Thu Sep 03, 2009 9:45 am
Posts: 3099
www.hidemyass.com

_________________
The Dude abides.


PostPosted: Tue Mar 30, 2010 1:03 pm 
Mountain Man

Joined: Thu Sep 10, 2009 4:15 pm
Posts: 3374
Screeling wrote:
http://www.hidemyass.com

Um, yeah, that doesn't work behind a Websense firewall here. I'm busted!

_________________
This cold and dark tormented hell
Is all I'll ever know
So when you get to heaven
May the devil be the judge


PostPosted: Tue Mar 30, 2010 3:36 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
1. Get shell account on *nix system running Squid
2. Use SSH to tunnel through to the Squid server
3. ???
4. Profit!

Seriously, I have no idea how I would survive without my various shell accounts. So very, very useful.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


PostPosted: Tue Mar 30, 2010 3:45 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Ooh, this is slick:

If you happen to have the ever-popular Linksys WRT-54Gxxx line of wireless router at home, you can install the DD-WRT firmware and set it up to run SSH. Then all you need at work is PuTTY to create your own little private socks proxy:

http://jstrassburg.blogspot.com/2006/01/howto-tunneling-http-over-ssh-with-dd.html

Edit:
Also, it's a good idea to do this with Firefox and set network.proxy.socks_remote_dns to true in about:config. This will prevent your browser from leaking DNS queries over the local network instead of forwarding them through the tunnel.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


PostPosted: Tue Mar 30, 2010 4:21 pm 
Bull Moose

Joined: Wed Sep 02, 2009 7:36 pm
Posts: 7507
Location: Last Western Stop of the Pony Express
Where I work, installing unauthorized software on your machine sends an alert to IT and they come up and reformat your machine, quickly. No, I don't know how they detect that, something about a quick scan of the directory on network hook-up compared to what you are authorized to have. I haven't been subject to the process. I learned from others making the mistake and getting written up and losing their laptops (traveling staff).

One of the (non offender) guys doesn't even take the work laptop into the field anymore, he takes his own, downloads any work he does to a thumb-drive and uploads to his work laptop before he comes in.

_________________
The U. S. Constitution doesn't guarantee happiness, only the pursuit of it. You have to catch up with it yourself. B. Franklin

"A mind needs books like a sword needs a whetstone." -- Tyrion Lannister, A Game of Thrones


PostPosted: Tue Mar 30, 2010 4:23 pm 
I got nothin.

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
Micheal wrote:
One of the (non offender) guys doesn't even take the work laptop into the field anymore, he takes his own, downloads any work he does to a thumb-drive and uploads to his work laptop before he comes in.


Yeah... that's a good use of resources.

**** IT people.

_________________
Holy shitsnacks!


PostPosted: Tue Mar 30, 2010 5:06 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
The beauty of all this is that PuTTY is a stand-alone app that requires no installation. In fact, if you grab the PuTTY portable version, you can run the whole thing off a USB drive (or whatever) and never even touch the host system's registry or filesystem. What's more, you can pair it with Firefox Portable or the portable version of Iron (basically just Google Chrome) and keep everything on your thumb drive for good measure.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


PostPosted: Tue Mar 30, 2010 7:09 pm 

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Sorry to hear about this Gorse...

Stathol wrote:
Ooh, this is slick:

If you happen to have the ever-popular Linksys WRT-54Gxxx line of wireless router at home, you can install the DD-WRT firmware and set it up to run SSH. Then all you need at work is PuTTY to create your own little private socks proxy:

http://jstrassburg.blogspot.com/2006/01/howto-tunneling-http-over-ssh-with-dd.html

Edit:
Also, it's a good idea to do this with Firefox and set network.proxy.socks_remote_dns to true in about:config. This will prevent your browser from leaking DNS queries over the local network instead of forwarding them through the tunnel.


Couple of things...

1.) If they are bothering to run websense, I would imagine they are only allowing SSH by exception.

2.) Bypassing corporate security policies can get you in more trouble than the browsing itself.


PostPosted: Tue Mar 30, 2010 7:33 pm 
Mountain Man

Joined: Thu Sep 10, 2009 4:15 pm
Posts: 3374
Given that I work in IT and supposedly know my way around this stuff, I could probably do it safely. Not quite worth the effort, though. I'll just go through withdrawal if/when they cut me off. They're actually pretty genial about browsing and whatever use we put our laptops to.

As far as Micheal's work goes, that's a different beast entirely - State of CA. They have to see that my taxpayer dollars are put to good use, you know. I know a lot of places that maintain very strict control over the desktop - had a new employee come over from one of those places lately, and after ordering some software for him, he left it on my desk for me to install on his machine. I did it, but after a few minutes, he asked, "Could I have just done this myself?" Yup.

Wait, Gorse - Did they also cut you off of FunTrivia? That could be catastrophic!

_________________
This cold and dark tormented hell
Is all I'll ever know
So when you get to heaven
May the devil be the judge


PostPosted: Tue Mar 30, 2010 8:27 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Midgen wrote:
Couple of things...

1.) If they are bothering to run websense, I would imagine they are only allowing SSH by exception.

2.) Bypassing corporate security policies can get you in more trouble than the browsing itself.


1.) Probably not, actually.

Websense itself uses SSH for administration, and as far as I know, its default policy does not block SSH. As well, the default deployment for websense (even the "Web Security Gateway" version) appears to be a proxy/firewall-on-a-stick topology rather than a true gateway. In so many words, it's at the mercy of 3rd-party enforcement to force users to actually use it (ex. group policy + internet explorer), and/or a 3rd-party firewall to prevent users from accessing the internet directly.

In most environments, there's a pretty good chance that no one went out of their way to block SSH. Not least of all, SSH is very handy administration tool used frequently by IT staff to access (for instance) company mail or web servers that are located outside of the LAN. Few of them go through the hassle of blocking SSH and then carving out exceptions for individual IT workstations, especially where it is difficult or impossible to predict the IP addresses that will need SSH access (ex. because of a shared DHCP pool for the whole office).

In any case, most firewalls don't do really deep packet inspection. They usually only examine the protocol, port number (where applicable) and source/dest address. Even if the default port for SSH is blocked, you can probably find a TCP port that isn't. For instance, port 53 for DNS is frequently a free-for-all. If you set up your SSH server to listen on one of these ports, most firewalls can't tell the difference between an SSH session on port 53 and a DNS query on port 53.

2.) I'm just offering information. What you do with it is your business. Weigh the risks yourself, etc., etc. But FWIW, most corporate networks are really not that interested in putting up more than a token barrier to thwart the average cubicle-dweller.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


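The post above argues that a port-only firewall cannot tell an SSH session on tcp/53 from a DNS query on tcp/53. The distinction is easy to make on the wire, because the first payload bytes of each protocol look nothing alike, and this is exactly the check a payload-aware IDS performs. The following is an added example from the editor, not code from the thread or from Websense: it identifies the application protocol from the first payload bytes of a TCP flow and flags flows whose observed protocol does not match what the destination port implies. The flow records, the port table and the `Flow` class are constructed for the demonstration.

```python
# Added example: flag TCP flows whose first payload bytes do not match the
# protocol normally carried on the destination port (e.g. SSH on tcp/53).
# Everything below (port table, Flow type, sample flows) is constructed.

from dataclasses import dataclass
from typing import List, Dict

# Assumption: this small table of well-known TCP ports is enough here.
EXPECTED_BY_PORT = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload segment seen on the flow, either direction


def identify_protocol(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a TCP payload."""
    # SSH: both sides open with an identification string "SSH-<version>-..."
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 0x16 (handshake), major version 3
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    # HTTP/1.x: request line starts with a method or a status line
    first_token = payload.split(b" ", 1)[0]
    if first_token in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                       b"HTTP/1.1", b"HTTP/1.0"):
        return "http"
    # DNS over TCP: 2-byte length prefix, then a message with a 12-byte header.
    # For a single-message segment the prefix equals the remaining length.
    if len(payload) >= 14:
        length = int.from_bytes(payload[:2], "big")
        if length >= 12 and length == len(payload) - 2:
            return "dns"
    return "unknown"


def audit_flows(flows: List[Flow]) -> List[Dict]:
    """Return one alert per flow whose payload protocol contradicts its port."""
    alerts = []
    for f in flows:
        expected = EXPECTED_BY_PORT.get(f.dport)
        observed = identify_protocol(f.first_bytes)
        # Only raise on a positive contradiction; unknown payloads are not alerts.
        if expected and observed != "unknown" and observed != expected:
            alerts.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                           "expected": expected, "observed": observed})
    return alerts


# Constructed DNS query over TCP: length prefix 33, header (id, flags, counts),
# then the question www.example.com A IN.
DNS_QUERY = (b"\x00\x21" + b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01")

# Constructed sample flows; the first one is SSH hiding on the DNS port.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.9", 53, b"SSH-2.0-OpenSSH_5.3\r\n"),
    Flow("10.0.0.5", "198.51.100.9", 53, DNS_QUERY),
    Flow("10.0.0.7", "203.0.113.4", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    Flow("10.0.0.9", "192.0.2.20", 22, b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    Flow("10.0.0.9", "192.0.2.20", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS):
        print("protocol/port mismatch:", alert)
```

Run as-is, the script reports a single mismatch: the flow to port 53 whose first bytes are an SSH banner. Unknown payloads deliberately do not alert, so an egress monitor built on this idea only fires on a positive contradiction rather than on every unrecognised protocol.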
PostPosted: Wed Mar 31, 2010 6:20 am 
Home of the Whopper

Joined: Thu Sep 03, 2009 8:51 am
Posts: 6098
No Gorse response? Not even posting from home now? :(

_________________
"Therefore do not worry about tomorrow, for tomorrow will worry about itself. Each day has enough trouble of its own." Jesus of Nazareth


PostPosted: Wed Mar 31, 2010 12:48 pm 

Joined: Fri Sep 04, 2009 11:58 am
Posts: 1596
Once upon a time, a young engineer with a large aerospace firm had an MMO addiction. Wanting to play at work (on break time only, of course) he installed a certain game on his work computer. Unfortunately, the required ports were blocked by the corporate firewall. He was not very well versed in the ways of routing, firewalling and connecting, but he was plucky. He found some approved software on the corporate server that allowed vendors access to the corporate system and discovered that it allowed him access out of the system.

For a while he was pleased until that program was phased out and the network gods used some new voodoo that he couldn't overcome. The young engineer had become a sad panda.

One day while not playing online games at work, his phone rang. He had an epiphany, and was once again a happy gamer. Over the years, the plucky young engineer became family supporting middle-age engineer and no longer is willing to jeopardize his career over stupid games. However, he still appreciates that sometime old tech can overcome the barriers put forth by the newer and shinier, as long as one is willing to slow down a bit and take some extra time.

EPILOGUE

VoIP would have made the engineer sad again...if he still cared.


PostPosted: Thu Apr 08, 2010 7:26 am 
of course

Joined: Thu Sep 03, 2009 6:56 am
Posts: 383
Location: CDC EOC
Aethien wrote:
Wait, Gorse - Did they also cut you off of FunTrivia? That could be catastrophic!



Yes, FunTrivia too (and pretty much every site I frequent, except for EQTraders, but I have not even been hitting it much lately, so meh). I've been trying to play (FunTrivia) from home some, but it's been hit or miss (and mostly miss).


As for games at work, I have no desire to lose the job and as these are government PCs with tons of software monitoring, safety and security features, I have no desire to attempt to test to bypass. Yeah, sometime I might buy some sort of cellular with web-access, but doing so just so I can hit The Glade while at work would be a hard sell to the wife.


P.S. Yes I'm posting during work hours, but that is because I'm not at work today (took a few days off while my daughter has spring break off so we can do things as a family).

_________________
Gorse


PostPosted: Thu Apr 08, 2010 7:34 am 
pbp Hack

Joined: Wed Sep 02, 2009 8:45 pm
Posts: 7585
I use mine for so much more than hitting the glade at work

_________________
I prefer to think of them as "Fighting evil in another dimension"


PostPosted: Thu Apr 08, 2010 3:36 pm 
The King

Joined: Thu Sep 03, 2009 8:34 am
Posts: 3219
In other news, I can now access the glade at work as before it was blocked. No more typing from my iphone. Much better.

_________________
"It is true that democracy undermines freedom when voters believe they can live off of others' productivity, when they modify the commandment: 'Thou shalt not steal, except by majority vote.' The politics of plunder is no doubt destructive of both morality and the division of labor."


PostPosted: Fri Apr 09, 2010 11:00 am 

Joined: Sat Sep 05, 2009 2:40 am
Posts: 3188
Websense is interesting. It doesn't sit inline, which is its biggest flaw. When you send data to the glade, your PC actually receives the web page. It's just that Websense spams your computer with TCP resets and hopes that the resets hit your machine before the actual data is returned. Your browser sees the resets, and so assumes the data doesn't ever arrive.

But it does.

If someone ever wrote a program that could take that data that still hits their PC and compile it into a usable format, it would put websense out of business. They have no way of stopping that data from reaching your machine.

_________________
Les Zombis et les Loups-Garous!


PostPosted: Wed Apr 14, 2010 9:22 am 

Joined: Fri Sep 04, 2009 7:40 am
Posts: 4281
Müs wrote:
Micheal wrote:
One of the (non offender) guys doesn't even take the work laptop into the field anymore, he takes his own, downloads any work he does to a thumb-drive and uploads to his work laptop before he comes in.


Yeah... that's a good use of resources.

**** IT people.


As an IT person, I will respond with:

**** Users.

I let the people that know what they're doing do it, and I lock down those stupid assholes who think it's ok to install every idiotic app and kids game on their system, then have the audacity to be pissed off when "OMG MY LAPTOP DON'T WORK NOW I NEED IT FOR WORK WHY CAN'T IT DO ANYTHING RIGHT"

**** Users.


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 14, 2010 3:19 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Numbuk wrote:
When you send data to the glade, your PC actually receives the web page. It's just that Websense spams your computer with TCP resets and hopes that the resets hit your machine before the actual data is returned. Your browser sees the resets, and so assumes the data doesn't ever arrive.

But it does.

Actually, this isn't quite the case. For FTP, HTTP, and HTTPS, Websense acts as a simple in-line proxy server. When it encounters something it doesn't like, it simply refuses to proxy it, offering up its Websense error page in place. The data never reaches the proxy client's network interface unless the client is in the same Ethernet collision domain as the Websense server (i.e. connected by a non-switching hub/repeater).

With respect to other protocols (ex. IRC), Websense does use TCP RST forging in a "sideline" configuration to kill the connection rather than acting as an in-line SOCKS5 proxy. This is the same trick used by Comcast to kill its users' BitTorrent sessions. Detecting a forged TCP reset is not exactly trivial unless you're on the same Ethernet broadcast domain as the Websense server, and thus can differentiate between forged TCP resets coming from Websense vs. *real* TCP resets coming in via the network's gateway. If you aren't in the same Ethernet broadcast domain as Websense, you can still use the IP packet's TTL value to make an intelligent guess about forgeries. Forged resets from a nearby Websense server will have a larger TTL than non-forged resets from a distant internet host. However, this is merely heuristic.

In any case, detection is rather moot. Websense forges the TCP RST in both directions. Once the sender is squelched by Websense, it doesn't matter if you continue to listen for data past the forged RST.

Numbuk wrote:
Websense is interesting. It doesn't sit inline, which is its biggest flaw.

Topologically speaking, this is still correct:

Code:
[gateway]-------[non-switching hub]-------[switch]------[PC]
                         |                   |
                         |                   |
                    [WebSense]              [PC]

WebSense operates in promiscuous mode, rather than being in-line with the gateway. WebSense itself can't really do anything to prevent a PC from initiating a non-proxied FTP/HTTP(S) session directly with a remote host. To enforce the use of WebSense as a proxy server, you generally have two options:

1) rely on a client-side "governor" of some kind on the PC (ex. Group Policy can enforce the use of a proxy for IE, but that won't help with non-IE browsers)

2) Place a firewall directly in front of/behind the gateway which can drop web traffic not originating from the WebSense server. Something like:

Code:
[gateway]------[firewall]-------[non-switching hub]-------[switch]------[PC]
                                        |                   |
                                        |                   |
                                   [WebSense]              [PC]


There's an amusing DoS attack on WebSense that exploits its TCP forgery behavior, but I'll leave that as an exercise for the reader. :twisted:

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


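The post above describes the TTL heuristic for telling an injected TCP RST from a genuine one: a reset forged by a box a few hops away arrives with a noticeably different IP TTL than segments that have travelled the full path from the remote host. The following is an added example from the editor, not code from the thread or from Websense, showing how a packet-capture analyst would apply that heuristic after the fact. It generalizes the post slightly by flagging any RST whose TTL falls outside the band observed on the flow's ordinary data segments, in either direction, since a forged reset can have a smaller TTL as well when the injector sets an unusual initial value. The `Packet` record, the tolerance constant and the sample capture are constructed.

```python
# Added example: heuristic detection of injected TCP RST segments by comparing
# each RST's IP TTL with the TTLs seen on ordinary (non-RST) segments from the
# same remote host on the same flow. All records below are constructed.

from dataclasses import dataclass
from typing import List, Set

# Assumption: a stable route varies by at most this many hops between segments.
TTL_TOLERANCE = 1


@dataclass
class Packet:
    index: int   # position in the capture, used to name flagged segments
    src: str     # IP source address
    dst: str     # IP destination address
    ttl: int     # IP TTL as received
    rst: bool    # TCP RST flag set


def ttl_baseline(packets: List[Packet], remote: str) -> Set[int]:
    """TTL values seen on non-RST segments that genuinely came from `remote`."""
    return {p.ttl for p in packets if p.src == remote and not p.rst}


def suspicious_resets(packets: List[Packet], remote: str,
                      tolerance: int = TTL_TOLERANCE) -> List[int]:
    """Indexes of RST segments claiming to be from `remote` whose TTL is
    outside the band established by that host's data segments.

    With no baseline (a flow that only ever received a RST) nothing can be
    judged, so nothing is flagged; the heuristic is explicitly inconclusive.
    """
    base = ttl_baseline(packets, remote)
    if not base:
        return []
    flagged = []
    for p in packets:
        if p.src != remote or not p.rst:
            continue
        # A genuine RST traverses the same path as the data, so its TTL should
        # sit within `tolerance` of at least one observed baseline value.
        if all(abs(p.ttl - b) > tolerance for b in base):
            flagged.append(p.index)
    return flagged


# Constructed capture of one flow between a workstation and an internet host.
# The remote host's data segments arrive with TTL 51-52 (a long path); the
# segment at index 5 is a reset that arrived with TTL 63, consistent with an
# injector only one hop away, while index 7 is a reset matching the real path.
LOCAL, REMOTE = "10.0.0.5", "203.0.113.10"
SAMPLE_CAPTURE = [
    Packet(0, LOCAL, REMOTE, 128, False),
    Packet(1, REMOTE, LOCAL, 52, False),
    Packet(2, LOCAL, REMOTE, 128, False),
    Packet(3, REMOTE, LOCAL, 52, False),
    Packet(4, REMOTE, LOCAL, 51, False),
    Packet(5, REMOTE, LOCAL, 63, True),    # injected reset (constructed)
    Packet(6, LOCAL, REMOTE, 128, True),   # local stack answering, ignored
    Packet(7, REMOTE, LOCAL, 52, True),    # genuine reset from the real path
]

if __name__ == "__main__":
    print("baseline TTLs from remote:", sorted(ttl_baseline(SAMPLE_CAPTURE, REMOTE)))
    print("suspicious RST indexes:", suspicious_resets(SAMPLE_CAPTURE, REMOTE))
```

Only resets attributed to the remote host are judged, because the local stack's own resets never traverse the path and carry the local initial TTL. As the post says, this is a heuristic: a route change, a load balancer with a different initial TTL, or an injector that copies the victim's TTL will all defeat it, which is why the function returns nothing rather than guessing when it has no baseline.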
PostPosted: Wed Apr 14, 2010 8:30 pm 
Grrr... Eat your oatmeal!!

Joined: Wed Sep 02, 2009 11:07 pm
Posts: 5073
Darkroland wrote:
As an IT person, I will respond with:

**** Users.

I let the people that know what they're doing do it, and I lock down those stupid assholes who think it's ok to install every idiotic app and kids game on their system, then have the audacity to be pissed off when "OMG MY LAPTOP DON'T WORK NOW I NEED IT FOR WORK WHY CAN'T IT DO ANYTHING RIGHT"

**** Users.


At our work this is not the case. Mus and I work in Telecom, there are tools we are required to have. But the morons in OUR MIS group have him locked down so tight he cannot even install the needed software. They have been told about this by the Operations Director, as well as the manager of the specific department which Mus is in and they just sit there with their thumbs up their arses.

And it is only new people they are doing this to. Those of us who have been here for a few years are not under the same restrictions. But I personally am not above calling them at **** hours saying "Hey; I need to load this piece of monitoring software from our switch vendor, so I can have the access to the xxx switch to perform maintenance.. you want to come install it for me?"

_________________
Darksiege
Traveller, Calé, Whisperer
Lead me not into temptation; for I know a shortcut


PostPosted: Sat Apr 17, 2010 10:02 am 

Joined: Fri Sep 04, 2009 7:40 am
Posts: 4281
darksiege wrote:
At our work this is not the case. Mus and I work in Telecom, there are tools we are required to have. But the morons in OUR MIS group have him locked down so tight he cannot even install the needed software. They have been told about this by the Operations Director, as well as the manager of the specific department which Mus is in and they just sit there with their thumbs up their arses.

And it is only new people they are doing this to. Those of us who have been here for a few years are not under the same restrictions. But I personally am not above calling them at **** hours saying "Hey; I need to load this piece of monitoring software from our switch vendor, so I can have the access to the xxx switch to perform maintenance.. you want to come install it for me?"


Oh I agree, security is a double edged sword, I was just posting from the other viewpoint. In general, the more freedom people are given, the more they do to screw it up. (present company excepted) :)

I'm sure if they get enough calls at those hours asking for software, they'll do something about it. Like package it and have it available for you guys to install with a click, like I do.

