IT Question - bypass web blocking
Moderators: nickj, Lady of Mystery, Mandrake, bananafish, support
19 posts
• Page 2 of 2 • 1, 2
by TargetZero » Jan 30th, '09, 16:06
Thank You Organi
The Co. I work for seems to be blocking all websites - can't even get on the Lottery page - I could be a multi millionaire but don't even know it!
I managed to view Youtube one afternoon in work only because they were upgrading the network - I'm missing on on some great viewing!!
Regards
TZ
- TargetZero
- Preferred Member
- Posts: 246
- Joined: Jan 31st, '07, 22:37
- Location: Bristol / South Wales (36:AH)
by aporia » Feb 4th, '09, 11:50
I guess the question that you are really asking is how to circumvent the logical controls without getting caught? Assuming that you are not senior enough in your company to be able to absorb your peccadillo you need to be able to do this in such a way that you either bypass any protective monitoring or can claim plausible deniability.
Most companies will have a computer usage policy which will specifically bar you from circumventing their controls and will state what you may and what you may not do. If they do challenge you under these you might be get some wriggle room if they do not have HR policies that support them. For instance, many companies will ban Internet (adult, legal) pornography but won't bar art books or The Sun newspaper (please don't flame me about the ethics of porn, it's only an example). But if you really want to bypass these controls then it's possible.
As has been mentioned, the block is at your company's network perimeter. Many companies will proxy Internet traffic through a DMZ using Microsoft ISA or a UN*X equivalent which means that you don't have direct access to the Internet. You can check this by using nslookup and trying to telnet through port 80. Assuming that they do have a proxy then they will either have a static black list of sites (they could have a white list but unlikely) or they will use a third party product like Websense. If they do use Websense then you may find that not only is the site blocked but also the Google cache is blocked too.
Your best bet is to use an anonymising proxy. Unfortunately, Websense can be configured to block proxy avoidance websites which means both those sites that you go to find information about proxy avoidance as well as the proxy sites (like Anonymouse). Morover, you need to consider if you trust any third party with your browser history or any credentials that you submit over the service. Do bear in mind that all your browsing could be monitored by your company's IT department. Many of the anonymising proxies put the true destination in the URL so you need to bear that in mind if you do find a proxy on the Internet that isn't blocked. There are also companies that will sell you anonymising proxy services. A simple Google search will throw up a plethora of free sites (like NCCW) and paid-for services. Some of the paid for services run via SSL, so until your company deploys SSL termination devices at the network edge you could go for that.
You do still have to bear in mind that you could get sacked for this, so you don't really want to have to argue your case. Far better to find a non-authenticating proxy at work or an anonymous wireless connection. If you have wireless then you can change your MAC address (or use a specific WNIC so that you can't be tracked easily).
Or, the best thing (IMHO) is to build your own. You say you don't have Internet access at home, but if you did or if you were to pay a hosting company that can give you a server on the Internet (you can get these for about £20pa) you could run an SSH server and then enable port forwarding on SSH. Set your SSH server to listen on port 443, run RDP over 443 onto your SSH box and then you can have a remote desktop that you access straight through your corporate firewall. You can browse whaterver you like then (providing your proxy doesn't specifically look for SSH, but if it does you can use OpenSSH, change the headers and recompile but now we are getting silly). The only thing the audit logs will show is SSL traffic to your proxy which won't flag alerts. Just make sure your colleagues don't grass you.
Or as a final solution you could buy a cheap internet device / micro laptop and get a PAYG 3 broadband modem. £10 per month for 1Gb. You can get whatever dodgy content you want. 3 do not mandate any identity proof with their PAYG packages and provided you pay in cash you are reasonably protected.
Bear in mind the computer misuse act which is a strict liability offence: "A person is guilty of an offence if— (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case."
I look forward to reading about you in The Register.
Most companies will have a computer usage policy which will specifically bar you from circumventing their controls and will state what you may and what you may not do. If they do challenge you under these you might be get some wriggle room if they do not have HR policies that support them. For instance, many companies will ban Internet (adult, legal) pornography but won't bar art books or The Sun newspaper (please don't flame me about the ethics of porn, it's only an example). But if you really want to bypass these controls then it's possible.
As has been mentioned, the block is at your company's network perimeter. Many companies will proxy Internet traffic through a DMZ using Microsoft ISA or a UN*X equivalent which means that you don't have direct access to the Internet. You can check this by using nslookup and trying to telnet through port 80. Assuming that they do have a proxy then they will either have a static black list of sites (they could have a white list but unlikely) or they will use a third party product like Websense. If they do use Websense then you may find that not only is the site blocked but also the Google cache is blocked too.
Your best bet is to use an anonymising proxy. Unfortunately, Websense can be configured to block proxy avoidance websites which means both those sites that you go to find information about proxy avoidance as well as the proxy sites (like Anonymouse). Morover, you need to consider if you trust any third party with your browser history or any credentials that you submit over the service. Do bear in mind that all your browsing could be monitored by your company's IT department. Many of the anonymising proxies put the true destination in the URL so you need to bear that in mind if you do find a proxy on the Internet that isn't blocked. There are also companies that will sell you anonymising proxy services. A simple Google search will throw up a plethora of free sites (like NCCW) and paid-for services. Some of the paid for services run via SSL, so until your company deploys SSL termination devices at the network edge you could go for that.
You do still have to bear in mind that you could get sacked for this, so you don't really want to have to argue your case. Far better to find a non-authenticating proxy at work or an anonymous wireless connection. If you have wireless then you can change your MAC address (or use a specific WNIC so that you can't be tracked easily).
Or, the best thing (IMHO) is to build your own. You say you don't have Internet access at home, but if you did or if you were to pay a hosting company that can give you a server on the Internet (you can get these for about £20pa) you could run an SSH server and then enable port forwarding on SSH. Set your SSH server to listen on port 443, run RDP over 443 onto your SSH box and then you can have a remote desktop that you access straight through your corporate firewall. You can browse whaterver you like then (providing your proxy doesn't specifically look for SSH, but if it does you can use OpenSSH, change the headers and recompile but now we are getting silly). The only thing the audit logs will show is SSL traffic to your proxy which won't flag alerts. Just make sure your colleagues don't grass you.
Or as a final solution you could buy a cheap internet device / micro laptop and get a PAYG 3 broadband modem. £10 per month for 1Gb. You can get whatever dodgy content you want. 3 do not mandate any identity proof with their PAYG packages and provided you pay in cash you are reasonably protected.
Bear in mind the computer misuse act which is a strict liability offence: "A person is guilty of an offence if— (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case."
I look forward to reading about you in The Register.
- aporia
- Senior Member
- Posts: 529
- Joined: Jan 15th, '06, 00:16
- Location: OETKB:SS
by TargetZero » Feb 4th, '09, 16:00
Aporia - thanks for the feedback / advice
Think I will go with the new lap top and dongle wotsitthingymajig
I only want to look at some Magic / Hypnotism on Youtube and nothing porno.
If I want to look at T*** and A***S during the day I only have to look over the partition in my orifice. Sorry, office.
Think I will go with the new lap top and dongle wotsitthingymajig
I only want to look at some Magic / Hypnotism on Youtube and nothing porno.
If I want to look at T*** and A***S during the day I only have to look over the partition in my orifice. Sorry, office.
- TargetZero
- Preferred Member
- Posts: 246
- Joined: Jan 31st, '07, 22:37
- Location: Bristol / South Wales (36:AH)
by Dominic Rougier » Feb 4th, '09, 16:18
PM-d you, as I think there's a fair-to-middling chance I'm one of the people blocking your internet access...
Your reality, sir, is lies and balderdash, and I'm delighted to say that I have no grasp of it whatsoever.
-
Dominic Rougier - Senior Member
- Posts: 531
- Joined: Nov 17th, '08, 12:02
- Location: Bristol, UK
19 posts
• Page 2 of 2 • 1, 2
Who is online
Users browsing this forum: No registered users and 0 guests
