A challenge..

[pyrre]

I just received a challenge from my It manager.

At my work we have client computers located behind a firewall and an iron gate server.
The computers do not have admin accounts local. All is managed by active directory.
And certain websites are blocked at request from management.

The servers are intelligent enough to identify any http traffic outside the ordinary. Like http tunnel traffic.

However, my challenge.

Set up a HTTP tunnel server at home.
and run the traffic via the https protocol and encrypt it.

The purpose of this is to be able to browse any website i want.
And of course, the challenge of  braking through the irongate.

can this be done?

[whabang]

Of course it can be done. Set up a server that fetches web pages and then passes them on over an encrypted connection, scrambling the names of pages and files in the process. Obviously, this could still be detected if someone detected unusual amounts of encrypted traffic to one specific server.

[Franko]

Sounds more like your boss was getting some unpaid work from you and you fell for it...

[Kesa]

All this effort just to download some porn at work... :rolleyes:

[Zac67]

Exactly where is the challenge in that?

[pyrre]

@ all

No it is not for porn. i do that at home
And my boss has nothing to do with it. at all...
it is just me and the it management.
The IT dude meant it could not be done. the irongate would scan the datastream and detect http tunneling and discard the traffic.

I claimd if i did it over https and encrypted the stream it would not detect it. and would not discard the transmissions...
I have no clue to how to do it. which is why i asked...

[Zac67]

He should be looking out for a new job...

As long as HTTP connections are not completely blocked or 'whitelist only' you can certainly circumvent ANYTHING. Those irongates are smart but not omniscient.

You could obfuscate the real URL you're querying into some wild session-id like number and put the response into, say a GIF image. Locally (behind the irongate) you'd run a rather simple proxy that obfuscates the URLs and extracts the responses from the GIFs. At home you'd have a proxy doing exactly the opposite. All the irongate would be seeing is you retrieving GIF images from some server.

If the irongate allows for HTTPS then everything is VERY simple: set up a standard HTTP proxy with an SSL listening port and connect to that. Done.

[pyrre]

He should be looking out for a new job...

As long as HTTP connections are not completely blocked or 'whitelist only' you can certainly circumvent ANYTHING. Those irongates are smart but not omniscient.

You could obfuscate the real URL you're querying into some wild session-id like number and put the response into, say a GIF image. Locally (behind the irongate) you'd run a rather simple proxy that obfuscates the URLs and extracts the responses from the GIFs. At home you'd have a proxy doing exactly the opposite. All the irongate would be seeing is you retrieving GIF images from some server.

If the irongate allows for HTTPS then everything is VERY simple: set up a standard HTTP proxy with an SSL listening port and connect to that. Done.

There is only one problem:
You have to use the internal proxy. If you change any proxy settings, the irongate blocks all of your traffic, even Lan activity.
You can only mask any traffic within the http(s) protocol.

[Zac67]

No problem - just change the internal proxy (your tunneling proxy) to use the IG proxy for connecting out. It'll haul the data without knowing what it's about.

[odin]

Setup SSH tunneling to your home server running a webproxy for port 80 or 443 or whatever port is allowed to go outside your company's network?