Markus
2016-02-01 08:56:03 UTC
I've got a Squid server (v. 3.5.x) configured that way, that only some
"banking sites" are allowed to be tunneled (spliced) - the rest of SSL
sites are bumped.
That works OK. I thought that it prevents me from illegal
tunneling-out by users. However recently I've realized that TeamViewer
is still able to establish connection over my Squid.
Moreover user's PC are totally blocked on my firewall - they only have
access to the web via Squid-proxy (their browsers are proxy aware).
Of course I can block out teamviewer.com domain by ACL - and that
works. But I'm wondering if there is any way to prevent such
tunnel-connection in future. (I mean another - mainly malicious
software)
I've captured some details using Etherreal and it looks like
Teamviewer app does a normal http GET request to the TeamViewer's ASP
script
http://master13.teamviewer.com/din.aspx?s=00000000&id=0&client=DynGate&rnd=144452645&p=10000001
TeamViewer's server response is an application/octet-stream , but it
contains an ID which is presumably used later in client's POST
request.
See: Loading Image...
(screenshot from Ethereal) and
TCP the stream http://dev.3d.pl/tmp/teamv.txt
My question is - does the TeamViewer tunnel traffic differ in any way
from normal http binary content transmission (eg. youtube or radio
streaming) ?
Can we somehow detect that this kind of transmission is probably a
tunnel traffic?
Sorry if my post is a bit chaotic, but I'm kinda confused now , how it works.
Please note - I'm not talking only about TeamViewer itself but in
general about HTTP-tunneled traffic. Maybe an ICAP server could be
useful here? but how do I know what to look for? (how should
ACLs/rules look like)
or you want to tell me, that the only possible way is continuous
observation what's new "on market" and adding new rules?
many thanks for explanation!
Markus
"banking sites" are allowed to be tunneled (spliced) - the rest of SSL
sites are bumped.
That works OK. I thought that it prevents me from illegal
tunneling-out by users. However recently I've realized that TeamViewer
is still able to establish connection over my Squid.
Moreover user's PC are totally blocked on my firewall - they only have
access to the web via Squid-proxy (their browsers are proxy aware).
Of course I can block out teamviewer.com domain by ACL - and that
works. But I'm wondering if there is any way to prevent such
tunnel-connection in future. (I mean another - mainly malicious
software)
I've captured some details using Etherreal and it looks like
Teamviewer app does a normal http GET request to the TeamViewer's ASP
script
http://master13.teamviewer.com/din.aspx?s=00000000&id=0&client=DynGate&rnd=144452645&p=10000001
TeamViewer's server response is an application/octet-stream , but it
contains an ID which is presumably used later in client's POST
request.
See: Loading Image...
(screenshot from Ethereal) andTCP the stream http://dev.3d.pl/tmp/teamv.txt
My question is - does the TeamViewer tunnel traffic differ in any way
from normal http binary content transmission (eg. youtube or radio
streaming) ?
Can we somehow detect that this kind of transmission is probably a
tunnel traffic?
Sorry if my post is a bit chaotic, but I'm kinda confused now , how it works.
Please note - I'm not talking only about TeamViewer itself but in
general about HTTP-tunneled traffic. Maybe an ICAP server could be
useful here? but how do I know what to look for? (how should
ACLs/rules look like)
or you want to tell me, that the only possible way is continuous
observation what's new "on market" and adding new rules?
many thanks for explanation!
Markus