What can an IT admin see on a network?

Permabanned
Joined
26 Oct 2004
Posts
7,540
Location
Isle of Wight
People say IRC, MSN etc. are blocked, however, at several companies I've used IRC and MSN as a resource for information (I have many people "in the know" available on IRC and MSN) as well as a method of chatting/socialising. I've always done it with PuTTY's SSL proxy feature, with SSH running on 443, which is nearly impossible to block without killing all SSL sites (I say nearly, as some proxy software can deny the "CONNECT" command, however, it's rarely done).
 
Caporegime
Joined
21 Nov 2005
Posts
40,424
Location
Cornwall
I am just curious as to whether it lists, say, the OcUK forums as 1 link or does it list every page I go to, with every URL stated?
If they use anything like the hardware we use they'll be able to see everything.

It'll give them your username, your IP, the sites you visited as well as any scripts that were run and pictures/other sites that are linked to, any words that you typed in to search engines or links that you click on and what time you visited each site.

Basically, depending on the hardware and software they use, anything and everything could be logged. OcUK certainly wouldn't appear as one link, it would appear as multiple entries even if you just visited the homepage.
 
Man of Honour
Joined
30 Jun 2005
Posts
9,515
Location
London Town!
People say IRC, MSN etc. are blocked, however, at several companies I've used IRC and MSN as a resource for information (I have many people "in the know" available on IRC and MSN) as well as a method of chatting/socialising. I've always done it with PuTTY's SSL proxy feature, with SSH running on 443, which is nearly impossible to block without killing all SSL sites (I say nearly, as some proxy software can deny the "CONNECT" command, however, it's rarely done).

Actually it's pretty easy to do with any modern deep inspection firewall (that'll be any decent firewall then).
 
Associate
Joined
13 May 2007
Posts
1,832
Location
Lancashire, UK
People say IRC, MSN etc. are blocked, however, at several companies I've used IRC and MSN as a resource for information (I have many people "in the know" available on IRC and MSN) as well as a method of chatting/socialising. I've always done it with PuTTY's SSL proxy feature, with SSH running on 443, which is nearly impossible to block without killing all SSL sites (I say nearly, as some proxy software can deny the "CONNECT" command, however, it's rarely done).

I REALLY wouldn't advise anyone to do this. If your company has an internet policy that states that chat clients are going to be blocked, then you will get in a lot of trouble by getting around it. At the end of the day, it's the company's internet connection; if they want you to spend your time chatting then they will let you. By getting around it you could possibly be breaking your contract and I have seen a couple of people get sacked when they thought they were being smart like this.

I admit it is a PITA when companies block stuff when you can legitimately use it for work, but that's their decision whilst they are paying you, not yours.
 
Permabanned
Joined
9 Aug 2008
Posts
35,707
I REALLY wouldn't advise anyone to do this. If your company has an internet policy that states that chat clients are going to be blocked, then you will get in a lot of trouble by getting around it. At the end of the day, it's the company's internet connection; if they want you to spend your time chatting then they will let you. By getting around it you could possibly be breaking your contract and I have seen a couple of people get sacked when they thought they were being smart like this.

I admit it is a PITA when companies block stuff when you can legitimately use it for work, but that's their decision whilst they are paying you, not yours.

100% back you up on this one. Whatever a company says goes. You break the rules, disciplinary action may be taken.
 
Soldato
Joined
18 Oct 2002
Posts
2,714
Can you explain how they do this on an SSL connection?

Actually it's stupidly simple and many products do it off the box. The SSL from your client is terminated on the firewall and the firewall establishes a connection to the SSL site directly and proxies the traffic. You can even get around certificate errors by setting up a CA of your own and importing that root cert into your desktops (many products will also function as a limited CA to do this).

I have even heard of people using SSL blades on one side of a network and then sending the unencrypted HTTP traffic through content filtering, proxies, firewalls etc. before another SSL card on the other side of the network sends the request back out encrypted to the internet. Never assume that SSL is safe when you don't have total control of either the desktop or network you are using.

About the only secure ways to get stuff out if you so wish would be SSH, so long as you check the SSH keystring to ensure you are talking to the SSH server you think you are talking to (again it would be theoretically possible to proxy it), or an IPsec VPN. Both of which are unlikely to be open on most networks.

As for the level of sophistication of logs, it really depends on the systems deployed. It's more than possible to log every URL requested and have a fairly good idea with most modern dynamic webpages how long the site was open for. There are a number of products such as Websense which categorise websites that will give a rough idea to anyone looking what you have been spending your time looking at without someone trawling through every site you have visited. There are a number of systems that can report back on unusual traffic, large amounts of traffic etc. etc. It really depends on your company, but most places, so long as your work isn't affected, and your browsing isn't causing other problems such as over utilization or downloading viruses, then it's unlikely people are going to check too deeply.
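
The host-key check mentioned in the post above, as an added example that is not part of the original thread: it computes the SHA256 fingerprint in the form OpenSSH prints and compares it with a value pinned out of band, so an intermediary presenting its own key is detected. The key bytes are constructed sample data and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct


def make_key_line(key_bytes, comment="constructed"):
    """Build an OpenSSH-format ed25519 public key line from 32 raw bytes (sample data only)."""
    parts = (b"ssh-ed25519", key_bytes)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(key_line):
    """Return 'SHA256:' + unpadded base64 of SHA-256 over the decoded key blob."""
    declared_type, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed key type; it must agree with
    # the type declared in front of the base64 text.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != declared_type:
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pin(presented_line, pinned_fp):
    """True only if the presented host key hashes to the pinned fingerprint."""
    return hmac.compare_digest(fingerprint(presented_line), pinned_fp)


if __name__ == "__main__":
    genuine = make_key_line(bytes(range(32)))   # constructed "real server" key
    proxied = make_key_line(bytes(32))          # constructed key of an intermediary
    pin = fingerprint(genuine)                  # recorded over a trusted channel
    print(pin)
    print("genuine server:", matches_pin(genuine, pin))
    print("intermediary  :", matches_pin(proxied, pin))
```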
 
Soldato
Joined
28 Oct 2002
Posts
5,011
Location
Port Toilet
Read your staff handbook, it should explain everything there. The company I currently work for has a fairly relaxed approach. Basically, I can't read your e-mails covertly without express permission from a managing partner. However, if I suspect something business affecting going on, I can as long as I document everything.

Sooner rather than later, the documentation will be changed to "we own the E-mail system, so we can access it when we like".

As for web browsing, it's left up to the web proxy as to which sites to allow and we have a nice report generated giving us the top ten users.

I could set it up so that I can focus on a particular user if they come to my attention and set up monitoring to see how many blocked sites a user has tried to access or whatever, but people here are generally well behaved.

As for MSN et al, you can't even set up a proxy back to your home PC here. There is one PC that sits on the DMZ for downloading patches/large files, even the IT machines don't have full internet access.
 
Soldato
Joined
31 Dec 2005
Posts
11,179
Location
Glasgow
How can they say "you were surfing all day surfer and did no work"?

If all I did was leave the window open... I'll have about 8 windows open, maybe half or 3/4 are work-related, others are OcUK, BBC etc.
 
Soldato
Joined
18 Oct 2002
Posts
8,016
Because they'll look at how often you loaded pages - opening one page in the morning and you're OK - do 20 page-loads in a minute browsing OcUK and yeah, it's pretty obvious you're just browsing whilst not doing anything else ;)
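
An added example (not from the thread or from any product named in it) of how the per-user view described in the posts above comes out of proxy logs: one page view produces several entries, and counting only HTML documents per minute separates an idle window from 20 page loads in a minute. The log format, users, addresses and function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta


def build_sample():
    """Constructed log lines: timestamp user client_ip method url content_type."""
    lines = []
    t = datetime(2008, 10, 3, 9, 0, 1)
    # alice opens one forum page in the morning and leaves the window open.
    for path, ctype in [("index.php", "text/html"), ("style.css", "text/css"),
                        ("logo.png", "image/png"), ("menu.js", "application/javascript")]:
        lines.append(f"{t.isoformat()} alice 10.0.0.5 GET http://forums.example/{path} {ctype}")
    # bob clicks through 20 threads inside one minute after lunch.
    t = datetime(2008, 10, 3, 13, 0, 0)
    for i in range(20):
        stamp = (t + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{stamp} bob 10.0.0.9 GET http://forums.example/thread.php?t={i} text/html")
        lines.append(f"{stamp} bob 10.0.0.9 GET http://forums.example/avatar{i}.png image/png")
    return lines


def parse(line):
    ts, user, ip, method, url, ctype = line.split(" ", 5)
    return {"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "method": method, "url": url, "ctype": ctype}


def summarise(lines):
    """Return (raw entries per user, page loads per (user, minute))."""
    raw, pages = Counter(), Counter()
    for rec in map(parse, lines):
        raw[rec["user"]] += 1
        # Only HTML documents count as a page load; images, CSS and scripts
        # are the extra entries that a single page view generates.
        if rec["ctype"].startswith("text/html"):
            minute = rec["time"].replace(second=0, microsecond=0)
            pages[(rec["user"], minute)] += 1
    return raw, pages


def active_browsing(lines, threshold=20):
    """Users with at least `threshold` page loads inside a single minute."""
    _, pages = summarise(lines)
    return sorted({user for (user, _), n in pages.items() if n >= threshold})


if __name__ == "__main__":
    raw, pages = summarise(build_sample())
    print("raw entries:", dict(raw))
    print("flagged:", active_browsing(build_sample()))
```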
 
Associate
Joined
3 Oct 2008
Posts
1,890
Location
South London
Can try tunneling out over SSH or something to an external proxy (easily set up at home for just browsing). If your IT admins aren't as smart as me then they'll only be looking at the common ports, i.e. 80, 8080, 443. :) Failing that you could tunnel out RDP to your home PC the same way and browse from there.
 
Man of Honour
Joined
30 Jun 2005
Posts
9,515
Location
London Town!
Can try tunneling out over SSH or something to an external proxy (easily set up at home for just browsing). If your IT admins aren't as smart as me then they'll only be looking at the common ports, i.e. 80, 8080, 443. :) Failing that you could tunnel out RDP to your home PC the same way and browse from there.

Failing that you could actually do what they're paying you for...
 

DRZ

Soldato
Joined
2 Jun 2003
Posts
7,419
Location
In the top 1%
There is only one way through a L7 filter unmolested (that I know of) but the traffic profile will be unbelievable and will be noticed immediately, although they won't have a damn clue what is going on :p
 

TrX

Associate
Joined
25 Jan 2008
Posts
405
Location
Manchester
There is only one way through a L7 filter unmolested (that I know of) but the traffic profile will be unbelievable and will be noticed immediately, although they won't have a damn clue what is going on :p

...Especially if you also VPN inside that specific method.

BigRedShark has a point though, you should probably save your newly gained 'leet tunneling skillz' for random nameless coffee and fast food outlets.

//TrX's (questionably) epic one line comeback. [Edit, b******s, now it's two]
 