08-05-2010, 03:52 PM  #21
Had an idea!
You could call it a specific request. There is a little bit more involved though, in terms of how I'm associated with them.
The sheer number of websites being accessed each day is staggering, so starting a blacklist or whitelist, even if only for SSL, if that is possible, would be a huge headache.
I realize that we're never going to be able to block all objectionable content, so we're just looking at ways to block programs like Tor that create bottlenecks because they send all their data over SSL.

08-05-2010, 04:02 PM  #22
Franchise Player
Join Date: Aug 2005
Location: Calgary
Remove admin rights from everyone.
Install a web filter device to block anything not company related - devices come with premade white and black lists so the monitoring goes down considerably. Yes, it's a lot of work at the beginning, but you have to start somewhere.
If you are on a Windows domain, modify your login script to remove all instances of the software.
Send an email out to all users advising of an updated IT policy. Don't mention onion routers specifically, but make sure it's in the document.
Add admin rights on a case by case basis and get HR to fire anyone who installs an onion router on their computer, as it's a violation of the corporate IT policy.
__________________
MYK - Supports Arizona to democratically pass laws for the state of Arizona
Rudy was the only hope in 08
2011 Election: Cons 40% - Nanos 38% Ekos 34%

08-05-2010, 04:31 PM  #23
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
It's not a company situation, mykalberta; look down a few more posts.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

08-05-2010, 04:52 PM  #24
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Quote:
Originally Posted by Azure
The sheer number of websites being accessed each day is staggering, so starting a blacklist or whitelist, even if only for SSL, if that is possible, would be a huge headache.
Well, a blacklist wouldn't be too bad if you could find a decent source for the info. I haven't been able to find anything, though.
Quote:
Originally Posted by Azure
I realize that we're never going to be able to block all objectionable content, so we're just looking at ways to block programs like Tor that create bottlenecks because they send all their data over SSL.

The SSL packets themselves shouldn't be creating any kind of bottleneck that I can think of. SSL puts a load on a server when that server has to actually decrypt it (like on the web server); otherwise it's just a normal packet as far as a router or whatever is concerned, isn't it?
If the Tor users are setting up the app as a server though that will generate extra bandwidth, though Tor usually tries to be pretty light in that respect, only 20KB/s by default I think (though they can crank that up).
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

08-05-2010, 05:07 PM  #26
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
I'm curious, what kind of objectionable content are we talking about here? If possible, a complete and fully detailed list.
Are we talking about people downloading music/movies? Or more morally objectionable content? I'm curious from a sociological point of view of how these communities are dealing with modernity.
What filters do you already have in place? Are they resorting to these methods to get around them?

08-05-2010, 06:35 PM  #27
Had an idea!
Quote:
Originally Posted by Hack&Lube
I'm curious, what kind of objectionable content are we talking about here? If possible, a complete and fully detailed list.
Are we talking about people downloading music/movies? Or more morally objectionable content? I'm curious from a sociological point of view of how these communities are dealing with modernity.
What filters do you already have in place? Are they resorting to these methods to get around them?
Again, I'm not sure what is actually being accessed using Tor. Could be anything. Could be some paranoid guy who thinks he has to use onion routers to encrypt everything he does on the internet because big brother is out to get him.
The filter in place is the iPrism from St. Bernard. I do also think that they use the Sonicwall content filter, although each community has their own Sonicwall, and would control it themselves.
Oh, if you have other questions I'd be happy to answer them over PM. Don't really want to drive this thread more off-topic.

08-05-2010, 06:38 PM  #28
Had an idea!
Quote:
Originally Posted by photon
The SSL packets themselves shouldn't be creating any kind of bottleneck that I can think of. SSL puts a load on a server when that server has to actually decrypt it (like on the web server); otherwise it's just a normal packet as far as a router or whatever is concerned, isn't it?
If the Tor users are setting up the app as a server though that will generate extra bandwidth, though Tor usually tries to be pretty light in that respect, only 20KB/s by default I think (though they can crank that up).
Well that is my question too. I was told the onion routers are causing bottlenecks in the network because of something involved with SSL.
I would assume it has something to do with everything being decrypted? I'm not sure.
It definitely has something to do with SSL. I'll have to find out more. Reason I say that is because during the Grey Cup, Olympics, when a lot of people were watching online events and using bandwidth, the hardware in place had no problem designating priority bandwidth to VOIP or IPTV, which ran flawlessly during that time.
Of course none of those things were over SSL.

08-05-2010, 08:38 PM  #29
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Quote:
Originally Posted by Azure
Well that is my question too. I was told the onion routers are causing bottlenecks in the network because of something involved with SSL.
I would assume it has something to do with everything being decrypted? I'm not sure.
It definitely has something to do with SSL. I'll have to find out more. Reason I say that is because during the Grey Cup, Olympics, when a lot of people were watching online events and using bandwidth, the hardware in place had no problem designating priority bandwidth to VOIP or IPTV, which ran flawlessly during that time.
Of course none of those things were over SSL.
The routers can't decrypt the packets though; that's the whole point of the encryption: the only ones that can decrypt it are the browser and the web server.
It could be that the SSL packets aren't being shaped because they don't know what they are and they're leaving port 443 at a high priority, but that'd be a choice, because I'm sure they could push the priority of the encrypted packets down even if they can't be decrypted. Might slow down online banking too, but that's probably low enough usage that it'd be a fair enough tradeoff to ensure the entire network doesn't deteriorate.
But yeah need more info, and I'm not a network guy either so I could be completely off track.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

08-05-2010, 08:59 PM  #30
#1 Goaltender
I wonder if this would be a solution - since Tor is essentially a proxy, what would happen if ALL web traffic had to utilize a proxy at the ISP to access the web?
Since a browser can only use one proxy, would this effectively kill Tor? I haven’t looked into the client design enough - perhaps Tor clients know to relay requests to upstream proxies.
Edit: nope, not a solution: https://trac.torproject.org/projects...PorSOCKSproxy.
Edit #2:
I think the approach you need to begin with, and that would demonstrate due diligence to your customer, is to block access to the Tor Directory Servers. These are the authoritative servers that the Tor client uses to find available Tor routers. If the client can’t fetch this list, it can’t connect.
Presumably, a hard core user could manually obtain the list from a mirror site, however, blocking access to the directory servers is a good first step. You could also build a script that would access these same directory servers and retrieve the list, and update your blocks for the actual Tor routers too. Schedule that to run hourly, and you’re going to be moving just as quickly to stamp out Tor activity as users will be able to find new Tor routers.
An important thing to keep in mind is that you don’t have to achieve a 100% technically airtight solution - if you can effectively block all of Tor every hour or so, via a combination of directory server and known Tor router IPs, you’ll make using Tor painful enough that people will find another approach.
And then the game starts again, but that’s another story...
__________________
-Scott
Last edited by sclitheroe; 08-05-2010 at 09:19 PM.
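As an added example (not sclitheroe's or anyone else's code from this thread), here is a small Python script for the hourly job described above: it parses the relay lines of a Tor network-status consensus (the list the directory servers hand out), extracts the IP/port pairs a client would connect to, and diffs them against the previous run so only rules that actually changed are touched. The consensus snippet, nicknames, fingerprints and addresses are constructed for the example, and the "deny ip port" output is a generic placeholder for whatever syntax the filter appliance accepts.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of a Tor network-status consensus. Each "r" line is:
# r <nickname> <identity> <digest> <published date> <time> <IP> <ORPort> <DirPort>
# Nicknames, fingerprints and addresses here are made up; they are not real relays.
SAMPLE_CONSENSUS = """\
network-status-version 3
r alpha AAoQ1DAR6kkoo19hBAX5K0QztNw Pfq1S3q1ABCD1234abcd5678EFGH 2010-08-05 20:00:00 198.51.100.10 9001 9030
s Fast Guard Running Stable Valid
r beta BBpR2EBS7llpp20iCBY6L1R0uOx Qgr2T4r2BCDE2345bcde6789FGHI 2010-08-05 20:05:00 203.0.113.25 443 0
s Exit Fast Running Valid
r gamma CCqS3FCT8mmqq31jDCZ7M2S1vPy Rhs3U5s3CDEF3456cdef7890GHIJ 2010-08-05 20:07:00 192.0.2.77 9001 80
s Running Valid
"""

# nickname, identity, digest, date, time, then the three fields we care about
R_LINE = re.compile(r"^r \S+ \S+ \S+ \S+ \S+ (\S+) (\d+) (\d+)$")


def relay_endpoints(consensus_text):
    """Return the set of (ip, port) pairs a Tor client would connect to.

    The ORPort is always included; the DirPort is included when non-zero,
    since clients can fetch directory material from relays on that port too.
    Lines that are not well-formed "r" lines are ignored.
    """
    endpoints = set()
    for line in consensus_text.splitlines():
        m = R_LINE.match(line)
        if not m:
            continue
        ip, orport, dirport = m.groups()
        ip_address(ip)  # raise on a malformed address rather than emit a bad rule
        endpoints.add((ip, int(orport)))
        if int(dirport) != 0:
            endpoints.add((ip, int(dirport)))
    return endpoints


def rule_delta(previous, current):
    """Return (to_add, to_remove) so a scheduled run only changes what moved."""
    return current - previous, previous - current


def format_rules(endpoints):
    """Render endpoints as placeholder 'deny ip port' lines in a stable order."""
    ordered = sorted(endpoints, key=lambda e: (ip_address(e[0]), e[1]))
    return [f"deny {ip} {port}" for ip, port in ordered]


if __name__ == "__main__":
    current = relay_endpoints(SAMPLE_CONSENSUS)
    to_add, to_remove = rule_delta({("203.0.113.25", 443)}, current)  # last run knew one relay
    print("\n".join(format_rules(to_add)))
```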

08-05-2010, 09:28 PM  #31
Had an idea!
I am going to recommend blocking access to the Tor Directory Servers, and to start blocking ports that may be in any way associated with Tor.
Also going to recommend like you said blocking and constantly updating the actual Tor routers.
Even if that doesn't solve the problem, which it won't, if I can help make it a headache on the technical side for someone to use Tor, I'm one step further ahead.
One step in a ladder that I'm never going to be able to climb.
I'll try to get further information on why using Tor and such services creates a problem at the gateway level. Pretty sure I understood correctly that it was.
A while back there was an article in Linux Magazine that talked about a Proxy server basically killing services like HSS and Tor. I'll have to dig that up again.
Lots of good information here. Thanks for the replies so far!

08-05-2010, 09:34 PM  #32
Had an idea!
Quote:
Originally Posted by photon
The routers can't decrypt the packets though; that's the whole point of the encryption: the only ones that can decrypt it are the browser and the web server.
It could be that the SSL packets aren't being shaped because they don't know what they are and they're leaving port 443 at a high priority, but that'd be a choice, because I'm sure they could push the priority of the encrypted packets down even if they can't be decrypted. Might slow down online banking too, but that's probably low enough usage that it'd be a fair enough tradeoff to ensure the entire network doesn't deteriorate.
But yeah need more info, and I'm not a network guy either so I could be completely off track.
Like I said I'll have to ask for more information. But it could be that because the SSL packets weren't being shaped, numerous people using onion routers were using up bandwidth that they couldn't restrict.
I would assume you CAN buy an appliance that will shape SSL traffic though.
Tor might only run at 20KB/s, but if you have numerous DIFFERENT people using it, or HSS, or FreeVPN, or any other similar service, it all adds up.

08-05-2010, 09:43 PM  #33
#1 Goaltender
Keep us posted, it’s an interesting thread for sure.
__________________
-Scott

08-05-2010, 09:54 PM  #34
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
Quote:
Originally Posted by Azure
Like I said I'll have to ask for more information. But it could be that because the SSL packets weren't being shaped, numerous people using onion routers were using up bandwidth that they couldn't restrict.
I would assume you CAN buy an appliance that will shape SSL traffic though.
Tor might only run at 20KB/s, but if you have numerous DIFFERENT people using it, or HSS, or FreeVPN, or any other similar service, it all adds up.
Arbor-Ellacoya e30
I have heard (I think on dslreports.com) that this is what Shaw uses (used?) to shape traffic in area where the infrastructure is not sufficient to guarantee enough bandwidth for phones. If there is anything that can shape SSL traffic it might be a good place to start looking.
There is also a more robust e100 model, but I have no idea how it differs.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

08-05-2010, 10:51 PM  #35
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Quote:
Originally Posted by Azure
I would assume you CAN buy an appliance that will shape SSL traffic though.
I'd assume the one already purchased would be able to too, but that's just an assumption too.
The proxy idea is interesting, though it has its own set of wrinkles to maintain, I think I've read, besides needing a box robust enough to run the proxy on.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

08-06-2010, 02:29 AM  #36
First Line Centre
Join Date: Aug 2009
Location: Coquitlam, BC
Quote:
Originally Posted by Azure
It definitely has something to do with SSL. I'll have to find out more. Reason I say that is because during the Grey Cup, Olympics, when a lot of people were watching online events and using bandwidth, the hardware in place had no problem designating priority bandwidth to VOIP or IPTV, which ran flawlessly during that time.
Of course none of those things were over SSL.
Do you have access to the Sonicwalls to inspect the configuration?
Our company uses Sonicwalls too, and in some of our locations we reserve a percentage of bandwidth for our core business services using the built-in "Ethernet BWM" settings in the Firewall -> Access Rules. When our users misbehave and start streaming World Cup soccer, our registers still function normally, similar to your experience with VOIP and IPTV.
Now it's an assumption that your Sonicwalls are configured to prioritize bandwidth in the same way, but I guess my point here is I can relate a theoretical example of how VOIP and IPTV could work flawlessly during peak usage times, and therefore don't see how this points to SSL or Tor as culprits.

08-06-2010, 02:50 AM  #37
First Line Centre
Join Date: Aug 2009
Location: Coquitlam, BC
Quote:
Originally Posted by Azure
I would assume you CAN buy an appliance that will shape SSL traffic though.
The Sonicwalls can probably do it, but probably in a more rudimentary fashion than an appliance dedicated to the task. They also might need to have Enhanced OS instead of Standard OS.
Just theory, but in the Sonicwalls firewall access rules (LAN -> WAN zone, or VPN -> WAN zone, depending on your setup) you could create a new rule to allow https traffic. It's already allowed, of course, but by creating a new rule for just https you can then play around with it and not affect anything else.
And then, on the Ethernet BWM tab of the rule, reserve 0% bandwidth for https BUT change the Bandwidth Priority setting to "7 lowest".
If that has the desired effect, then later you could add yet another https rule of higher priority that "whitelists" known online banking sites.
Like I said, just a theory since I've never attempted it myself.
EDIT: You won't get pretty charts like on the Arbor device though, and if money is no object...
Last edited by BloodFetish; 08-06-2010 at 02:55 AM.

08-06-2010, 02:52 AM  #38
First Line Centre
Join Date: Aug 2009
Location: Coquitlam, BC
Quote:
Originally Posted by photon
I'd assume the one already purchased would be able to too, but that's just an assumption too.
The proxy idea is interesting, though it has its own set of wrinkles to maintain, I think I've read, besides needing a box robust enough to run the proxy on.
Plus it would introduce another point of failure for the entire network.

08-06-2010, 11:12 AM  #39
#1 Goaltender
Quote:
Originally Posted by BloodFetish
Plus it would introduce another point of failure for the entire network.
Not if done properly - money was not a constraint for this problem.
__________________
-Scott

08-06-2010, 03:15 PM  #40
Had an idea!
Quote:
Originally Posted by sclitheroe
Not if done properly - money was not a constraint for this problem.
Peak connection of the network is 150 Mbps. Too much for a proxy server? Or what kind of hardware would I be looking at?
I'm going to go find the Linux Magazine article on proxy servers right now.