Author Topic: I need to be able to tunnel to home computer for web at work  (Read 2016 times)

Brian Williams

  • friend
  • Member
  • ***
  • Posts: 183
  • I want one of these
I need to be able to tunnel to home computer for web at work
« on: April 05, 2007, 04:10:07 AM »
I need to set up something on my home computer so I can get around the vpn/web blocker/tracker at work, just so I can hit my computer and run the web from there.
I hate the tracker they have on me at work and I want to be able to hit THR and here along with email while at work without tracking.

I have websense blocker and an ATT hardware tunnel that I go thru.
Any help would be great.
I run verizon DSL at home.
Brian
<><
:)

Manedwolf

  • friend
  • Senior Member
  • ***
  • Posts: 14,516
Re: I need to be able to tunnel to home computer for web at work
« Reply #1 on: April 05, 2007, 04:13:59 AM »
You probably don't need that for just the web. Use firefox and get the TOR package, plus the on/off extension. Or get TORpark, a version of the browser with it fully integrated.

It's a secure proxy, bypasses firewalls entirely.

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: I need to be able to tunnel to home computer for web at work
« Reply #2 on: April 05, 2007, 04:25:03 AM »
Honestly, if they've got most kinds of VPN and tunneling blocked too, unless your employer's firewall administrator is incompetent, or you're a small company, (or a cheap one) where it's an outside consultant who only comes in when there's a problem, they'll see pretty much any scheme you try. (many web security filters know about TorPark and block it...)

There might be something "new" out there that they won't find, but I doubt it. And if you do find the new technique, they'll catch on eventually as it gets published in trade rags etc. And in most companies, you're in a lot more trouble for trying to subvert the firewall than you are for too much surfing. We had people using PC Anywhere and other VPN/Tunneling solutions for legitimate purposes without permission and they almost got fired anyway.

If you're close to a window, or your building is thin enough that you've got cell signal at your desk, your best bet is to figure out how to use a public wireless broadband provider and surf on that. You might just want to go with a PDA or small tablet PC, since switching network connections and making sure your web data goes on your private wireless connection is tricky.
I promise not to duck.

Gewehr98

  • friend
  • Senior Member
  • ***
  • Posts: 11,010
  • Yee-haa!
    • Neural Misfires (Blog)
Re: I need to be able to tunnel to home computer for web at work
« Reply #3 on: April 05, 2007, 10:12:36 AM »
Ditto.  If they're monitoring user activity at work, they'll see everything that goes in and out of the building, and whichever ports the packets went through.

I run WallWatcher at home here, and it logs the IP address of every incoming and outgoing connection seen by my LinkSys router. That's a freeware program, not even industrial strength.

Is your job worth it?

(Not trying to be coy - the agency I retired from was just as tight on their unclassified network, I couldn't even use some search engines, they were blocked...)
"Bother", said Pooh, as he chambered another round...

http://neuralmisfires.blogspot.com

"Never squat with your spurs on!"

TarpleyG

  • friend
  • Senior Member
  • ***
  • Posts: 1,001
Re: I need to be able to tunnel to home computer for web at work
« Reply #4 on: April 05, 2007, 11:13:39 AM »
Everything below is intended for someone with somewhat advanced knowledge of the Windows OS and home router config.  I am NOT responsible if you screw something up.  All you are doing here is changing the port that RDP listens to to a port that is very common.  When a session is established, no one can see what you are doing and all they see is telnet "traffic".  Someone may ask you why you have a bunch of telnet traffic but they cannot see anything else.

>Right-click MY COMPUTER, go to properties and go to the REMOTE tab.
>Check "Allow users to connect remotely" box.
>Click the SELECT REMOTE USERS button and make sure whatever account you use to log on with has access already or grant it.
>Set up your home computer to use port 23 for RDP ( http://support.microsoft.com/kb/306759 ) - this port number is very common (telnet) and likely not blocked.
>Make sure your firewall/modem/router/whatever directs/allows port 23 traffic to your computer.
>Make sure you either have a static IP at home (usually costs extra) or you load some sort of dynamic IP software to point to so that it looks static.  DYNIP is good ( http://www.dynip.com/ )
>From work, go to START>RUN and type in MSTSC.EXE (assuming you have XP).  This will launch RDP (Remote Desktop Protocol).
>Type in your IP address and :23 (like this 67.71.223.244:23) and click OK.
>When prompted, enter the credentials necessary to log on to your home computer and VOILA!

Greg

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: I need to be able to tunnel to home computer for web at work
« Reply #5 on: April 05, 2007, 11:27:45 AM »
That might work, but again, it's not quite that simple. You'd still need a firewall admin who's overworked (i.e. has to watch tons of other non firewall stuff like servers etc.), incompetent, or offsite, and only admins the firewalls when there's a break/fix or maintenance issue.

Many traffic analysis packages IMMEDIATELY flag data types mismatched to the common uses of a particular port. RDP on port 23 fits the bill. An RDP connection will also generally generate way more data than a text-only telnet connection ought to, another red flag.

If you have access to another workstation besides your own (and another login besides your own too) I'd try it there for a few weeks first. If your work has a small I.T. dept. like one guy does everything, and he's more server than LAN/WAN oriented etc. you might get away with it. A large professional I.T. dept. I give you a week, maybe a month tops.
I promise not to duck.

Gewehr98

  • friend
  • Senior Member
  • ***
  • Posts: 11,010
  • Yee-haa!
    • Neural Misfires (Blog)
Re: I need to be able to tunnel to home computer for web at work
« Reply #6 on: April 05, 2007, 12:02:33 PM »
If as firewall admin I saw an unusual rise in telnet traffic, I'd be on it like stink on ****, myself.  Same if I recognized it as an RDP connection.

It looks like they're paying the admins at Brian's workplace to keep a tight lid on things.  I'd have to assume they didn't just fall off the turnip wagon.  :-\
"Bother", said Pooh, as he chambered another round...

http://neuralmisfires.blogspot.com

"Never squat with your spurs on!"

Manedwolf

  • friend
  • Senior Member
  • ***
  • Posts: 14,516
Re: I need to be able to tunnel to home computer for web at work
« Reply #7 on: April 05, 2007, 12:26:33 PM »
Quote
If as firewall admin I saw an unusual rise in telnet traffic, I'd be on it like stink on ****, myself.  Same if I recognized it as an RDP connection.

It looks like they're paying the admins at Brian's workplace to keep a tight lid on things.  I'd have to assume they didn't just fall off the turnip wagon.  :-\

I SSH out through port 443. Should be indistinguishable from https unless they're really looking hard, and security isn't that tight here.
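
The port/protocol mismatch and traffic-volume checks described in Reply #5, applied also to the SSH-on-443 case from Reply #7, written as monitoring-side detection logic. This is an added example, not part of any post in the thread; the policy table, the byte threshold and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed policy table: protocol a monitor expects on each destination port.
EXPECTED = {22: "ssh", 23: "telnet", 443: "tls", 3389: "rdp"}
# Assumed ceiling for a text-only interactive telnet session (tune per site).
TELNET_MAX_BYTES = 512 * 1024


@dataclass
class Flow:
    dst_port: int
    first_payload: bytes  # first client-to-server bytes of the TCP stream
    total_bytes: int      # bytes moved over the life of the flow


def identify(payload: bytes) -> str:
    """Best-effort protocol guess from well-known leading bytes."""
    if payload.startswith(b"SSH-"):
        return "ssh"      # SSH identification string (RFC 4253)
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"      # TLS handshake record header
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"      # TPKT header + X.224 Connection Request
    if payload[:1] == b"\xff":
        return "telnet"   # telnet IAC option negotiation
    return "unknown"


def findings(flow: Flow) -> list:
    """Return the reasons, if any, this flow deserves an analyst's attention."""
    out = []
    expected = EXPECTED.get(flow.dst_port)
    seen = identify(flow.first_payload)
    # Only flag a positive identification; "unknown" alone is too noisy.
    if expected and seen not in ("unknown", expected):
        out.append(f"protocol-mismatch: {seen} on port {flow.dst_port}, expected {expected}")
    if flow.dst_port == 23 and flow.total_bytes > TELNET_MAX_BYTES:
        out.append(f"volume: {flow.total_bytes} bytes on a telnet port")
    return out


# Constructed sample flows (not captured traffic).
SAMPLES = {
    "rdp-on-23": Flow(23, b"\x03\x00\x00\x13\x0e\xe0" + b"\x00" * 13, 40_000_000),
    "ssh-on-443": Flow(443, b"SSH-2.0-OpenSSH_4.6\r\n", 90_000),
    "https": Flow(443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b", 250_000),
    "telnet": Flow(23, b"\xff\xfb\x18\xff\xfb\x1f", 4_000),
}

if __name__ == "__main__":
    for name, flow in SAMPLES.items():
        print(name, findings(flow) or "ok")
```

Both checks need only the first payload bytes and a byte counter per flow, which is why an encrypted session on a borrowed port still stands out before any content is inspected.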

Thor

  • friend
  • Senior Member
  • ***
  • Posts: 1,230
  • US Navy (retired)
Re: I need to be able to tunnel to home computer for web at work
« Reply #8 on: April 05, 2007, 01:39:30 PM »
I dunno, I'd think subverting the company's firewall would not be a good thing.
" a sword never kills anybody; it's a tool in the killer's hand." - Lucius Annaeus

for Military, Vets, & Supporters, check out:
USMILNET

Conservative Discussion Forum


Sindawe

  • friend
  • Senior Member
  • ***
  • Posts: 2,938
  • Vashneesht
Re: I need to be able to tunnel to home computer for web at work
« Reply #9 on: April 05, 2007, 01:55:34 PM »
Quote
I dunno, I'd think subverting the company's firewall would not be a good thing.

It's not.  It tends to make us Admins cranky, and meddling in their affairs is akin to what is said about meddling in the affairs of Wizards.

Where I currently work, we don't have ANY policy on browsing and the like.  Head boss don't want to be bothered by it so we don't inspect any outbound traffic, only inbound traffic and not even that overly much.  When I did discover one of the users surfing "questionable" sites at work, I just informed him that I could see where he was going and he might want to reconsider his habits.

Other places are not so forgiving as I am.  I know one guy who had similar habits, IT caught it and said "We know somebody is doing this.  It needs to stop.  If you have a problem, we will work with you and get you help since we value our employees."  He did not stop, got caught and trashed a promising career in BioTech.  Last I heard he was cutting fish and meat in a grocery store.  Far cry from cutting edge biopharmaceutical production.
I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; if I find them too obnoxious, I break them. I am free because I know that I alone am morally responsible for everything I do.

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: I need to be able to tunnel to home computer for web at work
« Reply #10 on: April 05, 2007, 02:27:29 PM »
I generally tend to agree with those sentiments, as you can see above, I've said most everything to show why the odds are stacked against Brian.

However, he's an adult, presumably knows the risks, and I don't judge.

I work in I.T. although not on the network. At my place of employment, the clique of "cool kids" has access to the test proxy that doesn't keep any logs.  ::)

Sauce for the goose and all that.
I promise not to duck.

TarpleyG

  • friend
  • Senior Member
  • ***
  • Posts: 1,001
Re: I need to be able to tunnel to home computer for web at work
« Reply #11 on: April 05, 2007, 05:12:12 PM »
Quote
That might work, but again, it's not quite that simple. You'd still need a firewall admin who's overworked (i.e. has to watch tons of other non firewall stuff like servers etc.), incompetent, or offsite, and only admins the firewalls when there's a break/fix or maintenance issue.

Many traffic analysis packages IMMEDIATELY flag data types mismatched to the common uses of a particular port. RDP on port 23 fits the bill. An RDP connection will also generally generate way more data than a text-only telnet connection ought to, another red flag.

If you have access to another workstation besides your own (and another login besides your own too) I'd try it there for a few weeks first. If your work has a small I.T. dept. like one guy does everything, and he's more server than LAN/WAN oriented etc. you might get away with it. A large professional I.T. dept. I give you a week, maybe a month tops.

No, it does work but somebody will ask questions just like our Info Sec guy asked me.  I just told him the truth and he didn't care.  Not saying Brian's guys will be that cool.  Chances are they'll never even know unless he's at a company that is anal about this sort of thing.

Greg

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: I need to be able to tunnel to home computer for web at work
« Reply #12 on: April 05, 2007, 05:37:03 PM »
Yes, I agree, it all depends on the size/professionalism of his I.T. dept. Generally speaking, if your employer is large enough to require SOX compliance (all the Info-Sec auditing required by Fed. law post-Enron/Tyco/WorldCom), that raises the bar quite a bit.

I should have been clearer, I meant "might work" in the "will not get caught" sense. I know that would work in the technical sense.

I promise not to duck.

TarpleyG

  • friend
  • Senior Member
  • ***
  • Posts: 1,001
Re: I need to be able to tunnel to home computer for web at work
« Reply #13 on: April 06, 2007, 03:42:32 AM »
Understood.  BTW, I work for a pretty large company and worked for a large company before that and neither one of them had an issue with it.  Then again, I was the security manager at my previous job and I am in the same office now with our Info Sec guys.  Might help if you're in IT.

Greg

Perd Hapley

  • Superstar of the Internet
  • friend
  • Senior Member
  • ***
  • Posts: 61,429
  • My prepositions are on/in
Re: I need to be able to tunnel to home computer for web at work
« Reply #14 on: April 06, 2007, 05:20:24 AM »

"Doggies are angel babies!" -- my wife

mtnbkr

  • friend
  • Senior Member
  • ***
  • Posts: 15,388
Re: I need to be able to tunnel to home computer for web at work
« Reply #15 on: April 06, 2007, 05:30:34 AM »
Is that tunneling device AES256 encrypted and FIPS 140-2 certified? :D

Chris

RevDisk

  • friend
  • Senior Member
  • ***
  • Posts: 12,633
    • RevDisk.net
Re: I need to be able to tunnel to home computer for web at work
« Reply #16 on: April 06, 2007, 05:35:01 AM »
Quote
I need to set up something on my home computer so I can get around the vpn/web blocker/tracker at work, just so I can hit my computer and run the web from there.
I hate the tracker they have on me at work and I want to be able to hit THR and here along with email while at work without tracking.

I have websense blocker and an ATT hardware tunnel that I go thru.
Any help would be great.
I run verizon DSL at home.

First off, is port 3389 open at work?  If you're going from work to home, the outbound port may be open.   If you're not the network admin (which I'm guessing not), you could ask them if it's allowed or not.  If so, they may (or may not) open up a non-standard outbound port for your use. 

Thing is, an RDP connection sticks out like a sore thumb.  Unless your admins are too busy to keep an eye on their monitoring software, it'll get noticed.  Even if you piped it through something like a TS gateway.  Go legit.

At work, we're behind many many IDS's, firewalls, and proxies.  For our normal network.  We have a customer network, however.  Dual T1's with rarely anyone using them.  Open as can be.  So I just put in two RJ-45 jacks in my office.  O:-)
"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

BrokenPaw

  • friends
  • Senior Member
  • ***
  • Posts: 1,674
  • Sedit qvi timvit ne non svccederet.
    • ShadowGrove Interpath Ministry
Re: I need to be able to tunnel to home computer for web at work
« Reply #17 on: April 06, 2007, 07:11:17 AM »
For informational purposes only, I will mention that the way I'd surf anonymously through a firewall (were I to do such a dastardly thing) is this:  I would set up a secure-shell server on my home machine, and a secure-shell client (such as PuTTY, if you're on a Windows machine, or ssh if you're on Linux), and forward your local machine's port 3128 through the ssh connection to your home machine's port 3128.  You can, as someone pointed out, make your home SSH server listen on port 443 if you can't get out on port 22.  Then, on your home box, run squid (a caching web proxy).  Then, set your web browser to use a proxy, with the IP address 127.0.0.1, port 3128.  You're done.

When you try to hit a web site (any website) your browser will connect to your local machine's port 3128, which will be forwarded (by ssh) through an encrypted tunnel, and you'll actually be connected to the squid program running on your home box, which will connect to the website on your behalf, and forward all of the content back to you through the encrypted tunnel.

You'll have to set up proxy exceptions for any webservers that are internal to your company network, telling your browser "for these sites, go direct, not through this proxy". 

Disclaimers apply.

-BP
Seek out wisdom in books, rare manuscripts, and cryptic poems if you will, but seek it also in simple stones and fragile herbs and in the cries of wild birds. Listen to the song of the wind and the roar of water if you would discover magic, for it is here that the old secrets are still preserved.

WeedWhacker

  • Member
  • *
  • Posts: 152
Re: I need to be able to tunnel to home computer for web at work
« Reply #18 on: April 08, 2007, 09:51:01 PM »
Any use of uncommon or alternate ports will be a red flag for anyone paying attention to 'net traffic.

A very robust solution for being able to hit web sites from behind a restrictive filter is to use an outside server (this can be an old PC you keep at home) which listens on an HTTP or HTTPS port (80 or 443, respectively). jmarshall.com is the home of CGIProxy, a very handy Perl script for use on (at least) Linux machines running apache. I've personally set up such a server with SSL enabled so that I can have access to any 'net site from any location which allows SSL traffic, which is pretty much everywhere. Heck, I'm using it now - it doubles as a privacy proxy. :)
"Higher education" is often a euphemism for producers of fermented, homogenized minds.

yci

  • New Member
  • Posts: 20
Re: I need to be able to tunnel to home computer for web at work
« Reply #19 on: April 09, 2007, 11:11:17 AM »
I've not used it myself, but Hamachi has been used with some success by some folks I know.  Though I'd suspect, like several others have already pointed out, it may depend upon the security configuration you're faced with.