bypass internet firewall

Introduction
More and more employers and universities are becoming aware of the amount of time their employees or students are spending using the Internet for personal reasons. Obviously employers want to discourage this behavior and may implement a number of different ways to do so. These can include;

* Restricting people from installing programs on their workstation. This usually won't stop someone from accessing websites, but it may keep people from playing games or using instant messaging software.
* Using a firewall or proxy server to restrict access to websites or other Internet protocols. All your Internet communication passes through your network's firewall, so it's a great place to monitor and restrict access. How complex or restrictive it is largely depends how tech savvy your IT department is.
* Using a network monitoring system to "spy" on Internet access. This is a form of firewall monitoring, where your employer can intercept and read/save anything flowing through their firewall. Your IT department may call this an Intrusion Detection System, which is primarily used to monitor for attempted hacker attacks or viruses.
* Installing programs on workstations that monitor Internet access. This is probably the toughest thing to get around because there are so many different vendors that offer this type of software. In addition, there is software that simply records every keystroke you press. In most cases, there's no way around this other than disabling the software.

This guide discusses a way an employee or student can securely access the Internet while at work or school, and also get around some common firewall restrictions that prevent you from using most networked programs. My definition of "securely" means that there should be no mean by which your employer can know which websites you have visited or are currently visiting, and can not view or decipher the content of those sites (without actually standing over your shoulder.)

Keep in mind that the method I discuss here will protected you from NETWORK monitoring, not actual computer or keystroke monitoring. So if your IT department has some security software installed on your PC, you probably shouldn't even be looking at this page.

In addition to protecting you from network monitoring, this method can be used to get around a number of other security protections that may be in place;

* Your employer or school allows access to most of the Internet but blocks certain websites that they consider non-work related. Using this method you can access them.
* Your employer or school blocks you from chatting at work using AIM or ICQ or similar instant messaging programs. Follow my instructions and you may be able to get around the firewall and chat at work.
* You want to access your employer or school's Intranet from home. Setup the shunnel in the reverse order as I describe, with the SSH server on your work computer, and Putty at home. You'll may be able to access Intranet websites from home just like you were sitting at your work computer.

This is version 2 of the Surf At Work guide. This version details how to encrypt your network traffic using an SSH tunnel with Dynamic Forwarding. Version 1 of the guide was similar, but in addition to SSH used an Apache HTTP Proxy server. The addition of Dynamic Forwarding in Putty removed the need for an external proxy server, assuming your applications can use a SOCKS proxy instead of an HTTP proxy. The old version is still available here for reference.

Using this method will actually allow you to do more than just surf the web privately. You can bypass a firewall and encrypt the network traffic of any program that can use SOCKS proxy. This includes most instant messaging software like AIM, Yahoo!, MSN, IRC, mIRC and others.

As MySpace.com is now so popular, many schools now comletely block MySpace to keep kids from socialzing online and to sidestep any controversy. Since MySpace is just a website like any other, this method should let you access MySpace freely around most firewalls.

Overview
The objective is to encrypt your network traffic so it can not be read as it passes through over employer or school's network. To do this, we will;

* Run an SSH server on your computer at home.
* Use an SSH client on your computer at work to create a secure tunnel between your home and work computers.
* Enable Dynamic Forwarding in the SSH client to simulate a SOCKS Proxy.
* Configure Internet Explorer to use a SOCKS Proxy for network traffic instead of connecting directly.

After this is all setup, the process for browsing a website will be as follows. Internet Explorer at work connects to the SSH client running on your computer at work. The SSH client connects to the SSH server running on your computer at home. Internet Exlorer will make requests for websites using the SOCKS protocol, which SSH will intercept and handle for you. Thus, the SSH server talks to the website and returns the web page to the SSH client. The SSH client returns the web page to Internet Explorer.

In essence, you are tricking Internet Explorer into thinking you have a proxy server running on your local machine, when in fact the proxy is running on your computer at home. Since all communication over your work network takes place through SSH, it can not be read. The SSH traffic CAN be seen or detected, but it will look like a garbled mess of letters and numbers. Other than being a little slower than usual, you shouldn't notice any difference when surfing the web when using the secure method.

Some people that are familiar with SSH and may be asking, "How can Internet Explorer talk to SSH?". Well, SSH has a great little function called Connection Forwarding. You setup SSH to accept TCP connections on a port and forward them to a port on another computer. SSH takes ALL the network traffic on that port, wraps it in a secure package, and forwards it somewhere else. I refer to this as a "shunnel"; a secure tunnel.

The other trick to this setup is the Dynamic Port Forwarding. Newer versions of SSH can emulate a SOCKS proxy server. A SOCKS Proxy server is a server that acts like a "middleman." It accepts requests from a client, and connects to the target server on your behalf. Take a look at these links on Webopedia for a little more information;

Labels: