FUIT: Company blocks a port you need? Change it to 443 and sneak it by. Or set up a proxy.

Odds are that any streaming video served up via the web from CBSSports.com is blocked so you can't watch the games on your computer, but I had a trick up my sleeve.


We haven't had an FUIT article in a while, but with March Madness over the past few weeks, I was reminded of something I used to do when I had a real job. Nowadays you can watch games online, and the cool companies just let that happen. Of course, those companies aren't all that productive during that time, so the odds are that any streaming video from CBSSports.com is blocked and you can't watch the games on your computer. Such was the case for me a few years ago, but I had a trick up my sleeve.

I had a Slingbox at home. I knew I couldn't reach it from work on its default port (5001), because the company firewall only allowed outbound connections to ports 80 and 443, so I reconfigured the Slingbox to listen on 443 instead. My cable company didn't block that port inbound, and my company's firewall filtered by port number alone; it never checked that what was flowing over 443 was actually SSL. It worked, and in my basement dungeon of an office that week, we had a bit of a party :)

I know that at the time, what I did was over the heads of most normal users (let's call them "normies"), but that was six or seven years ago. More and more users are familiar with ports from online games, and more and more are confident in their ability to skirt IT policies and procedures. Of course you can get fired, and of course it's against the rules, but only if you get caught.

Nowadays there are other uses, too, like Dropbox, which companies block even though employees want to use it. With nothing more than a Google search for "how to access dropbox behind a firewall," users can get step-by-step instructions for setting up a proxy. The short version: run an SSH server at home and have it listen on port 443; from work, connect to it with an SSH client and open a dynamic (SOCKS) port forward, which gives you a local proxy that carries everything through the encrypted tunnel; then point Dropbox's proxy setting at that local address and port. A firewall that filters by port number alone sees nothing but an encrypted stream to port 443 and lets it through. It isn't truly invisible, though: an SSH session opens with a cleartext version banner, so a firewall that actually inspects the protocol spoken on 443 can tell it apart from SSL/TLS.

Even a normie could set it up in a few minutes using PuTTY, which offers the dynamic port forward as a checkbox in its tunnel settings. Yes, it's still for above-average users, but the instructions are clear and unassuming, and as I've said before, it only takes one user (and one proxy!) before anyone can do it. And keep in mind, this works for far more than just Dropbox.
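The weakness both tricks rely on is the same: the firewall allows port 443 without checking that the traffic on it is TLS. The following is an added example, not code from the original article, showing the check a network engineer would bolt on: look at the first bytes the client sends and compare the protocol actually spoken with the one the port implies. An SSH session (whether from PuTTY or OpenSSH's `ssh -D 1080 -p 443 user@home`, where `home` is a hypothetical name) announces itself with a cleartext `SSH-2.0-...` banner, while a browser opens with a TLS ClientHello record. The sample payloads are constructed for illustration.

```python
# Added example: classify the first client bytes of an outbound flow so that a
# port-based allow rule ("443 is fine") can be checked against what is actually
# being spoken on that port. All sample payloads below are constructed.
from typing import List, Optional, Tuple

TLS_RECORD_HANDSHAKE = 0x16        # TLS record content type: Handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01  # Handshake message type: ClientHello
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")

# What a port-only firewall implicitly assumes is running on each allowed port.
EXPECTED_PROTOCOL = {80: "http", 443: "tls"}


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record that carries a ClientHello.

    Layout: [type=0x16][version: 0x03 0xNN][record length: 2 bytes]
            [handshake type=0x01][handshake length: 3 bytes] ...
    """
    if len(data) < 9:
        return False
    if data[0] != TLS_RECORD_HANDSHAKE or data[1] != 0x03:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    handshake_len = int.from_bytes(data[6:9], "big")
    # The handshake message plus its 4-byte header must fit inside the record.
    return data[5] == TLS_HANDSHAKE_CLIENT_HELLO and handshake_len + 4 <= record_len


def ssh_software(data: bytes) -> Optional[str]:
    """Return the software string from an SSH version banner, or None.

    RFC 4253 banner: "SSH-protoversion-softwareversion SP comments CR LF".
    It is sent in the clear before key exchange, which is exactly what makes
    SSH on port 443 distinguishable from TLS.
    """
    if not data.startswith(b"SSH-"):
        return None
    line = data.split(b"\r\n", 1)[0]
    parts = line.split(b"-", 2)
    if len(parts) != 3:
        return None
    return parts[2].split(b" ", 1)[0].decode("ascii", "replace")


def classify_first_bytes(data: bytes) -> str:
    """Best-effort protocol label for the client's first segment."""
    if ssh_software(data) is not None:
        return "ssh"
    if looks_like_tls_client_hello(data):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def verdict(dst_port: int, first_bytes: bytes) -> str:
    """Compare the protocol actually spoken with the one the port implies."""
    actual = classify_first_bytes(first_bytes)
    expected = EXPECTED_PROTOCOL.get(dst_port)
    if expected is None:
        return f"port {dst_port}: no policy"
    if actual == expected:
        return f"port {dst_port}: ok ({actual})"
    return f"port {dst_port}: MISMATCH expected {expected}, saw {actual}"


# Constructed flows: (destination port, first bytes sent by the client).
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    # Genuine-looking TLS ClientHello record header (constructed, truncated).
    (443, bytes.fromhex("160301009a010000960303") + b"\x00" * 16),
    # PuTTY banner sent to a home sshd that was moved to port 443 (constructed).
    (443, b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    # Plain HTTP on the port where HTTP is expected.
    (80, b"GET /live/stream HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    # Opaque binary stream on 443, standing in for any non-TLS application.
    (443, b"\x01\x00\x00\x10" + b"\x00" * 12),
]


def audit(flows: List[Tuple[int, bytes]] = SAMPLE_FLOWS) -> List[str]:
    """Run the port-versus-protocol check over a batch of flows."""
    return [verdict(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for line in audit():
        print(line)
```

The check only needs the first client segment, so it belongs on an egress sensor or proxy rather than on each desktop. Its obvious limit is also worth stating: if the user wraps SSH inside real TLS (for example with stunnel) or uses an HTTPS CONNECT proxy, the first bytes are a legitimate ClientHello and this test passes, which is the point at which SNI and certificate inspection, or full TLS interception, become the only network-side options.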

It's just something to keep in mind as you're fleshing out your consumerization strategy. There's seemingly always a way around things, and policies only go so far. The roadblocks you put in place don't work in every scenario, and just when you think you've got all your bases covered, someone will skillfully or luckily find a way around them. Do you embrace what users want and try to enable it securely, or do you go into lockdown and hope that nobody gets past?


3 comments

Punching through your company's firewall is pretty severe (and possibly a federal offense depending on what your company does). That being said, in the past I have used settings to disrupt SSH tunnels every 5 minutes for 15 seconds and also used QoS to shape them so they only support very weak streams by adjusting latency. This was back in the days of bandwidth being very expensive and needed for operations. Now, we can use deep packet inspection and kill SSH tunnels that are streaming. Your time is better spent making a good (and correct) argument that people are more productive when they get to goof off a little and that network administrators' time is best spent making the infrastructure better and not artificially worse. Dropbox in the enterprise is a whole different thing and sends shivers down my spine from when I was at NASD-, HIPAA-, or DoD-regulated entities.

And like many of the "consumerization" articles on here, many of the things we should be so sure are happening are defeated by simply not giving users local admin rights on their PCs. Pretty tough to run Dropbox (or anything else) over non-standard ports if you can't install it.

I am currently using Dropbox as well, but I am thinking of switching to PuTTY. What do you guys think?
