Komodia's Redirector parental control guide
This guide will cover how to configure the Komodia's Redirector for parental control and will cover some common questions.
Bypass techniques and how to protect against them
Removing/stopping the SDK
ANY SDK can be stopped if the user is administrator, in a perfect world the administrator would install the software and the user will not have administrative privileges, but that's not the case on most computers.
To protect against the user removing the LSP, SDK, you need to use either:
- Double guarding services, each protecting each other and each check if the LSP/SDK is installed and install it if it's removed.
- Use a Kernel based driver such as Komodia's Watchdog to protect the SDK.
General notes on SDK removal
Komodia's Redirector can be removed like any other SDK, it would not matter if the SDK was: NDIS, WFP, or TDI based. It would still need to be protected against removal, so using another filtering technology doesn't guarantee it will not be removed.
Proxy can be used to attempt in bypassing the SDK, there are number of ways proxies can be used and you need to design your filtering rules differently to protect against each method.
Proxy on localhost
The scenarion: User setups a proxy on the localhost and sets its browser to redirect all traffic to this proxy.
- Allow localhost intercepting and intercept (or block) the data in transit to the proxy, keep in mind that because of the proxy, the data will be formatted a little bit differently and if you wrote a filter you need to be ready to parse this data.
- In case the proxy is a normal proxy (not connecting by SSL/SSH to another location) you can intercept its traffic and filter it there.
- In case the proxy is encrypted one, then you can either use item 1 (intercept localhost data), or block this proxy altogteher.
Proxy on the internet
The scenario: User sets its browser to redirect all traffic to a network proxy.
Solution: Traffic is intercepted on route to proxy (incase you intercept all traffic, or by browser name), just make sure you know how to handle HTTP Connect or HTTP Proxy requests:
- Make sure you intercept by the browser level, or intercept all traffic.
- In case of HTTP Proxy, you will see almost normal HTTP, then you will detect it like regular HTTP.
- In case of HTTP Connect you will see: HTTP Connect URL:Port HTTP/1.1 then decide if to block or inspect
- Socks 4/5 is a simple protocol, inspect the traffic and check if it's socks, if it's, decide what to do.
Web based proxy
The scenario: User browses to a web based proxy that you can enter the URL you want, for example: http://www.proxy.com/www.sitetogo.com
Solution: There aren't many types of these proxies, because open proxies are a liability, so when you know the proxy URL you can just block access to it.
The scenarion: User sets up an anonymizer that uses encryption to redirect the traffic.
- Use Komodia's Watchdog to protect all the locations the anonymizer can be installed such as: LSP (dont automatically), network drivers.
- Use the firewall module to allow only certain applications to communicate, this will block the anonymizer.
- You can detect the process of the anonymizer you are trying to block (by name/port) and block all of its outgoing connection which sill block the network access.