Intercept email and see its content

0

My new company has a monitor position. What a monitor does is monitor what anyone is doing. No IM, USB, or phones with cameras are allowed. I wonder whether, within a WLAN, a monitor can intercept my email and see its content. Can he see what I am browsing? Is it possible to use SSH to bypass all the data packages intercepting?

Sawyer

Posted 2010-06-21T07:43:12.987

Reputation: 287

6I hope you did not post this from work, or now they'll watch you even closer. – None – 2010-06-21T08:12:42.387

1Remember too that this monitor has to justify his existence. A nice, juicy policy violator is his raison d'être. So not only is your monitor well placed, he's strongly motivated. – msw – 2010-06-21T08:42:03.110

Yes man, I said my new company, I am not in there now, lol. – Sawyer – 2010-06-21T08:56:43.783

1I presume that attempting to circumvent your monitoring policy is itself a violation of the policy? They'll eventually catch you. "Hey, so why does this guy have 2 gigs of ssh data in and out every hour?" – msanford – 2010-06-27T22:44:57.450

Tunnel traffic through ssh if you reallllly need a way. – Chris – 2010-08-26T20:44:46.350

Answers

8

Yes, all communications out of the LAN will go through the firewall and can be intercepted/monitored.

Encryption is one way to "hide" such communication, but it seems to me that if they're that paranoid about spying on you, then they'd simply block all encrypted connections anyway.

I would suggest that you do not try to circumvent their monitoring. If you don't like what they're doing, then you're free to find another job. While I certainly don't agree that limiting employee access to "personal" use of the internet is a good idea, companies are free to implement whatever policies they like and your circumvention of that policy could certainly be cause for dismissal.

Dean Harding

Posted 2010-06-21T07:43:12.987

Reputation: 361

2+1 "if they're that paranoid about spying on you, then they'd simply block all encrypted connections anyway" – msanford – 2010-06-27T22:42:30.220

Depending on your jurisdiction, law might prevent them from monitoring everything or even anything. However, since you obviously chose to work there, legal might not be the way to go. Also, IANAL. – Daniel Beck – 2010-08-26T22:16:19.677

3

If they have physical access to place a monitor node between the gateway and the switch or router that serves up your IP address, they have the ability to capture any data you send across the net.

For example: To monitor eMail data being sent across the pipe:

  • create a port sniffer that captures packets for all the data being sent across SMTP (port 25) for outgoing messages and/or POP/IMAP for incoming messages.
  • organize the emails based on their origin (IPAddress)
  • x-ref the captured emails against a database that maps IP addresses to employees within the company
  • parse the actual email message out of the SMTP packets
  • organize the messages in a system that makes it easy to search/read/crawl/etc the email messages

Web browsing is similar:

  • use a port sniffer to capture data coming in on port 80 (HTTP)
  • map the data-to-user relationship using a database of IPAddress-user data
  • parse the data using a browser or a custom-built crawler or just store the address of the sites being visited by pulling the URI from the HTTP header

It's really not that hard to do, especially since all email and HTTP typically aren't encrypted.

There are ways around such a system, such as using a VPN, or encrypting your data and encapsulating it in one of the protocols that aren't blocked on the firewall (ex. HTTP), but it would require a certain level of programming skill as well as knowledge of the networking domain. Plus, if you use something that doesn't get transmitted across one of the 'usual' networking ports (HTTP, SMTP, POP, IMAP) you might get red-flagged and/or blocked/investigated by the person doing the monitoring because of 'suspicious' activity.

Networking-security specialists usually know a lot of little tricks to find ways around a system. Unfortunately, a general systems programmer wouldn't know them because they usually take an intimate knowledge of the protocols and their vulnerabilities.

You can 'tunnel' encrypted data through a standard port using SSH, but it requires that you have a dedicated SSH server running in a remote location. Just remember that they can see everything you send across the net. If they consistently see gibberish (encrypted data) being sent across the pipe, you'll probably/eventually get red-flagged for it. Otherwise, they wouldn't go to all the effort to dedicate a person to monitoring the connections.

Evan Plaice

Posted 2010-06-21T07:43:12.987

Reputation: 1 387
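An added example (not part of the answer above) showing why cleartext SMTP and HTTP expose content to anyone on the path: it parses two reassembled client streams and attributes them to users by source IP. The streams, addresses and the `IP_TO_USER` table are constructed for illustration, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample data (not a real capture): client-to-server payloads after
# TCP reassembly, keyed by (source IP, destination port).
STREAMS = {
    ("10.0.0.21", 25): "EHLO ws21\r\nMAIL FROM:<tony@example.com>\r\n"
                       "RCPT TO:<friend@example.org>\r\nDATA\r\n"
                       "Subject: lunch\r\n\r\nSee you at noon.\r\n.\r\nQUIT\r\n",
    ("10.0.0.34", 80): "GET /news/today?id=7 HTTP/1.1\r\n"
                       "Host: www.example.net\r\n\r\n",
}
IP_TO_USER = {"10.0.0.21": "tony", "10.0.0.34": "sam"}  # hypothetical IP-to-employee table

def parse_smtp(payload):
    """Pull envelope, subject and body out of a cleartext SMTP client stream."""
    sender = re.search(r"^MAIL FROM:<([^>]*)>", payload, re.I | re.M)
    rcpts = re.findall(r"^RCPT TO:<([^>]*)>", payload, re.I | re.M)
    # The message is everything between DATA and the lone "." line
    # (dot-stuffing is not undone in this sketch).
    data = re.search(r"^DATA\r\n(.*?)\r\n\.\r\n", payload, re.S | re.M)
    msg = message_from_string(data.group(1)) if data else None
    return {"from": sender.group(1) if sender else None, "to": rcpts,
            "subject": msg["Subject"] if msg else None,
            "body": msg.get_payload().strip() if msg else None}

def parse_http(payload):
    """Rebuild the visited URL from the request line and Host header."""
    head = payload.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in head[1:] if ": " in line)
    return {"method": method, "url": "http://" + headers.get("Host", "?") + target}

PARSERS = {25: parse_smtp, 80: parse_http}

def attribute(streams, ip_to_user):
    """Return one record per stream: who sent it and what was readable in it."""
    report = []
    for (src, port), payload in sorted(streams.items()):
        if port in PARSERS:
            report.append({"user": ip_to_user.get(src, "unknown"), "port": port,
                           **PARSERS[port](payload)})
    return report

if __name__ == "__main__":
    for record in attribute(STREAMS, IP_TO_USER):
        print(record)
```
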

1

That's a pretty big question; look at the capabilities of products like "IronPort" and see how anonymous you feel. :-) It's a really bad idea to try to subvert your employer's security policy.

Jubal

Posted 2010-06-21T07:43:12.987

Reputation: 111

1

New firewalls now also support SSL interception, which means they can even see your HTTPS data now; however, this is not legal in some countries. But yes, almost all communications can be logged and monitored with firewalls.

Akash Kava

Posted 2010-06-21T07:43:12.987

Reputation:

1They can see your HTTPS data - but the original SSL certificates will be invalid. In a controlled setting (such as the OP's workplace), it is possible to add a company-internal root CA to everyone's browser and re-sign the stream with that; that way, SSL cert will be valid, but it will be different from the certificate seen normally from that site. – Piskvor left the building – 2010-06-21T08:02:53.440

0

First of all, being able to circumvent policy is not the same as being allowed to do that, and different yet from it being a good idea: I'm pretty sure, with such policies, circumventing them would be punishable.

  • e-mail: Certainly intercepted
  • browsing: Almost certainly intercepted
  • SSH and other workarounds: might work, but if USB devices and smartphones aren't allowed, I'd guess outbound communication will be limited (i.e. "it probably won't work"). Also, might not be allowed.

Even if you manage to get a tunnel up, passive traffic analysis will flag you: "This Tony guy has no outgoing connections, except these: long-lived, all to the same host, high-traffic, encrypted." Good luck persuading your employer ('s lawyers) you were not squirreling away the company's databases (having willingly and knowingly circumvented company policy isn't going to win you any points either).

Piskvor left the building

Posted 2010-06-21T07:43:12.987

Reputation: 2 277
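An added example (not part of the answer above) of the passive traffic analysis it describes: flag a host whose outbound traffic is dominated by long-lived, high-volume connections to a single destination on an encrypted-protocol port. The flow records are constructed, and the thresholds and the use of the port number as a proxy for "encrypted" are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real captures):
# (src_ip, dst_ip, dst_port, duration_seconds, bytes_total)
FLOWS = [
    ("10.0.0.21", "203.0.113.10", 22, 3500, 900_000_000),
    ("10.0.0.21", "203.0.113.10", 22, 3400, 1_100_000_000),
    ("10.0.0.34", "198.51.100.5", 443, 12, 48_000),
    ("10.0.0.34", "198.51.100.9", 443, 30, 220_000),
    ("10.0.0.34", "192.0.2.80", 80, 4, 15_000),
    ("10.0.0.57", "192.0.2.25", 25, 2, 9_000),
]

ENCRYPTED_PORTS = {22, 443}   # assumption: port number stands in for "encrypted"
MIN_BYTES = 500_000_000       # assumed volume threshold per source/destination pair
MIN_AVG_DURATION = 1800       # assumed threshold for "long-lived", in seconds
MIN_SHARE = 0.9               # share of the host's outbound bytes going to one peer

def flag_tunnel_like(flows):
    """Return alerts for (src, dst, port) pairs that look like a bulk tunnel."""
    per_pair = defaultdict(lambda: {"bytes": 0, "secs": 0, "n": 0})
    per_src = defaultdict(int)
    for src, dst, port, secs, nbytes in flows:
        per_src[src] += nbytes
        if port in ENCRYPTED_PORTS:
            stats = per_pair[(src, dst, port)]
            stats["bytes"] += nbytes
            stats["secs"] += secs
            stats["n"] += 1
    alerts = []
    for (src, dst, port), stats in sorted(per_pair.items()):
        share = stats["bytes"] / per_src[src]
        avg_duration = stats["secs"] / stats["n"]
        if (stats["bytes"] >= MIN_BYTES and avg_duration >= MIN_AVG_DURATION
                and share >= MIN_SHARE):
            alerts.append({"src": src, "dst": dst, "port": port,
                           "bytes": stats["bytes"], "share": round(share, 2)})
    return alerts

if __name__ == "__main__":
    for alert in flag_tunnel_like(FLOWS):
        print(alert)
```
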