Netgate Discussion Forum

Block port 80 outbound RDP

General pfSense Questions
7 Posts 6 Posters 4.3k Views
scottnguyen
last edited by Feb 5, 2010, 1:13 AM

My boss just found out that one of the users is connecting to their home or remote site Windows Server via RDP over port 80. How can I restrict this particular application (RDP) without affecting real HTTP traffic? We obviously can't block port 80 - how do we stop the application trying to use HTTP or even HTTPS?
blak111
last edited by Feb 5, 2010, 3:33 AM

You will probably need to implement squid as a transparent proxy server.
scottnguyen
last edited by Feb 5, 2010, 4:14 AM

Would you mind elaborating on how exactly Squid will handle this? Thanks.
Efonnes
last edited by Feb 5, 2010, 6:05 AM

I suppose the idea was that as a transparent proxy, it would force connections on that port to use the intended protocol, not allowing other protocols over that port.
wallabybob
last edited by Feb 5, 2010, 7:20 AM

I'd ask the boss for the details and his evidence. It would be a shame to put a lot of effort in if the user was actually using the https port rather than the http port (for example).

If there are a small number of servers accessed and they have static IP addresses you could add firewall rules to block (and log?) access to those IP addresses (and ports?).

@ShadowFlare:

    I suppose the idea was that as a transparent proxy, it would force connections on that port to use the intended protocol, not allowing other protocols over that port.

Right. If you watch (say by tcpdump) the first few exchanges of a web browser connecting to a server and downloading a page I expect you will see it is quite noticeably different from the similar exchanges with an RDP server. This could be used to distinguish "real" web accesses from rdp access masquerading as web accesses. This difference might cause a web proxy to choke on the rdp masquerade, effectively blocking it. Alternatively, something like a web proxy (but much simpler) could just log and close the masquerade attempts.
jimp (Rebel Alliance Developer, Netgate)
last edited by Feb 5, 2010, 7:36 PM

Not that it's viable yet, but on 2.0 you should be able to use the layer 7 filtering to pick out non-HTTP traffic going over port 80 and block it.

Otherwise it's very difficult, if not impossible, to block that kind of traffic.

Though it is unlikely that a person needs to connect to a web server on a residential network, you could find out what subnet/netblock that the home user's PC is on and block anything to port 80 heading there.

(Then they could just use a bounce daemon on a real server somewhere, etc, etc.) It's a cat-and-mouse game.

It's easier to just fire the person for violating employee policies. :)
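As an added illustration of what wallabybob's "watch the first few exchanges" and jimp's "layer 7 filtering to pick out non-HTTP traffic over port 80" both come down to, here is a small Python classifier. It is not code from this thread, from Squid, or from pfSense; it only shows the byte-level check those tools perform inline. It keys on the fact that a standard RDP client opens with an X.224 Connection Request wrapped in a TPKT header (03 00, 16-bit length, then E0 at offset 5), while a browser sends an HTTP request line and a TLS client sends a handshake record. The function names, the (src, dst, dport, first_client_payload) flow shape, and every payload and address below are assumptions or constructed samples, not real captures.

```python
"""Classify the first client bytes of a TCP connection as HTTP, TLS, RDP or unknown.

Added example, not code from the forum thread, Squid or pfSense. All payloads
and addresses are constructed samples (RFC 5737 documentation ranges), not
real captures.
"""
import re
import struct

# HTTP/1.x request line per RFC 7230: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def classify_payload(data: bytes) -> str:
    """Return 'http', 'tls', 'rdp' or 'unknown' for the first client payload."""
    if HTTP_REQUEST_LINE.match(data):
        return "http"
    # TLS record: content type 0x16 (handshake), major version 0x03,
    # handshake type 0x01 (ClientHello) right after the 5-byte record header
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # TPKT (RFC 1006): version 3, reserved 0, big-endian 16-bit total length;
    # X.224 Connection Request follows, with CR code 0xE0 at offset 5
    if len(data) >= 7 and data[0] == 0x03 and data[1] == 0x00:
        tpkt_len = struct.unpack("!H", data[2:4])[0]
        if tpkt_len >= 7 and data[5] == 0xE0:
            return "rdp"
    return "unknown"


def find_non_http_on_port(flows, port=80):
    """Return (src, dst, verdict) for every flow to `port` whose first bytes are not HTTP.

    `flows` is an iterable of (src, dst, dport, first_client_payload) tuples,
    e.g. reassembled from a tcpdump capture (assumed input shape).
    """
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != port:
            continue  # only the port the policy is about
        verdict = classify_payload(payload)
        if verdict != "http":
            alerts.append((src, dst, verdict))
    return alerts


# Constructed sample payloads (not real captures)
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# X.224 Connection Request with RDP_NEG_REQ, as a standard RDP client sends it
RDP_CR = bytes.fromhex("03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 03 00 00 00")
# Start of a TLS 1.x ClientHello record (truncated after the handshake type)
TLS_HELLO = bytes.fromhex("16 03 01 00 2f 01 00 00 2b 03 03")

SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.80", 80, HTTP_GET),     # real web access
    ("10.0.0.7", "203.0.113.10", 80, RDP_CR),        # RDP masquerading on 80
    ("10.0.0.9", "203.0.113.20", 80, TLS_HELLO),     # TLS on 80, not HTTP either
    ("10.0.0.7", "203.0.113.10", 3389, RDP_CR),      # not port 80, out of scope
]

if __name__ == "__main__":
    for src, dst, verdict in find_non_http_on_port(SAMPLE_FLOWS):
        print(f"port-80 flow {src} -> {dst} is not HTTP: {verdict}")
```

Run against the constructed flows it reports the RDP and the TLS connection on port 80 and passes the GET. The TLS case is the check wallabybob asked for first: a ClientHello on port 80 is not HTTP, but it is also not proof of RDP, so it is something to look at, not something to block on sight. Only the first client payload is inspected; a client that wraps RDP in TLS from the start shows up as "tls", which is the cat-and-mouse jimp describes.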
zhoffman
last edited by Feb 15, 2010, 8:40 PM

Nice Jimp!!

Wouldn't it be nice if that really was the protocol! Make my life easier.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.