I would like to stop people bypassing OpenDNS and squid proxy blocks to get on Facebook using an SSH tunnel to their PC at home. I know I can fix this by talking to my boss, but I'd also like to understand better how it is technically possible.
If you have users that are capable of creating SSH tunnels to their home equipment then you are not going to be able to do this using technology unless you can take away the tools that allow them to do this. All you can do is enter into an arms race with them.
You will have to get your management involved - it really is their issue to deal with.
You need to set up egress (outbound) filtering on your firewall for all TCP and UDP ports except where permitted by requirement (mail server, proxy server, DNS server, etc.).
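The egress rule set described in that answer, as an added example that is not part of the original thread: a default-deny policy in which clients may only reach the internal DNS forwarder and the squid proxy, and only those servers may talk to the outside. All addresses, the allowlist and the sample flows are constructed for illustration; the script evaluates the policy against the flows and also renders it as iptables rules for a FORWARD chain.

```python
"""Added example: default-deny egress policy check (not from the original thread).

Models the rule set described above: every outbound TCP/UDP flow is dropped
unless an allowlist entry permits it. Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


# Allowlist entries: (source network, destination network, protocol, port).
# Hypothetical addresses: 10.0.0.0/8 = office LAN, 10.0.0.53 = internal DNS
# forwarder, 10.0.0.3 = squid proxy, 10.0.0.25 = mail server.
ALLOW = [
    ("10.0.0.0/8",   "10.0.0.53/32", "udp", 53),    # clients resolve via internal DNS only
    ("10.0.0.0/8",   "10.0.0.3/32",  "tcp", 3128),  # clients browse via squid only
    ("10.0.0.3/32",  "0.0.0.0/0",    "tcp", 80),    # squid may reach the web
    ("10.0.0.3/32",  "0.0.0.0/0",    "tcp", 443),
    ("10.0.0.53/32", "0.0.0.0/0",    "udp", 53),    # forwarder talks to OpenDNS upstream
    ("10.0.0.25/32", "0.0.0.0/0",    "tcp", 25),    # mail server delivers outbound mail
]


def is_allowed(flow: Flow) -> bool:
    """Default deny: True only if some allowlist entry matches every field."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for src_net, dst_net, proto, port in ALLOW:
        if (src in ip_network(src_net) and dst in ip_network(dst_net)
                and flow.proto == proto and flow.dport == port):
            return True
    return False


def denied_flows(flows):
    """Return the flows the policy drops (what you would expect to see in firewall logs)."""
    return [f for f in flows if not is_allowed(f)]


def render_iptables(chain="FORWARD"):
    """Render the allowlist as iptables rules ending in a default DROP for the chain."""
    lines = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src_net, dst_net, proto, port in ALLOW:
        lines.append(f"iptables -A {chain} -s {src_net} -d {dst_net} "
                     f"-p {proto} --dport {port} -j ACCEPT")
    lines.append(f"iptables -A {chain} -j DROP")
    return lines


# Constructed sample: a workstation and the proxy making connections.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.53",    "udp", 53),    # normal DNS lookup -> allowed
    Flow("10.0.1.20", "10.0.0.3",     "tcp", 3128),  # normal web via proxy -> allowed
    Flow("10.0.1.20", "203.0.113.7",  "tcp", 22),    # direct SSH to an outside host -> denied
    Flow("10.0.1.20", "203.0.113.7",  "tcp", 443),   # direct HTTPS bypassing squid -> denied
    Flow("10.0.1.20", "198.51.100.9", "udp", 53),    # DNS to an outside resolver -> denied
    Flow("10.0.0.3",  "203.0.113.7",  "tcp", 443),   # squid fetching a page -> allowed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict = "ACCEPT" if is_allowed(f) else "DROP"
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {verdict}")
    print("\n".join(render_iptables()))
```

With this policy the direct SSH connection from the workstation is dropped at the firewall, which is the case the question asks about. Note that squid itself can still relay a CONNECT to port 443, so the proxy's own ACLs (which destinations and ports CONNECT may reach) need the same default-deny treatment; the firewall alone does not cover that path.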
Basically, you can't fix this. When there's an open port, people can create tunnels. I myself use OpenVPN via TCP 443, because that's always open. Alternatives are via other protocols, like ICMP or DNS.
With clever enough users, you cannot block parts of the internet. (Ok, maybe China can ;)) If you don't want workers to go online, block web browsing. If they need it for their job, you have to live with the fact that they can get onto Facebook. Last resort is creating penalties for everyone who does go to Facebook, but I personally wouldn't want to work at a company like that...
Gravyface is right.
Otherwise, maybe DPI (Deep Packet Inspection) could have a pattern to identify tunnels from other SSH traffic, but those appliances are costly.
Maybe you could use the TOS (Type of Service) to identify bulk SSH from interactive SSH and apply some bad QoS rules. The down side is that you would impact scp/sftp sessions too.
Tunnels should fall in bulk.
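The TOS-based split that answer suggests, as an added example that is not part of the original thread: SSH flows are sorted into interactive and bulk using the TOS byte, with mean bytes per packet as a fallback because the mark is set by the client and may simply be absent. The TOS values are the ones assumed here for OpenSSH's IPQoS defaults (legacy lowdelay/throughput and the newer AF21/CS1 pair); the flow records, queue names and tc class ids are constructed.

```python
"""Added example: sort SSH flows into interactive vs bulk (not from the original thread).

Uses the TOS/DSCP mark the answer above refers to, with a packet-size check as a
fallback. The TOS values are assumed OpenSSH IPQoS defaults; flows are constructed.
"""
from dataclasses import dataclass

INTERACTIVE_TOS = {0x10, 0x48}  # lowdelay (legacy), AF21 (DSCP 18 << 2)
BULK_TOS = {0x08, 0x20}         # throughput (legacy), CS1 (DSCP 8 << 2)

# Above this mean bytes per packet a flow looks like data transfer, not keystrokes.
BULK_BYTES_PER_PACKET = 300


@dataclass(frozen=True)
class SshFlow:
    src: str
    dst: str
    tos: int          # TOS byte observed on client->server packets
    bytes_out: int    # payload bytes client->server
    packets_out: int  # packets client->server


def classify(flow: SshFlow) -> str:
    """Return 'interactive' or 'bulk': TOS mark first, mean packet size as fallback."""
    if flow.tos in INTERACTIVE_TOS:
        return "interactive"
    if flow.tos in BULK_TOS:
        return "bulk"
    mean = flow.bytes_out / max(flow.packets_out, 1)
    return "bulk" if mean >= BULK_BYTES_PER_PACKET else "interactive"


def qos_action(flow: SshFlow) -> str:
    """Map the class to the shaper queue it lands in (queue names are hypothetical)."""
    return "low-priority-queue" if classify(flow) == "bulk" else "normal-queue"


def render_tc_filters(dev="eth0"):
    """Render tc u32 filters that steer bulk-marked SSH into class 1:30 (hypothetical ids)."""
    lines = []
    for tos in sorted(BULK_TOS):
        lines.append(f"tc filter add dev {dev} parent 1:0 protocol ip prio 1 u32 "
                     f"match ip tos {tos:#04x} 0xff match ip dport 22 0xffff flowid 1:30")
    return lines


# Constructed flow records (what a NetFlow-style collector might hand you).
SAMPLE = [
    SshFlow("10.0.1.20", "203.0.113.7", 0x10, 12_000, 400),       # shell session: ~30 B/pkt
    SshFlow("10.0.1.20", "203.0.113.7", 0x08, 5_000_000, 4_000),  # forwarded port, marked bulk
    SshFlow("10.0.1.21", "203.0.113.8", 0x00, 3_000_000, 2_500),  # unmarked, 1200 B/pkt -> bulk
    SshFlow("10.0.1.22", "203.0.113.9", 0x00, 8_000, 350),        # unmarked, ~23 B/pkt -> interactive
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.src} -> {f.dst} tos={f.tos:#04x}: {classify(f)} -> {qos_action(f)}")
    print("\n".join(render_tc_filters()))
```

As the answer notes, scp and sftp sessions carry the same bulk mark and the same large packets, so they end up in the low-priority queue too; this classifier cannot tell a file copy from a forwarded port, only interactive typing from everything else.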
This is more of a policy issue than a technical one. You correctly point out an obvious method for users to bypass any restrictions you may place on the network technically.
Some percentage of users will not be able to figure out the tunnel approach, and those should be easier to contain with DNS blacklists or equivalent. The technical users who would bypass your restrictions need to be dealt with by a different method.
Consider why you need to block this traffic before you travel too far down this road.