
Re: Protection against http tunneling (was: HTTP tunnel with linux server and windows client)



Vassilii Khachaturov wrote:
The question is... is there any way to protect against this? I mean, how
would you differentiate, on for example a squid, the traffic of one of these
tunnels from the real traffic you want to allow?


There is a way to protect against any particular form of tunnelling (i.e., if you
know that a particular tunnel is there, you'll find a way to disrupt it).

But there is no practical way to prevent covert communications of an inside
user to the outside world, if any reasonable connectivity, through whatever
firewall or whatever, exists. You can minimize the risk by monitoring
everyone's activity 24 hours a day, but even then you don't have a 100% guarantee.

And if you close the network, the person can smuggle diskettes in and out,
creating a high-latency link. Or use the state of his office lighting (on or off)
every 17th minute to signify whether the next bit of the message is 0 or 1.
Not too good for transmitting a picture, but enough to eventually relay a secret
encryption key to someone out there watching. You've got the idea...



Reminds me of a rumor I heard that someone was working on an NFS over SMTP gateway. It would have pretty crappy latency, but the point was to prove that a firewall is not a guarantee of security.

Also worth considering in your examples is RFC2549 (IP over Avian Carriers with QoS).

--Rich

_________________________________________________________

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746

tel:   218.262.1130
email: rpuhek@etnsystems.com
_________________________________________________________


