OmniTraining

Real Information for Real IT

Workplace Proxies: A Big Hole?

If you’re wondering how well your Great Corporate Firewall is doing with regards to censoring employees, there are a few tricks you might want to be aware of.

Varying degrees of filtering are used by companies, normally mandated by the big boss upstairs. Some companies just try to block instant messaging programs to keep employees more focused, but others go to great lengths to ensure nobody is visiting questionable websites from work. In these environments, it is not uncommon for all but a few network ports to be blocked, and even those may be directed through a proxy server.

Numerous employees at your site may be exceptionally computer savvy, especially within companies who are part of the computer industry. These employees likely run Linux at home, and there isn’t much you can do to stop their unfettered web browsing habits.


CGIproxy is a program that can be run on any web server, and acts as a proxy itself. Users typically install this or similar CGI-based proxy scripts on their home web server, and then connect from work. Unless the corporate firewall is blocking the user’s home IP for some reason, they will now be able to access any http or ftp site. The CGI script will present a webpage with an input box, and all the user has to do is input a URL. Subsequent browsing is done within an html frame, which allows the user to visit any website through the CGI proxy.

There are quite a few tools like this out there, and it is possible to detect the common ones. A countermeasure would be to block any URL that has the name of a well-known CGI proxy in it, but the effort required to implement this isn’t justifiable. The users would simply rename the script when they realized what was happening, and that wouldn’t take long. You could also restrict access to the user’s IP address, but this too won’t gain much, as they would simply run it on a hosted server somewhere else.

It is clear that http proxies can be fooled quite easily. Companies are also commonly interested in blocking outgoing ports for other services as well. The most common, and frustrating to users, are the instant messaging programs.

While it is true that the default installations of these programs can be blocked quite easily, blocking these from skilled users is much more difficult. The big four instant messengers all use well-known ports, if the user hasn’t changed that setting. AOL, MSN, ICQ, and Yahoo! all support the option to change the ports they use, within a certain range. The only exception to the rule is Yahoo!, which uses port 80. If the port ranges these programs use are blocked, users will quickly notice the “configure a proxy” option in the settings. All of these messaging programs can operate through http and socks proxies, so blocking the ports is futile. You can, of course, disallow access to the login servers via your proxies, but tricky users will be able to piggyback on other proxy services, like DNS.

The only method to block instant messenger usage at the workplace is to deny network access to the login servers they use. This isn’t fool-proof either, as we’ll see shortly. To implement this, you’ll have to figure out the IP address ranges used by the various instant messaging login servers, and simply block network access to those subnets. Neither the proxy servers nor any internal host will be able to access them in this case.
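The subnet block described above, implemented as an added example (not code from the original article). The ranges used are constructed placeholders from the RFC 5737 documentation blocks, standing in for whatever login-server ranges you have actually determined; the rule renderers use standard Linux iptables and Squid `acl`/`http_access` syntax so that the same list can be applied on both the perimeter firewall and the proxy host, as the paragraph requires. The `repeat_offenders` helper is an addition of mine: once the block is in place, the firewall's denied-connection log is itself a useful signal for which internal hosts keep trying.

```python
"""Block IM login-server subnets at the network layer and on the proxies.

Added example, not from the original article. The subnets below are
constructed placeholders (RFC 5737 documentation ranges); substitute the
ranges you have identified for the login servers you want to deny.
"""
import ipaddress

# Constructed placeholder ranges standing in for IM login-server subnets.
BLOCKED_SUBNETS = [ipaddress.ip_network(n) for n in ('192.0.2.0/24', '198.51.100.0/25')]


def is_blocked(dst):
    """True if the destination address falls inside any blocked subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in BLOCKED_SUBNETS)


def iptables_rules(chain='FORWARD'):
    """Render DROP rules (Linux iptables syntax) for the perimeter firewall,
    so no internal host can reach the login servers directly."""
    return [f'iptables -A {chain} -d {net.with_prefixlen} -j DROP'
            for net in BLOCKED_SUBNETS]


def squid_acl(name='im_login'):
    """Render a matching Squid ACL so the HTTP proxy refuses the same
    destinations; without this, users fall back to the proxy settings."""
    lines = [f'acl {name} dst {net.with_prefixlen}' for net in BLOCKED_SUBNETS]
    lines.append(f'http_access deny {name}')
    return lines


# Constructed sample of (client, destination) connection attempts from a
# firewall log; real data would come from your denied-connection log.
ATTEMPTS = [
    ('10.1.2.3', '192.0.2.10'),
    ('10.1.2.3', '192.0.2.10'),
    ('10.1.2.3', '198.51.100.9'),
    ('10.1.2.4', '203.0.113.5'),
    ('10.1.2.4', '192.0.2.11'),
]


def repeat_offenders(attempts, threshold=2):
    """Count blocked-destination attempts per internal client and return the
    clients at or above the threshold; one hit is noise, repeated hits are a
    user (or a client still configured) trying to reach the login servers."""
    counts = {}
    for client, dst in attempts:
        if is_blocked(dst):
            counts[client] = counts.get(client, 0) + 1
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == '__main__':
    print('\n'.join(iptables_rules()))
    print('\n'.join(squid_acl()))
    print(repeat_offenders(ATTEMPTS))
```

Keep the subnet list in one place and generate both rule sets from it: the point of the paragraph is that the proxy and the internal hosts must be denied the same destinations, and two hand-maintained lists drift apart.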

The truly geeky employees will want to SSH to their home Linux servers, probably so they can run IRC chat clients, read email, or conduct any number of other activities. Blocking SSH (port 22) is easy enough, but again, doesn’t stop the determined user. ProxyTunnel allows SSH sessions to be tunneled over a proxy server to the user’s home server. Similar in nature to the CGIproxy for web surfing, this cannot be effectively blocked. People familiar with SSH will realize this means that the user can also tunnel anything over the SSH session, including http and instant messaging services. Furthermore, they can run a proxy server for all their coworkers, allowing everyone to use AIM and browse the web uncensored. This has been observed before, and the company started blocking the user’s home IP address. He started hosting it at a web-hosting company, and ran undetected for months before being caught again.
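A proxy-log check covering both the CGI-proxy case above and the ProxyTunnel case, as an added example that is not part of the original article. It assumes a simplified, constructed access-log layout (client, method, URL, status, bytes), so adapt the regular expression to your proxy's real format. The script name `nph-proxy.cgi` is CGIproxy's default, used here only as the weak "block by name" signal the article dismisses; the stronger signals are a complete URL carried inside a query parameter (how a CGI proxy is told what to fetch, whatever the script is renamed to) and a CONNECT request to a port other than 443 (how an SSH session is tunneled through an HTTP proxy). The allowed-port set and the query-parameter convention are my assumptions.

```python
"""Flag proxy-log lines that look like CGI-proxy use or a tunneled SSH session.

Added example, not from the original article. Log layout, field names and
the allowed CONNECT ports are assumptions; the sample log is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed log line layout: client method url status bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Default script names of well-known CGI proxies: a weak signal, since the
# article notes users simply rename the script.
KNOWN_CGI_PROXY_SCRIPTS = ('nph-proxy.cgi', 'nph-proxy.pl')

# Ports a browser legitimately uses CONNECT for (assumption: HTTPS only).
# A CONNECT to anything else, e.g. 22, is a tunnel rather than a web page.
ALLOWED_CONNECT_PORTS = {443}

NESTED_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def flags_for(line):
    """Return the list of reasons a line is suspicious (empty = nothing seen)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return ['unparseable']
    method, url = m['method'], m['url']
    reasons = []
    if method == 'CONNECT':
        # The CONNECT target is host:port, not a URL.
        _host, _, port = url.rpartition(':')
        if not port.isdigit() or int(port) not in ALLOWED_CONNECT_PORTS:
            reasons.append(f'connect-to-port-{port or "unknown"}')
        return reasons
    parts = urlsplit(url)
    path = parts.path.lower()
    if any(path.endswith(script) for script in KNOWN_CGI_PROXY_SCRIPTS):
        reasons.append('known-cgi-proxy-script')
    # Stronger signal: a full URL as a query value survives a script rename.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if NESTED_URL.match(value):
            reasons.append('nested-url-in-query')
            break
    return reasons


def scan(lines):
    """Map each flagged line to its reasons; clean lines are left out."""
    result = {}
    for line in lines:
        reasons = flags_for(line)
        if reasons:
            result[line.strip()] = reasons
    return result


# Constructed sample log: one intranet fetch, a CGI proxy by default name,
# the same proxy renamed, a normal HTTPS CONNECT, and a CONNECT to port 22.
SAMPLE_LOG = [
    '10.1.2.3 GET http://intranet.example/index.html 200 5120',
    '10.1.2.3 GET http://home.example/nph-proxy.cgi?url=http%3A%2F%2Fnews.example%2F 200 8800',
    '10.1.2.4 GET http://home.example/weather.cgi?url=http://mail.example/ 200 7700',
    '10.1.2.5 CONNECT secure.example:443 200 0',
    '10.1.2.5 CONNECT home.example:22 200 0',
]

if __name__ == '__main__':
    for line, reasons in scan(SAMPLE_LOG).items():
        print(reasons, line)
```

The nested-URL check is a heuristic, not a rule to block on blindly: single-sign-on redirects and link-tracking services also carry full URLs in query strings, so treat a hit as a reason to look at the client's traffic rather than as proof. The CONNECT check is the more decisive one, and most proxies can enforce it directly (Squid's stock configuration denies CONNECT to ports outside its `SSL_ports` ACL), which closes the ProxyTunnel path without any log analysis at all.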

Maybe the uber-skilled employee isn’t a great concern in most organizations. Especially in the last case, these types are rare in numbers. There is, however, software available for purchase that makes circumventing the firewall/proxy as simple as a few mouse clicks. Hopster is targeting unskilled users, and promising they will be able to access anything from behind any type of proxy. Hopster works by tunneling everything through corporate proxies as innocent http requests back to their own servers, and then proxying anything that the user happens to be using. All a user has to do is configure Internet Explorer and AIM to use this program, and there are step-by-step instructions available on the hopster website. Hopster offers monthly subscriptions that vary in price based on how much bandwidth the user wants to utilize.

With clever services and applications in the vein of hopster, blocking productivity-inhibiting programs from the workplace becomes harder and harder every day. For liability purposes, putting forth a best effort to deny access to harmful websites may be enough. Firewall administrators who deeply care about these circumvention techniques, however, will probably want to examine how applications like Hopster work in more detail. There's also another aspect to this proxy server manipulation that should raise the security personnel's eyebrows. We all know that VPNs are evil, and if users can tunnel through the proxy server with SSH, they can also use SSH to create a VPN, and poke a gigantic hole in your company’s network.
