How can I keep users from bypassing the filter using web proxies or "anonymizers"?


This article applies to:

  • R3000

Question:

How can I keep users from bypassing the filter using web proxies or "anonymizers"?

Reply

Overview of the different types of proxies that exist - and how we block them by Rich Sutton
November 15th, 2007

Know thy enemy. Keep your friends close, and your enemies closer. If you are an IT administrator charged with the task of securing your network, the most important knowledge you possess is an in-depth understanding of the threats you’re working to counter.

Some are external threats: How does malware propagate? What techniques does spam email use to evade detection? Some are internal threats: Which of my employees has access to sensitive data? Which programs are my users installing and using to get their jobs done, how do those tools work, and how do I secure them? And of course …

How will my users circumvent the security infrastructure of my network, inadvertently or otherwise?

Well when it comes to your web filter and secure web gateway, the primary circumvention method your users are going to use is proxies. If you’re not familiar with the issues surrounding proxies, this whitepaper is a good place to start. I’m going to assume you already know why they need to be blocked. In this post, I’m going to focus on the what and the how.

There are basically five types of proxies:

  1. Client-based proxies
  2. HTTP web-based proxies
  3. Secure public web-based proxies
  4. Secure anonymous web-based proxies
  5. Open proxies

I’ll cover each in turn.

Client-based Proxies

These are programs that users can download and run on their computers. Many of these programs are “green software”, which means they don’t require any installation or elevated privileges, so they can be run from a USB thumb drive by a user with limited privileges. Examples include XeroBank (aka TorPark, aka “Firefox on a stick”), Google Web Accelerator and McAfee’s Anonymizer.

(Note to students and employees looking for circumvention tips: I’m only going to reference proxy types that 8e6 already blocks, so don’t break company or school rules by using this stuff, you will get caught.)

Typically, these programs create a local proxy server on a non-standard port. Then they configure the browser to use the local proxy by changing its proxy server settings to something in the form localhost:port, like 127.0.0.1:9666 (see the discussion of open proxies below to get an explanation of the browser’s proxy server settings). Web requests are then tunneled through the proxy program to an accompanying proxy server using a custom protocol, which is typically encrypted. The gateway doesn’t see the browser-to-local proxy traffic, because it never hits the network. All the gateway sees is the custom protocol that encapsulates the user’s web request.

The network of proxy servers is either static, as is the case with commercial programs like McAfee’s Anonymizer and Google Web Accelerator; or it’s private and dynamic, as is the case with XeroBank. In the latter case, the network is typically built from individuals who volunteer their home computers for use by installing the corresponding proxy server software.

We block client-based proxies with a combination of packet signatures (“patterns”) and URLs and IPs in the 8e6 Database (the “Library”).
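The local-proxy arrangement described above (browser proxy settings pointed at something like 127.0.0.1:9666) is also visible from the endpoint side. The following is an added example, not code from the original article or from 8e6: a small audit that parses a Firefox profile's prefs.js (Firefox stores its settings as `user_pref("name", value);` lines; the `network.proxy.*` names are real Firefox preferences) and flags any manual proxy configuration that points at the loopback address. The prefs.js content is constructed for the example, and the SANCTIONED set of allowed proxies is a hypothetical placeholder an administrator would fill in.

```python
import re

# Constructed prefs.js excerpt for this example, in the
# user_pref("name", value); format Firefox uses for profile preferences.
# network.proxy.type 1 means "manual proxy configuration".
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 9666);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 9666);
'''

PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Hypothetical: (host, port) pairs the organisation actually sanctions as a proxy.
SANCTIONED = {("proxy.corp.example", 8080)}


def parse_prefs(text):
    """Turn prefs.js text into a dict, converting strings, booleans and ints."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def local_proxy_findings(prefs):
    """Return (protocol, host, port) entries that point at loopback and are
    not on the sanctioned list.  Only manual configuration (type 1) is
    examined; automatic/PAC configurations need a different check."""
    findings = []
    if prefs.get("network.proxy.type") != 1:
        return findings
    for proto in ("http", "ssl", "socks"):
        host = prefs.get("network.proxy." + proto)
        port = prefs.get("network.proxy.%s_port" % proto)
        if host is None or port is None:
            continue
        if (host, port) in SANCTIONED:
            continue
        if host.lower() in LOOPBACK:
            findings.append((proto, host, port))
    return findings


def audit(text=SAMPLE_PREFS_JS):
    """Parse and audit one prefs.js body; returns the list of findings."""
    return local_proxy_findings(parse_prefs(text))


if __name__ == "__main__":
    for proto, host, port in audit():
        print("loopback proxy configured for %s -> %s:%d" % (proto, host, port))
```

Run against a real profile by reading its prefs.js into `audit()`. A finding is a lead, not proof: some legitimate local software (debugging proxies, accelerators) also listens on loopback, so the sanctioned list is where those exceptions belong.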

HTTP web-based proxies

These are web sites that have programs installed on them that are purpose-built to proxy web traffic. To use them, the user points his browser at the proxy web site, then types the URL that he wants to get to into a text box on the HTML page that site serves. The browser sends all traffic to the proxy site, but the proxy site returns the content of a different site, the one the user actually wants to see. The gateway only sees traffic to the proxy site.

There are a slew of software packages that provide this kind of functionality. PHProxy and CGIProxy are the most well-known. Some notorious proxy software like Peacefire’s Circumventor are installations built on top of one of these packages.

These packages are specifically built to evade filtering, so they go to great pains to ensure that it’s difficult to reverse engineer the URL of the proxied site from the HTTP traffic that’s flowing between the browser and the proxy.

The big thing to understand about this type of proxy is that it’s absolutely dead simple to install one of these on your home computer. A non-technical user can do it in a matter of minutes. Once he installs it, the user has a web-based proxy running on his home computer, which is presumably not filtered. He can then access his home computer from a filtered network (like a school) using just a browser, and circumvent your carefully crafted web filtering policy. And if no other web site in the world links to that user’s home computer, which is a good bet, then even Google won’t find it, much less a web-filtering vendor like us or Websense.

This is why we built a packet signature based approach. You simply can’t get all of these in a list. And even if you could get almost all of them, you still won’t have zero-day protection. Our proxy patterns provide zero-day protection.

We block HTTP web-based proxies primarily with patterns, backed up by URLs and IPs in the Library.

Secure public web-based proxies

These guys take it up a notch. They’re basically the same as the HTTP web-based proxies described above, except that they use HTTPS. There are two discrete cases of HTTPS proxies that I’ll describe separately: public and anonymous.

Public HTTPS proxies are built by organizations like Proxy.org and Peacefire and are publicized via mailing lists and the incredible word-of-mouth engine that is the Internet. They are created to look like completely legitimate sites, with properly constructed certificates that have been issued by trusted certificate authorities like VeriSign.

We block these using URLs and IPs in our Library, but you must have HTTPS filtering enabled, and it must be at the Medium level or higher.

Because we are not an SSL-terminating proxy (by design, those things are way more expensive and way less scalable), we do not get to look inside the HTTPS traffic. Instead we pull down the site’s certificate separately and use that to do lookups into our Library. If we have a site categorized by IP, which is very typical for these well known proxies, then we don’t have to take the performance hit of pulling down the certificate, we can just terminate the connection.

Secure anonymous web-based proxies

This is the much more interesting case of HTTPS web-based proxies. In this case, the user takes that same proxy software package used by the public proxy sites and installs it on his home computer. The package generates a certificate and listens on HTTPS. Now the user has a secure web-based proxy running on his home computer.

These proxy types combine the problems described above: they’re encrypted using HTTPS and they’re anonymous, in the sense that nobody links to them so they can’t be found by classic site discovery techniques like spidering links on known sites.

We provide zero-day protection for secure anonymous proxies with some fancy footwork in our HTTPS filtering logic. We basically use heuristics on the certificate and other aspects of the connection that have been built out of our long experience in blocking proxies. To get this, you must have HTTPS filtering enabled and set to the High level.

Note: We are releasing some significant improvements to our HTTPS filtering in the next release of the R3000, due out by year end. The improvements are by and large directly aimed at more effectively blocking secure anonymous web-based proxies.

Of course, once we learn about a secure anonymous web-based proxy, either because a customer informed us or we received it in an automated data feed of uncategorized sites back from a customer site, it goes in the Library and is blocked by regular URL filtering.

Open proxies

Open proxies are sites that you use by changing the configuration of your browser. Your browser can be configured to send all traffic to a proxy at a specific IP and port. Most often, this is used internally on a network as a way of facilitating web filtering. Some vendors require it; others (like us) do not.

To check it out on Firefox, go to Tools -> Options -> Network -> Settings. That’s where you would configure your browser to use an open proxy.

When configured to use an open proxy, the browser simply sends all of its HTTP requests to the proxy, as opposed to resolving the URL to an IP and sending the request directly to the destination web site. The open proxy then does the name resolution, connects to the destination web site and returns that content to the browser.

As a result, a web filter at the gateway can do regular old URL filtering. If the end user is attempting to access a blocked site through an open proxy, the name of the site is encoded right there in the request, and the filter works just as it would if the browser wasn’t configured to use an open proxy.

In fact, regular URL filtering works even better for HTTPS filtering when you use an open proxy. For HTTPS sites the browser will send a special HTTP request to the open proxy using the CONNECT method, as opposed to starting an SSL session with the destination web site. The rest of the HTTP request is encoded just as in a regular GET request. So there’s no need to go get the certificate, the filter can see exactly where the user is going from the CONNECT request.
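To make concrete what the gateway actually sees in the open-proxy case, here is an added example (not code from the original article or from 8e6) of the request-line parsing a URL filter performs. A browser configured for a proxy sends an absolute URI in the request line for plain HTTP, and a `CONNECT host:port` request for HTTPS; a browser talking directly sends a path and a Host header. The sample requests and the BLOCKED_HOSTS set are constructed for the example, standing in for the filter's real URL/IP library.

```python
import re
from urllib.parse import urlsplit

# Constructed samples of raw requests as seen on the wire: two in the forms a
# browser uses when configured for an open proxy, one direct request.
SAMPLE_REQUESTS = [
    "GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net:443\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: intranet.local\r\n\r\n",
]

# Hypothetical block list standing in for the filter's URL/IP database.
BLOCKED_HOSTS = {"www.example.com", "mail.example.net"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def destination_host(raw_request):
    """Return (method, host, via_proxy) for one raw HTTP request.

    via_proxy is True when the request has the shape a browser produces when
    it has been told to use a proxy: an absolute URI in the request line, or
    a CONNECT naming host:port for an HTTPS tunnel.  Bracketed IPv6 literals
    are not handled here.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target = m.group(1), m.group(2)

    if method == "CONNECT":
        # authority-form: host:port, no scheme, no path; destination is
        # readable without fetching any certificate.
        host = target.rsplit(":", 1)[0]
        return method, host.lower(), True

    if "://" in target:
        # absolute-form: the full URL is in the request line itself.
        return method, urlsplit(target).hostname, True

    # origin-form: direct request, destination comes from the Host header.
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return method, value.strip().rsplit(":", 1)[0].lower(), False
    raise ValueError("no Host header in origin-form request")


def filter_decision(raw_request, blocked=BLOCKED_HOSTS):
    """Classify one request and decide whether plain URL filtering blocks it."""
    method, host, via_proxy = destination_host(raw_request)
    return {"method": method, "host": host,
            "via_proxy": via_proxy, "blocked": host in blocked}


def run_samples():
    return [filter_decision(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for d in run_samples():
        print(d)
```

Both proxied forms yield the destination host from the request line alone, which is the point the article makes: the open proxy does not hide where the user is going from a gateway filter, and the CONNECT case gives the filter the HTTPS destination without the certificate lookup needed for direct HTTPS connections.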

Folks out on the Internet build open proxies and publicize them through mailing lists and other sites. Often, they are built with malicious intent, as a way to steal user credentials. The open proxy can see everything you’re sending, even HTTPS.

All filtering is done via regular URL filtering, no fancy features necessary.

In summary, there are three features of the filter that we use to block these five types of proxies:

  1. Regular old HTTP URL filtering: proxy web sites and IP addresses in the 8e6 Database.
  2. HTTPS filtering, which includes certificate and connection heuristics. Definitely make sure that you are using the Medium or High level.
  3. Pattern detection (aka packet signatures), which works on both binary protocols and text-based protocols like HTTP.

Often, we use more than just one of these methods to stop a single proxy program, so make sure that you are using all of them! And make sure that you have configured the filter to look at traffic on all ports. A very simple enhancement to any of the above circumvention techniques is to use a non-standard port.

This article was previously published as:
8e6 KB 276520

Last Modified 3/10/2008.
https://support.trustwave.com/kb/KnowledgebaseArticle12338.aspx