How Good is Your Great Wall?
Executive Summary: Enterprises spend a lot of time tuning the corporate firewall to keep a lid on employee activity. Users, however, have a few tricks of their own.
If you're wondering how well your Great Corporate Firewall is doing with regards to keeping a lid on employee activity, there are a few tricks you might want to be aware of.
Varying degrees of filtering are used by companies, normally mandated by the big boss upstairs. Some companies just try to block instant messaging programs to keep employees more focused or to keep corporate information from leaking, but others go to great lengths to ensure nobody is visiting questionable websites from work. In these environments, it is not uncommon for all but a few network ports to be blocked, and even those may be directed through a proxy server.
Numerous employees at your site may be exceptionally computer savvy. These employees likely run their own servers at home, and there isn't much you can do to stop their unfettered Web browsing habits.
Skirting Your Web Filters
CGIproxy, for instance, is a program that can be run on any Web server and acts as a proxy itself. Users typically install this or a similar CGI-based proxy script on their home Web server, and then connect to it from work. Unless the corporate firewall happens to be blocking the user's home IP address, CGIproxy will let the user reach any HTTP or FTP site. The CGI script presents a Web page with an input box, and all the user has to do is type in a URL. Subsequent browsing is done within an HTML frame, which allows the user to visit any website through the CGI proxy.
There are quite a few tools like this out there, and it is possible to detect the common ones. Countermeasures include blocking any URL that has the name of a well-known CGI proxy in it, but the effort required to implement this is hard to justify. Users can simply rename the script when they realize what's happening, and that won't take long. You could also restrict access to the user's IP address, but this too won't gain much, as they can simply run it on a hosted server somewhere else.
It is clear that HTTP proxies can be fooled quite easily. Companies are also commonly interested in blocking outgoing ports for other services. The most common, and most frustrating to users, are the instant messaging programs.
While it is true that these programs' default installations can be blocked quite easily, blocking them for skilled users is much more difficult. The big four instant messengers all use well-known ports, as long as the user hasn't changed that setting. AOL, MSN, ICQ and Yahoo! all support the option to change the ports they use, within a certain range. The one exception to the rule is Yahoo!, which uses port 80. If the port ranges these programs use are blocked, more sophisticated users will quickly notice the "configure a proxy" option in the settings. All of these messaging programs can operate through HTTP and SOCKS proxies, so blocking the ports is futile. You can, of course, disallow access to the login servers via your proxies, but tricky users will be able to piggyback on other proxy services, like DNS.
The only method to block instant messenger usage at the workplace is to deny network access to the login servers they use. This isn't fool-proof either, as we'll see shortly. To implement this, you'll have to figure out the IP address ranges used by the various instant messaging login servers, and simply block network access to those subnets. Neither the proxy servers nor any internal host will be able to access them in this case.
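The ordering trap in that last sentence is worth checking mechanically: on a first-match packet filter, a blanket "allow the proxy out" rule placed above the login-server denies silently undoes them for the proxy host. The following is an added example, not code from the article, that audits a rule list for exactly that shadowing. The CIDRs stand in for whatever login-server ranges you have looked up for your own environment; they are placeholders from documentation address space, and the internal addresses are constructed.

```python
import ipaddress

# Placeholder CIDRs standing in for the instant-messaging login-server ranges an
# administrator would have looked up; these are documentation addresses, not real ones.
IM_LOGIN_SUBNETS = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder for one service's login range
    ipaddress.ip_network("198.51.100.0/25"),  # placeholder for another service's login range
]

ANY = ipaddress.ip_network("0.0.0.0/0")
PROXY_NET = ipaddress.ip_network("10.0.0.5/32")   # constructed: the corporate proxy host
LAN = ipaddress.ip_network("10.0.0.0/16")         # constructed: internal workstations

PROXY = ipaddress.ip_address("10.0.0.5")
WORKSTATION = ipaddress.ip_address("10.0.1.23")

# A rule is (action, source network, destination network). Rules are evaluated
# top to bottom and the first match wins, as on most packet filters.

def first_match(rules, src, dst):
    """Return the action of the first rule matching (src, dst); default deny."""
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "deny"

def im_deny_rules():
    """Deny traffic from anywhere to each login-server subnet."""
    return [("deny", ANY, net) for net in IM_LOGIN_SUBNETS]

def audit_rules(rules, blocked, sources):
    """Return (source, subnet) pairs that the rule set would still allow, i.e.
    places where the deny for a login-server subnet is shadowed by an earlier allow."""
    leaks = []
    for src in sources:
        for net in blocked:
            probe = next(net.hosts())  # any address inside the subnet will do
            if first_match(rules, src, probe) == "allow":
                leaks.append((str(src), str(net)))
    return leaks

# Misordered: the proxy's blanket egress allow comes first and shadows the denies,
# so the proxy can still reach the login servers even though workstations cannot.
MISORDERED = [("allow", PROXY_NET, ANY)] + im_deny_rules() + [("allow", LAN, ANY)]

# Corrected: the login-server denies precede every allow, so neither the proxy
# nor any internal host can reach those subnets.
CORRECTED = im_deny_rules() + [("allow", PROXY_NET, ANY), ("allow", LAN, ANY)]

if __name__ == "__main__":
    print("misordered leaks:", audit_rules(MISORDERED, IM_LOGIN_SUBNETS, [PROXY, WORKSTATION]))
    print("corrected leaks: ", audit_rules(CORRECTED, IM_LOGIN_SUBNETS, [PROXY, WORKSTATION]))
```

Running the audit on the misordered list reports the proxy host as able to reach both login subnets; on the corrected list it reports nothing. The same probe-per-subnet approach works for any first-match rule language once you have translated the rules into (action, source, destination) tuples.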
The truly geeky employees will want to use SSH for encrypted, remote tunnels to their home servers, probably so they can run IRC chat clients, read e-mail or conduct any number of other activities. Blocking SSH (port 22) is easy enough, but again, doesn't stop the determined user.
ProxyTunnel allows SSH sessions to be tunneled over a proxy server to the user's home server. Similar in nature to the CGIproxy for web surfing, this cannot be effectively blocked. People familiar with SSH will realize this means that the user can also tunnel anything over the SSH session, including HTTP and instant messaging services. Furthermore, they can run a proxy server for all their coworkers, allowing everyone to use AIM and browse the web uncensored. We know of one such instance where a company started blocking a user's home IP address. He started hosting it at a Web hosting company, and ran undetected for months before being caught again.
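Neither CGI proxies nor SSH-over-proxy tunnels can be blocked outright, but both leave a recognisable shape in the proxy's access log, which is where a best-effort administrator can at least see them. The following added example (not code from the article or from any of the tools it names) scans constructed, simplified access-log lines for the two patterns described above: a request URL that carries another absolute URL inside its path or query string, which is how a CGI proxy wraps the pages it fetches, and a CONNECT request to a port other than 443 or one that stays open far longer than a normal HTTPS session. The script-name list, the one-hour threshold and the log format are all assumptions for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Illustrative script names only; in practice the administrator maintains this list.
KNOWN_CGI_PROXY_SCRIPTS = {"nph-proxy.cgi", "nph-proxy.pl"}

# Matches a second URL embedded in a path or query string once percent-decoded,
# e.g. "/nph-proxy.cgi/.../http/host/" or "?url=http://host/".
EMBEDDED_URL = re.compile(r"(?:^|[/?=&])https?(?:://|/[A-Za-z0-9])")

LONG_TUNNEL_SECONDS = 3600      # assumption: a genuine HTTPS session rarely lasts an hour
EXPECTED_CONNECT_PORT = 443     # the only port a browser's CONNECT normally targets

# Constructed access-log lines (not from any real system), one request per line:
# client_ip  method  url  status  bytes  duration_seconds
SAMPLE_LOG = """\
10.0.1.23 GET http://intranet.example/news 200 5120 0
10.0.1.23 GET http://home.example.net/nph-proxy.cgi/000100A/http/news.example.org/ 200 48211 1
10.0.1.42 GET http://cgi.example.org/cgi-bin/p.cgi?url=http%3A%2F%2Fwebmail.example.org%2F 200 30100 1
10.0.1.42 CONNECT bank.example.com:443 200 12800 45
10.0.1.77 CONNECT home.example.net:443 200 9143000 7213
10.0.1.77 CONNECT home.example.net:22 200 2048 3
"""

def classify_get(url):
    """Reasons a plain HTTP request looks like it went through a CGI proxy."""
    reasons = []
    parts = urlsplit(url)
    path = unquote(parts.path)
    query = unquote(parts.query)
    if any(seg in KNOWN_CGI_PROXY_SCRIPTS for seg in path.split("/")):
        reasons.append("known_cgi_proxy_script")
    if EMBEDDED_URL.search(path + "?" + query):
        reasons.append("embedded_url")
    return reasons

def classify_connect(target, duration_s):
    """Reasons a CONNECT request looks like a tunnel rather than ordinary HTTPS."""
    reasons = []
    _host, _, port = target.rpartition(":")
    if not port.isdigit() or int(port) != EXPECTED_CONNECT_PORT:
        reasons.append("connect_nonstandard_port")
    if duration_s > LONG_TUNNEL_SECONDS:
        reasons.append("long_lived_connect")
    return reasons

def scan(log_text):
    """Return (client, reasons, url) for every log line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, url, _status, _nbytes, duration = line.split()
        if method == "CONNECT":
            reasons = classify_connect(url, int(duration))
        else:
            reasons = classify_get(url)
        if reasons:
            findings.append((client, tuple(reasons), url))
    return findings

if __name__ == "__main__":
    for client, reasons, url in scan(SAMPLE_LOG):
        print(client, ", ".join(reasons), url)
```

On the sample lines the intranet request and the 45-second CONNECT to port 443 pass; the two wrapped URLs are flagged even though the second uses an unfamiliar script name, and the two CONNECTs to the home server are flagged once for the port and once for the two-hour duration. Renaming the script defeats the name list, as the article notes, but not the embedded-URL check, and a tunnel over port 443 is only caught by its lifetime. Expect some noise from search queries that contain a URL, so treat hits as a triage list rather than a block list.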
One-Click Firewall Evasion
Maybe the uber-skilled employee isn't a great concern in most organizations. Especially in the last case, these types are rare. There is, however, software available for purchase that makes circumventing the firewall/proxy as simple as a few mouse clicks. Hopster targets unskilled users and promises that they will be able to access anything from behind any type of proxy.
Hopster works by tunneling everything through corporate proxies as innocent-looking HTTP requests back to its own servers, and then proxying whatever the user happens to be using. All a user has to do is configure Internet Explorer and AIM to use this program, and there are step-by-step instructions available on the Hopster website. Hopster offers monthly subscriptions that vary in price based on how much bandwidth the user wants to utilize.
With clever services and applications in the vein of Hopster, blocking productivity-inhibiting programs from the workplace becomes harder every day. For liability purposes, putting forth a best effort to deny access to harmful sites may be enough. Firewall administrators who care deeply about these circumvention techniques, however, will probably want to examine how applications like Hopster work in more detail.