If you’re wondering how well your Great
Corporate Firewall is doing with regards to keeping a lid on employee
activity, there are a few tricks you might want to be aware of.
Varying degrees of filtering are used by companies, normally
mandated by the big boss upstairs. Some companies just try to block
instant messaging programs to keep employees more focused or to keep
corporate information from leaking, but others go to great lengths to
ensure nobody is visiting questionable websites from work. In these
environments, it is not uncommon for all but a few network ports to be
blocked, and even those may be directed through a proxy server.
Numerous employees at your site may be exceptionally computer savvy.
These employees likely run their own servers at home, and there isn’t
much you can do to stop their unfettered Web browsing habits.
Skirting Your Web Filters
CGIproxy, for instance, is a program that can be run on any Web server, and acts as a
proxy itself. Users typically install this or similar CGI-based proxy
scripts on their home web server, and then connect from work. Unless
the corporate firewall is blocking the user’s home IP for some reason,
CGIproxy will enable them to access any HTTP or FTP site. The CGI script
will present a Web page with an input box, and all the user has to do is
input a URL. Subsequent browsing is done within an HTML frame, which
allows the user to visit any website through the CGI proxy.
There are quite a few tools like this out there, and it is possible
to detect the common ones. Countermeasures include blocking any URL
that has the name of a well-known CGI proxy in it, but the effort
required to implement this is hard to justify. Users can simply rename
the script when they realize what’s happening, and that won’t take
long. You could also block the user’s home IP address, but this
too won’t gain much, as they can simply run the script on a hosted server instead.
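One way to spot such traffic in the proxy's request log, as an added example that is not part of the original article: a Python scanner that matches the stock script name of CGIProxy (nph-proxy.cgi) and, because a renamed copy defeats that check, also looks for the structural giveaway every CGI proxy shares, namely a full target URL carried inside the requested URL's path or query string. The sample URLs are constructed; the hostnames and the flag segment in the path are placeholders.

```python
"""Flag requested URLs that look like traffic through a CGI-based web proxy.

Defensive review heuristic. Input is the list of URLs a client requested,
as the corporate proxy would record them.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Stock script names of well-known CGI proxies. CGIProxy ships as
# nph-proxy.cgi; extend this set with whatever your own review turns up.
# A renamed copy defeats this check, which is why the two structural
# checks below exist.
KNOWN_PROXY_SCRIPTS = {"nph-proxy.cgi"}

# A target URL encoded into the path, e.g. ".../anything.cgi/http/www.example.com/"
# or ".../anything.cgi/http://www.example.com/". A dotted hostname is required
# so that ordinary paths such as "/http/docs" do not match.
PATH_EMBEDDED_URL = re.compile(
    r"/(?:https?|ftp)(?:://|/)[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", re.IGNORECASE
)
TARGET_SCHEMES = {"http", "https", "ftp"}


def classify_url(url):
    """Return the reasons this URL looks like CGI-proxy traffic (empty if none)."""
    reasons = []
    parts = urlsplit(url)
    path = parts.path
    for name in sorted(KNOWN_PROXY_SCRIPTS):
        if name in path.lower():
            reasons.append(f"known proxy script {name}")
    if PATH_EMBEDDED_URL.search(path):
        reasons.append("target URL encoded in path")
    # parse_qsl percent-decodes values, so "http%3A%2F%2F..." becomes a real URL
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        target = urlsplit(value)
        if target.scheme.lower() in TARGET_SCHEMES and target.netloc:
            reasons.append(f"target URL in query parameter '{key}'")
            break
    return reasons


def scan(urls):
    """Map each suspicious URL to its reasons; clean URLs are omitted."""
    findings = {}
    for url in urls:
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample of requested URLs (placeholder hosts, placeholder flag segment).
SAMPLE_REQUESTS = [
    "http://home.example.net/cgi-bin/nph-proxy.cgi/000100A/http/www.example.com/news",
    "http://home.example.net/cgi-bin/weather.cgi/000100A/http/www.example.com/",
    "http://home.example.net/~bob/browse.php?url=http%3A%2F%2Fwww.example.com%2F",
    "http://intranet.example.com/cgi-bin/search.cgi?q=firewall+policy",
    "http://www.example.org/redirect?u=/local/path",
]

if __name__ == "__main__":
    for flagged, why in scan(SAMPLE_REQUESTS).items():
        print(flagged)
        for reason in why:
            print("   ", reason)
```

Treat hits as review candidates rather than block rules: any legitimate site with a redirect parameter such as `?next=http://...` trips the query check, which is exactly the kind of cost the text has in mind when it calls the effort hard to justify.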
It is clear that HTTP proxies can be fooled quite easily. Companies
are commonly interested in blocking outgoing ports for other
services as well. The most common, and most frustrating to users, are the
instant messaging programs.
While it is true that these programs’ default installations can be
blocked quite easily, blocking them from skilled users is much more
difficult. The big four instant messengers all use well-known ports, if
the user hasn’t changed that setting. AOL, MSN, ICQ and Yahoo! all
support the option to change the ports they use, within a certain
range. The only exception to the rule is Yahoo!, which uses port 80. If
the port ranges these programs use are blocked, more sophisticated
users will quickly notice the “configure a proxy” option in the
settings. All of these messaging programs can operate through HTTP and
SOCKS proxies, so blocking the ports is futile. You can, of course,
disallow access to the login servers via your proxies, but tricky users
will be able to piggyback on other proxy services, like DNS.
The only method to block instant messenger usage at the workplace is
to deny network access to the login servers they use. This isn’t
fool-proof either, as we’ll see shortly. To implement this, you’ll have
to figure out the IP address ranges used by the various instant
messaging login servers, and simply block network access to those
subnets. Neither the proxy servers nor any internal host will be able
to access them in this case.
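The subnet block described above, as an added Python example (not from the article): observed login-server addresses are widened to /24 blocks and collapsed into one deny list, and the egress decision is made on the destination alone, so the proxy servers fall under the same rule as every workstation. The hostnames and addresses are constructed placeholders from the documentation ranges; the ranges the real services use have to be looked up and re-checked periodically, since they change.

```python
"""Network-layer deny list for instant-messaging login servers.

Builds the perimeter block described above from observed addresses and
evaluates a connection attempt against it. All hosts and addresses are
constructed placeholders (RFC 5737 documentation ranges).
"""
import ipaddress

# Constructed: addresses each login hostname resolved to over a few days.
OBSERVED_LOGIN_SERVERS = {
    "login.example-im.test": ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.200"],
    "msg.example-chat.test": ["198.51.100.40", "198.51.100.41"],
}


def summarize(addresses, prefix=24):
    """Widen each observed address to a /prefix block and collapse duplicates
    and adjacent blocks into the smallest list of networks."""
    nets = (ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses)
    return list(ipaddress.collapse_addresses(nets))


def build_deny_list(observed, prefix=24):
    """One sorted list of networks to deny, covering every observed login server."""
    every = [addr for addrs in observed.values() for addr in addrs]
    return summarize(every, prefix)


def egress_allowed(dst, deny_list):
    """Perimeter decision for traffic leaving the site. The rule keys on the
    destination only, so it applies equally to workstations and to the HTTP
    and SOCKS proxies; a client pointed at a proxy gains nothing."""
    dst_ip = ipaddress.ip_address(dst)
    return not any(dst_ip in net for net in deny_list)


if __name__ == "__main__":
    deny = build_deny_list(OBSERVED_LOGIN_SERVERS)
    for net in deny:
        print("deny any ->", net)
    for attempt in ("192.0.2.77", "198.51.100.3", "203.0.113.9"):
        print(attempt, "allowed" if egress_allowed(attempt, deny) else "denied")
```

Widening to /24 is a deliberate trade-off: login servers rotate within their provider's blocks, so exact /32 entries go stale quickly, while a wider block risks catching an unrelated service hosted nearby. Review the collapsed list before deploying it.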
The truly geeky employees will want to use SSH for encrypted, remote tunnels to
their home servers, probably so they can run IRC chat clients, read
e-mail or conduct any number of other activities. Blocking SSH (port 22)
is easy enough, but again, doesn’t stop the determined user.
Tools also exist that allow SSH sessions to be tunneled over a proxy server to the user’s home
server. Similar in nature to the CGIproxy for web surfing, this cannot
be effectively blocked. People familiar with SSH will realize this
means that the user can also tunnel anything over the SSH session,
including HTTP and instant messaging services. Furthermore, they can
run a proxy server for all their coworkers, allowing everyone to use
AIM and browse the web uncensored. We know of one such instance where a
company started blocking a user’s home IP address. He started hosting
it at a Web hosting company, and ran undetected for months before being
One-Click Firewall Evasion
Maybe the uber-skilled employee isn’t a great concern in most
organizations. Especially in the last case, these types are rare. There
is, however, software available for purchase that makes circumventing the
firewall/proxy as simple as a few mouse clicks. Hopster targets unskilled
users, promising that they will be able to access anything from behind
any type of proxy.
Hopster works by tunneling everything through corporate proxies as
innocent HTTP requests back to its own servers, and then proxying
anything that the user happens to be using. All a user has to do is
configure Internet Explorer and AIM to use this program, and there are
step-by-step instructions available on the Hopster website. Hopster
offers monthly subscriptions that vary in price based on how much
bandwidth the user wants to utilize.
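Two of the cases above leave traces in the proxy's own log: an SSH session carried over the proxy's CONNECT method, and Hopster-style traffic that rides inside ordinary HTTP requests to a single outside relay host. The following Python example (added here; not from the article, from Hopster, or from any SSH tunnelling tool) reads Squid's native access.log format and applies three checks: CONNECT to a port other than 443, CONNECT sessions held open far longer than a browser would, and a client sending the bulk of its bytes to one outside host across many requests. Every log line is constructed, with documentation-range addresses, and the thresholds are assumptions to tune for your own environment.

```python
"""Proxy-log review for tunnels through an HTTP proxy.

Reads Squid's native access.log format:
  timestamp elapsed_ms client action/status bytes method url ident hierarchy type
All sample lines below are constructed.
"""
from collections import defaultdict

EXPECTED_CONNECT_PORTS = {443}          # CONNECT to anything else is worth a look
LONG_TUNNEL_MS = 30 * 60 * 1000         # assumption: browsers rarely hold CONNECT 30 min
CONCENTRATION_MIN_REQUESTS = 20         # assumption: enough requests to be a pattern
CONCENTRATION_SHARE = 0.6               # assumption: one host taking 60%+ of a client's bytes


def parse_squid_line(line):
    """Extract the fields these checks need from one native-format Squid line."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"elapsed_ms": int(f[1]), "client": f[2], "status": f[3],
            "bytes": int(f[4]), "method": f[5], "url": f[6]}


def host_and_port(url, method):
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, (int(port) if port.isdigit() else None)
    netloc = url.split("://", 1)[-1].split("/", 1)[0]
    host, _, port = netloc.partition(":")
    return host, (int(port) if port.isdigit() else 80)


def find_suspicious_tunnels(records):
    """CONNECT requests to non-TLS ports, or held open unusually long.
    SSH forwarded through CONNECT to port 443 is only caught by duration."""
    findings = []
    for r in records:
        if r["method"] != "CONNECT":
            continue
        host, port = host_and_port(r["url"], r["method"])
        if port not in EXPECTED_CONNECT_PORTS:
            findings.append((r["client"], f"{host}:{port}", "CONNECT to non-HTTPS port"))
        elif r["elapsed_ms"] >= LONG_TUNNEL_MS:
            findings.append((r["client"], f"{host}:{port}", "long-lived CONNECT tunnel"))
    return findings


def find_traffic_concentration(records):
    """Clients sending most of their HTTP bytes to one host in many requests,
    the shape of a tunnel disguised as ordinary web traffic."""
    per_client = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # host -> [count, bytes]
    totals = defaultdict(int)
    for r in records:
        if r["method"] == "CONNECT":
            continue
        host, _ = host_and_port(r["url"], r["method"])
        stats = per_client[r["client"]][host]
        stats[0] += 1
        stats[1] += r["bytes"]
        totals[r["client"]] += r["bytes"]
    findings = []
    for client, hosts in per_client.items():
        for host, (count, nbytes) in hosts.items():
            share = nbytes / totals[client] if totals[client] else 0
            if count >= CONCENTRATION_MIN_REQUESTS and share >= CONCENTRATION_SHARE:
                findings.append((client, host, f"{count} requests, {share:.0%} of client bytes"))
    return findings


def constructed_log():
    """Constructed sample: one normal GET, an SSH tunnel on port 22, a 45-minute
    CONNECT on 443, a short normal CONNECT, and a relay-style POST stream."""
    lines = [
        "1097001234.567    120 10.0.1.23 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/192.0.2.1 text/html",
        "1097001240.001 3500000 10.0.1.23 TCP_TUNNEL/200 8400000 CONNECT home.example.net:22 - DIRECT/203.0.113.5 -",
        "1097001250.002 2700000 10.0.1.42 TCP_TUNNEL/200 6100000 CONNECT home.example.net:443 - DIRECT/203.0.113.5 -",
        "1097001260.003    900 10.0.1.42 TCP_TUNNEL/200 15000 CONNECT mail.example.com:443 - DIRECT/192.0.2.7 -",
    ]
    for i in range(25):  # 10.0.1.77: nearly all of its bytes are POSTs to one outside host
        lines.append(f"{1097001300 + i}.000    300 10.0.1.77 TCP_MISS/200 48000 POST "
                     "http://relay.example.org/r - DIRECT/198.51.100.9 application/octet-stream")
    lines.append("1097001400.000     80 10.0.1.77 TCP_HIT/200 2200 GET http://intranet.example.com/ - NONE/- text/html")
    return lines


if __name__ == "__main__":
    records = [r for r in map(parse_squid_line, constructed_log()) if r]
    for finding in find_suspicious_tunnels(records) + find_traffic_concentration(records):
        print(*finding, sep="  ")
```

Exclude your own intranet and known SaaS hosts before trusting the concentration check, and expect to tune the duration threshold against what your users' browsers actually do. Neither check proves misuse; both point a reviewer at the sessions worth a closer look.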
With clever services and applications in the vein of Hopster,
blocking productivity-inhibiting programs from the workplace becomes
harder and harder every day. For liability purposes, making a
best-effort attempt to deny access to harmful sites may be enough.
Firewall administrators who deeply care about these circumvention
techniques, however, will probably want to examine how applications
like Hopster work in more detail.