Anonymous Proxy Usage

Posted on November 25th, 2008 by Benjamin Harbin

With the number of web exploits rising every day, organizations are discovering that some type of content or web filtering solution is necessary. Content filters provide a number of excellent benefits to an organization, including the ability to block access to domains that are known to house malware or exploits. Organizations are also finding that the content filter is an excellent way to deny access to sites that are not necessary for operations and that have the potential to divert users' attention. However, many organizations are finding that users have discovered that content filtering and web usage logging can be bypassed with the use of anonymous proxy servers.

Some anonymous proxy servers provide the ability to forward all web requests through themselves first, then on to the requested web server.  So if, for instance, www.myspace.com is blocked on the organization’s network, users can visit the anonymous proxy server (for example www.proxy.com) first, and then request the www.myspace.com page.  In this way, the organization’s content filter will only see the web connection to proxy.com as opposed to myspace.com.  Connections to the proxy server can be made in different ways, including access through a web browser or an application installed on a local machine.  An example of the proxy and normal web connections can be viewed below.

There are many risks associated with anonymous proxy usage, and some of them pose the threat of serious harm to the network or the organization's intellectual property. First of all, most proxy servers will not filter the traffic that passes through. So if a user visits a site running malicious code via a proxy server, the code could still potentially run on the user's PC. Also, despite the fact that the proxy server may not be filtering traffic, it could still be recording traffic. Any traffic passed through a web server over the HTTP port (80) will be unencrypted and in clear text. So if a user visits a site that requires a login, the proxy server could potentially log this data.

With some diligent network administration, anonymous web proxy usage can be contained and kept to a minimum. It is important to review and ensure that web usage data and logs are kept. The logs may not show the pages viewed through a proxy server, but they do show the initial connection made to the proxy server. These domains could then be entered into the content filter to block the initial access to the proxy server's URL. Search engines such as Google (www.google.com) are also an excellent source for popular proxy servers, as this will most likely be how users find them. There are also many sites like Proxyblind (www.proxyblind.org) that will list many popular proxy sites. These lists could then be copied into the content filter's blocked sites list. Unfortunately, many vendors today use WebEx and Bomgar for network support, and these solutions also appear as anonymous proxy connections. This means that any signatures in a Network IPS solution denying web proxy traffic could potentially interfere with these support applications. However, if the signatures are editable and are based on a solution similar to Snort, the rules could be configured to allow or deny connections to specific IP addresses or domains. There is an excellent article written by John Brozycki of trueinsecurity.com that also includes some more detailed examples of detecting proxy usage. The link to the article can be found below.
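The log review described above can be scripted. The following is an added example, not code from the original post: the log format, the sample entries, the domain webproxy.example, and the support-tool domains in the allowlist are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed inputs: proxy domains gathered from public proxy lists, and vendor
# support domains that must stay reachable even though they resemble proxies.
KNOWN_PROXY_DOMAINS = {"proxy.com", "webproxy.example"}
SUPPORT_ALLOWLIST = {"webex.com", "bomgar.com"}

# Constructed web usage log: "<timestamp> <client_ip> <method> <url>"
SAMPLE_LOG = """\
2008-11-25T09:01:12 10.0.0.21 GET http://www.proxy.com/
2008-11-25T09:01:40 10.0.0.21 POST http://www.proxy.com/browse.php
2008-11-25T09:03:05 10.0.0.34 GET http://meetings.webex.com/join
2008-11-25T09:04:17 10.0.0.52 GET http://cgi.webproxy.example/index.php
2008-11-25T09:05:00 10.0.0.34 GET http://www.google.com/search?q=news
truncated entry
"""

def matches(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None

def review(log_text):
    """Map each matched proxy domain to the clients that connected to it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        _, client, _, url = parts
        host = urlsplit(url).hostname or ""
        if matches(host, SUPPORT_ALLOWLIST):
            continue  # support tools can look like proxies; do not flag them
        domain = matches(host, KNOWN_PROXY_DOMAINS)
        if domain:
            hits[domain].add(client)
    return {d: sorted(c) for d, c in hits.items()}

def blocklist(hits):
    """Domains seen in the logs, sorted for entry into the content filter."""
    return sorted(hits)

if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for domain in blocklist(found):
        print(domain, "clients:", ", ".join(found[domain]))
```

The per-client output also identifies which users would benefit from awareness training, and the allowlist check runs first so that support sessions are never reported as proxy use.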

Of course, proper user awareness training is also necessary because many users may not be aware of the problems proxy usage can create.  In fact, many users may only see proxy usage as a way to get to their favorite Internet site.  Although there are some research and other security benefits that web proxies can potentially provide, none of these apply in the business environment, especially for normal Internet usage.
