Bypassing Corporate “Acceptable Use” Policy When Browsing the Web at Work

Author: Colin Weaver Company: ITdojo, Inc. Last Revision: 12/14/05


Disclosure:

This article details one of many possible mechanisms that a savvy user can implement to bypass the security controls put in place to enforce corporate security policy. While the information in this article can (and will) be used by others to browse anonymously and securely whatever they want while at work, that is not its primary purpose. My aim is to educate administrators on the importance of network security in every aspect. In order to defend a network you must know how to compromise the network. If we, as security-focused administrators, refuse to think about our networks the way our users and other attackers do, we deserve what will eventually happen to us.

The Fine Art of the Smack Down

As a security administrator it is highly likely that you exercise some form of control over your users’ internet experience. Given the chance, most users would spend the majority of their day browsing the web, entertaining themselves with things that are of no benefit to the organization.

How is this administrative control typically achieved?  Here’s a quick list:

  1. Access Control Lists (ACLs) on routers and Layer 3 switches to control both TCP port use and IP address destinations.
    • This is only the most rudimentary of tools. You can make sure that users only use ports 80 and 443 when browsing, and you can allow or deny specific IP addresses or ranges, but trying to keep all of the bad stuff out by this method alone is a prime example of futile effort.
  2. Proxy Servers – By forcing users to access the internet through a proxy server you can control where they can go and what they can do. Microsoft’s ISA server will let you control things such as destination address, file extension, MIME type, time of day, etc. This is nice functionality. If you only want members of the accounting group to be able to download MIDI files during lunch hours, you can make it happen. With a little creativity, you can control a lot using proxy servers. Trying to control which sites a user visits, however, is still a big challenge. There are too many porn sites out there to list. Trying to manually update a list is yet another exercise in futility (not to mention the fact that auction sites, sports sites, religious sites, etc. are just as big a waste of time as porn).
    • If you want to be even more slick you can combine proxy servers and ACLs. If you configure the firewall/router to only allow outbound HTTP requests (destination ports 80 and 443) from the proxy server, it virtually eliminates a user’s ability to simply remove the proxy settings from their web browser.
  3. URL Filtering – Now we’re getting somewhere! URL filtering products from companies like N2H2, Websense, and SurfControl give you much greater ability to control access to “inappropriate content” while at work. If you want to ban sites that have a religious affiliation, done! Want to block on-line auction sites but don’t know how many are out there? Done! Products like the Cisco PIX firewall and Microsoft’s ISA server integrate quite nicely with these URL filters.
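To make the proxy-plus-ACL combination from item 2 concrete, here is a small added example (not code from the article or from any of the products it names) that models the perimeter router's outbound ACL as an ordered, first-match rule list with an implicit deny. The proxy address 10.0.0.5, the workstation subnet 10.0.0.0/24, the proxy listener port 8080 and the sample flows are all constructed for the illustration. Only the proxy may originate traffic to ports 80 and 443; a workstation that strips its proxy settings and tries to reach a web server directly hits the final deny rule, which is exactly the flow you would want logged and alerted on.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    src: str           # source network in CIDR notation
    dst: str           # destination network in CIDR notation
    proto: str         # "tcp", "udp", or "ip" (any protocol)
    dports: frozenset  # destination ports; empty set means any port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst))

# Constructed addresses for the example (assumptions, not from the article).
PROXY = "10.0.0.5/32"
LAN = "10.0.0.0/24"
ANY = "0.0.0.0/0"
WEB_PORTS = frozenset({80, 443})
PROXY_PORT = frozenset({8080})

# Outbound ACL in router style: evaluated top to bottom, first match wins,
# anything that matches no rule is dropped by the implicit deny at the end.
EGRESS_ACL = [
    Rule("permit", LAN, PROXY, "tcp", PROXY_PORT, "workstations -> proxy listener"),
    Rule("permit", PROXY, ANY, "tcp", WEB_PORTS, "proxy -> internet on 80/443"),
    Rule("deny", LAN, ANY, "ip", frozenset(), "direct internet access from LAN (log this)"),
]

def evaluate(acl, flow: Flow):
    """Return (action, reason) for a single flow under first-match semantics."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action, rule.comment
    return "deny", "implicit deny"

def denied_flows(acl, flows):
    """Flows the ACL drops. On a real router these are the hits a log
    ACE would record; a workstation appearing here on port 80/443 means
    someone removed their browser's proxy settings."""
    return [f for f in flows if evaluate(acl, f)[0] == "deny"]

# Constructed sample traffic: a well-behaved client, the proxy itself,
# and a client that bypassed the proxy.
SAMPLE_FLOWS = [
    Flow("10.0.0.42", "10.0.0.5", "tcp", 8080),         # client -> proxy
    Flow("10.0.0.5", "198.51.100.10", "tcp", 443),      # proxy -> web server
    Flow("10.0.0.42", "198.51.100.10", "tcp", 80),      # client -> web server directly
    Flow("10.0.0.42", "198.51.100.10", "udp", 53),      # client -> external DNS
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, reason = evaluate(EGRESS_ACL, f)
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {action} ({reason})")
```

The third rule is the important one: without it, a client that simply deletes its proxy configuration can talk to port 80 on the internet just as the proxy does. Turning that rule into a logged deny also gives you a cheap detection signal for users experimenting with bypasses.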

The figure below illustrates one possible data-flow when using a proxy server (with or without URL filtering).
