The Enemy Demoralized
If you are an administrator using ISA Server 2004 along with Websense (or something of a similar nature), you have a lot of power over what your users can do on the internet. Your users will say, “Man, they have got us locked down! We can’t access jack. Besides, if I were to try … they’d know. I’m not willing to get fired over that!”
Not only do they know that they can’t use the web for wasteful things during the day, your super-slick reporting allows you to punk them out for trying to go places they shouldn’t be going. Delivering reports to management on the attempted access of employees, followed by closed-door conferences in which the Acceptable Use policy is again discussed, is an excellent way of getting your point disseminated through the user population. Your message: YES, WE ARE WATCHING!!!
Punk’d by a Punk
Now, imagine that I’m hired as a sales rep at your company. You’re sitting at your desk feeling secure in the fact that users aren’t doing anything on the internet they shouldn’t be. You have executed your demoralization strategy with surgical precision. If they want to browse porn or bid on pirated DVDs they’ll have to do it on their own time. Just when you think you can’t love yourself anymore (without lotion and some alone time) your boss pokes her head in the office and tells you that the surf controls you put in place aren’t working. She just walked by Colin’s desk and noticed that he’s browsing eBay auctions. “Impossible!” you say. You know for sure that eBay is blocked. You didn’t even build special rules for yourself to allow access to auction sites (administrator perk: access rules don’t apply to us, right?). You and your boss casually sneak up on Colin’s desk and sure enough, he’s busy winning auctions!
You sit down at a different computer and try to access eBay. Denied!
You wait for Colin to go to lunch and log in to his computer and try to access eBay. Denied!
When Colin comes back from lunch you ask him to log on to his computer. You try to access eBay using his login. Denied!
Colin pleads ignorance and insists that you saw something else. You check his web cache and can’t find any record of eBay. No cached images. No cookies. No URL history. You check your server reports and, sure enough, no one has been to eBay (and your reporting doesn’t show any denied attempts from Colin to get to eBay).
Colin has gotten around the rules but you don’t know how…
How Can I Punk Thee? It’s so easy, you see…
If you’ve already got some rockstar skills integrated with your IT mojo you’ve come up with more than a few ways Colin may have done this. Here are a few:
- Colin has enabled some form of remote login on his computer at home. Using the Remote Desktop functionality built into Windows XP (http://www.microsoft.com/windowsxp/using/mobility/default.mspx), he is using the RDP client (installed by default on WinXP) on the work computer to connect to his house and browse the internet from home.
- Colin has installed VNC (Virtual Network Computing, http://www.realvnc.com or http://www.tightvnc.com) on his home computer. He is using a VNC client on the work computer to connect to his house and browse the internet from there. The VNC client can run without any files being installed onto the local computer.
- Colin established a VPN connection to his home network and tunnels HTTP traffic through the VPN connection, again bypassing your controls. The traffic leaves your network in an ESP/IP packet (protocol ID 50), not a TCP/IP packet (TCP port 80 or 443). Note: It could leave your network using TCP port 10000; Cisco VPNs sometimes do this. It’s also possible that it leaves your network as a UDP/IP packet (UDP port 4500 (NAT-T) or 10000 (another Cisco VPN port)). Either way (ESP/IP or UDP/IP), your rules and filters don’t inspect it because they never see it.
- Colin tunnels all HTTP traffic from his work computer through SSH. The SSH tunnel terminates at his home computer where it is then proxied out using one of many possible services running on his home PC.
I have confidence that we can keep going for some time. Needless to say, there are many ways in which Colin will bypass your rules. Your job is to stop him …if you can.
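None of the channels in the list above pass through the web proxy, so its reports stay empty; the place to look is the firewall’s egress log. Here is an added example (not from the original post or from ISA Server) that scans constructed egress records for exactly those channels: RDP, VNC, ESP, NAT-T, the Cisco port 10000 variants and SSH. The log format, IP addresses and function names are all assumptions made for this example.

```python
# Added example: flag outbound flows matching the bypass channels the article lists.
# Log format and sample records are constructed; real firewall logs differ.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# (protocol, destination port) -> channel name; ESP has no port, so its key uses None.
BYPASS_CHANNELS = {
    ("tcp", 3389): "RDP to outside host",
    ("tcp", 5900): "VNC to outside host",
    ("tcp", 22): "SSH tunnel to outside host",
    ("tcp", 10000): "Cisco VPN (TCP 10000)",
    ("udp", 10000): "Cisco VPN (UDP 10000)",
    ("udp", 4500): "IPsec NAT-T (UDP 4500)",
    ("esp", None): "IPsec ESP (IP protocol 50)",
}

def parse_line(line):
    # Constructed record layout: "<src_ip> <dst_ip> <proto> <dport>".
    # Protocol may be a name or an IP protocol number; ESP carries no port ("-").
    src, dst, proto, dport = line.split()
    proto = proto.lower()
    if proto == "50":
        proto = "esp"
    return Flow(src, dst, proto, None if dport == "-" else int(dport))

def is_internal(ip):
    # Assumed RFC 1918 ranges used on the example network.
    return ip.startswith("10.") or ip.startswith("192.168.")

def find_bypass_flows(lines):
    """Return (src, dst, channel) for each outbound flow on a known bypass channel."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if is_internal(f.dst):        # internal traffic never leaves the proxy's reach
            continue
        key = (f.proto, None if f.proto == "esp" else f.dport)
        name = BYPASS_CHANNELS.get(key)
        if name:
            findings.append((f.src, f.dst, name))
    return findings

# Constructed sample: Colin's workstation is 192.168.1.57, his home IP 198.51.100.7.
SAMPLE_LOG = [
    "192.168.1.57 203.0.113.10 tcp 443",   # ordinary HTTPS, not flagged
    "192.168.1.57 198.51.100.7 tcp 3389",  # Remote Desktop home
    "192.168.1.57 198.51.100.7 50 -",      # ESP tunnel, no port at all
    "192.168.1.57 198.51.100.7 udp 4500",  # NAT-T encapsulated IPsec
    "192.168.1.88 192.168.1.5 tcp 22",     # SSH to an internal box, not flagged
    "192.168.1.57 198.51.100.7 tcp 22",    # SSH tunnel to home
]

if __name__ == "__main__":
    for src, dst, channel in find_bypass_flows(SAMPLE_LOG):
        print(f"{src} -> {dst}: {channel}")
```

Run it against the sample and the four flows to 198.51.100.7 come back as findings while the HTTPS and internal SSH records are ignored; the same walk over a real egress log is what would have shown Colin’s traffic.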