Filter Avoidance and Anonymous Proxy

March 21, 2011
Author: SWAT Team
Audience: Evaluator
Product: Cymphonix® Network Composer EX Series, XLi™ OS version 9
Filter Avoidance and Anonymous Proxy Guard
Filter Avoidance
The award-winning XLi technology detects filter avoidance techniques and can then block even the
sophisticated filter bypass methods that defeat traditional Secure Web Gateways.
Requirements:
Completion of “TC-5 Full SSL Inspection”. Blocking some of the more advanced filter avoidance
techniques requires full SSL inspection of the content.
Common filter avoidance techniques:
Below are some common filter avoidance techniques. You will see how each technique is used and
then learn how to block it.
Perform the following steps from a workstation that is passing traffic through the Network Composer.
Note: The following steps assume that you are using the group membership and Internet Usage Rules
created when following “Network Composer Setup and Basic Configuration”: your network node is a
member of ‘Test Group 1’, which is assigned the ‘Test Group 1’ Internet Usage Rule. If you are
performing this test case from a network node, or with a directory user, that is not a member of
‘Test Group 1’, edit the Internet Usage Rule associated with your current group membership in
‘Policy Manager’ instead.
HTTPS encrypted sessions
1. Log in to Network Composer.
2. Navigate to ‘Manage -> Policies & Rules -> Internet Usage Rules -> Test Group 1’.
3. Change the ‘Traffic Flow Rule Set’ to ‘App + Web Filter Monitor’.
4. Add ‘Filter Avoidance’ as a ‘Blocked Category’.
5. Finally click on the ‘Save’ button to save the changes you’ve made to the ‘Test Group 1’ Internet
Usage rule.
8871 Sandy Parkway | Salt Lake City, UT 84070 | 866.511.1155 | www.cymphonix.com
6. Within your browser go to the website https://www.peacefire.org .
7. You’ll notice that you did not receive a block page and were able to reach the website directly,
even though it is categorized as a ‘Filter Avoidance’ URL and the ‘Filter Avoidance’ category is
being blocked. This is because you connected to the site over an encrypted SSL session and the
Network Composer has not been configured to inspect SSL traffic.
8. To prevent SSL tunneling as a filter avoidance technique you must enable the SSL filtering
engine. The following changes ensure that SSL traffic is subject to the same content filtering as
HTTP traffic.
a. Log in to Network Composer
b. Go to ‘Manage -> Policies & Rules -> Internet Usage Rules -> Test Group 1’.
c. Change the ‘Traffic Flow Rule Set’ to ‘App + Web Filter + SSL Filter’.
d. Go to the ‘HTTPS/SSL Filtering’ tab, select the radio button next to ‘Enable SSL
certificate-based content filtering’ and check the box next to ‘Enable block page for SSL
certificate-based filtering’.
Note: Please refer to Test Case 4 for a complete step-by-step process to enable FULL
SSL inspection method.
e. Finally click the ‘Save’ button to save and apply your new settings to the ‘Test Group 1’
Internet Usage rule.
9. Again, within your web browser go to the following URL https://www.peacefire.org .
10. This time you should receive a block page from the Network Composer indicating the site was
blocked, because the SSL (HTTPS) traffic is now subject to the filtering process. The site was
categorized as ‘Filter Avoidance’ and blocked accordingly.
Note: If you don’t receive a block page it’s because your traffic isn’t subject to the Internet usage rule
configured to block the ‘Filter Avoidance’ category. Verify your group membership and the Internet
Usage Rule applied to your group via ‘Policy Manager’.
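The steps above turn a setting on and off; the following added example (not Cymphonix code, and not a description of how XLi is built) shows the mechanism that makes the difference. An HTTPS session that is not decrypted still leaks the site name twice in the clear: the browser sends it in the ClientHello’s SNI extension and the server answers with a certificate naming the same host. A gateway can read either one and run it through the same URL category database it uses for HTTP. The page’s filter reads the certificate; this example reads the SNI, which arrives earlier in the handshake. The category table is a constructed stand-in for the appliance’s URL database, and build_client_hello() only exists to produce sample input.

```python
"""Categorising an HTTPS session without decrypting it (added example, not Cymphonix code).

The browser names the site it wants in the clear inside the TLS ClientHello (the SNI
extension), and the server answers with a certificate naming the same host. A gateway
that does not terminate TLS can still read either one and run the host name through
its URL category database. This example reads the SNI; the category table is a
constructed stand-in for the appliance's URL database.
"""
import struct
from typing import Optional

# Constructed stand-in for the URL category database.
URL_CATEGORIES = {
    "www.peacefire.org": "Filter Avoidance",
    "www.google.com": "Search Engines",
}
BLOCKED_CATEGORIES = {"Filter Avoidance"}


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension (sample input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # NameType host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ExtensionType server_name(0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"             # client_version TLS 1.2
        + b"\x11" * 32          # random (fixed for the example)
        + b"\x00"               # session_id: empty
        + b"\x00\x02\xc0\x2f"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # client_hello(1), uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if there is none."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:           # handshake record, client_hello
            return None
        pos = 9 + 2 + 32                                      # headers, client_version, random
        pos += 1 + record[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                                # compression_methods
        if pos + 2 > len(record):
            return None                                       # no extensions at all
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:
                p = pos + 2
                list_end = p + struct.unpack_from("!H", record, pos)[0]
                while p + 3 <= list_end:
                    name_type = record[p]
                    name_len = struct.unpack_from("!H", record, p + 1)[0]
                    if name_type == 0:
                        return record[p + 3 : p + 3 + name_len].decode("ascii", "replace")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        pass                                                  # truncated or malformed record
    return None


def decide(record: bytes, ssl_filter_enabled: bool) -> str:
    """The two states of the test case: SSL passed untouched, or categorised like HTTP."""
    if not ssl_filter_enabled:
        return "ALLOW (SSL not inspected)"
    name = extract_sni(record)
    if name is None:
        return "UNKNOWN (no SNI; fall back to the certificate's CN/SAN)"
    category = URL_CATEGORIES.get(name, "Uncategorized")
    verdict = "BLOCK" if category in BLOCKED_CATEGORIES else "ALLOW"
    return f"{verdict} ({category})"


if __name__ == "__main__":
    for host in ("www.peacefire.org", "www.google.com"):
        hello = build_client_hello(host)
        print(host, "| SSL filter off:", decide(hello, False), "| on:", decide(hello, True))
```

The point to take from it: no decryption is needed to reach the block decision in step 10, only the willingness to look inside the TLS handshake at all, which is what the ‘Traffic Flow Rule Set’ change in step 8c switches on. A client that omits SNI, or that sends a certificate with no usable name, is exactly the case where the full SSL inspection the Requirements section asks for becomes necessary.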
IP address instead of DNS name
Another technique commonly used to circumvent content filtering is to connect to a website by its IP
address rather than by host name. In the Network Composer you have the option to ‘Enable Reverse DNS
Lookups’, which resolves the address back to a host name so that the site is analyzed by the content
filter (rather than only checked against the URL database as typed) whether the connection is made by
IP or by host name. You can also choose to completely ‘Block IP Address URL’s’.
1. Verify connectivity to the filter avoidance web site http://www.peacefire.org via its IP
address.
a. Within your browser’s address bar enter http://69.72.177.140 .
2. Enable reverse DNS Lookups within Composer
a. Log-in to Network Composer
b. Go to ‘Manage -> Policies & Groups -> Internet usage rules -> Test group 1’
c. Go to the ‘Advanced Filtering’ tab and then the ‘Web Policy’ tab. Once within the ‘Web
Policy’ tab check the box next to ‘Enable Reverse DNS Lookups’.
3. Verify that you have the category ‘Filter Avoidance’ blocked under ‘Content Filtering -> Blocked
Categories’ tab.
4. Finally click the ‘Save’ button.
5. Within your browser’s address bar enter http://69.72.177.140 . You will now receive a
block page indicating the address was “Found by: Reverse Host Name in URL Database”.
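As an added example (not Cymphonix code), the following shows the two pieces of logic behind the block reason above: recognising that a URL’s host is an IP address at all, and turning that address back into a host name that the URL database knows. It goes a little beyond the page: browsers accept the same address spelled as a dotted quad (69.72.177.140), as a single 32-bit decimal, or in hex, and a filter that only recognises the dotted form is bypassed by the other two. The PTR table standing in for the resolver, and the category table, are constructed so the example runs offline; the mapping of 69.72.177.140 to www.peacefire.org is assumed from the page, not looked up.

```python
"""Handling IP-literal URLs: recognise every numeric spelling of an address, then
reverse-resolve it so the host name can be categorised (added example, not Cymphonix code).

A URL database keyed on host names sees http://69.72.177.140/ as a different string
from http://www.peacefire.org/. The example normalises the three numeric spellings
browsers accept for the same address (dotted quad, one 32-bit decimal, hex) and then
applies either of the two controls the page names: a reverse lookup of the address
('Reverse Host Name in URL Database') or an outright block of IP address URLs.
The PTR table and category table are constructed so this runs offline; a real filter
would ask the resolver.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

URL_CATEGORIES = {"www.peacefire.org": "Filter Avoidance"}      # constructed stand-in
PTR_TABLE = {"69.72.177.140": "www.peacefire.org"}             # constructed stand-in for reverse DNS
BLOCKED_CATEGORIES = {"Filter Avoidance"}


def ip_literal(host: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address if `host` is a numeric spelling of one, else None.

    69.72.177.140, 1162391948 and 0x4548b18c all reach the same server in a browser.
    """
    h = host.lower()
    try:
        if h.startswith("0x"):
            return ipaddress.IPv4Address(int(h, 16))        # hex form
        if h.isdigit():
            return ipaddress.IPv4Address(int(h, 10))        # single 32-bit integer
        return ipaddress.IPv4Address(h)                     # dotted quad (strict)
    except ValueError:                                      # not numeric, or out of range
        return None


def check_url(url: str, reverse_dns: bool, block_ip_urls: bool = False) -> str:
    """Apply the 'Enable Reverse DNS Lookups' / 'Block IP Address URLs' options to one URL."""
    host = urlsplit(url).hostname or ""
    addr = ip_literal(host)
    if addr is None:                                        # ordinary host name: direct lookup
        category = URL_CATEGORIES.get(host, "Uncategorized")
        if category in BLOCKED_CATEGORIES:
            return f"BLOCK ({category}) found by: URL Database"
        return f"ALLOW ({category})"
    if block_ip_urls:
        return "BLOCK: IP address URL"
    if not reverse_dns:
        return "ALLOW (IP literal, no host name to categorise)"
    name = PTR_TABLE.get(str(addr))                         # real filter: socket.gethostbyaddr
    if name is None:
        return "ALLOW (no PTR record)"
    category = URL_CATEGORIES.get(name, "Uncategorized")
    if category in BLOCKED_CATEGORIES:
        return f"BLOCK ({category}) found by: Reverse Host Name in URL Database"
    return f"ALLOW ({category})"


if __name__ == "__main__":
    for u in ("http://69.72.177.140/", "http://1162391948/", "http://0x4548b18c/"):
        print(u, "->", check_url(u, reverse_dns=False), "|", check_url(u, reverse_dns=True))
```

One caveat a practitioner should keep in mind: the PTR record belongs to whoever controls the address space, so a site can publish no reverse name, or a harmless-looking one, and the reverse-lookup path then allows the request. ‘Block IP Address URL’s’ is the stronger of the two options for exactly that reason, at the cost of breaking legitimate IP-literal links.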
Web-based proxies
These web sites host proxy applications which circumvent filters by letting the user reach the
Internet over the standard HTTP ports (80, 443, 8080) and then hiding all subsequent web requests
behind the original web site. Examples: www.ninjabypass.com , proxify.org , www.xioi.info ,
unblockzweb.com
1. Enable the technology which blocks all web-based proxies.
a. You have previously blocked the web category ‘Filter Avoidance’. Verify that you are
still blocking this category within the Internet Usage Rule.
b. Verify that the ‘Filter Avoidance’ settings are also enabled on the ‘Advanced Filtering’
tab and save any changes that you’ve made.
Note: Having these settings enabled ensures Network Composer inspects content at the
deepest level and so identifies web-based proxies whether they use the simplest techniques or
more complex ones such as PHP scripting or a proxy chain.
2. Within your browser try going to the website www.proxify.org . You should receive a block
page that notifies you the site was blocked due to the detection of Filter Avoidance.
Clients (for example, TOR, UltraSurf, FreeGate, GPass)
1. First you will install the ‘UltraSurf’ client application onto your workstation.
a. Click or go to the following link to download the Ultra Surf 9.96 executable.
http://www.ultrareach.com/downloads/ultrasurf/u996.zip
Note: There may be a more recent version of Ultra Surf available after the time of publishing.
b. When the ‘File Download – Security Warning’ dialogue box appears click on ‘Save’.
c. Save it to your desktop or another location where the executable, u996, will be easy to find
and run later.
d. When presented with the ‘Download complete’ dialogue box click ‘Open’.
e. Click on the u996 executable presented in the new window.
f. When presented with the ‘Security Warning’ dialogue box click ‘Run’.
g. You should now see the Ultra Surf control panel open and the Ultra Surf yellow lock
appear at the bottom right of your screen. The ‘Status’ on the control panel should
indicate ‘Successfully connected to server’.
2. Test the connectivity to the internet through the newly installed UltraSurf client application.
Within your browser go to www.google.com .
3. Close your connection to UltraSurf by clicking the ‘Exit’ button, and then ‘Close IE and Exit’.
4. Now you will configure Network Composer to block the Ultra Surf client as well as other clients
that attempt to circumvent content filtering by masquerading as HTTP traffic.
a. Log in to Network Composer
b. Navigate to ‘Manage -> Policies & Groups -> Internet usage rules -> Test group 1’
i. Change the ‘Traffic Flow Rule Set’ to ‘Allow only web filter traffic’.
5. If you haven’t already blocked the category of ‘Filter Avoidance’, make sure it is listed as a
blocked category.
6. Verify under the ‘Advanced Filtering > Web Policy’ tab that you have cleared the selection next
to ‘Allow non HTTP traffic through the web filter’. To block Ultra Surf and other third-party
applications that masquerade as HTTP traffic you MUST block non-HTTP data from passing through
the web filter (ports 80, 8080, 443).
7. Click ‘Save’ at the bottom of the Add/Edit Internet Usage Rule page to save your changes.
Note: You must have SSL inspection turned on as noted at the very beginning of this document.
At a minimum you must have ‘Enable SSL certificate-based content filtering’ selected under the
‘HTTPS/SSL Filtering’ tab.
Tip: If you are using the ‘Allow only web filter traffic’ Traffic Flow Rule Set and have other,
non-HTTP applications (such as FTP or RDP) that you want users to be able to pass through the
Network Composer, you’ll need to add those applications with a target of ‘Pass Thru’ to this
TFR.
You can do this by navigating to ‘Manage > Applications > Applications’. Then create a new
signature for the application(s) that you want to allow through. Then navigate to ‘Manage >
Applications > Traffic Flow Rule Sets’ and select ‘Allow only web filter traffic’. You will see the
applications you created on the left side as available applications to add. After you add them to
this Traffic Flow Rule set they will be allowed to pass through.
8. Test your connection to the Ultra Surf application again. After you launch the application this
time you should notice that it cannot establish a reliable connection.
a. Locate and then Double click on the file named u996 (u996.exe) to launch the
application.
b. When the Security warning dialogue box appears click ‘Run’.
c. You should see the application launch, but notice the ‘Status’ remains at ‘Contacting
Server’. This indicates that Ultra Surf is no longer able to connect to the internet and
provide anonymous browsing to the user.
Anonymous Proxy Guard
The Anonymous Proxy Guard technology ensures that HTTP traffic is subject to the filtering rules you
have in place, so that users cannot hide their usage or circumvent acceptable use policies.
Anonymous Proxies, SOCKS Proxies, Nonstandard ports
New proxies are published daily or even hourly. Therefore it is critical to have a technology that
gives you zero-hour protection against unauthorized HTTP connection attempts. Typically this
unauthorized access is accomplished with an external proxy that is configured in the browser’s
connection settings. With the Network Composer you can block access to these anonymous proxies by
enabling the ‘Anonymous Proxy Guard’.
1. Obtain the details of an Anonymous Proxy, both IP and port, and configure your browser with
this information.
a. Go to http://www.proxz.com/proxy_list_anonymous_us_0.html and pick one of the
IP/port combinations listed under the section ‘US Anon proxies’ as seen below. This web
site is one of many available that provide a list of the most recent proxies.
2. Configure your browser to use the Internet proxy and non-standard port combination
referred to as an ‘Anonymous Proxy’.
Note: This assumes that you’re using Internet Explorer.
a. Within Internet Explorer go to ‘Tools -> Internet Options -> Connections tab’.
b. Click on the ‘LAN settings’ button.
c. On the ‘LAN settings’ page check ‘Use a proxy server for your LAN’. Enter the IP
obtained from proxz.com into the ‘Address’ field and the port into the ‘Port’ field.
d. Finally click on ‘OK’. Now any HTTP request will be forwarded to this Internet proxy on
the non-standard port.
3. Make a web request to Google by entering http://www.google.com into your web browser.
Verify the request to Google completes before proceeding to step 4.
4. Engage the anonymous proxy guard within Network Composer.
a. Log –in to Network Composer
b. Go to ‘Manage -> Policies & Groups -> Internet usage rules -> Test group 1’
c. Change the ‘Traffic Flow Rule Set’ to ‘App+Web Filter + Anonymous Proxy Guard’
d. Finally click ‘Save’.
5. Make sure you open a new browser window and then go to www.google.com . This time you
will not be able to load the web page (your browser will give a time-out message), or any other
site, because the Anonymous Proxy Guard is on and prevents HTTP access to the Internet
(anonymous) proxy on a non-standard port.
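The two checks this document configures through rule sets, blocking non-HTTP data on the web ports (step 6 of the Clients section) and the Anonymous Proxy Guard (this section), both come down to looking at the first bytes a client sends. The following added example (not Cymphonix code, and not a description of how XLi implements either feature) shows the distinctions involved. A browser talking to a web server sends the request line in origin form (‘GET / HTTP/1.1’); a browser that has been pointed at a proxy, as in step 2 above, sends it in absolute form (‘GET http://www.google.com/ HTTP/1.1’) or as a CONNECT, and sends it to the proxy’s IP and port, which is usually not 80 or 443. A client tunnelling its own protocol through port 80 or 443 sends neither an HTTP request line nor a TLS handshake. The sample payloads are constructed, and the way policy() maps the page’s two switches onto these classes is this example’s reading of them, not a statement of the appliance’s rule logic.

```python
"""Classifying the first bytes a client sends on a web port: HTTP to a web server, TLS,
a proxy-style request, or something else (added example, not Cymphonix code).

Two of the page's controls come down to looking at this first packet. 'Allow non HTTP
traffic through the web filter' cleared means anything on 80/8080/443 that is neither an
HTTP request nor a TLS handshake is dropped. The Anonymous Proxy Guard looks for a browser
pointed at an outside proxy: it sends the request line in absolute form or as a CONNECT,
and usually to a non-standard port. Sample payloads are constructed; the policy() switches
are an assumed reading of the rule sets the page names.
"""
import re

WEB_PORTS = {80, 443, 8080}
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) ([^ \r\n]+) HTTP/1\.[01]\r\n")
ABSOLUTE_FORM = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def classify(payload: bytes) -> str:
    """Return TLS, HTTP_ORIGIN, HTTP_PROXY or NON_HTTP for a client's first TCP payload."""
    # TLS record: ContentType handshake (22), ProtocolVersion 3.x, HandshakeType client_hello (1)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS"
    m = REQUEST_LINE.match(payload)
    if not m:
        return "NON_HTTP"
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("ascii", "replace")
    if method not in METHODS:
        return "NON_HTTP"
    if method == "CONNECT" or ABSOLUTE_FORM.match(target):
        return "HTTP_PROXY"        # only ever sent to a proxy, never to an origin server
    if target.startswith("/") or target == "*":
        return "HTTP_ORIGIN"
    return "NON_HTTP"


def policy(dst_port: int, payload: bytes, allow_non_http: bool, proxy_guard: bool) -> str:
    """Decide a flow under 'Allow non HTTP traffic through the web filter' and the
    Anonymous Proxy Guard rule set (assumed mapping of the page's two switches)."""
    kind = classify(payload)
    if dst_port in WEB_PORTS:
        if kind == "NON_HTTP" and not allow_non_http:
            return "BLOCK: non-HTTP data on web port"
        if kind == "HTTP_PROXY" and proxy_guard:
            return "BLOCK: proxy-form request to an external proxy"
        return f"PASS to web filter ({kind})"
    if proxy_guard and kind in ("HTTP_ORIGIN", "HTTP_PROXY"):
        return "BLOCK: HTTP on non-standard port"
    return f"PASS per application rules ({kind})"


# Constructed first packets, one per scenario on the page.
SAMPLES = [
    ("browser to web server",   80,   b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    ("browser to proxy, plain", 3128, b"GET http://www.google.com/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    ("browser to proxy, https", 8080, b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"),
    ("TLS ClientHello",         443,  b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("custom tunnel protocol",  443,  b"\x7f\x00\x01tunnel-hello\x00"),
]

if __name__ == "__main__":
    for label, port, data in SAMPLES:
        print(f"{label:24} :{port:<5} {classify(data):12} "
              f"{policy(port, data, allow_non_http=False, proxy_guard=True)}")
```

Two limits are worth noting. The non-HTTP check only catches a tunnel that does not speak genuine TLS; one wrapped in real TLS on port 443 classifies as TLS here and has to be caught by inspecting the certificate it presents, which is why the Note after step 7 of the Clients section insists that SSL certificate-based filtering stay on as well. And a proxy listening on port 80 or 443 produces proxy-form requests on a web port, which is why the example blocks on request form as well as on port rather than relying on the non-standard port alone.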