
Bypassing Corporate "Acceptable Use" Policy When Web Browsing at Work

This document describes how an employee named Colin was able to bypass his company's web filtering policies to browse eBay at work. The author summarizes that Colin established an SSH tunnel from his work computer to his home computer, where he had installed a proxy server. This allowed Colin to route his web traffic through the proxy at home, avoiding detection by the company's firewall and web filtering solutions. The author then provides step-by-step instructions for how to set up this same SSH tunnel and proxy configuration to anonymously browse the web from any location.

Uploaded by Muhammad Fadzil
Copyright: © Attribution Non-Commercial (BY-NC)

Bypassing Corporate Acceptable Use Policy When Web Browsing at Work

Colin Weaver
ITdojo, Inc.
[email protected]
December 14, 2005

Disclosure

This article details one of many possible mechanisms that a savvy user can implement in order to bypass security controls put in place to ensure compliance with corporate security policy. While the information in this article can (and will) be used by others in order to achieve the end result of being able to anonymously and securely browse whatever he/she wants while at work, that is not its primary purpose. My aim is to educate administrators on the importance of network security in every aspect. In order to defend a network you must know how to compromise the network. If we, as security-focused administrators, refuse to think about our networks in the same way that our users and other attackers do, we deserve what will eventually happen to us.

The Fine Art of the Smack Down

As a security administrator it is highly likely that you exercise some form of control over your users' internet experience. Given the chance, most users would spend the majority of their day browsing the web, entertaining themselves with things that are not beneficial to the organization. How is this administrative control typically achieved? Here's a quick list:

1. Access Control Lists (ACL) on routers and Layer 3 switches to control both TCP port use and IP address destinations. This is only the most rudimentary of tools. You can make sure that users only use ports 80 and 443 when browsing and you can allow or deny specific IP addresses or ranges, but trying to keep all of the bad stuff out via this method is a prime example of futile effort.

2. Proxy Servers. By forcing users to access the internet through a proxy server you can control where they can go and what they can do. Microsoft's ISA server will let you control things such as destination address, file extension, MIME type, time of day, etc. This is nice functionality. If you only want members of the accounting group to be able to download MIDI files during lunch hours, you can make it happen. With a little creativity, you can control a lot using proxy servers. Trying to control what sites a user goes to, however, is still a big challenge. There are too many porn sites out there to list. Trying to manually update a list is yet another exercise in futility (not to mention the fact that auction sites, sports sites, religious sites, etc. are just as big a waster of time as porn). If you want to be even more slick you can combine proxy servers and ACLs together. If you configure the firewall/router to only allow outbound HTTP requests (destination port 80 and 443) from the proxy server, it will virtually eliminate the ability of a user to simply remove the proxy configuration settings of their web browser.

3. URL Filtering. Now we're getting somewhere! URL filtering products from companies like N2H2, Websense, and SurfControl give you much greater ability to control access to inappropriate content while at work. If you want to ban sites that have a religious affiliation, done! Want to block on-line auction sites but don't know how many are out there? Done! Products like the Cisco PIX firewall and Microsoft's ISA server integrate quite nicely with these URL filters. The figure below illustrates one possible data-flow when using a proxy server (with or without URL filtering).

The Enemy Demoralized

If you are an administrator using ISA Server 2004 along with Websense (or something of a similar nature), you have a lot of power over what your users can do on the internet. Your users will say, "Man, they have got us locked down! We can't access jack. Besides, if I were to try they'd know. I'm not willing to get fired over that!" Not only do they know that they can't use the web for wasteful things during the day, your super-slick reporting allows you to punk them out for trying to go places they shouldn't be going. Delivering reports to management on the attempted access of employees, followed by closed-door conferences in which the Acceptable Use policy is again discussed, are an excellent way of getting your point disseminated through the user population. Your message: YES, WE ARE WATCHING!!!

Punk'd by a Punk

Now, imagine that I'm hired as a sales rep at your company. You're sitting at your desk feeling secure in the fact that users aren't doing anything on the internet they shouldn't be. You have executed your demoralization strategy with surgical precision. If they want to browse porn or bid on pirated DVDs they'll have to do it on their own time. Just when you think you can't love yourself anymore (without lotion and some alone time) your boss pokes her head in the office and tells you that the surf controls you put in place aren't working. She just walked by Colin's desk and noticed that he's browsing eBay auctions. "Impossible!" you say. You know for sure that eBay is blocked. You didn't even build special rules for yourself to allow access to auction sites (administrator perk: access rules don't apply to us, right?). You and your boss casually sneak up on Colin's desk and sure enough, he's busy winning auctions! You sit down at a different computer and try to access eBay. Denied! You wait for Colin to go to lunch and log in to his computer and try to access eBay. Denied! When Colin comes back from lunch you ask him to log on to his computer. You try to access eBay using his login. Denied! Colin pleads ignorance and insists that you saw something else. You check his web cache and can't find any record of eBay. No cached images. No cookies. No URL history. You check your server reports and, sure enough, no one has been to eBay (and your reporting doesn't show any denied attempts from Colin to get to eBay). Colin has gotten around the rules but you don't know how.

How Can I Punk Thee? It's So Easy, You See

If you've already got some rockstar skills integrated with your IT mojo you've come up with more than a few ways Colin may have done this. Here are a few:

1. Colin has enabled some form of remote login on his computer at home. Using the Remote Desktop functionality built into Windows XP (http://www.microsoft.com/windowsxp/using/mobility/default.mspx) he is using the RDP client (installed by default on WinXP) on the work computer to connect to his house and browse the internet from home.

2. Colin has installed VNC (Virtual Network Computing, http://www.realvnc.com or http://www.tightvnc.com) on his home computer. He is using a VNC client on the work computer to connect to his house and browse the internet from there. The VNC client can run without any files being installed onto the local computer.

3. Colin established a VPN connection to his home network and tunnels HTTP traffic through the VPN connection, again bypassing your controls. The traffic leaves your network in an ESP/IP packet (protocol ID 50), not a TCP/IP packet (TCP port 80 or 443). Note: It could leave your network using TCP port 10,000. Cisco VPNs sometimes do this. It's also possible that it leaves your network as a UDP/IP packet (UDP port 4500 (NAT-T) or 10,000 (another Cisco VPN port)). Either way (ESP/IP or UDP/IP), your rules and filters don't inspect it because they never see it.

4. Colin tunnels all HTTP traffic from his work computer through SSH. The SSH tunnel terminates at his home computer where it is then proxied out using one of many possible services running on his home PC.

I have confidence that we can keep going for some time. Needless to say, there are many ways in which Colin will bypass your rules. Your job is to stop him if you can.

A Magician Reveals His Secrets

The SSH tunneling option listed above is perhaps the most difficult to implement so I'd like to show you exactly how Colin did it. Once you know how to do it, you have a better chance of stopping it. Here are the tools Colin used against you:

On the corporate PC: An SSH client. In this example I will use F-Secure SSH, a Windows SSH client.

On his home PC: An SSH Daemon (SSH server). In this example I will use F-Secure SSH, an SSH server for Windows. F-Secure SSH is now AttachmateWRQ (http://www.attachmate.com/enUS/Products/Reflection/SSH+Clients+and+Servers/SSH+Clients+and+Servers.htm). My version of SSH is from when they were still F-Secure, though. The AttachmateWRQ version still looks the same.

JAP (http://anon.inf.tu-dresden.de/index_en.html). I'm using JAP because it will proxy web traffic for multiple computers in a network. There are other solutions out there; search for them. Note: JAP is MUCH MORE than just a proxy. You need to read.

Colin's Disdain for Your Rules: Part One: Setting up Colin's Home PC

Follow these steps to configure JAP:

1. Download and install JAP from http://anon.inf.tu-dresden.de/win/download_en.html.

2. RTFM. JAP is A LOT more than just a proxy!

3. Launch JAP.

4. Click Config.

5. From the Settings menu select Network > Portlistener. Leave the listener port set to 4001. Clear the "Allow access to Jap from localhost only (recommended)" check box. Click OK. This will allow JAP to act as a proxy for the other computers on the home network (and our tunneled SSH connection).

6. From the main JAP window, click the On radio button in the Anonymity section.

7. (Optional) On your home PC, set your browser to use localhost as the proxy server and point to port 4001. If using Internet Explorer:

If using Firefox 1.5:

8. Verify that you have internet connectivity through JAP. You should.

Follow these steps to configure the SSH server on the home PC (F-Secure SSH server in this example):

1. Install the SSH server. You can get a trial version at http://www.attachmate.com/enUS/Products/Reflection/SSH+Clients+and+Servers/SSH+Clients+and+Servers.html.

2. RTFM.

3. If necessary, create a Windows user account on the home server. You will use this account to grant SSH login permission. In this example, I created a user called deity.

4. From the Start Menu, open the SSH Server configuration tool. Navigate to Server Settings > Tunneling. Select the Allow TCP Tunneling check box. In the Allow TCP Tunneling for users window, enter the name of the user account(s) you want to have access. In this example, I use the deity account I created a moment ago. Click Apply. Click OK.

Colin's home computer is now ready to go.

Colin's Disdain For Your Rules: Part Two: Setting up Colin's Work Computer

1. Install the SSH client. You can get a trial version at http://www.attachmate.com/enUS/Products/Reflection/SSH+Clients+and+Servers/SSH+Clients+and+Servers.html. This could be the hardest part for Colin to accomplish if he doesn't have install rights on his PC. He can get around that, though. We'll save that for another day.

2. Open the SSH client.

3. Select the Profiles button from the button bar. Click Add Profile.

4. In the Add Profile dialog type a name for the new profile (mine is SSH JAP Tunnel in the screen shot below). Click Add Current Connection to Profiles.

5. Select the Profiles button from the button bar again. Click Edit Profile.

6. Select the profile from the list on the left. Select the Connection tab. Type in the IP address of your home PC (the external interface IP address). In the username field, enter the name of the authorized user you created when configuring the SSH server (deity in my example).

7. Select the Local Forwarding tab. Click Add.

8. In the Add New Local Tunnel dialog, configure the following values:
   Display Name: Web Browser
   Source Port: 8888 (this can be any unused port over 1024; I chose 8888)
   Destination Host: localhost
   Destination Port: 4001 (this is the listening port on the JAP server at Colin's house)
   Type: TCP
   Application to start: <Leave Blank>

9. Click OK twice.

Follow these steps to configure the work PC to use localhost as the proxy server and point to port 8888. If using Internet Explorer:

If using Firefox 1.5:

Testing the connection

1. From the Client PC (the one at work), establish the SSH Tunnel by selecting the SSH JAP Tunnel profile from the Profiles drop-down and then clicking Connect from the File drop-down menu.

2. When prompted to accept the key, click Yes.

3. When prompted for a password, enter the password for the account you created on the home computer (and gave permission for TCP Tunneling on the SSH server). In this example, the user is deity. Click OK.


4. The connection is established. Minimize this window.

5. Open your web browser. You should be able to access the internet. Open a command prompt. Type netstat -n. Observe the results. You have connections to the localhost on port 8888 and a connection to Colin's home PC on port 22 (SSH).

It's official! Your security controls have been bypassed! All of Colin's internet traffic is being sent through an SSH tunnel to his home PC where it is then sent out to the internet. He is free to browse the internet without worrying about you being able to monitor or control what he is doing and where he is going (unless you walk up behind him, of course). Here is a diagram that illustrates the connection described above.
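Step 5 of the test above is also the host-side check an administrator can run at Colin's desk. The following is an added example, not code from the article, that applies that check to a constructed netstat listing (netstat -an is assumed here so that LISTENING sockets appear as well as established ones): it looks for a loopback listener that the browser is connected to, paired with an established session to TCP 22 on a host outside the corporate address ranges, which is exactly the pattern the step describes. The corporate ranges, the addresses and the 8888/22 ports in the sample are all constructed.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample in the shape of "netstat -an" on the work PC described in
# the article: a local listener on 8888, browser connections to it over loopback,
# and one outbound session to an external host on TCP 22. Addresses are from
# private/documentation ranges and are not real hosts.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1045         127.0.0.1:8888         ESTABLISHED
  TCP    127.0.0.1:8888         127.0.0.1:1045         ESTABLISHED
  TCP    127.0.0.1:1046         127.0.0.1:8888         ESTABLISHED
  TCP    127.0.0.1:8888         127.0.0.1:1046         ESTABLISHED
  TCP    192.168.1.50:1044      203.0.113.7:22         ESTABLISHED
  TCP    192.168.1.50:1052      10.0.0.5:8080          ESTABLISHED
  TCP    192.168.1.50:1053      10.0.0.5:8080          TIME_WAIT
  UDP    0.0.0.0:500            *:*
"""


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


# One connection row: proto, local ip:port, foreign ip:port, state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Parse connection rows of netstat -an output; headers and UDP */* rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            rows.append(Conn(proto, lip, int(lport), rip, int(rport), state))
    return rows


def is_internal(ip: str, internal_nets: Iterable[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in internal_nets)


def find_tunnel_indicators(conns: List[Conn], internal_nets, ssh_ports=(22,)) -> Dict[str, object]:
    # 1. Loopback listeners: something on this PC is accepting local connections.
    listeners = sorted({c.local_port for c in conns
                        if c.state == "LISTENING" and ipaddress.ip_address(c.local_ip).is_loopback})
    # 2. Browser-side sockets talking to one of those listeners over loopback.
    loopback_clients = [c for c in conns
                        if c.state == "ESTABLISHED" and ipaddress.ip_address(c.remote_ip).is_loopback
                        and c.remote_port in listeners]
    # 3. Established sessions to SSH ports on hosts outside the corporate ranges.
    external_ssh = sorted({(c.remote_ip, c.remote_port) for c in conns
                           if c.proto == "TCP" and c.state == "ESTABLISHED"
                           and c.remote_port in ssh_ports and not is_internal(c.remote_ip, internal_nets)})
    return {
        "local_listeners": listeners,
        "loopback_clients": len(loopback_clients),
        "external_ssh": external_ssh,
        # The article's signature: a local proxy port in use AND an outbound SSH session.
        "tunnel_suspected": bool(loopback_clients) and bool(external_ssh),
    }


# Assumed corporate address ranges (constructed for the sample).
CORPORATE_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]


def analyze(text: str = SAMPLE_NETSTAT) -> Dict[str, object]:
    return find_tunnel_indicators(parse_netstat(text), CORPORATE_NETS)


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the sample this reports one loopback listener (8888), two browser connections to it, one external SSH session, and flags the combination. An internal-only SSH session (an admin reaching a server on the corporate range) does not trip the check, which is the distinction the ACL advice later in the article relies on.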


Flip Ya! Flip Ya For Real!

How do you stop Colin from doing something like this? There are many ways, actually. All of them involve you taking a defense-in-depth approach to security. Keep in mind that really motivated (and smart) users will always come up with new and innovative ways to bypass your controls. This should highlight the fact that technical controls are NEVER enough. You have to have administrative controls. Colin is a vigilante user. He's too clever to be kept down forever using technical controls. Physical access is 95% of own3r5h1p. The fact that Colin works for the company is his biggest advantage. He gets to put his hands on the actual equipment. Administrative controls can cure that (e.g. termination of employment). Fortunately, that's not usually our department.

Some technical controls might include:

1. Only allow outbound SSH connections from authorized subnets or PCs. Secure Shell (SSH) is not secure when it's being used for the wrong reasons. It is common for admins to think it's safe having rules that allow all outbound SSH traffic (Example: Cisco ACL access-list 101 permit tcp any any eq 22). This is a bad idea. If admins are the people who use SSH then only admin stations should be able to establish SSH connections. This requires some very deep and thoughtful consideration about how protocols are used in your network. You have to know your network.

2. Disable Colin's ability to change his proxy settings. This can be done quite easily through Group Policy in Windows.

3. Don't let Colin have admin rights on his local machine. It is stunning how many companies let users have admin rights on the local machine. You deserve the hell you're going through if you let this happen. If it's the policy of your company to let users have admin access, find a different company to work for. Seriously.

4. These same notions apply to RDP, VNC and VPN connections. Why do your network devices allow users to establish VPN connections from their desk? Why RDP (Terminal Services)? Why VNC? Is it required to meet a business need? If not, don't allow it. If so, is it possible to identify the IP addresses that they NEED to be able to VNC to and just allow those? It's a lot more effort on your part but you have got to follow the "deny all, selectively allow" rule for traffic LEAVING your network. Many admins only take that approach on traffic coming IN. You have to make sure you don't let bad stuff OUT, also.
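The "deny all, selectively allow" egress rule above, together with the proxy-plus-ACL combination from the opening list (only the proxy may originate HTTP/HTTPS), can be checked against real flow data before it goes on a router. The following is an added example, not code from the article or from any vendor, written in Python over constructed outbound flow records: it models the article's bad rule (access-list 101 permit tcp any any eq 22) as an "any-ssh" entry, places an admin-subnet-only equivalent beside it, and reports which of the bypass channels enumerated earlier (SSH, RDP, VNC, ESP, UDP 4500/10000) each policy still lets out. The proxy and admin addresses, the RDP (3389) and VNC (5900) ports, and every flow in the sample are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# IP protocol numbers used in the records below.
TCP, UDP, ESP = 6, 17, 50

# A flow record as a perimeter device would export it:
# (src_ip, dst_ip, ip_protocol, dst_port); dst_port is 0 for portless protocols (ESP).
Flow = Tuple[str, str, int, int]

# Constructed sample of outbound flows; private/documentation ranges, not real hosts.
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.50", "203.0.113.7", TCP, 22),      # user desktop -> home PC, SSH
    ("192.168.1.50", "203.0.113.7", TCP, 3389),    # user desktop -> home PC, RDP (assumed port)
    ("192.168.1.50", "203.0.113.7", TCP, 5900),    # user desktop -> home PC, VNC (assumed port)
    ("192.168.1.50", "203.0.113.7", ESP, 0),       # IPsec ESP to home VPN (protocol 50)
    ("192.168.1.50", "203.0.113.7", UDP, 4500),    # IPsec NAT-T
    ("192.168.1.50", "203.0.113.7", UDP, 10000),   # Cisco VPN over UDP 10000
    ("192.168.1.50", "198.51.100.20", TCP, 443),   # direct HTTPS, not via the proxy
    ("10.1.1.10", "198.51.100.20", TCP, 80),       # proxy server -> web
    ("10.1.1.10", "198.51.100.20", TCP, 443),      # proxy server -> web
    ("10.9.9.5", "203.0.113.40", TCP, 22),         # admin station -> managed host
]

# Labels for the bypass channels the article lists.
CHANNELS: Dict[Tuple[int, int], str] = {
    (TCP, 22): "ssh", (TCP, 3389): "rdp", (TCP, 5900): "vnc",
    (ESP, 0): "ipsec-esp", (UDP, 4500): "ipsec-nat-t",
    (UDP, 10000): "cisco-vpn-udp", (TCP, 10000): "cisco-vpn-tcp",
}


@dataclass(frozen=True)
class AllowRule:
    """One 'selectively allow' entry; anything no rule matches is denied."""
    name: str
    src: ipaddress.IPv4Network
    proto: int
    dst_ports: Tuple[int, ...] = ()              # () = any port / portless protocol
    dst: Optional[ipaddress.IPv4Network] = None  # None = any destination

    def matches(self, flow: Flow) -> bool:
        src_ip, dst_ip, proto, port = flow
        return (ipaddress.ip_address(src_ip) in self.src
                and proto == self.proto
                and (not self.dst_ports or port in self.dst_ports)
                and (self.dst is None or ipaddress.ip_address(dst_ip) in self.dst))


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Mirrors the article's bad example "access-list 101 permit tcp any any eq 22":
# web only from the proxy (assumed at 10.1.1.10), but SSH from anywhere to anywhere.
PERMISSIVE_SSH = [
    AllowRule("proxy-web", net("10.1.1.10/32"), TCP, (80, 443)),
    AllowRule("any-ssh", net("0.0.0.0/0"), TCP, (22,)),
]

# The corrected form: SSH only from the admin subnet (assumed 10.9.9.0/24). Nothing else leaves.
ADMIN_ONLY_SSH = [
    AllowRule("proxy-web", net("10.1.1.10/32"), TCP, (80, 443)),
    AllowRule("admin-ssh", net("10.9.9.0/24"), TCP, (22,)),
]


def evaluate(policy: Sequence[AllowRule], flows: Sequence[Flow]) -> List[Tuple[Flow, str]]:
    """First-match allow with implicit deny: returns (flow, rule name or 'DENY') per flow."""
    return [(flow, next((r.name for r in policy if r.matches(flow)), "DENY")) for flow in flows]


def permitted(policy: Sequence[AllowRule], flows: Sequence[Flow]) -> List[Flow]:
    return [flow for flow, verdict in evaluate(policy, flows) if verdict != "DENY"]


def denied_channels(policy: Sequence[AllowRule], flows: Sequence[Flow]) -> List[str]:
    """Sorted names of the article's bypass channels that the policy blocks."""
    blocked = {CHANNELS[(f[2], f[3])] for f, v in evaluate(policy, flows)
               if v == "DENY" and (f[2], f[3]) in CHANNELS}
    return sorted(blocked)


if __name__ == "__main__":
    for name, policy in (("permit tcp any any eq 22", PERMISSIVE_SSH), ("admin-only ssh", ADMIN_ONLY_SSH)):
        print(f"== {name}: {len(permitted(policy, SAMPLE_FLOWS))} of {len(SAMPLE_FLOWS)} flows leave")
        for flow, verdict in evaluate(policy, SAMPLE_FLOWS):
            print(f"  {verdict:10} {flow}")
```

Under the permissive policy the desktop's SSH session to the home PC is allowed by "any-ssh" exactly as the article warns; under the admin-only policy it is denied while the admin station's SSH and the proxy's web traffic still pass. The RDP, VNC, ESP and UDP 4500/10000 flows are denied by both policies only because nothing allows them, which is the point of building egress rules as an allow list with an implicit deny rather than as a block list of known bad ports.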

What is the likelihood that Mary over in accounting would be able to do this? Slim, I admit. But many organizations, especially larger ones, have aspiring hackers/crackers and all-around geek wannabes. They don't like it that they can't do what they want when they want. As a result, they will find a way around your rules. You have to be ready for them to do it, know how your network is configured and be knowledgeable enough to analyze and intervene. This is, after all, a sport for us, right? Peace.

Colin Weaver
ITdojo, Inc.
[email protected]
