Posted by: kurtsh | June 20, 2006

INFO: Getting around Websense & other web-blocking software

I keep hearing about companies that block web access from their Internet Gateways through the usage of domain filters or active monitors.  Fortunately for us, Microsoft doesn’t block web sites of any kind at our gateway – there’s really no reason to.  They do monitor activity – especially large amounts of traffic – and where that traffic is going; however, there’s nothing stopping anyone from going to any site on the web.
 
BAD:  DOMAIN FILTERING THE GATEWAY
Personally I think this is a futile effort and the wrong way to go about controlling how corporate Internet gateways are used.  I can understand how some IT departments, in a natural reaction of paranoia, feel compelled to block certain sites they think could "hurt" the infrastructure through the mistaken download of a virus or the transmission of material that could otherwise put the company at risk.
 
But honestly, I’ve always felt the policy of blocking end users from accessing sites like YahooMail and MySpaces was blatantly silly because treating employees like they were children only compels them to want to fight back.  At some point, you have to trust that your employees aren’t going to screw over the company.  And IT can’t ever claim that they’re doing it to "help the company protect itself", being that it’s just as easy to cause infrastructure damage from legitimate sites as from censored sites or from printing… or from faxing… or from the usage of a cell phone or from a camera… etc.
 
GOOD:  SIMPLY AUDIT LOG EVERYTHING 
We’re all adults and all it takes is a little education around what FTEs should & should not do on company time:  You’re ultimately trusted to not do anything illicit, either accidentally or on purpose, on company resources.
And if you do, IT security will know.  The key is for IT to monitor all communications, log all communications, and flag connections that seem suspicious, along with the user IDs that opened them.  It’s called an audit log & everyone should be aware that IT is watching you.
 
AND FOR BONUS POINTS…
If you want to take it a step further, simply publish the database of "who accessed what" via an Intranet web site.  This is easy to do using Microsoft Access and can allow any end user to simply type in a name and see what it is that that person accessed through the company gateway.  There’s no expectation of privacy on the corporate network using corporate resources.
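
The flagging and the "who accessed what" lookup described above, sketched as an added example that is not part of the original post. The log line format, the user and host names, and the 50 MB threshold are all assumptions made for the illustration:

```python
from collections import defaultdict

# Constructed sample gateway log lines (the format is an assumption for this
# example): ISO timestamp, user ID, destination host, bytes transferred.
SAMPLE_LOG = """\
2006-06-20T09:01:12 alice www.example.com 18234
2006-06-20T09:02:40 bob mail.example.net 5120
2006-06-20T09:03:05 carol host-203-0-113-7.example.org 48000000
2006-06-20T09:03:59 alice www.example.com 20411
2006-06-20T09:05:30 carol host-203-0-113-7.example.org 61000000
malformed line without enough fields
2006-06-20T09:07:02 bob www.example.com notanumber
2006-06-20T09:09:44 bob mail.example.net 7300
"""

def parse_log(text):
    """Yield (timestamp, user, host, bytes) tuples, skipping bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # a real pipeline would count and report these
        ts, user, host, size = parts
        yield ts, user, host.lower(), int(size)

def build_audit(text):
    """Aggregate bytes and request counts per (user, destination)."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for _ts, user, host, size in parse_log(text):
        entry = totals[(user, host)]
        entry["bytes"] += size
        entry["requests"] += 1
    return dict(totals)

def flag_heavy(audit, byte_threshold=50_000_000):  # threshold is an assumption
    """Return (user, host, bytes) rows at or over the threshold, largest first."""
    rows = [(u, h, e["bytes"]) for (u, h), e in audit.items()
            if e["bytes"] >= byte_threshold]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def who_accessed_what(audit, user):
    """The 'type in a name' lookup: (host, requests, bytes) for one user ID."""
    return sorted((h, e["requests"], e["bytes"])
                  for (u, h), e in audit.items() if u == user)

if __name__ == "__main__":
    audit = build_audit(SAMPLE_LOG)
    for row in flag_heavy(audit):
        print("FLAG", *row)
```

Unparseable lines are skipped here to keep the example short; in an audit trail they should be counted and reviewed, since gaps in the log are themselves worth flagging.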
 
For those of you having a problem with domain filters, here are some techniques I’ve used to get around web blocking software at other places.  This is hopefully proof enough that Internet domain filtering is the wrong way to go in protecting a company.
 
The Circumventor
This is a tool that resides on your home PC or any other PC with direct unfiltered web access.  It provides you with a redirecting proxy point (i.e. an unblocked URL) that will allow you to access any web site on its behalf.  This has the benefit of providing access via virtually unblockable URLs; however, it has the drawbacks of not being able to pass through SSL encrypted data and of requiring that the individual have a home Internet connection always up and running.
http://www.peacefire.org/circumventor/simple-circumventor-instructions.html
 
AntiProxy
AntiProxy is a list of publicly available Proxy sites to use to anonymize yourself.  Because it is HTTPS based and SSL encrypted, it’s possible to set your browser not to use proxies for secure connections.  This method has the benefit of providing anonymous proxying over the Internet to anyone without client software and without setting anything up at home; however, it provides a connection with questionable security and it may have slow connection speeds.
 
HTTPTunnel

HTTP-Tunnel technology allows users to perform various Internet tasks despite the restrictions imposed by firewalls. This is made possible by sending data through HTTP (port 80). Additionally, HTTP-Tunnel technology is very secure, making it indispensable for both average and business communications.  This has the benefit of tunneling everything but the drawback of requiring client software to be installed.

 
Public Web Circumventors
This is the easiest method of circumventing domain filters:  Keep trying a bunch of Web Circumventors until you hit one that works.  Here are some to check:
 
 
The bottom line is that companies use IT as a crutch sometimes.  Instead of depending on Technology to protect the company, there should be a lot more emphasis on establishing roles for people and proper process around Internet access monitoring.
 
———————————-
More Tools & References:
