March 21, 2011
Author:
Audience: SWAT Team Evaluator
Product: Cymphonix Network Composer EX Series, XLi OS version 9

Filter Avoidance and Anonymous Proxy Guard

Filter Avoidance

The award-winning XLi technology detects filter avoidance techniques and can then prevent even sophisticated filter bypass techniques that defeat traditional Secure Web Gateways.

Requirements: Completion of TC-5 Full SSL Inspection. Blocking some of the more advanced filter avoidance technologies requires full SSL inspection of the content.

Common filter avoidance technologies: Below are some common filter avoidance techniques. You will see how each technique is used and then learn how to block it. Perform the following steps from a workstation whose traffic passes through the Network Composer.

Note: The following steps assume that you are using the group membership and Internet Usage Rules created when following Network Composer Setup and Basic Configuration; that is, your network node is a member of Test Group 1, which is assigned the Test Group 1 Internet Usage Rule. If you are performing this test case from a network node, or with a directory user, that is not a member of Test Group 1, edit the Internet Usage Rule associated with your current group membership in Policy Manager instead.

HTTPS encrypted sessions

1. Log in to Network Composer.
2. Navigate to Manage -> Policies & Rules -> Internet Usage Rules -> Test Group 1.
3. Change the Traffic Flow Rule Set to App + Web Filter Monitor.
4. Add Filter Avoidance as a Blocked Category.
5. Click the Save button to save the changes you have made to the Test Group 1 Internet Usage Rule.
6. In your browser, go to https://www.peacefire.org.
7. Notice that you did not receive a block page: you reached the site directly even though it is categorized as a Filter Avoidance URL and the Filter Avoidance category is blocked. This is because the connection was an encrypted SSL session and the Network Composer has not yet been configured to inspect SSL traffic; without inspection the filter never sees the host name or content it would need to match against the category.
8. To prevent SSL tunneling as a filter avoidance technique you must enable the SSL filtering engine. The following changes make SSL traffic subject to the same content filtering as HTTP traffic.
   a. Log in to Network Composer.
   b. Go to Manage -> Policies & Rules -> Internet Usage Rules -> Test Group 1.
   c. Change the Traffic Flow Rule Set to App + Web Filter + SSL Filter.
   d. Go to the HTTPS/SSL Filtering tab, select the radio button next to Enable SSL certificate-based content filtering, and check the box next to Enable block page for SSL certificate-based filtering.
   Note: Refer to Test Case 4 for the complete step-by-step process to enable the FULL SSL inspection method. Certificate-based filtering identifies the site from the server certificate presented in the handshake, without decrypting the session, which is enough to block a categorized host; inspecting what is sent inside the session requires full SSL inspection.
   e. Click the Save button to save and apply the new settings to the Test Group 1 Internet Usage Rule.
9. Again, in your web browser go to https://www.peacefire.org.
10. This time you should receive a block page from the Composer indicating that the site was blocked, because the SSL (HTTPS) traffic is now subject to the filtering process. The site was categorized as Filter Avoidance and was blocked accordingly.
Note: If you do not receive a block page, your traffic is not subject to the Internet Usage Rule configured to block the Filter Avoidance category. Verify your group membership and the Internet Usage Rule applied to your group via Policy Manager.
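The steps above turn on name-based blocking of an encrypted session. As an added illustration (example code, not Network Composer code and not a description of how the product implements certificate-based filtering), the block below shows the analogous check a gateway can make from the very first packet of a TLS connection: read the server name from the ClientHello's SNI extension (RFC 6066) and apply the URL-category policy to it, with no decryption. The ClientHello is constructed in-line so the example runs offline, and the category database is a constructed stand-in for the vendor's URL database.

```python
"""
Name-based filtering of an HTTPS session without decrypting it.

Added example; not Network Composer code. Reads the SNI host name from a
TLS ClientHello and applies a category policy to it. The ClientHello
builder exists so the example is self-contained; it also documents the
exact byte layout the parser walks.
"""
import struct

# Constructed category database (assumption: the page's test host is listed
# under "Filter Avoidance").
BLOCKED = {"www.peacefire.org": "Filter Avoidance"}


def build_client_hello(server_name):
    """Return a minimal TLS 1.2 ClientHello record carrying server_name as SNI."""
    name = server_name.encode("ascii")
    # ServerNameList entry: name_type 0 (host_name), 2-byte length, name bytes
    sni_list = struct.pack("!BH", 0, len(name)) + name
    # extension_type 0 (server_name), extension_length, then the list with its own length
    sni_ext = (struct.pack("!HH", 0, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"                        # client_version: TLS 1.2
            + b"\x00" * 32                     # random (zeros: constructed test data)
            + b"\x00"                          # session_id length 0
            + struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
            + b"\x01\x00"                      # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # handshake record, ClientHello message
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) < hs_len:
            return None                                 # truncated handshake
        pos = 2 + 32                                    # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                                 # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0:                           # server_name extension
                p = 2                                   # skip ServerNameList length
                while p + 3 <= len(data):
                    name_type = data[p]
                    name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0:
                        return data[p:p + name_len].decode("ascii", "replace")
                    p += name_len
        return None
    except (IndexError, struct.error):
        return None


def decide(record, category_db=BLOCKED):
    """Policy decision for one ClientHello: ('block', category) or ('allow', reason)."""
    name = extract_sni(record)
    if name is None:
        # No SNI: the gateway must fall back to the server certificate in the reply.
        return ("allow", "no SNI in ClientHello; certificate-based check needed on the server reply")
    cat = category_db.get(name)
    return ("block", cat) if cat else ("allow", "not categorized")


if __name__ == "__main__":
    for host in ("www.peacefire.org", "www.example.com"):
        print(host, decide(build_client_hello(host)))
```

The SNI is sent in the clear by every modern browser, which is why a gateway can block a categorized HTTPS host before a single application byte is exchanged; a client that omits SNI (or uses an IP literal) forces the gateway back to the server certificate, which is the case the page's certificate-based option covers. Neither check tells you anything about what is sent inside the tunnel; that is the job of full SSL inspection.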
IP address instead of DNS name

Another technique commonly used to circumvent content filtering is to connect to a website by its IP address rather than by host name. The Composer has an option, Enable Reverse DNS Lookups, which resolves the address back to a host name so the site is categorized by that name rather than checked against the URL database only as a bare IP; the site is therefore analyzed by the content filter regardless of whether the connection is made by IP or by host name. You can also choose to Block IP Address URLs outright.

1. Verify connectivity to the filter avoidance web site http://www.peacefire.org via its IP address.
   a. In your browser's address bar enter http://69.72.177.140.
   Note: This is the address the site resolved to when this document was written; confirm the current address before running the test.
2. Enable reverse DNS lookups in the Composer.
   a. Log in to Network Composer.
   b. Go to Manage -> Policies & Groups -> Internet Usage Rules -> Test Group 1.
   c. Go to the Advanced Filtering tab and then the Web Policy tab. In the Web Policy tab, check the box next to Enable Reverse DNS Lookups.
3. Verify that the category Filter Avoidance is blocked under the Content Filtering -> Blocked Categories tab.
4. Click the Save button.
5. In your browser's address bar enter http://69.72.177.140. You will now receive a block page indicating the address was Found by: Reverse Host Name in URL Database.

Note: A reverse lookup is only as good as the PTR record for the address. Sites on shared hosting or behind a CDN often sit on addresses whose PTR names the hosting provider rather than the site, so the reverse name will not match the URL database. Where that gap matters, Block IP Address URLs is the stronger setting.
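The two options described above behave differently on the same URL. The following added example (not Network Composer code; the URL database and PTR records are constructed so it runs offline, with the page's peacefire.org address and a documentation-range address standing in for a shared host) classifies a URL the way the reverse-DNS and block-IP-URL settings would, including the case where the PTR record names the hosting provider instead of the site.

```python
"""
URL categorization with a reverse-DNS fallback for IP-literal hosts.

Added example; not Network Composer code. In a deployment reverse_lookup()
would call socket.gethostbyaddr() and URL_DB would be the vendor feed; both
are constructed in-line here.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed URL-category database keyed by host name.
URL_DB = {
    "www.peacefire.org": "Filter Avoidance",
    "peacefire.org": "Filter Avoidance",
    "www.example.com": "Business",
}

# Constructed PTR table standing in for socket.gethostbyaddr(). The first
# entry is the address the page uses; the second is an illustrative shared
# hosting address whose PTR names the provider, not the site it serves.
PTR_DB = {
    "69.72.177.140": "www.peacefire.org",
    "203.0.113.10": "vps-10.hosting-provider.example",
}

BLOCKED_CATEGORIES = {"Filter Avoidance"}


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reverse_lookup(ip, ptr_db=PTR_DB):
    """Return the PTR name for ip, or None when there is no record."""
    return ptr_db.get(ip)


def verdict_for(category, found_by):
    action = "block" if category in BLOCKED_CATEGORIES else "allow"
    return (action, f"{category}: Found by: {found_by} in URL Database")


def classify(url, reverse_dns=True, block_ip_urls=False):
    """Return (action, reason) for url under the given policy switches."""
    host = urlsplit(url).hostname or ""
    if host in URL_DB:
        return verdict_for(URL_DB[host], "Host Name")
    if is_ip_literal(host):
        if block_ip_urls:
            return ("block", "IP address URL blocked by policy")
        if reverse_dns:
            name = reverse_lookup(host)
            if name in URL_DB:
                return verdict_for(URL_DB[name], "Reverse Host Name")
            return ("allow", "PTR name not in URL database" if name else "no PTR record")
        return ("allow", "IP address URL, reverse DNS disabled")
    return ("allow", "host not in URL database")


if __name__ == "__main__":
    for u in ("http://www.peacefire.org/", "http://69.72.177.140", "http://203.0.113.10"):
        print(u, classify(u, reverse_dns=False), classify(u), classify(u, block_ip_urls=True))
```

With reverse DNS off the IP-literal request is allowed; with it on, the peacefire.org address is blocked with the same "Reverse Host Name" reason the page shows, while the shared-hosting address still slips through because its PTR record does not identify the site. Only Block IP Address URLs closes that last case.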
Web-based proxies

These web sites host proxy applications that circumvent filters by letting the user connect to them over the standard HTTP ports (80, 443, 8080) and then hiding all subsequent web requests behind the original web site. Examples: www.ninjabypass.com, proxify.org, www.xioi.info, unblockzweb.com.

1. Enable the technology that blocks all web-based proxies.
   a. You have previously blocked the web category Filter Avoidance. Verify that you are still blocking this category in the Internet Usage Rule.
   b. Verify that the Filter Avoidance settings are also enabled on the Advanced Filtering tab, and save any changes you have made.
   Note: With these settings enabled, Network Composer inspects content at the deepest level and can identify web-based proxies whether they use the simplest techniques or more complex ones such as PHP scripting or a proxy chain.
2. In your browser, try going to www.proxify.org. You should receive a block page notifying you that the site was blocked due to the detection of Filter Avoidance.

Clients (for example, TOR, UltraSurf, FreeGate, GPass)

1. First, install the UltraSurf client application on your workstation. Use a dedicated test workstation for this: the download comes from a third-party site and installs a tunneling application on the machine.
   a. Click or go to the following link to download the UltraSurf 9.96 executable: http://www.ultrareach.com/downloads/ultrasurf/u996.zip
   Note: A more recent version of UltraSurf may be available after the time of publishing.
   b. When the File Download Security Warning dialog box appears, click Save.
   c. Save it to your desktop or another location where the executable, u996, is easy to find later.
   d. When presented with the Download Complete dialog box, click Open.
   e. Click the u996 executable presented in the new window.
   f. When presented with the Security Warning dialog box, click Run.
   g. You should now see the UltraSurf control panel open and the UltraSurf yellow lock appear at the bottom right of your screen. The Status on the control panel should indicate Successfully connected to server.
2. Test connectivity to the internet through the newly installed UltraSurf client. In your browser go to www.google.com.
3. Close your connection to UltraSurf by clicking the Exit button, then close IE and exit.
4. Now configure Network Composer to block the UltraSurf client, as well as other clients that attempt to circumvent content filtering by masquerading their traffic as HTTP data.
   a. Log in to Network Composer.
   b. Navigate to Manage -> Policies & Groups -> Internet Usage Rules -> Test Group 1.
      i. Change the Traffic Flow Rule Set to Allow only web filter traffic.
5. If you have not already blocked the category Filter Avoidance, make sure it is listed as a blocked category.
6. Under the Advanced Filtering > Web Policy tab, verify that you have cleared the selection next to Allow non HTTP traffic through the web filter. To block UltraSurf and other third-party applications that masquerade as HTTP data you MUST block non-HTTP data from passing through the web filter (ports 80, 8080, 443). A client that merely uses a web port is not sending HTTP, and a filter that forwards whatever arrives on those ports is what such clients rely on.
7. Click Save at the bottom of the Add/Edit Internet Usage Rule page to save your changes.
Note: You must have SSL inspection turned on, as noted at the beginning of this document. At a minimum you must have Enable SSL certificate-based content filtering selected under the HTTPS/SSL Filtering tab; a client whose tunnel looks like a genuine SSL handshake passes the non-HTTP check and has to be caught by the SSL filter instead.
Tip: If you are using the Allow only web filter traffic Traffic Flow Rule Set and there are other, non-HTTP applications (such as FTP or RDP) that users need to pass through the Network Composer, you will need to add those applications to this TFR with a target of Pass Thru. To do so, navigate to Manage > Applications > Applications and create a new signature for each application you want to allow through. Then navigate to Manage > Applications > Traffic Flow Rule Sets and select Allow only web filter traffic. The applications you created appear on the left side as available applications to add; once added to this Traffic Flow Rule Set they are allowed to pass through.
8. Test your connection to the UltraSurf application again. This time, after you launch the application, it cannot establish a reliable connection.
   a. Locate and double-click the file named u996 (u996.exe) to launch the application.
   b. When the Security Warning dialog box appears, click Run.
   c. The application launches, but notice that the Status remains at Contacting Server. This indicates that UltraSurf is no longer able to connect to the internet and provide anonymous browsing to the user.
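Step 6 above is the one that actually stops the client: the web filter must refuse anything on ports 80, 8080 and 443 that is not HTTP or an SSL handshake. The following added example (not Network Composer code, and not a description of its detection engine) shows that protocol check on a handful of constructed first-packet payloads. The "tunnel" payloads are arbitrary bytes made up for the example; they are not a signature of UltraSurf or of any other client.

```python
"""
Protocol validation for flows a web filter accepts on ports 80, 8080 and 443.

Added example; not Network Composer code. With allow_non_http=False the
check does what clearing "Allow non HTTP traffic through the web filter"
asks for: port 80/8080 data must start with an HTTP request line, port 443
data with a TLS ClientHello record, and anything else is dropped.
"""
import re

# An HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"\A[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def is_http_request(payload):
    """True if payload starts with a syntactically valid HTTP/1.x request line."""
    return REQUEST_LINE.match(payload) is not None


def is_tls_client_hello(payload):
    """True if payload starts with a TLS handshake record whose first message is a ClientHello."""
    return (len(payload) >= 6
            and payload[0] == 0x16          # record content type: handshake
            and payload[1] == 0x03          # record version major byte
            and payload[2] <= 0x03          # SSL 3.0 .. TLS 1.2 wire versions
            and payload[5] == 0x01)         # handshake message type: ClientHello


def classify_flow(dst_port, payload, allow_non_http=False):
    """Return (protocol, action) for the first client bytes of a flow."""
    if dst_port in (80, 8080) and is_http_request(payload):
        return ("http", "filter")
    if dst_port == 443 and is_tls_client_hello(payload):
        return ("tls", "filter")            # handed to the SSL/certificate-based filter
    if dst_port in (80, 8080, 443):
        return ("non-http", "pass" if allow_non_http else "drop")
    return ("other", "not a web-filter port")


# Constructed sample flows: (destination port, first bytes sent by the client)
SAMPLE_FLOWS = [
    (80,   b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 37),   # ClientHello header
    (443,  b"\x00\x00\x00\x1a\x8f\x2c\x91\x03\x00\x00\x00\x00\x7a\xd3"),       # opaque tunnel data (made up)
    (80,   b"\x05\x01\x00"),                                                   # SOCKS5 greeting on port 80
    (8080, b"CONNECT 203.0.113.5:443 HTTP/1.1\r\nHost: 203.0.113.5:443\r\n\r\n"),
]


def audit(flows=SAMPLE_FLOWS, allow_non_http=False):
    """Return a list of (port, protocol, action) verdicts, one per flow."""
    return [(port,) + classify_flow(port, data, allow_non_http) for port, data in flows]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The opaque tunnel bytes and the SOCKS greeting are dropped once non-HTTP traffic is disallowed, which is the behaviour the UltraSurf retest demonstrates (Status stuck at Contacting Server). The CONNECT request is still valid HTTP and reaches the filter, where the Internet Usage Rule and the Anonymous Proxy Guard decide its fate; and a client that opens a real SSL handshake passes this check entirely, which is why the note above insists on certificate-based SSL filtering as a minimum.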
Anonymous Proxy Guard

The Anonymous Proxy Guard technology ensures that HTTP traffic is subject to the filtering rules you have in place, so users cannot hide their usage or circumvent acceptable use policies.

Anonymous Proxies, SOCKS Proxies, Nonstandard ports

New proxies are published daily, sometimes hourly, so a list of known proxy addresses is out of date as soon as it is built. It is therefore critical to have a technology that gives you zero-hour protection against any and all unauthorized HTTP connection attempts. Typically this unauthorized access is accomplished with an application-based proxy configured through the browser's settings. With the Network Composer you can block access to these anonymous proxies by enabling the Anonymous Proxy Guard.

1. Obtain the details of an anonymous proxy, both IP and port, and configure your browser with this information.
   a. Go to http://www.proxz.com/proxy_list_anonymous_us_0.html and pick one of the IP/port combinations listed under the section US Anon proxies. This web site is one of many that provide a list of the most recent proxies.
   Note: Any proxy picked from a public list is operated by an unknown third party and sees every request sent through it. Run this test from a disposable test workstation and do not log in to anything while the proxy setting is in place.
2. Configure your browser to use the internet proxy and non-standard port combination, referred to here as an Anonymous Proxy. Note: This assumes that you are using Internet Explorer.
   a. In Internet Explorer go to Tools -> Internet Options -> Connections tab.
   b. Click the LAN settings button.
   c. On the LAN settings page, check Use a proxy server for your LAN. Enter the IP obtained from proxz.com into the Address field and the port into the Port field.
   d. Click OK. Every HTTP request from the browser is now forwarded to this internet proxy on the non-standard port.
3. Make a web request to Google by entering http://www.google.com into your web browser. Verify that the request to Google completes before proceeding to step 4.
4. Engage the Anonymous Proxy Guard in Network Composer.
   a. Log in to Network Composer.
   b. Go to Manage -> Policies & Groups -> Internet Usage Rules -> Test Group 1.
   c. Change the Traffic Flow Rule Set to App + Web Filter + Anonymous Proxy Guard.
   d. Click Save.
5. Open a new browser window and go to www.google.com. This time the page will not load (your browser will give a time-out message), nor will any other site, because the Anonymous Proxy Guard is now preventing HTTP access to the internet (anonymous) proxy on the non-standard port.
When you have finished the test, clear Use a proxy server for your LAN in the browser again; otherwise the workstation is left pointed at the third-party proxy.
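The page does not say how the Anonymous Proxy Guard recognizes a proxied request, so the following is an added example of one way a gateway can do it, not a description of the product. It relies on two observable facts: a browser configured with an explicit proxy sends its plain requests in absolute-URI form ("GET http://host/path HTTP/1.1") and uses CONNECT for HTTPS, and the proxies used in this test listen on non-standard ports. The sample connections and the list of sanctioned (organization-run) proxies are constructed for the example.

```python
"""
Anonymous proxy guard: spot browsers sending HTTP through an unsanctioned proxy.

Added example; not Network Composer code. A request addressed to a proxy
(absolute-form target, or CONNECT) that is going anywhere other than a
proxy the organization runs itself is blocked.
"""
from urllib.parse import urlsplit

# Constructed: proxies the organization operates and wants to keep allowing.
SANCTIONED_PROXIES = {("10.0.0.5", 3128)}
STANDARD_WEB_PORTS = {80, 443, 8080}


def parse_request_line(payload):
    """Return (method, target, version) from the first line, or None if not HTTP."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    return tuple(p.decode("ascii", "replace") for p in parts)


def is_proxy_style(method, target):
    """True if the request is addressed to a proxy rather than to the origin server."""
    if method == "CONNECT":
        return True
    return target.lower().startswith(("http://", "https://"))


def guard(dst_ip, dst_port, payload, sanctioned=SANCTIONED_PROXIES):
    """Return (action, reason) for the first request on one outbound connection."""
    parsed = parse_request_line(payload)
    if parsed is None:
        # Not HTTP at all (e.g. a SOCKS greeting): outside this check, handled by
        # the non-HTTP traffic setting of the web filter.
        return ("pass", "not an HTTP request")
    method, target, _ = parsed
    if not is_proxy_style(method, target):
        return ("filter", "origin-form request, normal web filtering applies")
    if (dst_ip, dst_port) in sanctioned:
        return ("filter", "request to sanctioned proxy")
    origin = target if method == "CONNECT" else urlsplit(target).netloc
    port_note = "" if dst_port in STANDARD_WEB_PORTS else ", non-standard port"
    return ("block", f"anonymous proxy {dst_ip}:{dst_port}{port_note} ({method} for {origin})")


# Constructed sample connections: (destination IP, destination port, first bytes)
SAMPLES = [
    ("203.0.113.77", 8118, b"GET http://www.google.com/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    ("203.0.113.77", 8118, b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"),
    ("10.0.0.5", 3128, b"GET http://www.google.com/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    ("198.51.100.4", 80, b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    ("203.0.113.77", 1080, b"\x05\x01\x00"),
]


def audit(samples=SAMPLES):
    """Return the guard's (action, reason) for each sample connection."""
    return [guard(ip, port, data) for ip, port, data in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, audit()):
        print(sample[0], sample[1], verdict)
```

The first two samples are exactly what Internet Explorer sends once the LAN proxy setting from step 2 is in place, and both are blocked; the same requests to the organization's own proxy are allowed through to normal filtering, and an ordinary origin-form request is untouched. Because the decision is made from the shape of the request rather than from the proxy's address, a proxy published an hour ago is caught just as well as an old one, which is the zero-hour property the section asks for. The SOCKS greeting in the last sample is not HTTP and is left to the non-HTTP traffic check.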