Encrypted tunnels enable users to circumvent security controls

By Matt Keil, Palo Alto Networks
In the previous article, I talked a bit about how employees are using external proxies to hide web activity from the prying eyes of the IT department. This article discusses the use of encrypted tunnel applications to hide from detection. To someone like myself (an admitted web 1.2 kinda guy), using one of these applications seems a bit extreme. They all require the installation of a client software – but once installed, they virtually guarantee that corporate security won’t see (or stop) you from using your favorite application.

In the previous article, I talked a bit about how employees are using external proxies to hide web activity from the prying eyes of the IT department. This article discusses the use of encrypted tunnel applications to hide from detection. To someone like myself (an admitted web 1.2 kinda guy), using one of these applications seems a bit extreme. They all require the installation of a client software – but once installed, they virtually guarantee that corporate security won’t see (or stop) you from using your favorite application.

In the Application Usage and Risk Report, encrypted tunnel applications such as SSL and SSH were found in 100% and 89% of the organizations, respectively. Other examples such as TOR and Gbridge were also found, although not nearly as often. Encrypted tunnel applications fall into several different categories – those that are explicitly designed to bypass security such as TOR and Gbridge; and tools commonly user by IT that enable similar actions such as SSH. The common thread is that they all let users bask in the warmth of an encrypted tunnel, safe in the knowledge that their activity is hidden.

Do these applications have a redeeming quality? Sure, their sole purpose is to hide something, or evade detection on the network. SSH as a great tool. No question about it. IT can use SSH to perform remote management. But at the same time, a non-IT user can easily hide their actions in SSH to login to PCs outside of work to participate in non-work related activities. But I would seriously question the value of TOR and UltraSurf when they are found on enterprise networks.

TOR (The Onion Router) is an interesting example of a privacy tool that was originally developed by the U.S. military as a means of secure communications over the early version of the Internet (DARPANET). Once installed, TOR sends and receives messages through a distributed series of TOR nodes. Privacy is ensured by the distribution of data across multiple nodes such that that no one node holds the entire message. The use of proprietary encryption further ensures privacy. The final message comes back together when it is received by the intended recipient. TOR is the recommended method of communications for whistle-blowers and it is recommended by the Electronic Frontier Foundation (EFF) as a mechanism for maintaining civil liberties online. Suffice it to say that the sole purpose of TOR on a corporate network is to evade security.

Gbridge is a pretty cool application—it is an ingenious use of an existing infrastructure (Gtalk) to hide an encrypted VPN tunnel. My view of Gbridge is that the developer had too much time on his or her hands. Here’s how Gbridge works: Gbridge establishes a VPN inside of a Gtalk instant messaging session to enable connections to a PC outside the firewall that is “owned’ by the same Gtalk user. With a Gbridge tunnel established to the PC outside the firewall, users can then do whatever they want – all in an encrypted manner.

To most security devices, Gbridge will pass undetected, looking like HTTP traffic, or at most instant messaging traffic, which may or may not pose a risk to the enterprise. Unbeknownst to the security team, hidden inside of the IM session is an encrypted connection. Note that Gbridge is not a Google application – it is an extension written by another developer.

The last example of an encrypted tunnel application that enables proactive security evasion is SSH. Whereas TOR and Gbridge are applications that have been developed with the explicit purpose of bypassing security, SSH is commonly used by IT for remote management. We detected SSH on 89% of the networks in our analysis. We also found that knowledgeable end-users use SSH to access their home machines (or other machines) for non-work related activities. To be fair, SSH is a commonly used IT tool and it is difficult to determine how it is being used in every organization. However, there are known instances within this set of organizations where SSH control policies were in place, yet sophisticated users were violating the policy.

These are just a few of the examples of the encrypted tunnel applications that were found in this analysis. These applications, along with external proxies are perfect examples of the extremes that employees will go to in order to use their favorite application, surf to their favorite web site or login to a PC outside of work.  Right or wrong, these applications pose security and business risks to the enterprise networks and if possible, their use should be identified, then controlled and in some cases blocked outright.

Suggested articles