Prior to January of 2007, I had very little exposure to the vast array of applications that employees use while at work. Sure, I used IM, webmail and listened to music online, but I was being paid to do a job, not entertain myself. After joining Palo Alto Networks, and analyzing 18 months worth of customer traffic, it has become clear to me that my application exposure is outdated. I say this because I am surprised by the broad range of applications we find running on corporate networks – business and end-user oriented. Examples include inappropriate web surfing (obviously), watching HD movies, streaming music, file sharing or running a side business. The bottom line is that employees are using their favorite applications whenever they want with little regard to the associated business and security risks.
If they are stopped by IT or if users want to hide their activities, then are several ways in which they can circumvent controls:
- External proxies: CGIProxy, PHProxy and Hopster
- Encrypted tunnels: TOR, Hamachi, SSH
- Remote desktop control applications: Yoics!, LogMeIn!, RDP
In this first of three articles, we take a look at external proxies in a bit more detail. External proxies are defined as those that the IT department would not endorse for enterprise use. The purpose of an external proxy is plain and simple – browse the web, use web-based applications, without the organization having control or even knowing about it.
In our recently published Application Usage and Risk Report, we found 17 external proxy variants across 81% of the 63 enterprises we worked with. On average, we found 4 different proxy variants, and in one case, as many as 9 variants were discovered. The most common proxies were CGIProxy, PHProxy and Hopster. None of these proxies were deployed by IT. For the purposes of bypassing corporate security mechanisms, employees can use one of two alternatives: private or public.
- Private proxies are those that an end-user installs and uses for themselves. Merely search the net for PHProxy, Glype or one of the other proxy executables, install it on an Internet-connected computer and start evading IT controls. The most commonly detected proxies that fall into this category are CGIProxy and PHProxy, which were detected in 57% and 51% of the accounts respectively.
- Public proxies or proxy services are typically implementations of the aforementioned proxy software applications that are made available to the public. Someone installs the software on a public-facing server and then submits the URL to proxy.org, making it available to anyone who wants to use it to browse anonymously. Simply visit www.proxy.org and select from one of 7,700+ proxies that have been established by well-meaning Internet citizens. Users can also sign up for an email update that notifies them of the 10 or so new proxy sites made available on a daily basis.
External proxies (private or public) enable employees to bypass existing controls, such as a firewall and URL filtering, and IT-implemented proxies. The reasons are simple – the traffic looks like normal web browsing and most enterprise security policies allow this type of traffic to pass unfettered. An argument could be made that URL filtering could block public proxies, but in many cases, they are unable to keep up with an average of 10 new proxy services enabled every day.
Most IT folks we talk to agree that external proxies do not belong on the enterprise network. They are designed for one thing – to circumvent controls. They represent an unmonitored vector that poses business and security risks to the end user and to the network itself. Examples include lost productivity from non-work related activity, damage to business continuity from malware propagation installed by the proxy creator and inbound threats coming from the sites being visited. Public proxies bring additional risks, over and above those listed for a private proxy. Because the proxy is public, set up by someone whose intentions are unknown, these should be treated as “use at your own risk”. All traffic passing through the public proxy is technically viewable by the proxy owner.
I am the first to admit, I do not work 100% of the time. I am of the opinion that if an employee needs to go the lengths of using a proxy in order to surf the web, maybe they should re-think doing so at work. But maybe that’s just me and my web 1.2 mindset.