Smashing the Perimeter - Avoiding Content Inspection

One area that is always a large concern for business today is Internet access for staff. This isn't just a technical matter of keeping virus infections out and Intellectual Property in; it is also about protecting staff from offensive content. In addition, staff are generally expected to be working for their money, not surfing Facespace for five hours a day.

As Security Professionals, we are often asked to circumvent systems that are supposed to provide some protection and control over the use of the Internet within an organisation. When companies invite us into their network, we arrive armed with a large range of tools designed to subvert security measures, so that we can fully assess the applications and networks under review. How do we get around corporate filtering systems, and what can be done to prevent us, and your staff, from accessing inappropriate content on the Internet?

Obviously, the exact technique used in each attempt to subvert security measures depends very much on the networks and systems in place. However, the one application that gets us through most often is a very powerful SSL VPN. It needs to be installed on a server placed in the outside world. It is open source, and hence freely available for download. We connect to the server using normal HTTPS (the protocol used for accessing your Hotmail, Gmail or Internet banking sites), then download and run a Java applet (no installation required, which subverts many workstation lockdown controls). The Java applet creates a tunnel to the server that we use as a local proxy, so no unencrypted traffic is sent over the network. The application runs entirely over HTTPS, and many filters view it as pure HTTPS traffic. Using this tunnel, we can access anything on the Internet: not only web pages but other Internet protocols such as email and FTP, and remote access software such as SSH and Terminal Services.

What makes our attack more effective is that we can run multiple connections from multiple ISPs, all on dynamic IP addresses, using dynamic DNS. It is very hard for a system administrator to capture all of our IP addresses and DNS names in order to add us to a blacklist.

The risk for business is that this is not too high on the difficulty scale for someone to do; it circumvents Internet controls and can potentially be devastating for a business by creating a securely encrypted hole right into the heart of the organisation.

One further difficulty companies face when it comes to Internet access is that there is often an established culture of allowing staff mostly unfettered Internet access. Without sufficient inline and endpoint protection (more on this in a future article) this is a high-risk situation. Certainly no one would want to be the one responsible for bringing down the corporate network, or worse, end up being falsely accused of a heinous crime like this guy.

The only effective method for capturing and blocking our unfettered Internet connection is to run sophisticated HTTPS decryption software. This works by using certificates installed on the corporate gateway server and in the users' browsers. The gateway performs all communication with the web servers: it decrypts the content to ensure valid HTTPS requests are being made. Once validated, the content is re-encrypted and sent to the user. If the traffic is seen to be making unusual HTTPS requests, the gateway drops the connection.
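Even without full HTTPS decryption, the tunnel described above leaves a footprint in ordinary proxy logs: a single CONNECT held open for hours, carrying far more data than a web page, to a dynamic-DNS hostname. The following is an added example (not code from the original article) of a heuristic a defender could run over such logs; the log format, hostnames, client addresses and thresholds are all constructed assumptions.

```python
from collections import namedtuple
# Constructed sample proxy log (not from any real product):
# timestamp client method host:port duration_ms bytes_transferred
SAMPLE_LOG = """\
2010-03-01T09:00:01 10.1.1.5 CONNECT mail.example.com:443 1200 48211
2010-03-01T09:00:03 10.1.1.7 CONNECT cdn.example.net:443 850 122034
2010-03-01T09:00:10 10.1.1.9 CONNECT host-a.dyn.example.org:443 7200000 913000000
2010-03-01T09:05:00 10.1.1.9 CONNECT host-b.dyn.example.org:443 5400000 455000000
2010-03-01T09:06:00 10.1.1.5 CONNECT bank.example.com:443 30000 90012
"""
Session = namedtuple("Session", "ts client method host port duration_ms nbytes")

def parse_log(text):
    """Parse the constructed whitespace-separated log format into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, hostport, dur, nbytes = line.split()
        host, _, port = hostport.rpartition(":")
        sessions.append(Session(ts, client, method, host, int(port), int(dur), int(nbytes)))
    return sessions

# Thresholds are assumptions; tune them against the organisation's own baseline.
LONG_SESSION_MS = 60 * 60 * 1000          # one CONNECT held open for an hour or more
HIGH_VOLUME_BYTES = 100 * 1024 * 1024     # 100 MiB through a single CONNECT
DYN_DNS_SUFFIXES = (".dyn.example.org",)  # placeholder for known dynamic-DNS domains

def tunnel_suspects(sessions):
    """Flag CONNECT sessions that look like a persistent tunnel rather than browsing.
    Returns (client, host, reasons) tuples; a session needs two or more reasons."""
    suspects = []
    for s in sessions:
        if s.method != "CONNECT":
            continue
        reasons = []
        if s.duration_ms >= LONG_SESSION_MS:
            reasons.append("long-lived")
        if s.nbytes >= HIGH_VOLUME_BYTES:
            reasons.append("high-volume")
        if s.host.endswith(DYN_DNS_SUFFIXES):
            reasons.append("dynamic-dns")
        if len(reasons) >= 2:
            suspects.append((s.client, s.host, tuple(reasons)))
    return suspects

if __name__ == "__main__":
    for client, host, reasons in tunnel_suspects(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

Requiring two independent reasons keeps a single long download or one legitimate dynamic-DNS host from tripping the rule on its own.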
