Web anonymizers can be beneficial in preventing employees from accessing specific Web sites while on your network. However, when employees use anonymizers, they become dangerous. Anonymizers can be misused to evade corporate firewalls, defeating your efforts to stop employees from accessing their personal email accounts and engaging in inappropriate – and sometimes illegal – Web surfing to pornography and gambling sites. In some cases, employees use anonymizers to
What are anonymizers?
An anonymizer is a proxy that hides a user's real IP address – in this case, your company's IP address – from the Internet. It is software installed on the client that creates a virtual proxy that links either with a proxy network or to a public proxy server. There are hundreds of public proxies listed on the Web, some of which anonymizers are tuned to call.
Many enterprises with heavy-duty firewalls use proxies to control traffic into and out of their network. The proxy is the gateway between the company's internal network and the Internet, and can be configured to block certain traffic, inappropriate Web sites or any activity the company deems malicious. As long as your users have Internet access, the anonymizer's request to a public proxy outside your network appears onyour Web logs as just another innocent request to a seemingly innocuous Web site. That makes it tricky to detect and block anonymizers on your network. So what can you do to find anonymizers and protect your network? Let's look at some options.
Web content filtering products, like Websense and Blue Coat, can be configured to detect users trying to download software, inappropriate or otherwise, and then tuned to block them. It's easy to tune any content blocker to watch for the two main anonymizer products: Anonymizer from Anonymizer, Inc. and Tor from the Electronic Freedom Frontier (EFF) Organization. But there are also dozens of other lesser-known, free products available on the Web that are harder to fingerprint and weed out. So, besides blocking content, you can detect them indirectly by reviewing intrusion detection system (IDS) logs for unusual traffic. This can point to malicious use of your network possibly caused by anonymizer use. A routine analysis could point to a desktop with an anonymizer installation.
As for preventing their use, with careful planning, you can block elusive anonymizers from causing trouble on your network. The following are some steps, short of the draconian measure of stripping Internet access from all your employees:
- Make sure you have a clear policy that prohibits employees from downloading software of any kind on their desktop without the express written permission of your information security department. A blanket policy for blocking malware and spyware, in general, also covers anonymizers, without specifically saying so.
- Policies only go so far and are easy to circumvent. Therefore, it's also important to block the downloading of software at your firewalls. This should be the rule for most employees, with limited exceptions only for IT staff and other individuals cleared by the information security department. Even then, firewall rules that allow downloads should be tightly restricted to prevent ordinary users from easily going around them.
- Block the IP addresses for downloading Anonymizer and Tor, and their proxies. For other products, get up-to-date lists of public proxies used by anonymizers. These lists are available on the Web from anonymizer providers, and you can blacklist them on your routers, gateways or other content blocking software your company uses. This can be a big job since there are hundreds, possibly thousands, of public proxies advertised on the Web by anonymizers.
About the author
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP, specializing in Web and application security, and the author of The Little Black Book of Computer Security available from Amazon. As an expert for SearchSecurity.com, Joel is available to answer your questions on identity and access management.
This was first published in June 2006