05 May 2013

Internet Filtering Series -- Part IV (Upstream SOHO "Lab")


After showing some of the benefits and drawbacks of client-side filtering, it's time to look at one upstream solution: DNS filtering. DNS filtering prevents certain sites' human-readable names (such as example.com) from resolving to their IP address (usually in the dotted form A.B.C.D, where A is a specific number between 0 and 223 and B, C, and D are each specific numbers between 0 and 255); the filtering resolver answers with the address of its block page instead.

Unlike client-side filtering, DNS filtering is platform-agnostic and scales with the size of the network. Providers often offer a free or nominal-fee service for individual homes and schools.
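To make the mechanism concrete, here is an added toy model of a filtering resolver (example code written for this page, not the post's own material and not OpenDNS's implementation). Every name, category and address in it is constructed; the point it demonstrates is that the answer is decided on the name before any HTTP or HTTPS request is sent, and that a site reachable under a second name needs that name categorised too, or a plain name-based block list lets it through.

```python
# Added example (not from the original post): a toy model of a filtering
# resolver such as the one the lab's gateway forwards to. Every name,
# category and address here is constructed for illustration; real providers
# maintain far larger category databases.
from __future__ import annotations

# Constructed: an address standing in for the provider's block page.
BLOCK_PAGE_IP = "192.0.2.10"

# Constructed "upstream" answers the resolver returns when nothing is blocked.
UPSTREAM = {
    "www.sports.example": "198.51.100.10",
    "sports.portal.example": "198.51.100.11",
    "www.dating.example": "198.51.100.12",
    "mail.example": "198.51.100.20",
}

# Constructed category database. The same sports site is reachable under a
# second name (compare the espn.com / espn.go.com observation in the results):
# both entries must carry the category, or a name-only block list misses one.
CATEGORY_OF = {
    "sports.example": "sports",
    "sports.portal.example": "sports",
    "dating.example": "dating",
    "mail.example": "webmail",
}

RESTRICTIVE_POLICY = frozenset({"sports", "dating", "lingerie", "pornography"})


def category_for(name: str) -> str | None:
    """Return the category of the most specific matching suffix, so that
    a.b.sports.example inherits the category of sports.example."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORY_OF.get(".".join(labels[i:]))
        if cat is not None:
            return cat
    return None


def resolve(name: str, policy: frozenset[str] = RESTRICTIVE_POLICY) -> tuple[str | None, str]:
    """Answer a lookup the way a filtering resolver does: blocked categories
    get the block-page address, everything else gets the normal answer.
    Resolution happens before any HTTP or HTTPS request is sent, which is
    why rewriting a URL to https:// still lands on the block page."""
    cat = category_for(name)
    if cat is not None and cat in policy:
        return BLOCK_PAGE_IP, "blocked:" + cat
    addr = UPSTREAM.get(name.lower().rstrip("."))
    if addr is None:
        return None, "nxdomain"
    return addr, "allowed"


def name_list_blocks(name: str, block_list: set[str]) -> bool:
    """A plain name-based block list: matches only the listed names and their
    subdomains, so an alternate name for the same site slips through."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in block_list for i in range(len(labels)))


if __name__ == "__main__":
    for n in ("www.sports.example", "sports.portal.example", "mail.example", "nosuch.example"):
        print(n, resolve(n))
    # A name-only list that knows sports.example misses the alternate name.
    print(name_list_blocks("sports.portal.example", {"sports.example"}))  # False
```

The suffix walk in `category_for` is what makes a category entry for `sports.example` cover every subdomain beneath it; the separate `sports.portal.example` entry is the defender's answer to a site that publishes a second domain.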

Further, the entire lab is done within VMware Workstation, which makes it possible to emulate a suitable "generic" PC with typical hardware.

Typical Real-World Scenarios Addressed: 

  • A family's set of PCs in their home
  • A small parochial school
  • Your typical public library (though under federal law, librarians must have the ability to disable this at the adult patron's request)
  • A small branch office or a typical "mom and pop" business.  

Specific Lab Scenario Details: 

Philip Parsons works for a local accounting firm in the suburbs. His company employs about 25 individuals in a single office. While he is the primary user of his computer, he technically shares it on occasion with two other individuals, Ben Thomas and Maryann Richards.

In the wake of a threatened harassment lawsuit from a now-departed (and unspecified) female employee, it was determined that two male employees (including that employee's direct supervisor) were regularly visiting dating, lingerie, pornography, and sports sites from their work computers while "on the clock" and then openly talking about their exploits.

The firm's owner believes these employees' use of the sites has a great deal to do with the alleged hostile environment and has therefore ordered Richard Cuneo, the firm's in-house IT professional, to block all similar sites from every workstation in the company.

Technical Details:
  • PC Hardware Simulated: Generic 64-bit PC with 1 GB RAM and 80 GB hard drive
  • OS: Originally XP, most machines were upgraded recently to Windows 7 Professional with SP1
  • PC is fully-updated with Microsoft Update
  • Anti-Malware: ZoneAlarm Suite (trial), definitions and components up to date.
  • Several "typical" programs are installed including Microsoft Office 2007, iTunes, FileZilla, some general business/accounting software, TeamViewer, and Spybot
  • IP address of PC: 192.168.2.21
  • Netmask: 255.255.255.0 (/24 in CIDR notation) 
  • Network Type: workgroup without Windows domain; files are transferred via email accounts and shared folders between individual computers. 
  • ISP: Acme Internet Services (Anytown, USA) with a basic business-class broadband connection
  • Filtering Method: OpenDNS

Filtering Policy: Restrictive (i.e. simulating a company's acceptable-use policy with additional filters in place to help prevent harassment claims and increase worker productivity)

Notes/Assumptions:

  • Physical access to the box is assumed, including the probability of unsupervised access as the machine sits in a small cubicle. 
  • The gateway from the ISP has a feature that integrates with OpenDNS, and therefore the entire network's DNS ultimately uses the service--as opposed to Richard changing the DNS settings on each PC to use the OpenDNS service. 
  • Ben Thomas is a 24 year old college graduate, and arguably the most technically-savvy user of the three. Philip Parsons is 39 years old and your average PC user. Maryann Richards is 61 years old and only uses the computer when she has to. 
  • Richard has said that he cannot "police" what other employees do on their computers all the time, but he can try to "make those kinds of things difficult" for those users. 
  • Richard isn't a specialist in IT security, and only has perhaps 3-4 years experience in the IT field. Nevertheless, he generally knows what he is doing despite the demands placed on him. (In other words, assume no malice in the current network setup)

Goals of This Lab: 

Attempt to bypass a setup wherein a computer's Internet connection uses an external DNS service that also offers content filtering, without access to the administrator's account.

(In short, you are playing the role of Ben. While you weren't busted with your co-workers, you definitely aren't thrilled about the crackdown and still want to be able to access stuff as before.)

Test Sites Used: 

ESPN (http://www.espn.com) -- Representing a "sports" site
Maxim (http://www.maxim.com) -- Representing a "girls/lingerie/laddie" site
Match (http://www.match.com) -- Representing an online-dating site

All three sites were verified to be blocked after the filter was set up.

Results: 

Methods used to circumvent: 

  • Anonymising software. I was able to smuggle the Tor browser bundle onto the test PC, successfully load it, and access Maxim, Match (albeit the local version for the Netherlands--and not surprisingly, in Dutch), and ESPN.
  • TeamViewer. I was able to use the installed version of TeamViewer to connect to an unfiltered computer I control (in this case, an old PC running Slackware 13.37)
  • Remote Forwarding. Once again, I was able to forward Firefox from a Linux box and access all of the sites using MobaXterm. 

Methods attempted with mixed results:

  • Domain Edit. I was able to access ESPN by directly typing in http://espn.go.com instead of espn.com. Yet I also feel it's vital to note that the other two tested sites did not have any such edit or redirect that I am aware of, and therefore did not work. 

Methods attempted, but unsuccessful: 

  • Proxy sites. This method only works with new proxy sites that literally came out in the last 24 hours. Like the previous lab, I set up another test circumventor site on another PC and got through. The filtering companies though are often great at weeding them out by IPv4 address rather quickly. I put this in unsuccessful because it's a temporary circumvention that may last for merely a couple of hours--and would force a user to come up with a newly-undiscovered proxy on the fly. I did try "Hide My Ass" and that was blocked. 
  • Live Media. This one failed simply because the company's gateway/"router" had everything set to point to OpenDNS. All three sites were blocked even though I'd booted the PC from a Slax 7 Live CD. 
  • HTTPS edit. All three sites failed to go through by changing the address to https://[site]. OpenDNS noticed it right away and automatically brought up the block page. 

Methods Not Tried (mostly involves hacking): 

[NOTE: Most of these methods involve getting access to an administrator account and/or making major changes to the computer that may be noticeable. Many won't work if the computer is hooked up to a formal network such as a Windows domain or a UNIX directory server--while it's possible, it's also not as common in this type of situation. ]

  • Obtaining local-administrator rights to the PC
    • Reset Passwords. This would work in most SOHO (small office and home) environments, and would enable anyone to access the designated administrator account on the computer. For Windows, this can be done with any of several well-known tools and techniques. 
    • Built-in Administrator account. Windows has a built-in administrator account. Up through Windows 7, the default password is blank (however, this account is disabled by default from Vista onward, and many PC vendors have been disabling it even before Vista shipped). Thus, if it is enabled, and not an ancient copy of Windows, it's probably set.
    • Other modern operating systems (Mac OS X, Linux, BSD, UNIX, etc.) don't have a comparable built-in account--and if more than one person may use the computer, each person has their own login on these systems.  
    • After that's done and admin access is obtained, the following options emerge: 
      • Editing the DNS entries to use a different DNS server such as Google Public DNS (8.8.8.8 or 8.8.4.4) or the old GTEI (now Verizon) at 4.2.2.2. This has the effect of not using the filtering provider's DNS and therefore the blocked sites should resolve. 
      • Checking to see if the administrator account will allow you to manually set the DNS servers for the PC.
  • Bringing one's own device (such as a laptop, mobile device, or tablet such as an iPad) and attempting to manually adjust the DNS settings to point away from the company's DNS service while maintaining the IP address. 
    • If the network uses DHCP pools, this can cause problems when local IP addresses end up duplicated.  
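The counterpart to the "edit the DNS entries" items above is a host-side audit. The following is an added example (written for this page, not the post's own material) of a check an administrator could run over the text of `ipconfig /all` saved from each Windows workstation, to confirm the resolvers still point at the gateway. The `ipconfig` output, the adapter names and the gateway address 192.168.2.1 are all constructed assumptions.

```python
# Added example (not from the original post): a host-side check an
# administrator can run against the text of "ipconfig /all" from each
# Windows workstation to confirm the resolvers still point at the gateway.
# The sample output below is constructed; the gateway address is assumed.
from __future__ import annotations
import re

EXPECTED_RESOLVERS = {"192.168.2.1"}   # assumed: the gateway that forwards to the filtering service

ADAPTER_RE = re.compile(r"^\S.*? adapter (.+):$")
# "Key . . . . : value" lines; at least one dot or space must precede the colon
# so that a bare IPv6 continuation line such as "fe80::1%11" is not taken for a key.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][^:.]*?)\s*(?:[. ]\s*)+:\s?(?P<val>.*)$")

# Constructed: "ipconfig /all" from a workstation whose resolvers were changed
# by hand while the address itself still comes from DHCP.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WKS-PARSONS
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
"""

# Constructed: the same machine with the resolver left on the gateway.
SAMPLE_COMPLIANT = re.sub(r": 8\.8\.8\.8\n\s+8\.8\.4\.4", ": 192.168.2.1", SAMPLE_IPCONFIG)


def dns_servers_by_adapter(text: str) -> dict[str, list[str]]:
    """Map each adapter name to the DNS servers ipconfig reports for it.
    Extra servers appear on indented continuation lines without a key."""
    servers: dict[str, list[str]] = {}
    adapter: str | None = None
    last_key: str | None = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = ADAPTER_RE.match(raw)
        if m:
            adapter, last_key = m.group(1), None
            continue
        if adapter is None:
            continue            # lines of the global "Windows IP Configuration" block
        m = FIELD_RE.match(raw)
        if m:
            last_key = m.group("key").strip()
            if last_key == "DNS Servers" and m.group("val").strip():
                servers.setdefault(adapter, []).append(m.group("val").strip())
        elif raw[0].isspace() and last_key == "DNS Servers":
            servers.setdefault(adapter, []).append(raw.strip())
    return servers


def audit_resolvers(text: str, expected: set[str] = EXPECTED_RESOLVERS) -> list[tuple[str, list[str]]]:
    """Return (adapter, servers) for every adapter whose resolver list differs
    from the expected set. Adapters reporting no DNS servers (a disconnected
    tunnel, for instance) are not reported."""
    return [(a, s) for a, s in dns_servers_by_adapter(text).items() if set(s) != expected]


if __name__ == "__main__":
    print("changed:", audit_resolvers(SAMPLE_IPCONFIG))
    print("compliant:", audit_resolvers(SAMPLE_COMPLIANT))
```

Note that the sample adapter still shows `DHCP Enabled: Yes`; Windows lets a machine keep its DHCP-assigned address while the DNS servers are set by hand, so a check that only looks at whether DHCP is on would miss exactly this case.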

Recommendations to Help Avoid Successful Circumvention of DNS solutions: 

  • Set a reasonable filtering policy, and consider allowing "relaxed" access to social networks, sports, and the like during lunch periods and after normal business hours or shift-changes (shift-change relaxation could be done, for example, by providing a relaxed PC in the break room with a note saying to make sure an employee clocks out before logging on). Do note that "relaxed" access may not necessarily be an option. 
  • Ensure that the DNS service is applied at the gateway or router and that its address is what DHCP hands out to clients. Some ISPs let SOHO (small office & home) users select a service such as OpenDNS when configuring the router they provide. 
    • Beware that if your ISP also provides your phone or TV service, using a third-party DNS provider may interfere with those services; AT&T U-Verse is a notable example--if you have U-Verse TV, OpenDNS will break it, because the IPTV service requires direct access to AT&T's own infrastructure
  • Control what programs go on the computer. Some vendors offer additional products or services that enhance web filtering by scanning or disabling USB and optical drives. It's also possible to have an IT consultant--or perhaps even the in-house IT staff--write policies or scripts that prohibit non-administrators from running unapproved installers and "portable" apps 
  • Disable access to mstsc.exe (Remote Desktop Connection) for non-administrators and non-IT staff
  • Limit TeamViewer and other remote-access tools to staff who require them as part of their job
  • Remember that no method is foolproof, and that anyone with sufficient resources and time WILL figure out ways to get in and circumvent the filtering. 
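Several of these recommendations can be checked from the gateway's egress logs rather than on each PC. The following is an added example (written for this page, not the post's own material) of a small detector over constructed firewall log lines: it flags workstations that send DNS queries anywhere but the gateway, flags the gateway itself if it stops querying the filtering resolver, and flags remote-access sessions from hosts whose job does not require them. The log format, the gateway address 192.168.2.1, the resolver stand-in 203.0.113.53, the IT workstation 192.168.2.2 and the port heuristics are all assumptions.

```python
# Added example (not from the original post): read constructed gateway/firewall
# egress log lines and flag DNS going around the gateway, the gateway not
# using the filtering resolver, and remote-access sessions from hosts that are
# not authorised for them. Log format and addresses are assumptions.
from __future__ import annotations
import re
from collections import Counter

GATEWAY = "192.168.2.1"            # assumed: the ISP gateway that forwards all DNS to the filtering service
FILTER_RESOLVER = "203.0.113.53"   # constructed stand-in for the provider's resolver address
DNS_PORTS = {53}
# Default ports of the tools the results section relied on. Heuristic only:
# such tools can fall back to 443/80, so this catches the default path, not every path.
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5938: "teamviewer"}
REMOTE_ACCESS_ALLOWED = {"192.168.2.2"}   # assumed: the in-house IT workstation

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log lines: a timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2013-05-05T09:12:01 src=192.168.2.21 dst=192.168.2.1 proto=udp dport=53 action=allow
2013-05-05T09:12:01 src=192.168.2.1 dst=203.0.113.53 proto=udp dport=53 action=allow
2013-05-05T09:12:04 src=192.168.2.21 dst=8.8.8.8 proto=udp dport=53 action=allow
2013-05-05T09:13:10 src=192.168.2.21 dst=203.0.113.7 proto=tcp dport=5938 action=allow
2013-05-05T09:14:00 src=192.168.2.30 dst=203.0.113.9 proto=tcp dport=22 action=allow
2013-05-05T09:15:22 src=192.168.2.2 dst=203.0.113.9 proto=tcp dport=22 action=allow
2013-05-05T09:16:00 src=192.168.2.21 dst=203.0.113.50 proto=tcp dport=443 action=allow
this line is not a log record
"""


def parse_line(line: str) -> dict | None:
    """Turn one 'ts k=v k=v ...' record into a dict, or None if it is malformed."""
    fields = dict(FIELD_RE.findall(line))
    if not {"src", "dst", "proto", "dport", "action"} <= fields.keys():
        return None
    if not fields["dport"].isdigit():
        return None
    fields["dport"] = int(fields["dport"])
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def audit(lines, gateway: str = GATEWAY, resolver: str = FILTER_RESOLVER,
          allowed: set[str] = REMOTE_ACCESS_ALLOWED) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, source host, finding type, detail) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] == gateway:
            # The gateway's own upstream queries are expected, as long as they
            # go to the filtering resolver and nowhere else.
            if rec["dport"] in DNS_PORTS and rec["dst"] != resolver:
                findings.append((rec["ts"], rec["src"], "gateway-dns",
                                 f"gateway queries {rec['dst']} rather than the filtering resolver"))
            continue
        if rec["dport"] in DNS_PORTS and rec["dst"] != gateway:
            findings.append((rec["ts"], rec["src"], "dns-bypass",
                             f"DNS to {rec['dst']} instead of the gateway"))
        tool = REMOTE_ACCESS_PORTS.get(rec["dport"])
        if tool and rec["src"] not in allowed:
            findings.append((rec["ts"], rec["src"], "remote-access",
                             f"{tool} session to {rec['dst']}"))
    return findings


def hosts_to_review(findings) -> Counter:
    """Count findings per source host so the noisiest workstations come first."""
    return Counter(src for _, src, _, _ in findings)


if __name__ == "__main__":
    found = audit(SAMPLE_LOG.splitlines())
    for f in found:
        print(*f)
    print(hosts_to_review(found).most_common())
```

The `dns-bypass` finding is the traffic-side signal that the host-level change to 8.8.8.8 has happened; the matching preventive control is an egress rule on the gateway that permits outbound port 53 only from the gateway itself, so that a workstation with altered resolver settings simply fails to resolve anything.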