06 May 2013

Internet Filtering Series -- Part VI (Dedicated Filtering)


The final lab in this series is a rather interesting one. Many larger entities such as multi-national corporations, research universities, government contractors, and even arms of state and national governments often aim for having a series of dedicated hardware meant to increase network security.

In this case, the equipment is often purchased from a major security vendor (e.g. Sophos, Barracuda, Cisco) and mounted in racks or cabinets in the network operations centre (NOC) or primary data centres of these entities. Commonly, the equipment includes Web monitoring/filtering, email & anti-spam appliances, firewalls, secured gateways, intrusion detection and prevention (IDS/IPS) capabilities, and centralised management that can integrate with an entity's network (such as with Windows Active Directory domains).

There is a "home" version of such an appliance put out by Sophos. It is free to download (you do have to register first), and actually does a very good job considering that it's geared for residential usage.

Also on a personal note, I've been involved with designing and implementing such a solution, it's rather fitting that I take a good look from multiple standpoints. Thus the lab contains an amalgam of several things I've actually either seen or had to address in the field. It was also partially done using physical equipment and partially via VMware.

Typical Real-World Scenarios Addressed: 

  • Agencies of a national government or military (e.g. to comply with FISMA in the United States) 
  • A multi-national corporation
  • Businesses and organisations that deal with highly-sensitive data (e.g. that which concerns financial, health, or national-security information that can be highly-damaging if leaked)
  • A major state/provincial research university
  • A major Internet Service Provider (ISP)  

Specific Scenario Details: 

You are Lloyd (or, if you're a woman, Luann) User, and you have been working for the government for about six months. Specifically, you are an agent for the Department of Redundancy Department. The department's headquarters are just outside of Washington, DC. Though you've heard of the notoriously-strict technology policies when you were hired, you didn't pay much heed to it as you figured you'd just work anyways. One day at lunch, you decide to try to upload some pictures from the football party you had last weekend to Facebook, but find that you can neither access Facebook in the browser, nor even access your "thumb drive."

Curiosity gets the better of you, and while you consider yourself more-knowledgeable than the "average PC user," you're far from being a "hacker." So, you decide to experiment and see if there's a way you could quietly go about your, ahem, business without being too brash about it...

Technical Details:

Network (mostly not shown; assume these are in place)


  • Subnet: 10.12.0. 0
  • Netmask: 255.255.224.0 (CIDR notation /19) 
  • Routers: 3 x Cisco 2621XM at 10.12.0.2 10.12.0.3 and 10.12.0.4 with Cisco IOS 12.4(25d)
  • Routing: OSPFv2 Area 0 (contains filtering appliance and the three routers) 
  • Number of Windows domain controllers (DCs): 5 (one showing up in the lab)
  • Simulated Domain Controller (DC) hostname: garfield
  • DC IP address: 10.12.0.6
  • Other DCs: peanuts (10.12.0.5), dilbert (10.12.0.7), pickles (10.12.0.8), heathcliff (10.12.0.9) 
  • Windows Domain: main.redundancy.msft
  • Windows Server level: Windows Server 2008 R2 for both forest and domain  
  • Other servers: archie (iSCSI SAN with Windows Storage Server 2008 R2, located 10.12.0.10), doonesbury (dedicated device-control server running Windows Server 2008 R2 SP1, located 10.12.0.11), blondie (print server running Windows Server 2008 R2 SP1, located 10.12.0.12), maryworth (Red Hat EL 6 email server for Group A located at 10.12.0.13), beetlebailey (Red Hat EL 6 email server for group B located at 10.12.0.14), princevaliant (Red Hat EL 6 email server for Group C located at 10.12.0.15), shoe (database server with Server 2012 and MS-SQL Server 2012 located at 10.12.0.16), and Unitrends backup devices located at 10.12.0.17-20).  
  • Approximate number of devices: 4900 (includes all workstations, servers, approved wireless devices, networked printers, network equipment, remote connections, etc.) 
  • DNS handled through the appliance and for AD, on the DCs. 
  • ISP: Acme Internet Services (Anytown, USA) with a premium business-class broadband connection and a nice little government contract

Appliance 

  • Software: Sophos UTM 9.1, distribution of Linux, installed from ISO on a converted workstation (represented by a VMware virtual machine running the home edition)
  • Network cards: 3 x Intel e1000 cards
  • 2GB RAM, 60 GB hard drive
  • IP Address: 10.12.0.4
  • Part of a larger system that was recently implemented
  • Routing enabled, and can communicate with the Cisco routers
  • Has the capabilities to do web filtering, serve as a stateful firewall, control FTP, and perform application control 
  • Can also manage wireless connections, do NAT, and detect/prevent network intrusion attempts
  • Logs practically everything that contacts the device and sends frequent reports to the IT staff and Human Resources

Workstation

  • Hardware Simulated: Generic 64-bit business-class workstation with 1024 MB RAM, and using a (simulated) SCSI-based hard drive with a 36 GB partition
  • OS: Windows 7 Enterprise SP1 
  • PC is fully-updated through January 2012
  • Anti-Malware: McAfee VirusScan Enterprise (trial), definitions and components up to date.
  • Several "typical" programs are installed including Microsoft Office, iTunes, FileZilla, some general business/accounting software, TeamViewer, MobiXTerm and Spybot
  • IP address of PC: 10.12.2.159
  • Netmask: 255.255.255.128 (/25 in CIDR notation) 
  • Network Type: Windows domain; network drives in place (not mapped for brevity)

Filtering Policy: Extremely Strict, but can be overridden by specified administrators.

Major Categories/sites blocked (some of which were built from smaller ones and the Sophos defaults): 

  • Alcohol and Tobacco
  • Chat
  • Computer Abuse and Hacking
  • Dating
  • Discrimination and Hate
  • Drugs
  • Entertainment and Culture
  • Gambling
  • Illegal (unspecified)
  • Job Search
  • Lingerie/Intimate/Swimsuits
  • Miscellaneous
  • Nudity
  • Pornography and Sexuality
  • Private Homepages (except local intranet)
  • Shopping and e-Commerce
  • Social Networking
  • Suspicious
  • Weapons
  • Any site or resource containing spyware or malware
  • Browser-based chats
  • Personal webmail such as: Windows Live, Hotmail, Gmail, Yahoo Mail
  • Remote Access sites such as GoToMyPC, LogMeIn, and NoMachine NX
  • Downloads are blocked for multiple categories, including executables, tar archives, and bat/cmd (Windows/DOS/NT batch) files.
  • FTP proxy in place subject to most of the above
  • Pinholes exist to provide access to internal resource such as the local intranet and network resources.  

Notes/Assumptions:

  • It's your workstation, so you obviously have physical access
  • You manage to pop into the computer's BIOS and find everything locked. So, you can rule out any sort of approach that employs booting to an alternate operating system. 
  • Your department was deemed to not require flash drives as you have extensive space on the network shares, and you also have limited access to your workstation whilst "on the road" by way of a company-issued laptop that is locked down at least as much as your "regular" workstation 
  • Agency forbids bring-your-own-device (BYOD), so that option is out
  • Within Windows, you don't have access to USB or optical devices (there is no floppy or tape drive) due to "software restrictions" 
  • The cause of the arguably-draconian policies involved low productivity by office staff coupled with three major incidents involving confidential and/or classified material held and accessed by the department that happened not long before you started. Software restrictions were placed to deter the more "cunning" users from trying to get around the web appliances 
  • The department's IT and HR personnel have numerous ways to tell if you're trying to circumvent the filtering--and the related restriction policies
  • Your supervisor does have more access to content, and passes it to you on a "need-to-know" basis 
  • Assume you do not have the resources, time, etc. to thoroughly conduct a social-engineering campaign against some of the more "weaker" staff in the IT department, and therefore cannot rely on that method 

Goals of This Lab: 

You are to attempt to bypass the web-filtering appliance, and do so in such a way so as to not draw any more attention to yourself than necessary.

If you do find a way around, you are to document it.

Test Sites Used: 
  • Facebook (https://www.facebook.com)
  • Fling (http://www.fling.com)
  • Craigslist (http://www.craigslist.org)
  • PlentyOfFish (http://www.pof.com)
  • MLB (http://mlb.mlb.com)
  • Playboy (http://www.playboy.com)
  • YouTube (http://www.youtube.com)
  • RealClearPolitics (http://www.realclearpolitics.com)
  • Tor Project (https://www.torproject.org)
  • Hide My Ass! (http://www.hidemyass.com)
  • Peacefire.org (http://www.peacefire.org)
  • Vatican.va (http://www.vatican.va)

All sites were verified to be blocked after the filter was set up.

Results: 

Strategies Considered:

  • Using a secure connection to a remote server to access banned content
  • Smuggling Tor in via renamed file (would require access to remote server that isn't likely to be blocked--as CD/DVD and USB drives are locked down) 
  • Using a portable device with a mobile carrier despite the prohibition (e.g. a smartphone, or iPad with mobile hotspot--to quiet it down, SSID broadcasts would need to be stopped; the downside is that the device may be unable to connect to the "unfettered" connection)
  • Attempting to "space out" circumvention attempts in the hopes that they might be overlooked with "regular" traffic coming in and out--a sort of "camouflage" (in other words not stand out too much should somebody decide to sniff through the device logs 

Software downloaded and executed: 

  • Teamviewer: Got it to download and run but not install
  • WinRAR did download, but was caught by the Sophos appliance and scanned first. It also required admin credentials--so this was a successful download, but failed execution 

Methods used to circumvent: 

  • X11 Forward. Using an Oracle Solaris 11.1 box under my control and configured for X11 forwarding over SSH, I was able to use a portable version of MobiXTerm after managing to shut down the firewall via services.msc. 
    • Like the previous labs, this resulted in access of all 12 sites, and somehow didn't register on the Sophos UTM logs (but it is possible that it would--and that my attempt was merely a stroke of luck in this regard, so one would have to be VERY careful with this method)
  • TeamViewer. This was installed on the workstations for legitimate usage. However, I found that I could connect to a separate Windows box outside the filter with a separate install of TeamViewer and access the sites
    • HOWEVER, this was "caught" (see below)

Methods attempted, but unsuccessful: 

  • Proxy sites. This method only works with new proxy sites that literally came out in the last 24 hours. Like the previous lab, I set up another test circumventor site on another PC and got through. The filtering companies though are often great at weeding them out by IPv4 address rather quickly. I put this in unsuccessful because it's a temporary circumvention that may last for merely a couple of hours--and would force a user to come up with a newly-undiscovered proxy on the fly. I did try "Hide my ASS" and that was blocked 
  • Any sort of removable media. Couldn't open it
  • PuTTY Method. PuTTY would not connect to an outside SSH server running on port 4222. A view at the appliance logs shows that it dropped the connection AND registered the attempt
  • Tor. I managed to smuggle it aboard by copying it onto my private FTP domain, and then using the included WinSCP software to connect and download it to the workstation. By running it from the desktop, Vidalia was able to start, but in four attempts, it stalled at "Establishing an encrypted directory connection" and thus didn't work even after letting it sit for 10 minutes. 
  • Circumventor site. For some reason (perhaps sheer luck), I couldn't use my "circumventor" site as recommended on Peacefire. I suspect that this would work in theory as a "one-trick-pony" but would be quickly discovered and blocked on the appliance. 


Methods Not Tried (involves hacking): 

  • Anything that would involve gaining administrative access over the domain (or even merely the Web appliance). 
    • One method that could conceivably be employed would involve the usage of multiple PwnPlugs (available from the good folks at Pwnie Express for anywhere between $200-$600 per unit--the higher-end ones are 3G capable and even more stealthy; that would require a separate 3G data plan from a GSM-based mobile carrier such as AT&T)  
  • Attempting to quietly remove the hard drive, mount it at home with a USB to SATA & IDE cable, and put the "illicit" software on it. This might fail for numerous reasons
  • Attempting to swap out the hard drive with a near-identical one with Linux, BSD, UNIX, etc. installed instead of Windows. On the upside, this would bypass the software restrictions and enable the transfer/running of software. On the downside, this would be discovered rather quickly as a simple casual analysis would show a non-Windows workstation floating around--tracking down the IP and MAC address could rather easily lead back to you.
Recommendations to Help Avoid Successful Circumvention of Dedicated Appliances: 
  • Set a reasonable filtering policy, and consider allowing "relaxed" access to social networks, sports, and the like during lunch periods and after normal business hours or shift-changes (shift-change relaxation could be done, for example, by providing a relaxed PC in the break room with a note saying to make sure an employe clocks out before logging on). 
    • The stricter the policy, the more people are going to be driven to try and find ways around it, which in turn may pose even more problems, and not just in terms of morale
    • Do note that "relaxed" access may not necessarily be an option, particularly in office settings when people can vary on when they take breaks and lunches. 
  • Rethink the policies that govern control of what programs go on the computer. Some vendors offer additional products or services that can enhance the web filtering by scanning USB drives.
    • It's also possible to get someone in the IT department to write policies or scripts that will prohibit non-administrators from running install programs and "portable" apps, or make the case for using technology like AppLocker. 
  • Watch what apps that allow for remote access are installed, and if possible, restrict who has access to those apps, and who can run them.  
  • The circumvention method involving the Tor browser bundle was blocked by a combination of application control and firewall policies. 
    • Firewall policies might not be enough, as a savvy user could simply attempt to change the ports--or let the folks at Tor know that ports 9050 and 9051 are commonly used by Tor products and are likely to be blocked. 
  • Group Policy settings to enforce restrictions on common tools such as Regedit and cmd, and only allow applications meeting certain criteria to execute are probably a wise idea. For example, a failure to draw a command prompt or PowerShell without domain admin or server-operator credentials limits options for crackers and may force their hand in terms of their attempts to gain access. However, the downsides to this scenario are: 
    • it is likely overkill as the Sophos UTM could block most "evil" programs that require access to the outside to function; and 
    • it can unintentionally hamper legitimate applications and services in their execution.  
  • Remember that no method is foolproof, and that anyone with sufficient resources and time WILL figure out ways to get in and circumvent the filtering. In this case, Lloyd figured out that he could use a portable copy of MobiXTerm at work to gain access to a Linux PC at home and do his surfing from there--particularly given that Teamviewer is being logged. 
    • He could also risk it with Teamviewer and pray that his connections are judged to be innocuous enough to not be caught
    • However, IT may catch on and watch WHERE the Teamviewer and/or SSH connections are coming and going 

End Notes:
  • While I do overcome the Sophos UTM in this lab, I do wish to stress that it's not a failing of the system itself but rather of the policies that the administrator used; stronger policies did in fact stop the successful methods dead in their tracks. 
    • Thus I still recommend it as the price is right and in many cases, the mods that need to be done to an old PC would be to ensure ample memory and hard-disk space as well as an additional network card
  • The logging features also mean that both of these attempts aren't long-term solutions--the longer and "heavier" people use them, the more likely the people employing these techniques are going to be busted
  • Many companies use top-of-the-line equipment that provides a lot more features--and usually has a competent systems admin versed in security at its helm
  • This point also differentiates this lab from the previous three--the other three required the "attacker" to work around the technology whereas this one was much more of an attack against policies and possible misconfigurations. 
Go back to Part V

Go to Part VII

No comments:

Post a Comment