Internet Content Filtering

By Author: Abhilas Sonwane
Total Articles: 18
Comment this article

"To companies and schools, proxy sites are a red flag. It could be a security threat - becoming an entry point for malware, it could be a data leakage point - or it could mean users accessing social networking sites or downloading streaming audio-video rather than be on work. Then there's the threat of legal liability, because ultimately it is your company or school that is legally liable for any misdemeanors by the users from within the internal network.

We've covered this threat in our latest version release - 9.5.4.66 - with HTTPS URL filtering. Cyberoam now blocks web-based proxies and malicious websites hosted over SSL. Plus it gives detailed reporting of all activity on the HTTPS protocol with the username and the blocked attempts. You can check the user and view all the proxy sites accessed by him / her. Or check the other way round. You can pick a particular proxy site and look for all the users who have accessed the site.

SSL tunnels hide user activity and the result is anonymous surfing. Originally meant for students who set out to bypass school content filters, today it is a larger threat to corporate ...
... networks too. Trouble is users can access practically any blocked website through web-based proxies, bypassing existing content filters. They enter the innocuous URL of a proxy site and once on the site, they can access webmail, IM, P2P, streaming media, social networking and much more - all the stuff that is banned or controlled in organizations for fear of security threats.

Well, the sites that the employee or student has accessed may install drive-by malware downloads, the user might upload sensitive information, or visit sites that could bring on legal liability to the company. Regulatory compliances remain unfulfilled in such cases, security and productivity are under threat, bandwidth could become scarce and what's more, there are no logs to prove that the user has accessed unwelcome sites - so there goes forensics.

So how does Cyberoam secure against web-based proxy access? 3 ways in which it does it -
Cyberoam has categorized known proxy sites under the category URL Translation Sites. With proxy sites increasing each day, its site database is constantly being updated to include them. But considering the rate at which they spawn, this does leave some new uncategorized ones out there at a given point in time. So if there are some that you come across that are being accessed from your network, for an instant fix, the first thing you should do is add them to your custom site category list. At the same time, submitting the URL to our WebCat team through http://csc.cyberoam.com/cyberoamsupport/webpages/webcat/webcathome.jsp would ensure the site's addition to the Cyberoam database and would be available in the regular updates.

Cyberoam also validates the SSL certificate to filter out HTTPS URLs. What you need to do is enable certificate-based categorization for HTTPS from Internet Access Policy. You can update your default access policy for all users or if you want to block HTTPS URLs for a particular user, attach it to the particular username. This will block attempts to bypass the web content filter and sites hosted on SSL.

Now suppose, you see significant or consistent access to a particular blocked site via proxy sites and you would like to block access through any proxy site. IPS signature allows you to create signatures for these specific sites. Let's say you want to block www.sex.com whichever proxy is being used to access it. In either case, create an IPS signature for the site and apply it to the firewall rule. And you can assign the policy to a particular user, or a group or create a blanket policy for the entire organization. That does the blocking.

There's more to version 9.5.4.66, but considering the importance proxy-based surfing holds to organizational security, I felt it's best to take the rest in a separate post. But to give you a brief on what more has come out - Cyberoam site categories have gone up to 82 and the additions are all to do with the latest trends in Internet surfing. And then there's visibility of documents uploaded over HTTP - you'd know the user who has done the uploading. The full release is on http://www.cyberoam.com/versionrelease.html"