Security, Compliance & Awareness
New Challenges To Egress Filtering
Egress controls are a core feature of the information security strategy of most organizations. By breaking the direct link between users on the trusted network and computers in untrusted zones (e.g. the internet), they play a critical role in protecting against attacks that involve a protected computer connecting out to an attacker on the internet. Egress controls can also provide a valuable audit trail of all user access to the outside world, which can be critically important in the investigation of security incidents.
However, new technologies and widely used mainstream applications (particularly in the field of instant messaging) are beginning to consciously set out to circumvent traditional egress controls. There are several different (and conflicting) agendas involved here, and it will be interesting to see how they develop. In the meantime, in the light of these developments, those responsible for securing corporations and government agencies need to start re-examining their approach to egress controls.
Circumventing Egress Controls - The Sociopolitical Agenda
In recent times, HTTP proxies have been the cornerstone of egress controls; most perimeter defences are configured to require all HTTP traffic to go through the proxy. Additionally, and most important from a control perspective, by concentrating all user access to the internet through proxy servers, the proxy can provide an audit trail of all user access.
This orthodox approach to egress control has given rise to some issues that were far from the minds of the corporate security people who first developed these control methods - most notably, the plight of dissidents in totalitarian regimes. The response of governments and human rights campaigners in the free world to assist the downtrodden victims of such regimes has inadvertently set in process a chain of technological innovation that will pose some major challenges for the information security regimes of corporations and government bodies around the world.
In an attempt to control communication with the outside world, totalitarian regimes are increasingly using similar types of technologies to those employed by corporate administrators, particularly when it comes to egress controls. Most importantly, this includes the use of packet-filtering firewalls, and content-filtering proxies. As part of a broad human rights driven agenda, organisations in the free world are seeking to assist oppressed minorities by developing tools and techniques that can allow those minorities to circumvent the egress controls imposed by totalitarian governments. In so doing, they are simultaneously making new technologies available that have the potential to totally undermine the legitimate egress controls that many organizations have in place as a fundamental part of their network security strategy.
The best example of this is known as The Onion Router, or TOR. TOR is being developed by the Electronic Frontier Foundation (EFF), in furtherance of their mission to "fight [digital] measures that threaten basic human rights". The thinking behind TOR is that much of the ability of the proxy to serve as an instrument of control (or an instrument of repression, depending on context and viewpoint) turns on its ability to identify, log and/or block all traffic on its way to or from the Internet. TOR recognizes that if a user can encrypt or anonymise their traffic, it will become extremely difficult for a totalitarian state controller to determine who is responsible for any given internet access, or to inspect and block dissenting content. TOR's goal is therefore to bring anonymising technology to the masses, by making it simple and easy to use.
The technology behind TOR is called "Onion Routing", and the theory behind it has been in development for a number of years. The Freehaven Project maintains a list of academic papers in this field, dating back as far as 1981. For our purposes, it has three important attributes that administrators need to be aware of. Firstly, TOR works by "laundering" a user's traffic through a large number of intermediate nodes. Secondly, TOR encrypts all traffic between nodes, preventing intermediate devices (like your proxy, performing traffic validation and logging) from reading the conversation. Finally, TOR sends all traffic over ports commonly allowed through firewalls (specifically, TCP ports 80, 443, 9001 and 9031).
When a TOR proxy (usually installed on the user's desktop) is initialised, it gets a list of all TOR server nodes from a set of fixed "directory servers" out on the internet. Each time a user establishes a new connection (e.g. browsing to a new webpage, connecting to a server to retrieve email), the TOR proxy picks a new set of nodes to route that connection's traffic through. This means that if someone in your network can talk to the directory servers and can make connections to internet devices on port 80 (HTTP) or 443 (HTTPS), that person can effectively circumvent all your egress controls and prevent you from examining their traffic. That means that users might be able to get to services normally banned by your security policy, such as peer-to-peer file sharing or online gaming. What's worse, TOR allows users to publish services on the TOR network and allow any Tor-enabled user to access them. A user could therefore install a web server or P2P server on their desktop and allow internet users to connect to it, regardless of a firewall rule at your perimeter preventing external devices from connecting to internal desktops.
In short, this kind of technology is good news for dissidents but potentially bad news for information security professionals in the free world. At this point, we should stress that we are not in any way critical of the efforts and underlying motives of those involved in supporting the victims of totalitarian regimes. On the contrary, we applaud these activities. However, what we are saying is that information security professionals need to understand what these newly available technologies can do, and consider how to address their potential impact if they start to become deployed (as they inevitably will) by users in corporations and government agencies in the free world.
Circumventing Egress Controls - The Application Developer's Agenda
The other development that is challenging the traditional approach to egress control is the widespread availability and take-up of applications (such as instant messaging) that are designed to circumvent traditional egress controls and make life "easier" for users. This phenomenon flows from the fact that orthodox notions of egress control dictate that if perimeter defences are configured to require all HTTP traffic to go through a proxy, firewalls can (and should) block all direct traffic between desktops and the outside world, because there's no business need for most users to use any other protocol. This works fine for the majority of users who simply want to browse the web and send email, but puts an inconvenient roadblock in the way of those who want (or need) to use other applications, such as instant messaging.
Developers of instant messaging applications have therefore (in the interests of usability) built into their applications ways of circumventing traditional egress controls. Instant messaging clients, like MSN Messenger and AOL Instant Messenger, have been able to use HTTP as a transport for a few years now. Most recently the Voice over IP (VoIP) application Skype was designed to circumvent egress controls in a number of different ways, some of them similar to TOR's techniques. Given the taste of freedom provided by these applications, it is likely that users will begin to expect that all applications will just work, altering their perception of the role of security controls.
This combination of new technologies to assist dissidents in totalitarian regimes to circumvent national egress controls, coupled with the widespread popularity amongst users of day to day applications that employ conceptually similar techniques to manage the "problem" of egress filtering for users, is going to start providing those charged with managing information security in corporations and government bodies some real headaches in the near future. In particular, they are going to have to take a hard look at how they manage egress controls, and they will need to come up with some new approaches.
What To Do?
So, what controls are available to preserve the integrity of your perimeter, and to carry on monitoring user access for audit purposes? Whitedust has made some recommendations, which we think are sensible.
In order to specifically thwart TOR, we recommend you alter your perimeter controls to prevent any access to the three directory servers it relies on. This prevents Tor installations from obtaining a list of server nodes, effectively preventing communication.
Wherever possible, don't allow end-user devices to establish connections directly to hosts on the internet (e.g. through NAT). Instead, require connections to be mediated by proxy servers, and use proxy servers that perform validation to ensure that the traffic is what it claims to be. Please remember that if you log staff access, you should notify staff of this monitoring, at least as part of your "Acceptable Use" policy.
Finally, consider locking down desktops, preventing end-users from having Administrator privileges. This can assist in preventing users from altering the configuration of devices, especially installing untrusted applications. As always, controls should only be implemented as part of a broader risk management program, and only where they can be justified by genuine business needs.
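To show how the behaviour described earlier (desktops fetching the node list from directory servers, relay traffic on the ports the article lists, and direct web connections that bypass the proxy) can be picked up from perimeter logs, here is an added review script; it is not Safecoms' or Whitedust's code. It assumes a simple "src dst dport action" log format, an internal subnet and proxy address, and a placeholder directory-server address, all of which are constructed for the example.

```python
"""Review outbound firewall log lines for Tor-related and proxy-bypassing traffic.
Added example (not the article's own tooling). Log format, addresses and the
directory-server list are constructed placeholders for illustration only."""
from ipaddress import ip_address, ip_network

DESKTOP_NET = ip_network("10.0.0.0/8")       # assumed internal user subnet
PROXY_HOST = ip_address("10.0.0.5")          # assumed approved HTTP proxy
TOR_ONLY_PORTS = {9001, 9031}                # ports the article attributes to Tor
WEB_PORTS = {80, 443}                        # also used by Tor, and by everyone
# Placeholder only: replace with the real directory-server addresses
DIRECTORY_SERVERS = {ip_address("203.0.113.10")}   # constructed (TEST-NET-3)

def classify(line):
    """Return the findings for one 'src dst dport action' line ([] if benign)."""
    src, dst, dport, action = line.split()
    src, dst, dport = ip_address(src), ip_address(dst), int(dport)
    findings = []
    if src not in DESKTOP_NET or dst in DESKTOP_NET:
        return findings          # only outbound traffic from user desktops matters
    if action != "ALLOW":
        return findings          # already blocked at the perimeter
    if dst in DIRECTORY_SERVERS:
        findings.append("tor-directory-server")
    if dport in TOR_ONLY_PORTS:
        findings.append("tor-port")
    if dport in WEB_PORTS and src != PROXY_HOST:
        findings.append("direct-web-bypassing-proxy")
    return findings

def review(lines):
    """Map each suspicious line to its findings; benign lines are left out."""
    return {line: f for line in lines if (f := classify(line))}

SAMPLE_LOG = [  # constructed sample lines: src dst dport action
    "10.0.0.5 198.51.100.20 443 ALLOW",    # the proxy itself: expected traffic
    "10.0.1.17 198.51.100.20 443 ALLOW",   # desktop going direct, bypassing proxy
    "10.0.1.17 203.0.113.10 80 ALLOW",     # desktop fetching the Tor node list
    "10.0.1.23 192.0.2.77 9001 ALLOW",     # connection to a Tor relay port
    "10.0.1.23 192.0.2.77 9001 DENY",      # blocked at the perimeter, nothing to raise
    "10.0.1.9 10.0.2.4 80 ALLOW",          # internal to internal, ignored
]

if __name__ == "__main__":
    for line, findings in review(SAMPLE_LOG).items():
        print(line, "->", ", ".join(findings))
```

Port-based matching alone will not catch Tor traffic on 80 or 443, which is why the article's advice to force all web traffic through a validating proxy matters more than any port list.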
Simon Brown
Security Consultant
If you would like to find out more about this topic or any of the issues raised in this article, or if you are interested in validating and modernizing the information security regime of your organization, please call the Safecoms team on 02 8234 4000 or email us at info@safecoms.com.au
InfoAware
InfoAware is our training solution for User Awareness, IT Staff Awareness and Information Governance. Covering all the relevant topics required by international standards such as ISO 17799, it comprises a multimedia Video/DVD and Learning Management System. InfoAware is easy to deploy over the Intranet and can be used for induction and refresher training courses. InfoAware takes users through a multi-choice question and answer session on each topic and allows organisations to deploy additional training material and policy documents to all staff.
More details can be found at www.infoaware.com
Contact
Safecoms has operations in the UK and Australia, with representatives in the USA, Asia and the West of Scotland. If you would like someone from Safecoms to contact you please email us at info@safecoms.co.uk