"To companies and schools, proxy sites are a red flag. A proxy site could be a security threat, becoming an entry point for malware; it could be a data leakage point; or it could mean users accessing social networking sites or downloading streaming audio-video rather than working. Then there's the threat of legal liability, because ultimately it is your company or school that is legally liable for any misdemeanors by the users from within the internal network.
We've covered this threat in our latest version release, 9.5.4.66, with HTTPS URL filtering. Cyberoam now blocks web-based proxies and malicious websites hosted over SSL. Plus it gives detailed reporting of all activity on the HTTPS protocol with the username and the blocked attempts. You can check the user and view all the proxy sites accessed by him or her. Or check the other way round: you can pick a particular proxy site and look for all the users who have accessed the site.
SSL tunnels hide user activity and the result is anonymous surfing. Originally meant for students who set out to bypass school content filters, today it is a larger threat to corporate networks too. Trouble is, users can access practically any blocked website through web-based proxies, bypassing existing content filters. They enter the innocuous URL of a proxy site and once on the site, they can access webmail, IM, P2P, streaming media, social networking and much more: all the stuff that is banned or controlled in organizations for fear of security threats.
Well, the sites that the employee or student has accessed may install drive-by malware downloads, the user might upload sensitive information, or visit sites that could bring on legal liability to the company. Regulatory compliances remain unfulfilled in such cases, security and productivity are under threat, bandwidth could become scarce and what's more, there are no logs to prove that the user has accessed unwelcome sites, so there goes forensics.
So how does Cyberoam secure against web-based proxy access? It does it in 3 ways. Cyberoam has categorized known proxy sites under the category URL Translation Sites. With proxy sites increasing each day, its site database is constantly being updated to include them. But considering the rate at which they spawn, this does leave some new uncategorized ones out there at a given point in time. So if there are some that you come across that are being accessed from your network, for an instant fix, the first thing you should do is add them to your custom site category list. At the same time, submitting the URL to our WebCat team through http://csc.cyberoam.com/cyberoamsupport/webpages/webcat/webcathome.jsp would ensure the site's addition to the Cyberoam database and would be available in the regular updates.
Cyberoam also validates the SSL certificate to filter out HTTPS URLs. What you need to do is enable certificate-based categorization for HTTPS from Internet Access Policy. You can update your default access policy for all users or if you want to block HTTPS URLs for a particular user, attach it to the particular username. This will block attempts to bypass the web content filter and sites hosted on SSL.
Now suppose you see significant or consistent access to a particular blocked site via proxy sites and you would like to block access through any proxy site. IPS signature allows you to create signatures for these specific sites. Let's say you want to block www.sex.com whichever proxy is being used to access it. In either case, create an IPS signature for the site and apply it to the firewall rule. And you can assign the policy to a particular user, or a group or create a blanket policy for the entire organization. That does the blocking.
There's more to version 9.5.4.66, but considering the importance proxy-based surfing holds to organizational security, I felt it's best to take the rest in a separate post. But to give you a brief on what more has come out: Cyberoam site categories have gone up to 82 and the additions are all to do with the latest trends in Internet surfing. And then there's visibility of documents uploaded over HTTP, so you'd know the user who has done the uploading. The full release is on http://www.cyberoam.com/versionrelease.html"
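The certificate-based categorization and the per-user / per-site reporting described in the post above, as an added sketch that is not Cyberoam's code: it assumes the filter reads the host names on the server certificate (CN and SAN entries) and looks them up by domain suffix, custom list first. The `.test` domains, users and events are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: domain suffix -> category (not a real database).
VENDOR_DB = {"proxy-example.test": "URL Translation Sites",
             "news-example.test": "News"}
# Admin-maintained custom list for proxies the vendor list has not caught yet.
CUSTOM_DB = {"newproxy-example.test": "URL Translation Sites"}
BLOCKED = {"URL Translation Sites"}

def categorize(name):
    """Longest-suffix lookup of one certificate name; custom list wins."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # wildcard certificate name
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels) - 1):   # never match on the bare TLD
        suffix = ".".join(labels[i:])
        for db in (CUSTOM_DB, VENDOR_DB):
            if suffix in db:
                return db[suffix]
    return "Uncategorized"

def decide(cert_names):
    """Block when any name on the certificate is in a blocked category."""
    cats = sorted({categorize(n) for n in cert_names})
    action = "block" if BLOCKED.intersection(cats) else "allow"
    return action, cats

def report(events):
    """Index blocked attempts both ways: sites per user and users per site."""
    by_user, by_site = defaultdict(set), defaultdict(set)
    for user, cert_names in events:
        if decide(cert_names)[0] == "block":
            site = cert_names[0]
            by_user[user].add(site)
            by_site[site].add(user)
    return by_user, by_site

# Constructed events: (authenticated user, names on the server certificate).
EVENTS = [
    ("alice", ["www.proxy-example.test"]),
    ("bob", ["*.newproxy-example.test", "newproxy-example.test"]),
    ("alice", ["www.news-example.test"]),
    ("carol", ["www.proxy-example.test"]),
]

if __name__ == "__main__":
    users, sites = report(EVENTS)
    print(dict(users))
    print(dict(sites))
```

A certificate names hosts, not paths, so the decision is per host; a newly spawned proxy stays "Uncategorized" and allowed until it is added to one of the lists.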
Educational institutions use a content filtering Internet proxy for two major reasons: to protect the students and the school itself. It is widely believed that with filters operating in classrooms and campus libraries, the students will have less opportunity to view obscene, values-eroding materials like pornography, and that the filters will prevent them from peeking into their favorite social networks and keep them on-task while they are online. Educators are also concerned about intrusions of objectionable materials, and the reassuring presence of filters gives the parents and the community at large the peace of mind that their children are insulated from the smut that litters the Internet.
While the objectives are noble, still, the question arises as to whether a school should use a content filtering proxy in view of the following considerations:
Instead of discouraging students from connecting to smut sites, content filters oftentimes challenge students to go around or try to beat the “system,” thereby having the opposite effect of motivating or increasing attention to restricted obscene sites. Since the content filtering proxy is devoid of human judgment on what is appropriate and what is not, it may have too narrow or too broad a definition of what is obscene. The result is that the filter may only block sites with patently sexual content but fail to filter out sites that have subtle but disturbingly violent, hate-filled or discriminatory undertones. On the other extreme end, the parameters of a content filter may be so encompassing that it may limit access to sites that are vital to researchers. For instance, a student doing research work on breast cancer may be locked out of her classroom computer once she keys in “breast cancer” to search for the appropriate site because of the word “breast,” which is deemed sexually offending.
America is the world’s showcase of democracy and it has spent a lot of treasure and sacrificed many lives on the altar of freedom. No less than its educational system is in the forefront of teaching the many aspects of democracy such as the freedom of speech and the freedom of choice to students who will one day lead the country armed with what they have learned in school. The use of a content filtering proxy which limits the choice of sites of students not only restricts their ability to get both sides of an issue, but confuses them as well on the nobleness of intentions of an institution that is supposed to promote, and not suppress, civil liberties.
Removing the choice of what one can view and not view and placing that authority on a single person or a specialized software called “content filtering proxy” may run counter to the basic notion that a school is the cradle of democratic ideals. The better way is to hand-hold children to help them define their values so that they will be better equipped in determining for themselves what is appropriate and what is not.
Both Abhilash Sonwane & Alex Gwen Thomson are contributors for EditorialToday. The above articles have been edited for relevancy and timeliness.
Abhilash Sonwane has since written articles on various topics, from Online Security to Broadband. Abhilash Sonwane is the Vice President of Product Management, Cyberoam.