Today, the Internet can be an infinite resource, allowing people access to a plethora of information and news. People graduating from college now have never known a world without Internet access, and it’s usually been unrestricted. However, whoever controls the network connections can potentially control the network content. And whether that control is in the hands of a company choosing to restrict certain websites or a national government enforcing its internal philosophy, free rein can be quickly taken away.
Network content control is a controversial issue. Many companies in the United States choose to implement some level of Internet filtering. Obviously, web browsing can be a huge distraction – how many times have you done non-work related browsing while on the job? There are also more compelling business reasons to limit Internet browsing: US courts have ruled that merely allowing access to content which is “adult” or NSFW (Not Safe For Work) can be considered evidence in sexual harassment or discrimination lawsuits for contributing to a hostile work environment.
Then there’s the basic issue of cost: a company has to choose whether to pay more money for a faster Internet link, and if recreational traffic takes a significant portion of that bandwidth, the decision is essentially whether to subsidize personal Internet use at the company’s expense. A company makes a similar decision regarding whether to provide free coffee. There are a lot of issues, and it’s easy for employees to forget that the Internet at work is a perk, not a right.
The more visible side of the Internet filtering controversy is expressed in a single word: censorship. The current situation in Iran (and China, Syria, Kazakhstan, Saudi Arabia, South Korea, and far too many others) stands as an example of nationwide Internet filtering. To return to the earlier analogy, a business doesn’t have to provide free coffee, but it’s not legal in the US to ban its employees from drinking coffee at home, especially if the company controls where the employees live and prevents them from living or working somewhere else.
In Iran, there has been a recent increase in the level and sophistication of filtering. The timing is likely related to the annual protests on 25 Bahman (14 February), perhaps driven by a fear of the role the Internet played as an organizational tool for the Arab Spring revolutions. Secure HTTPS encryption has been blocked for many websites, including Gmail, Facebook, as well as some Western news sites. Interestingly, cleartext connections aren’t necessarily blocked, implying that the goal is not to block access, but to allow content monitoring. Analysis by Team Cymru shows that the control is implemented above Layer 4: rather than simply blocking access to port 443, the TCP 3-way handshake is allowed to complete, but the SSL handshake and key exchange are blocked.
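The distinction Team Cymru drew, a completed TCP handshake followed by a failed SSL/TLS handshake, is something a network engineer can check directly from an endpoint when diagnosing where a filter sits on a path. The probe below is an added example written for this article, not code from the article or from Team Cymru; it separates the two layers and reports which one failed. The two local helper listeners are stand-ins that simulate each blocking behaviour on the loopback interface so the probe can be exercised without any real filtered network.

```python
"""Active probe to tell a Layer-4 block from a block of the SSL/TLS handshake.

Added example, not part of the original article. Three outcomes:
  tcp_blocked  - no TCP connection at all (port filtered or unreachable)
  tls_blocked  - the TCP 3-way handshake completes, the TLS handshake never does
  ok           - the TLS handshake completes
The middle case is the pattern the text describes: TCP is left alone and only
the ClientHello/ServerHello exchange is stopped.
"""
import socket
import ssl
import threading


def probe_https(host, port=443, timeout=3.0):
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_blocked"
    ctx = ssl.create_default_context()
    # Certificate validity is irrelevant here: the question is only whether
    # the handshake is allowed to happen at all.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket() on an already connected socket performs the handshake now.
        tls = ctx.wrap_socket(sock, server_hostname=host)
        tls.close()
        return "ok"
    except OSError:
        # ssl.SSLError, ConnectionResetError and socket timeouts all derive
        # from OSError, so one clause covers every way the handshake can die.
        sock.close()
        return "tls_blocked"


def start_tcp_only_listener():
    """Local simulation (assumption, not a real filter) of a device that lets the
    TCP handshake complete and then kills the session when the ClientHello
    arrives. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(1024)  # swallow the ClientHello and never answer it
        except OSError:
            pass
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def closed_local_port():
    """A loopback port with no listener, simulating a plain Layer-4 block."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("simulated TLS-level block :", probe_https("127.0.0.1", start_tcp_only_listener()))
    print("simulated TCP-level block :", probe_https("127.0.0.1", closed_local_port()))
```

Run against a real destination, the same function distinguishes a port that is simply unreachable from one where the session is torn down only once the TLS handshake begins, which is the signature of inspection above Layer 4.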
From a technology perspective, the blocking appears to be using Deep Packet Inspection (DPI), similar to the so-called “Great Firewall of China”. While the hardware requirements (and costs) are higher for DPI analysis, the coverage is not limited to a single port. The willingness to spend money on more sophisticated filtering shows a level of determination in the Iranian government which is matched by the determination of Internet and Free Speech activists to bypass those restrictions.
Bypassing and Protecting Network Filtering
Network controls can generally be bypassed in two different ways: proxies and VPNs.
A proxy is a server which works with your web browser to provide access to content through a level of redirection. Your web browser connects to the proxy, tells it what site to look up, and the proxy fetches the site and returns the contents. A proxy by its nature is an active man-in-the-middle, acting as a server from your perspective and as a client from the end website perspective. The gamble when using a proxy for transmission of sensitive information is whether you trust whoever runs the proxy, because they have access to the content you’re uploading and downloading. There are two general types of proxy: web-based and browser-based.
Web-based proxies are the easiest to use: just browse to the proxy like any other web page, enter the URL you want to reach, and the proxy fetches that page and returns it to you. The difference between using a web-based proxy and browsing directly is that, from a user’s perspective, the address bar always shows the proxy’s URL, and from a network analysis perspective, all of the traffic from the web browser is going to a single web server. If one were to capture traffic next to the web-based proxy server, it would look like both a server (accepting connections from web browsers) and a client (connecting to other web servers).
Beyond ease of use, web-based proxies are also quick to create and highly flexible: if the proxy gets blocked, give it a different URL like any other web page. In 2003, the US Government created a web-based proxy just for Iranians, with the latest URLs announced via the Voice of America’s Iranian-focused program “Radio Farda”. Blocking based on URLs is therefore a tedious task, which helps explain why DPI is being more widely deployed. The downside of a web-based proxy is that it uses standard web technology, which means that the DPI blocking SSL will also block SSL for web-based proxies.
Browser-based technologies require more setup from the end user. The configuration is typically either in the browser settings (e.g. Firefox) or in the operating system (e.g. Internet Explorer and the Network control panel). The advantage of using a browser-based proxy is that the browser looks and feels just like browsing the Internet normally. Network analysis would reveal that the browser is connecting exclusively to a single server, and DPI would reveal that there are multiple different host header entries for the same IP across different TCP sessions. Given the more difficult user setup, it’s less likely that a browser-based proxy would be used to bypass Internet filtering. However, this type of proxy does have widespread appeal in enterprise networks, typically for security reasons or, ironically, to implement Internet filtering.
If proxies are blocked, the next level of bypass is to use a VPN or some other form of tunnel. This type of solution establishes an encrypted connection to a remote server, then uses that tunnel to carry all traffic between the client PC and the Internet. VPNs are an additional degree harder to set up than a browser-based proxy, as using the VPN requires installing the VPN software, configuring it, then remembering to run the software every time you want to use the Internet. While it’s still not hard to do, it’s something that requires some pre-planning and action and creates additional evidence of intent to bypass Internet filtering or monitoring.
VPNs will vary in appearance. A lightweight SSL VPN might look like standard https encrypted web browsing. There may also be connections to non-standard ports, or even packets without either TCP or UDP. Regardless of protocol specifics, the VPN will appear to be a long-lived connection between the client and the server.
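The network-analysis signatures given above for the three bypass methods (a web-based proxy host that is both server and client, a browser-based proxy that carries many different Host headers to one IP, and a VPN that shows up as a long-lived connection on an odd port or a non-TCP/UDP protocol) can all be checked from flow records. The script below is an added example for this article, not the author’s or WildPackets’ code; its flow-record format, the 10.0.0.0/8 “internal” range, and the thresholds are assumptions, and the log lines are constructed. For HTTPS the SNI name or CONNECT target plays the role the Host header plays here.

```python
"""Flow-log heuristics for the proxy and VPN traffic patterns described in the article.

Added example, not from the original article. Record format (assumed):
  src_ip dst_ip ip_proto dst_port duration_s bytes host
where `host` is the HTTP Host header, or '-' if none was seen.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows; every address and hostname is made up.
FLOW_LOG = """\
10.0.0.5 198.51.100.7 6 8080 12 48211 news.example
10.0.0.5 198.51.100.7 6 8080 9 91020 video.example
10.0.0.5 198.51.100.7 6 8080 4 12033 social.example
10.0.0.5 198.51.100.7 6 8080 7 5510 mail.example
10.0.0.5 198.51.100.7 6 8080 3 8870 chat.example
10.0.0.6 203.0.113.20 6 80 5 20411 www.corp.example
10.0.0.6 203.0.113.20 6 80 2 1200 www.corp.example
10.0.0.6 203.0.113.21 6 80 3 70220 cdn.corp.example
10.0.0.12 10.0.0.9 6 80 6 15000 proxy.internal
10.0.0.9 203.0.113.30 6 80 5 14200 news.example
10.0.0.9 203.0.113.31 6 80 4 66000 video.example
10.0.0.7 192.0.2.44 6 443 5400 8213000 -
10.0.0.8 192.0.2.45 50 0 7200 9900000 -
10.0.0.8 192.0.2.45 17 500 7200 12000 -
10.0.0.6 203.0.113.22 17 53 0 180 -
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed site range
COMMON_PORTS = {80, 443, 53, 25, 123}           # assumed "expected" ports
LONG_LIVED_S = 3600                             # assumed threshold


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, proto, port, dur, nbytes, host = line.split()
        flows.append({"src": src, "dst": dst, "proto": int(proto), "port": int(port),
                      "duration": int(dur), "bytes": int(nbytes), "host": host})
    return flows


def host_fanout(flows, min_hosts=4):
    """Browser-based proxy pattern: one client talks to one IP, yet the sessions
    carry many different Host headers. Returns {(src, dst): distinct host count}."""
    hosts = defaultdict(set)
    for f in flows:
        if f["host"] != "-":
            hosts[(f["src"], f["dst"])].add(f["host"])
    return {pair: len(h) for pair, h in hosts.items() if len(h) >= min_hosts}


def dual_role_hosts(flows):
    """Web-based proxy pattern: an internal host that accepts HTTP from inside
    and also fetches HTTP from outside, i.e. server on one side, client on the other."""
    serves, fetches = set(), set()
    for f in flows:
        if f["host"] == "-":
            continue
        src_in = ipaddress.ip_address(f["src"]) in INTERNAL
        dst_in = ipaddress.ip_address(f["dst"]) in INTERNAL
        if dst_in:
            serves.add(f["dst"])
        if src_in and not dst_in:
            fetches.add(f["src"])
    return serves & fetches


def tunnel_candidates(flows):
    """VPN pattern: a long-lived flow (noting an uncommon port when it has one),
    or a flow that is neither TCP (6) nor UDP (17), e.g. ESP (50) or GRE (47)."""
    found = {}
    for f in flows:
        reasons = set()
        if f["proto"] not in (6, 17):
            reasons.add(f"ip-proto-{f['proto']}")
        if f["duration"] >= LONG_LIVED_S:
            reasons.add("long-lived")
            if f["proto"] in (6, 17) and f["port"] not in COMMON_PORTS:
                reasons.add(f"uncommon-port-{f['port']}")
        if reasons:
            found.setdefault((f["src"], f["dst"]), set()).update(reasons)
    return found


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("host fan-out  :", host_fanout(flows))
    print("dual-role     :", dual_role_hosts(flows))
    print("tunnels       :", tunnel_candidates(flows))
```

On the constructed data, 10.0.0.5 is flagged for five distinct Host headers to a single 8080 destination, 10.0.0.9 is flagged as both a server and a client, and the hour-plus ESP/IKE pair and the 90-minute HTTPS session are reported as tunnel candidates; the last of these is exactly the “lightweight SSL VPN that looks like standard https” case, which the flow duration exposes even though the port does not.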
The most well-known public-access tunnel service is TOR (The Onion Router), which was designed to bypass filtering, to provide user anonymity, and to be difficult to block. TOR works by passing traffic through multiple levels of redirection, so no part of the tunnel knows what web site the client is accessing, nor, conversely, which clients are accessing any web site. Additionally, TOR has the option of using multiple “entry nodes” (client-facing), to make the traffic less identifiable as a VPN.
The TOR project anonymously tracks usage based on periodic proxy list downloads, and saw a large increase in January 2012, possibly stemming from increased web filtering levels. Iran responded by using DPI to block TOR at the beginning of February 2012. The technique is similar to what China started doing in October 2011. The TOR project usage graph demonstrates both the January spike and the February plummet.
Notice that the levels of use have almost returned to normal. TOR is countering the DPI filtering with a tool called Obfsproxy, designed to add a level of obfuscation to evade detection. The TOR project says that Obfsproxy is currently non-trivial to set up on the server side, so they’re working to make it easier to use. The downside of using TOR is that it creates overhead: multiple layers of encryption require additional layers of headers, and every packet between client and server gets multiplied into 4 packets total between the client, server, and the three relays. TOR is a specialized tool to provide traffic privacy, at the cost of speed.
Reports from users of other proxy services, and from corporate VPN users, vary on whether their VPN access was affected by the DPI blocking.
Additional options exist for filtering bypass based on even more evasive techniques, but the bandwidth and latency for the end-to-end connection decreases dramatically as the level of evasion goes up. My favorite evasion technique is running a VPN over DNS – using one of the basic Internet control protocols to hide information in plain sight as web page address lookups. Initial research into this area came from security and protocol guru Dan Kaminsky in 2003. However, the level of evasion required for this solution leads to an exponential increase in overhead compared to other techniques. One recent anecdotal report showed bandwidth of 500KB/s dropping to a mere 3KB/s in the tunnel. VPN over DNS is clearly a technique of last resort.
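Because a VPN over DNS has to push its payload through the query names themselves, it leaves a distinctive trace in DNS logs: many queries to one domain, long high-entropy subdomain labels, and record types that can carry bulky answers. The detector below is an added example for this article, not code from the author or from Dan Kaminsky’s research; the log format, the “last two labels” rule for the registered domain, and the thresholds are assumptions, and the query lines are constructed.

```python
"""DNS-query-log heuristics for spotting a VPN-over-DNS tunnel.

Added example, not from the original article. Per (client, registered domain)
it measures query count, mean subdomain length, mean Shannon entropy of the
subdomain characters, and the share of TXT/NULL queries. Thresholds are
assumed starting points, not calibrated values.
"""
import math
from collections import defaultdict

# Constructed log lines (client, query name, query type); nothing here is real.
DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 cdn.example.net A
10.0.0.7 3q9xk2vfa8d0j1lm.t.example.org TXT
10.0.0.7 p0o8i7u6y5t4r3e2w1q.t.example.org TXT
10.0.0.7 zx9cv8bn7ml6kj5hg4fd3sa2.t.example.org NULL
10.0.0.7 a1s2d3f4g5h6j7k8l9q0w1e2.t.example.org TXT
10.0.0.7 mn4bv3cx2zl1kj0hg9fd8sa7.t.example.org TXT
10.0.0.7 www.example.com A
"""

BULKY_TYPES = {"TXT", "NULL"}  # record types that can carry large answers


def shannon_entropy(s):
    """Bits per character; random-looking encoded data scores high, words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered domain, subdomain characters without dots).
    Assumption: the registered domain is the last two labels; a real
    deployment would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def score_dns_log(text, min_queries=4, min_entropy=3.5, min_len=16):
    groups = defaultdict(list)
    for line in text.splitlines():
        client, qname, qtype = line.split()
        domain, sub = split_qname(qname)
        groups[(client, domain)].append((sub, qtype.upper()))
    report = {}
    for key, rows in groups.items():
        n = len(rows)
        mean_len = sum(len(s) for s, _ in rows) / n
        mean_ent = sum(shannon_entropy(s) for s, _ in rows) / n
        bulky = sum(1 for _, t in rows if t in BULKY_TYPES) / n
        flagged = n >= min_queries and mean_len >= min_len and mean_ent >= min_entropy
        report[key] = {"queries": n, "mean_len": mean_len, "mean_entropy": mean_ent,
                       "bulky_fraction": bulky, "flagged": flagged}
    return report


if __name__ == "__main__":
    for key, m in score_dns_log(DNS_LOG).items():
        print(key, m)
```

The overhead the text mentions is visible in the same numbers: every few hundred bytes of tunnelled data costs a full query and response, which is why the query count per domain climbs so quickly and why a tunnel is hard to hide from a volume-based view even when each individual name looks plausible.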
Understanding how network access restrictions can be bypassed is key for protecting your company and your network. Whether users route through proxy servers already in place or create a tunnel with public-access tools like TOR, the controls are only as strong as the determination of those they are trying to keep out. Users can manage to find ways to bypass restrictions to the Internet by being a step ahead of the network engineer, but network engineers can stay a step ahead by detecting initial attempts. The “winner” of the struggle is whichever side is willing to go farther beyond the 80/20 rule, spending increasingly more time for decreasing results.
Author Profile - Jim MacLeod is a Product Manager at WildPackets. He has been in the networking industry since 1994, and started doing protocol analysis in 1996. His experience includes positions in firewall and VPN setup and policy analysis, log management, Internet filtering, anti-spam, intrusion detection, network monitoring and control, and of course packet sniffing.