Family History Center Firewall Bypassed

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

Family History Center Firewall Bypassed

#1

Post by jdlessley »

This is the second time in five weeks that our FHC has had an incident where inappropriate web sites have been accessed on a FHC computer. This is frustrating for me because I cannot determine how it is being done.

We have the standard FHC CCN configuration with a Cisco PIX 501 firewall. When the first incident occurred we determined that the PIX firewall software WebSense could be knocked off-line after a brief power interruption that causes a memory overflow. To solve that issue we installed an interruptible power supply. I knew that the filtering software wasn't working on the first incident because it was allowing full Internet access, which is the default setting for firewall faults, when I investigated the incident a couple of days later. During this most recent incident's investigation I found that the filtering software was working.

After talking to GSD/OTSS, the only two ways to bypass the firewall filtering are to physically bypass the PIX firewall by removing it from the network or for the PIX to have a partial failure such as the power interruption issue. The technician told me that a partial failure will persist until the PIX is reset by turning it off and then back on. For someone to create a partial failure is nearly impossible to do - or is it?

Does anyone know of any other scenario to bypass the PIX firewall filtering?

I am trying to close down all the possible avenues to access inappropriate web sites. We still haven't physically secured the networking hardware. Removing the PIX from the network is our number one possible reason for the access. I do not want to blissfully believe that once we do secure the hardware that this won't happen again.
danpass
Senior Member
Posts: 514
Joined: Wed Jan 24, 2007 5:38 pm
Location: Oregon City, OR

Forensics

#2

Post by danpass »

What is the nature of the evidence that alerted you to this problem? Browser logs, inappropriate content found on the computer or what? Knowing this could help us suggest possible vulnerabilities. If you can't conclusively determine how the circumvention is accomplished, you might consider installing a monitoring tool on the computers in the FHC. I would first talk to GSD/OTSS to make sure that the installation of such software does not violate any policies or local laws. If it is allowed, they might be able to recommend a product. Most products of this type can be run in stealth mode and collect and save a large amount of information that would be helpful in discovering what is going on and when it is happening.
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#3

Post by russellhltn »

The first issue I'd look at is that someone is getting access to the FHC computers who probably shouldn't have access. You may want to consider ways of securing the room and/or machines. Take a look at the date/time stamps and machine logs. You should be able to pin down when this is happening. Obviously securing the network itself is important too.

The second question is do you know the firewall is being bypassed or is it just not doing the job? No filter is 100%. They might have found sites that are not being filtered.

Third, there might be ways of bypassing it. The simplest attack is an external DNS lookup. Now http://www.gambling.com is blocked, but if you use the IP address, http://85.133.46.253, can you get to it?

There's also re-direction sites out there. They're primarily to hide one's tracks when visiting websites. But if they aren't filtered, it's possible that the firewall may not know where you're visiting since all the traffic is going to the redirection site.

Just some thoughts.
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#4

Post by jdlessley »

The trigger that led us to investigate inappropriate web site access was an incomplete print run. When the FHC was opened and computers turned on the workers noted one printer was out of paper and put some in it. It began spewing pornographic images from the incomplete print run. The first incident was noted after a worker tried to find a URL in the drop-down list of the address bar. There were curious URLs that indicated a need for further investigation. In both cases all I had to do was search the temporary internet files to discover what sites had been visited and when.

In this most recent incident the stake president and the three bishops in the building were notified of the incident. One bishop recalled a report from a young man's parents about finding him in the FHC and noted the time - which turned out to be when the incident occurred. The bishop will interview the young man to find out what he did. If it turns out that he simply started browsing then we will be asking for help from GSD/OTSS.

We are going to change locks to the FHC and put the network hardware in a locking cage. This will eliminate physically bypassing the PIX.
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

#5

Post by The_Earl »

Be sure to check for odd software running on the machines themselves. Some anonymizing software will work around a firewall.

Obviously, patrons of the FHC should not be installing software on the machines. I am not sure if it is possible or not on your setup.

Keep good logs. Audit machines regularly. Lock things up when unsupervised. etc...

What did the 'odd URLs' look like?

The Earl
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#6

Post by jdlessley »

Curious URL is a polite way of saying the site was obviously pornographic. Just posting a sample here might offend someone so I will not.

With this incident I think I have more supporting evidence to make the Patron account a 'user' account instead of a 'power user' account. It was because the Patron account could install programs that the infections became as convoluted as they were.

I had been debating using the DeepFreeze program before this incident. Now I know it will save me many, many hours of computer maintenance and recovery. It won't help with the access to inappropriate web sites but it will help with the risks to computer maintenance.
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

#7

Post by The_Earl »

jdlessley wrote: Curious URL is a polite way of saying the site was obviously pornographic. Just posting a sample here might offend someone so I will not.
Ok. I was wondering if it was malformed or oddly encoded. Such things can bypass firewalls if done correctly.

The Earl
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#8

Post by russellhltn »

jdlessley wrote: With this incident I think I have more supporting evidence to make the Patron account a 'user' account instead of a 'power user' account. It was because the Patron account could install programs that the infections became as convoluted as they were.
That's the route I've taken, and I have few issues with the FHC machines. I have had to tweak the permissions as some programs just don't like working that way. The programmers tend to treat their area under C:\Program Files as their own little data storage, but "user" typically has no rights to write or modify that area.

jdlessley wrote: I had been debating using the DeepFreeze program before this incident. Now I know it will save me many, many hours of computer maintenance and recovery. It won't help with the access to inappropriate web sites but it will help with the risks to computer maintenance.
It will also hide evidence of access to inappropriate sites. Less work for you, but it prevents you from finding out there is a problem.
jthork-p40
New Member
Posts: 1
Joined: Wed Jul 16, 2008 6:18 pm

Filtering Workarounds

#9

Post by jthork-p40 »

I was an executive at a filtering vendor for almost 10 years. There are tons of workarounds for filtering and only a few filtering vendors are built on technology platforms that cannot be overcome by simple workarounds. Websense is one that is easily defeated by anonymous proxies, among other workarounds.

The fact that the URLs show in the browser history indicates that either the sites are simply not in the Websense URL database or the filtering/PIX was somehow disabled.

But at least you know that this is happening. In contrast, there are ways to bypass the filtering that do not show up too visibly with anonymous proxies. There are two ways anonymous proxies are generally used to get around the filter:

1) The user enters the URL for an anonymous proxy such as www.sugarwhip.com. From this site, the user can type in *any* URL and bypass the filtering. Test this by going to www.sugarwhip.com and then enter a site (non-porn) that you know should be blocked. The only way Websense or any filtering vendor can avoid this workaround is to remain vigilant and add these new URLs as they are created by the "anti-censorship" crowd. This particular site was created and distributed to its mailing list on 7/10/08 (I still receive the mailings). There are new sites added each week to keep filtering vendors on their toes.

2) The user creates their *own* anonymous proxy using free software available on the Internet. They install this software on their Internet-connected computer at home and then only have to enter the IP address assigned to come up with a page served by the home computer wherein they can enter the URL of a normally-blocked site. This is the hardest method for filtering vendors to overcome, but again, there is at least one vendor who can still block this. (That is the company I used to work for. :)

My final suggestion is to add another layer of filtering. Not the best solution but it's fast, cheap and simple. Download the free software provided by Blue Coat, a well-known and respected security company, at www.k9webprotection.com. The great thing about K9 is that you can also turn on a feature called Dynamic Real-Time Rating which scans the pages for bad content before serving them. I use this at home with my home computer and even have it loaded on all my work computers. It really works well as a second layer of defense.

Let me know if you have any add'l questions. I'm happy to help.
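As an added example (not code from any of the posters), a Python script that turns russellhltn's IP-address test (#3) and jthork-p40's anonymous-proxy description (#9) into a review of a browser history: it flags visits whose host is a bare IP literal, whose host is on a list of known anonymizer sites, or whose query string carries another full URL (the pattern of a proxy or redirection front-end). The history lines, the 192.0.2.10 address and the anonymizer list are constructed; www.sugarwhip.com is the site named in the thread.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample history, one "<timestamp> <url>" per line (not real FHC data).
SAMPLE_HISTORY = """\
2008-07-16T19:02:11 http://www.familysearch.org/
2008-07-16T19:05:40 http://192.0.2.10/index.html
2008-07-16T19:07:02 http://www.sugarwhip.com/browse.php?u=http://example.org/blocked
2008-07-16T19:09:33 http://www.example.com/?q=search
"""

# Hosts named as anonymous proxies in the thread; in practice extend this from vendor lists.
KNOWN_ANONYMIZERS = {"www.sugarwhip.com"}

# A full URL nested inside a query value is the signature of a proxy/redirect page.
NESTED_URL_RE = re.compile(r"https?://", re.IGNORECASE)


def host_is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address, which a URL-category filter never sees as a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return the list of reasons a visited URL deserves review, or [] if none apply."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host_is_ip_literal(host):
        reasons.append("ip-literal host")
    if host in KNOWN_ANONYMIZERS:
        reasons.append("known anonymizer host")
    if any(NESTED_URL_RE.match(v) for vals in parse_qs(parts.query).values() for v in vals):
        reasons.append("nested url in query")
    return reasons


def review_history(text):
    """Parse history lines and return (timestamp, url, reasons) for every flagged visit."""
    findings = []
    for line in text.splitlines():
        stamp, _, url = line.strip().partition(" ")
        if url and (reasons := classify_url(url)):
            findings.append((stamp, url, reasons))
    return findings


if __name__ == "__main__":
    for stamp, url, reasons in review_history(SAMPLE_HISTORY):
        print(stamp, url, ", ".join(reasons))
```

Run against an exported history or proxy log in the same two-column form; the timestamps of flagged visits are what you would then match against the room's sign-in records, as suggested earlier in the thread.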
jdlessley
Community Moderators
Posts: 9861
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#10

Post by jdlessley »

Thanks everyone for all the input. Before I take any steps beyond physically securing the network hardware I want to hear how the young man accessed the sites.