Web filtering: How well are you really protected?

"Guest blogger Richard Baldry is the product manager for the Sophos Web Appliance here at Sophos Vancouver. Richard is currently raising money to fight colon cancer as part of Movember. If you like Rich’s post please consider donating to Rich’s efforts."

Picture of Rich Baldry

As a lifelong fan of Scooby Doo cartoons, I know all about secret passages that let people enter and leave a creepy haunted house unobserved. Watching the front door is only going to help if you know there are no other exits – every kid knows that. So why does this simple rule get overlooked in the world of Web Security?

Secure Web Gateway products, like the Sophos Web Appliance, are becoming the de-facto standard to ensure safe web usage within organizations. Unlike earlier-generation URL filters, Secure Web Gateways manage the flow of web requests and the responses from sites, examining content as well as the URL itself in making decisions about whether to allow or block.

But there is a challenge – how do you ensure that all HTTP traffic within your organization gets filtered properly? Looking at every packet on the off-chance that it’s HTTP is hard work and likely to disrupt network performance.

One answer to this is to use a set of router based rules and protocols, like Cisco’s WCCP, to pre-filter web traffic. Most web servers listen on TCP port 80, so these systems create rules that say “˜filter any TCP connection from an internal address to port 80 at any external address’. Job done. Or is it?

Although port 80 is the default, a web server can in fact be hosted on any port. A URL can contain a numerical element specifying the port to connect to – for example http://www.example.com:1234/ tells the browser to connect to port 1234 rather than the normal port 80. This is certainly rare, but it is not so rare that you can just block these connections without fear of losing functionality on some web site or other.

Image of a secret passage

Last week I was talking to a colleague in SophosLabs, who mentioned that he was seeing quite a large number of malicious websites hosting malware on ports other than 80. One of the most prevalent infections in recent weeks, Mal/IFrame-N, uses a non-standard port for all the links to malware download sites it drives victims to.

So if you’re using methods like WCCP to redirect content to a web gateway, the requests triggered by Mal/IFrame-N will bypass the Secure Web Gateway altogether. Because it’s not going to port 80, it will be ignored by the filter on the router and pass straight out to the malicious server.

Further investigation showed that 7 out of every 2000 malicious URLs in the SophosLabs database use non-standard ports, and with 65535 to choose from, there’s no shortage of options for the bad guys to try.

This problem is avoidable, but it requires a different approach. All browsers, and most other web-aware applications, can be configured to connect directly to an HTTP proxy. This will make them send every single request to that proxy, whatever port it is destined for.

At Sophos, we call this “˜Explicit deployment’, and it’s the way we recommend our customers deploy the Sophos Web Appliance. Because all web traffic, whatever the destination port, is going through the proxy, this approach has two significant benefits:

  1. Policies and security checks can be enforced on all web traffic
  2. You can impose stricter firewall rules for direct outbound connections without limiting what users can do on the web

So next time you’re reviewing your network security, think “˜What would Scooby do?’.

Creative Commons image of bookcase courtesy of Slushpup’s flickr photostream.