
Stopping 100% of web proxies?

Thu, Aug 16, 2007

Security

There have been a couple of security vendor press releases recently talking about how they solve the issue of anonymous web proxies. These proxies are web servers that allow users to circumvent URL / content filtering systems to access sites that may be prohibited at work. There are a ton of proxies for MySpace, for example. The first release I saw was from 8e6 Technologies. Typical vendor marketing in action here, talking about the dangers of proxies and how they solve the problem. There was a similar release from Aladdin Knowledge Systems. However, this release bordered on sensationalism in my book. They claim to be able to stop 100% of anonymous proxies, even encrypted connections.

I don’t know how that is possible. Granted, they are not trying to keep track of proxy URLs, but still. Even encrypted? How would their software know the difference between me logging into my bank with SSL and logging into a proxy with SSL? I am certainly no expert when it comes to proxies but I do know a bit about them.

Is it realistic to think that any security technology can block 100% of a security threat?

–Chris


This post was written by:

Chris Harrington - who has written 153 posts on InfoSecPodcast.com.


3 Comments For This Post

  1. Design for MySpace Says:

    Chris - Don’t agree with the question, as it is my personal thought that these proxies are really helpful for individuals to visit sites which have been banned in their environment, which could be a workplace, college or country.

  2. Chris Harrington Says:

    There is no doubt that they do what they are supposed to do. What they allow you to do is bypass security controls and acceptable use policies that may be in place. There are many reasons organizations block these, from security to employee productivity issues to stifling free speech in other parts of the world.

    If your organization has blocked a site that you need a proxy to visit you might want to stop and ask them why. It could be an oversight or it could be justified.

    Thanks for the comment!

    –Chris

  3. Mark D. Parker Says:

    Chris:

    First let me state that I am the Product Manager for the 8e6 product you mentioned in your article. It is good to hear that you saw our marketing collateral come across. So I am one of the people responsible for some of the marketing fluff of which you speak. Guilty as charged.

    As a representative of one of the companies mentioned I will say that you will never hear 8e6 say that we block 100% of all Web-Based Proxy sites, or any type of site for that matter. I will even go further and state that claiming to do so would be inaccurate. If you search through our press release you will find that we do not claim to block 100%.

    Having personally dealt with the Web-Based Proxy phenomenon for over 8 years now, I can tell you that Web-Based Proxies are a multi-headed monster. Every time you cut off one of the heads, something far more insidious comes along to replace it. We at 8e6 have been involved in assisting organizations deal with the Web-Based Proxy problem for over 10 years, and it is always a game of one-upmanship. Every time the filtering vendors do something to block the Web-Based Proxies, someone creates a new Web-Based Proxy that isn’t blocked.

    Just a few years ago, it was only a handful of sites like anonymizer.com that offered the Web-Based Proxy ability. From an Internet Filtering standpoint it was simple to block these sites, just add them to the list of sites in the Web-Based proxy category.

    Now that the open source community has taken to creating Web-Based Proxies the number has grown exponentially. A user can easily use this software to create a Web-Based Proxy in the morning, and use it that day on a filtered computer. Since the site was created today, there is no way that any filtering vendor is going to have that proxy in their list. This is what has caused the recent avalanche of problems for Network/Security Admins; there is just no way that any filtering vendor could keep their list up to date when users have the ability to create one of these Web-Based Proxies “on-the-fly.”

    At 8e6 we added a pattern recognition system to our flagship filtering product (the R3000) over a year ago. This allowed our product to detect the use of proxies based upon the bits and bytes as they traversed the wire. This was a very well received feature and has been extremely effective at blocking Web-Based Proxy usage. But in the filtering industry all of the vendors live and die by the annual contract. In many cases these contracts can be multi-year contracts. So no matter how enticing the new features we add, such as this Proxy Pattern Recognition system, the customer is locked into a multi-year contract. This means that they are very unlikely to subscribe to another vendor’s solution until the end of the existing contract.

    The product that you saw the release on is the ProxyBlocker, a new product which takes that Proxy Pattern Recognition system available in the R3000 and makes it available without the need to purchase a full Web-Filtering contract. This means that it is affordable as an add-on to any Internet Filtering solution that is not doing a good job of covering proxies.

    There have been several other Johnny-Come-Lately vendors that have jumped into the fray on the Web-Based Proxy problem, since it has become a serious threat for Network and Security administrators. Such is the nature of the free market and competition.

    Some of the marketing information has been shocking, and I did see the release that said “100% of proxies blocked.” The fine print was “100% in our lab test.” Anyone could put together a lab test in which they blocked 100%, but that would be dishonest, and misleading to the customer. However, I am comfortable in stating that we do a very effective job in blocking Web-Based Proxies. There are accounts from our critics (the end users who are blocked) on several message boards complaining about our effectiveness. This is due to our constant vigilance in ensuring that both our URL list, and most importantly our patterns are kept as up to date as possible. If new technology is needed, we will have to build that new technology. It is part of the game of one-upmanship with the Web-Based Proxy community. We are doggedly determined to stay on top of it, because it is important to our customers for us to do so.

    So in answer to your question, NO, it is impossible to block 100% of anything unless you want to disconnect your Internet connection. With the Web-Based Proxies, there is always someone, somewhere that is coming up with a new method that no one is quite ready for. I for one appreciate the fact that the technology is always moving forward. It is the constant advancement of these on-line threats that ensure I continue to have a job.

    So speaking as one of the vendors, you will continue to see press releases and other information from 8e6 about the Web-Based Proxy problem. This is simply due to the fact that it is such a problem for the Network and Security Admins out there. But you will not hear 8e6 saying we block 100% of anything. But we are sure going to try; it is what our customers expect of us.

    Mark D. Parker
    Sr. Product Manager
    8e6 Technologies
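The contrast running through this thread (a category list that misses a proxy created this morning, a pattern check on what crosses the wire, and the post's question about SSL) can be shown over a few constructed proxy-log requests. This is an added example, not 8e6's or Aladdin's detection logic; the hostnames other than anonymizer.com are constructed, and the "query parameter carrying a URL for a different host" heuristic is an assumption chosen for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed category list: hosts the filter vendor already knows about.
KNOWN_PROXY_HOSTS = {"anonymizer.com"}

def embedded_url(value):
    """Return the URL carried in a parameter value (plain or base64), else None."""
    if re.match(r"https?://", value, re.I):
        return value
    try:
        padded = value + "=" * (-len(value) % 4)
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError:          # not base64 at all
        return None
    text = raw.decode("ascii", errors="replace")
    return text if re.match(r"https?://", text, re.I) else None

def classify(method, target):
    """Return 'list', 'pattern', 'opaque' or 'allow' for one logged request."""
    if method == "CONNECT":
        # HTTPS tunnel: the filter sees host:port only, never the inner URL.
        host = target.rsplit(":", 1)[0].lower()
        return "list" if host in KNOWN_PROXY_HOSTS else "opaque"
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    if host in KNOWN_PROXY_HOSTS:
        return "list"
    # Pattern check (assumed heuristic): a parameter that smuggles a URL
    # for some other host is how a web-based proxy is told what to fetch.
    for _, value in parse_qsl(parts.query):
        inner = embedded_url(value)
        if inner and (urlsplit(inner).hostname or "").lower() != host:
            return "pattern"
    return "allow"

# Constructed sample requests (method, target) as a forward proxy would log them.
ENCODED = base64.urlsafe_b64encode(b"http://www.myspace.com/").decode()
SAMPLE = [
    ("GET", "http://anonymizer.com/"),                       # on the list
    ("GET", "http://fresh-proxy.example/index.php?q=" + ENCODED),  # new today
    ("GET", "http://news.example/story?id=42"),              # ordinary page
    ("CONNECT", "bank.example:443"),                         # SSL to a bank
    ("CONNECT", "fresh-proxy.example:443"),                  # SSL to a proxy
]

if __name__ == "__main__":
    for method, target in SAMPLE:
        print(f"{classify(method, target):8} {method} {target}")
```

Without TLS interception, the last two requests are indistinguishable to this check, which is the situation the post asks about.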
