There are a ridiculous number of organizations using transparent proxying as a means to limit access to external resources. The idea is that by proxying all web traffic, they can keep employees from visiting porn sites. I’m not necessarily convinced that this does them much good. My general experience has been that the type of people looking at porn during the day will not become more productive as a result of losing the freedom to look at porn at work. They’ll still be useless employees that you have to performance review instead of firing for inappropriate use of technology.
Additionally, these proxies do very little to increase the security of the network. I’m fairly certain that by the time the Proxy Vendor is alerted to malware-distributing websites, an anti-virus company has already issued an update. This is redundant. Normally, I’d fully support this redundant - ok, I’ll drop the buzzword - Defense in Depth solution.
However, piggy-backing on the heels of any real security value, which is best described as the graph of 1/x, are made-up categories of websites to deter your users from doing things that your CEO believes are inappropriate. Interestingly enough, if the CEO is involved in Fantasy Football, you’ll be hard pressed to find an IT Infrastructure that denotes that classification of sites as inappropriate. I digress.
I hate these policies. The whole concept of the internet is free access to information. As my job is Information Security, I frequently surf into the areas of the internet that WebSense might classify as “Inappropriate Content”, “Hacker Sites”, or “Proxy Sites”. It’s the nature of my business. Luckily for me, I’ve been granted an exception to the policy that allows me to view such terrible web content.
However, my users are frequently inconvenienced by searches for “adult oriented material” as some of our reproductivity scientists might need access to sites that contain terms like “sex”, with interesting prefixes like “oral” and “vaginal”. *Gasp*
So, tired of executives so out of touch with their users that they don’t recognize them, much less know what they do, I begin my multipart series on Proxy Evasion with the Environmental Concerns.
CygWin
If you’re running Windows, I highly recommend that you install CygWin. It provides a POSIX Compliant Environment for Windows. I’d be lost on Windows without it.
Using CygWin you can install a host of tools for network scouting, monitoring, manipulation, defense, and attack. Some of my indispensables include:
- nmap - find out about a host
- iptraf - find out about network traffic
- tcpdump / libpcap - excellent network sniffer
- winpcap - I can’t remember if CygWin actually has libpcap support, if not, I remember having enormous success with WinPCAP
None of those are necessary for Proxy Evasion, but they are nice tools to have lying around when you’re connected to a network.
Mac OS X
Don’t worry, I’m a Mac user too. Mac OS X comes with a number of UNIX utilities already installed. I highly recommend installing the Developer’s Tools package to get GCC and then installing one of the ports systems available. The two forerunners in the GNU/OpenSource porting for OS X are:
- Fink - Provides source & binary downloads of packages with full dependency support.
- MacPorts - Previously DarwinPorts, source only ports system.
Though most free software will download and compile without hassle, it’s nice to have a package management suite that manages and downloads dependencies so you spend less time searching and installing and more time using your software.
But.. But.. I don’t have Admin Rights!
As a way to “increase security”, organizations will remove administrative privileges from average users’ computers. I feel this is complete hypocrisy, so I discourage it. However, if you’re unfortunate enough to have these restraints enforced on your computer, there are ways to run your programs without installing them, and thus be compliant with the “I will not install my own software on company computers” rule you signed when you took the job.
They’re called “Portable Apps.” They’re designed to be installed & run off of USB flash drives and require no disk access on the computer you run them on. This generally avoids all automated software policy enforcement, allowing you to run your programs without being hassled.
Here are the two biggest repositories for portable apps:
The biggest advantage to portable apps is the fact that their preferences are also stored on the drives. This means even if you don’t have access to modify the network settings (i.e., Proxy settings) on your applications because of an enforced policy, you can still modify the preferences on the portable apps. This is terribly useful once we have tunnels set up to use for proxying.
I carry around a copy of Thunderbird, Firefox, Gaim/Adium, Abiword, and for Windows, PuTTY.
If you’re on Windows, please download PuTTY now. It’s a lightweight ssh terminal that does not need to be installed. It’s precompiled and can run without writing preferences anywhere you’re not allowed.
By becoming aware of software solutions that allow you to do your work, you can set up a hospitable environment for productivity, free from the annoyances of “ADMINISTRATOR PRIVILEGES REQUIRED.”
In the next article, we’ll cover using SSH for Proxy Evasion.
Comments 1
still gotta watch your dns usage. Just because your http traffic goes over the proxy doesn’t mean the dns request for http://www.ilovetofucklittleboys.com does.
Posted 18 Dec 2006 at 1:28 pm