Avoid Web Filtering with SSH Tunneling: Encrypted Circumvention

by Tessian  (tessian@gmail.com)

As an experienced Websense administrator, I was excited to read Major Lump's article about circumventing filtering, "Avoiding Internet Filtering," in the Spring 2007 issue of 2600.

Unfortunately, I was dismayed to find out that the method he proposed was not an actual workaround but rather a product of a poorly configured Websense integration.

The Websense installation in question did not have a service responsible for filtering traffic on non-HTTP ports, so the writer was easily able to circumvent it by visiting an HTTPS internet proxy.  Websense and other top-tier Internet filtering products rely on integration with another service, most commonly a firewall or proxy server, to forward normal HTTP traffic to them for filtering.

The filters rely on packet sniffing to pick up the slack and to be able to filter not only HTTPS and FTP, but also instant message traffic, proxies, streaming media, peer-to-peer software, and more.

Most internet filtering databases contain the IP addresses of well-known proxy websites, so they can block them on HTTPS as well as HTTP.  With this in mind and in an effort to stay one step ahead of my users, I decided to start searching for a real method of circumventing internet filtering.

The Solution

My search ended in success with a wonderful method many of you may be familiar with: SSH tunneling.

You can find methods for accomplishing this all over the web, but it was the guide at www.buzzsurf.com/surfatwork that broke it down best for me.  Basically, we'll disguise your SSH tunnel as an HTTPS connection and forward all internet traffic through it, effectively bypassing all Internet filtering and any firewalls in between.

To accomplish this, configure a PC at home as a normal SSH server, but set it to listen on port 443, which is normally reserved for HTTPS.

Now, assuming you've made sure this SSH server is accessible from the Internet, you connect to it.  I recommend using a free dynamic DNS service such as DynDNS (www.dyndns.com) to make it easier to connect back to your PC at home.  The connection is most easily made by downloading or bringing in a copy of PuTTY and running the following at the command prompt:

C:\> putty -D 8080 -P 443 -ssh sshserver

Replace sshserver with the IP address or hostname of your SSH server.

Once you've successfully connected to and logged into your SSH server, you need only change your browser's settings to use the SSH tunnel you've created as a SOCKS proxy.  This is done in IE's Advanced Proxy Settings dialog by setting the SOCKS address to 127.0.0.1 and the port to 8080.

Now your Internet traffic is encrypted and virtually undetectable.  This can also be used for any other web application that supports SOCKS proxies; simply configure them the same way.

Risks

Obviously, there are risks involved with testing this at work.

If your Information Security department is anything like mine, then there are alarms and triggers set around the network just waiting to squeal on you the second that they detect proxy usage.  However, assuming you configure this correctly the first time, there will be almost no indication of this because of the encryption involved.

Websense logs it as HTTPS traffic to an "Uncategorized IP address."  There are only two ways that Websense could stop you: if HTTPS is blocked or if uncategorized websites are blocked.  Neither is very likely unless you're in a very small environment, as both have very legitimate uses.

The only flag that was raised was by my Intrusion Detection System (IDS).  I was pleasantly surprised to find out it did in fact notice I was using SSH on a port other than the default of 22 and that it threw an event marked "Suspicious."  Luckily the event only fires a few times during the initial connection and isn't detected after that.

In larger environments, it's not uncommon to see SSH running on an unusual port, but if you have a very vigilant security department, this could be noticed.
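The IDS event described in this section comes from a simple mismatch: an SSH session starts with a plaintext identification string ("SSH-2.0-...", RFC 4253 section 4.2) no matter which port it runs on, whereas a genuine HTTPS session starts with a TLS record header.  The following Python is an added example, not part of the original article, that reproduces that check over constructed sample flows (the addresses and payload bytes are made up for illustration).

```python
import re
from dataclasses import dataclass

# SSH identification string: "SSH-protoversion-softwareversion [SP comments] CR LF".
# Matched as a line anchor because a server may send banner lines before it.
SSH_BANNER = re.compile(rb"(?m)^SSH-\d+\.\d+-[^\r\n]*\r?\n")


def classify_payload(first_bytes: bytes) -> str:
    """Label the first bytes a peer sent on a flow: 'ssh', 'tls' or 'unknown'."""
    if SSH_BANNER.search(first_bytes):
        return "ssh"
    # A TLS record header: content type 0x16 (handshake), major version 0x03,
    # minor version 0x00..0x04, then a two-byte record length.
    if (len(first_bytes) >= 5 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    return "unknown"


@dataclass
class Flow:
    src: str          # client address (constructed)
    dst: str          # server address (constructed)
    dport: int        # server port
    first_bytes: bytes  # first bytes observed on the flow


def find_ssh_on_https_port(flows, https_port: int = 443):
    """Return flows that speak SSH on the HTTPS port, the mismatch the IDS flagged."""
    return [f for f in flows
            if f.dport == https_port and classify_payload(f.first_bytes) == "ssh"]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    # SSH client banner sent to port 443: the tunnel described in the article.
    Flow("10.0.0.5", "203.0.113.10", 443, b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    # Real TLS ClientHello record header on port 443.
    Flow("10.0.0.6", "203.0.113.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"),
    # SSH on its default port: expected, so not reported by the 443 check.
    Flow("10.0.0.7", "203.0.113.30", 22, b"SSH-2.0-OpenSSH_4.7\r\n"),
    # Plain HTTP mistakenly sent to 443: neither SSH nor TLS.
    Flow("10.0.0.8", "203.0.113.40", 443, b"GET / HTTP/1.1\r\nHost: example\r\n"),
]

if __name__ == "__main__":
    for hit in find_ssh_on_https_port(SAMPLE_FLOWS):
        print(f"suspicious: SSH banner on port {hit.dport} from {hit.src} to {hit.dst}")
```

The check only sees the opening bytes of each flow, which is exactly why the article's IDS fired a few times during connection setup and stayed quiet once the encrypted session was underway.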

Uses

There are more uses for this version of SSH tunneling than just circumventing filtering: it also works very well to protect yourself and your information on untrusted networks such as wireless hot spots.

While businesses and universities normally warn and notify their users if they are being monitored, there is no way of telling just what is lurking on an untrusted network waiting to sniff your traffic.

SSH tunneling can be used for things other than Internet forwarding.  With a few changes, you can use it to protect connections back to your home network for email or printing.

If you know the port a service communicates on, you can put it through this SSH tunnel.
