FAQ: Firewall Admins Guide to Porn

One of the more frequent problems security administrators face is porn. It is a popular Internet application, and even when restrictions are put in place, users find ways of getting around them. At the same time, users tend to be clueless about how much firewall admins know of their surfing habits. Every administrator of a large company that I know of has had to confront this issue, yet the topic is barely discussed in the literature.

This document is intended as a guide for firewall admins in this area.

PS: You may have trouble accessing this document due to content-blocking filters.

0. Information about this FAQ

You can get this document from:
http://www.robertgraham.com/pubs/firewall-pron.html (HTML)
This is an early work in progress.

1. General Guide (non technical)

1.1 What the end user should know

Anecdote
At one time I worked for Network General on the Sniffer(tm) Network Analyzer. A new utility under development would sniff the URLs off the wire, put them into a database, and ship them up to the "SniffMaster" console.

We naturally tested on our own network, and were immediately confronted with URLs that were obviously porn sites, being surfed during work hours. Many of these users were also higher-level employees (managers and above). While the company had no policy per se against it, it obviously wasn't good. It also made the engineers nervous, because they didn't want to know such things.

The CTO at the time sent out a pretty good e-mail on the subject. Basically, he clarified that Network General had the highest concentration of network monitoring equipment in the world, simply for development purposes. Therefore, if somebody had surfing habits they didn't want others to know about, then they shouldn't surf at work.

Personally, I thought it would be a good intelligence test -- if they surfed porn sites at Network General, then they obviously weren't too intelligent.

The first problem firewall admins face is educating clueless end-users as to the scope of their powers. Users tend to think the Internet is unmonitored, or that monitoring their activity would be illegal or immoral. Also, they never hear of other people getting caught, so they think they will not get caught. They need to understand that their Internet use is monitored, and that even if they don't get "caught" (i.e. fired, etc.), they will be found out. Many firewall admins simply don't have the time or inclination to pursue the matter. They will know, but they simply won't tell anybody.

The first step in communicating this issue to end-users is to explain to them that all incoming/outgoing traffic is monitored for security purposes. There exists a "firewall" through which all traffic passes, which attempts to restrict hacker attempts. This "firewall" logs all connections, and the administrators frequently review those logs in order to catch those hacking attempts. If users are surfing porn sites, the firewall admin will accidentally see that as well. The company may not be looking for such things, but it will accidentally find them.

The long and the short of it is: if you are surfing porn at work, somebody knows. Just because they haven't talked to you about it doesn't mean they don't know. They are probably just too uncomfortable to tell you about it.

1.2 What managers should know

Tidbit
It is often the managers, all the way up to the CEO, who are the worst offenders. They feel that since they are at such high levels, they don't have to play by the rules. This makes administrators afraid of the higher-ups finding out what they know -- and getting squished.

Porn surfing isn't necessarily a problem. Sure, it wastes a bit of time, but surfing news, sports, weather, etc. also wastes time. Porn shouldn't be disallowed for this reason (though you may have other policies against wasting corporate time).

Many companies have official policies against monitoring for porn (or knowing about it) for legal reasons. This sounds strange, but here is how it works: if you monitor content, then you become liable for content. In this area, ignorance generally is a good excuse. The best example of this is the Yahoo message boards on stock information. Yahoo intentionally does not monitor content on these boards. End-users have posted slander and knowingly false rumours in attempts to manipulate stock prices. By not monitoring such things, Yahoo is blameless in much the same manner that the phone companies and ISPs are blameless in sending that traffic over the wire. Legally, it just transfers information among users.

AOL experienced this many years back. They got sued over some content, because they partially monitored the content. They were therefore found responsible for the content. AOL's response was to cease monitoring most of its message boards, and to monitor only specific message boards (for kids).

1.3 What firewall admins should know

Anecdote
A major financial institution has no official policy for/against porn, and officially does not monitor employee net usage (for much the same reasons as those mentioned above).

However, technicians are constantly seeing evidence of porn. This makes them very uncomfortable, because it is often high-level VPs doing the surfing. This makes them scared for their jobs, and they put informal processes in place in order to delete the information or not collect it. Therefore, when they evaluate new network management products, they prefer products that do not have porn-sniffing features, or ones where such features can be easily disabled.

Firewall admins see porn surfing all the time, whether or not companies have regulations against it. The first question they have is "I've found porn, what should I do now?".

Most are reluctant to do anything. This is HR's (Human Resources) job, not theirs. In particular, reporting such information doesn't help their job, but can put them into great jeopardy. For example, if they find a VP surfing porn sites against company regulations, there is a better chance of them losing their jobs than the VP.

Monitoring people is a very sensitive issue, even when done accidentally. Even though the network, the computer, and even people's time are technically "owned" by the company, the employees rarely see it this way. If someone gets fired for porn, it will generate a lot of ill will -- especially toward the people who discovered it.

1.4 A good solution

The best solution I've heard of is the following: Log access to all sites, then publish the log in a web page. The log should include who is accessing what web pages.

This solution has a number of benefits.

The biggest problem with this is false positives. For example, there was a security article on Playboy.com that I went to because it popped up in an AltaVista search result. Some pr0n spam messages contain hyperlinks to images on the net, which will show up. However, generally it is easy to tell the difference between an "accident" that shows up once or twice compared to an on-going clear abuse.

2. How they will be caught

Firewall admins, IDS admins, network managers, and desktop managers are constantly seeing evidence of porn.

2.1 Packet Filter logs

A popular type of firewall is the "packet filter". Most routers nowadays support packet filtering and logging.

This traps porn use in two ways. The first is simply that all connections are logged, telling the firewall admin who in the company was surfing which site. Secondly, many companies block well-known porn sites. Denied connections are placed in a separate log that admins are more likely to see. (Firewall admins typically don't have time to review the first log, but often glance over the second log).

2.2 Proxy logs

Proxies are a different type of firewall. They essentially stop all Internet traffic at the box, then re-generate the original requests. As far as the Internet sees, all the requests come from the proxy, not from the end-user.

Not only does this boost security, it also increases performance. If multiple users want to access the same file on the Internet, the proxy only needs to get it once -- then "caches" it on its hard disk for each subsequent access by other users.

Like firewalls, proxies log all the sites users visit. Administrators reviewing such data for fault/performance reasons will often come across pr0n.
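As an added example (not the FAQ's own code), the per-user, per-site summary that section 1.4 proposes publishing, built from the kind of proxy log described here. The log lines are constructed samples in Squid's native access.log layout; the client addresses and hostnames are made up, and the "one-off" versus "ongoing" split is the accident-versus-abuse distinction of section 1.4.

```python
"""Per-user, per-site summary of a proxy access log, separating one-off
hits from ongoing patterns. Added example, not part of the original FAQ;
the log lines are constructed samples in Squid's native access.log layout."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample. Squid native fields: time elapsed client code/status
# bytes method URL ident hierarchy/peer content-type.
SAMPLE_LOG = """\
918000000.123   120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/news - DIRECT/192.0.2.10 text/html
918000060.456    80 10.0.0.5 TCP_HIT/200 40000 GET http://adult.example.net/pic1.jpg - NONE/- image/jpeg
918086460.789    90 10.0.0.5 TCP_MISS/200 38000 GET http://adult.example.net/pic2.jpg - DIRECT/192.0.2.20 image/jpeg
918172860.111    95 10.0.0.5 TCP_MISS/200 37000 GET http://adult.example.net/pic3.jpg - DIRECT/192.0.2.20 image/jpeg
918000300.222   150 10.0.0.7 TCP_MISS/200 6000 GET http://adult.example.net/banner.gif - DIRECT/192.0.2.20 image/gif
918000400.333   110 10.0.0.7 TCP_MISS/200 7000 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Return (utc_date, client, site_host) for one log line, or None if
    the line does not have the expected fields."""
    fields = line.split()
    if len(fields) < 7:
        return None
    when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    host = urlsplit(fields[6]).hostname or fields[6]
    return when.date(), fields[2], host

def summarise(log_text, ongoing_days=3):
    """Map (client, host) -> {'hits', 'days', 'pattern'}. A site seen on
    fewer than `ongoing_days` distinct days is 'one-off' (the accidental
    click or spam image of section 1.4); otherwise it is 'ongoing'."""
    hits = defaultdict(int)
    days = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip blank or malformed lines
        day, client, host = parsed
        hits[(client, host)] += 1
        days[(client, host)].add(day)
    return {key: {"hits": n, "days": len(days[key]),
                  "pattern": "ongoing" if len(days[key]) >= ongoing_days
                  else "one-off"}
            for key, n in hits.items()}

def render_text(report):
    """Plain-text form of the per-user page section 1.4 suggests publishing."""
    return "\n".join(
        f"{client:<10} {host:<22} {info['hits']:>3} hits {info['days']:>2} days  {info['pattern']}"
        for (client, host), info in sorted(report.items()))

if __name__ == "__main__":
    print(render_text(summarise(SAMPLE_LOG)))
```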

2.3 Sniffers

Anecdote
In the early 1990s, before HTTP/HTML, the primary front-end for the Internet was text-based, with things like Telnet, FTP, and so on.

During this time I created a Telnet/rlogin session monitor that would watch sessions on the wire and dump the contents to the appropriate terminal emulator. This allowed me to list all current sessions, then view a snapshot of the same thing the user was seeing on their screen. During development, I was essentially forced to watch another engineer nearby who Telnetted daily out of the company to another computer to read Usenet B&D groups. Again, the biggest pr0n problem is the embarrassment it causes those of us who find out about it.

Network managers (not just security managers) will frequently put "sniffers" (wiretaps) on the network in order to see what is going on. The main purpose of these devices is to solve problems (like why two devices can't talk, or why the network is slow).

There are many kinds of sniffing programs.

RMON
These are remote probes placed around the network. They log all TCP/IP connections (RMONv2) and send that information to a centralized console.
DSS (Distributed Sniffer System) from NAI
Much the same as RMONv2, these will monitor not only connections but will also pull URLs off the wire and send them to a centralized console.
IDS
Like from Network ICE, ISS, Axent, or NAI. These programs constantly sniff the wire looking for intrusions, then report them to a centralized console. They don't necessarily monitor all connections, but they will report suspicious ones up to a centralized console.

See http://www.robertgraham.com/pubs/sniffing-faq.html for more information on packet sniffers.

2.4 DNS cache

Most companies set up their own DNS servers to resolve names into addresses (i.e. "www.microsoft.com" might resolve to "192.0.2.128"). In order to improve performance, these servers "cache" requests.

For example, when you load the URL "http://www.robertgraham.com", you first ask your local DNS server for the corresponding IP address. The DNS server "resolves" that address for you by sending a query across the Internet to my DNS server. The second time you ask for this address (or when somebody else in your same company asks for it), the DNS server has remembered it and responds immediately, without sending a second request across the Internet to my server.

An administrator of a DNS server will occasionally come across this cache when administering the server. They won't know exactly who surfed "www.robertgraham.com", but they will know somebody in the organization has.

For example, the DNS server that I use for my website and my outgoing traffic will show the following hierarchy:

In the first section, you can tell that my DNS server will respond to queries from the Internet for "www.robertgraham.com" and "ftp.robertgraham.com". In the second section, you can tell that I've recently visited the sites: www.microsoft.com, support.microsoft.com, www.yahoo.com, my.yahoo.com.

2.5 Browser histories and cookies

Anecdote
One time I was reviewing the cookie list with a co-worker on her machine, and one of them was from an obvious porn site. I am pretty sure this was because of me -- I work in security, and sometimes surf hacker sites to research information. In the past (though less so now), hackers put lots of porn advertising banners on their sites in order to earn money. While re-installing software on my machine, I may have used her machine for research -- and may have visited a hacker site that pulled a banner from a porn site that put a cookie on her machine. (This was in an environment where we regularly use each other's machines).

One simple way employees reveal their surfing habits to other employees is the "smart completion" feature of newer browsers. The URL line at the top of the browser contains a drop-down list box of recently visited sites, and will "auto-complete" for you. As a user selects a URL or types one partially in, a past URL of a porn site will inadvertently appear. People standing over their shoulder will accidentally see this.

Most browsers keep a list of all the URLs that a user has browsed. A few clicks of the button will open this list. Again, a user can easily accidentally open this list by clicking on the wrong location, again exposing the list to people standing nearby.

Similarly, sites will drop cookies on your machine. If you open your cookie list you will probably see hundreds of cookies left on your machine. Mostly, these sites are attempting to track you. They place icons on other pages, and match the HTTP "Referer" field with the cookie. They don't necessarily know who you are, but they do know where you've been. Porn sites are very big into various browser tricks, such as using JavaScript to open an infinite number of pages or using cookies to track you online. It is very easy to accidentally acquire some porn cookies on your machine, as I describe in the anecdote for this section.

2.6 Browser cache

Anecdote
One day, I come into work, sit down at my machine and use it as normal. However, I find some weird programs in the Windows "Start" menu. One was called "Live View", and the other called "Sex Chat".

Alarm bells start ringing in my head, of course. I start all sorts of complicated plans to catch the culprit, but unfortunately it was much easier than that.

The first thing I did was "dir /s /b *.jpg" in my browser cache directory. Sure enough, I saw lots and lots of files with names like "busty.jpg". Furthermore, the timestamps of the files were always for about 5-10 minutes around 4:15 am and 5:00 am, going back a couple of weeks. I deduced that this must be the security guard. On his rounds, he drops by my office and surfs porn.

Among the many stupid things he did was to write down 900 numbers onto a pad of Post-It notes, which leaves an indentation in the underlying notes. This gave me a sample of his handwriting. I went and found the current security guard on duty (this was a weekend) and matched the handwriting with the previous security guard's report. This nightly report also showed the schedule for the security guard's rounds.

I communicated the incident to the facilities admin and got the guy fired. I felt so violated (I am a geek after all): the guard betrayed the company's trust, he may have been reading proprietary info off my machine, and there is no telling what kind of viruses or trojans he could have accidentally downloaded. Personally, I feel that being a guard is a lonely job, and that the company should just provide him a machine for his desk :-) so that he won't feel impelled to borrow other machines.

In much the same way that proxies (see above) cache files on the hard disk, web browsers will also save files. This means that every time a user visits the same web page, the web browser doesn't need to go across the Internet and download the same file again, dramatically speeding up web access.

The primary admin who comes across these caches is the desktop technician. They frequently make house calls to desktop machines, or work with the machines inside their labs. Automated backups sometimes pull down these directories accidentally, meaning the backup tapes are filled with porn.

Even when the user takes pains to bypass monitoring software, encrypt their connections over SSL, or go through an anonymous browsing service, the files will still get saved to disk. If the user can view it, then it is more than likely the system has saved it to disk somewhere.
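The timestamp check from the anecdote above (a recursive listing of the cache's .jpg files, then noticing that they cluster at 4:15-5:00 am), written out as an added example that is not part of the FAQ. The cache tree and its modification times are constructed with os.utime so the script runs offline; the business-hours window of 8:00-18:00 is an assumption.

```python
"""Cluster a browser cache's image files by hour of last modification, the
check section 2.6 did by hand with 'dir /s /b *.jpg'. Added example, not
part of the FAQ; the cache tree and timestamps are constructed below."""
import fnmatch
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta

def build_sample_cache(root):
    """Create a constructed cache tree: daytime hits by the desk's owner
    plus a cluster of early-morning hits repeated over ten nights."""
    base = datetime(1999, 6, 7, 0, 0)           # constructed reference week
    stamps = []
    for day in range(5):
        stamps += [base + timedelta(days=day, hours=9, minutes=30),
                   base + timedelta(days=day, hours=14, minutes=5)]
    for day in range(10):
        for minute in (15, 22, 40):             # the 4:15 - 5:00 am pattern
            stamps.append(base + timedelta(days=day, hours=4, minutes=minute))
    for i, ts in enumerate(stamps):
        sub = os.path.join(root, "Cache", f"dir{i % 4}")
        os.makedirs(sub, exist_ok=True)
        path = os.path.join(sub, f"img{i:03d}.jpg")
        open(path, "a").close()
        os.utime(path, (ts.timestamp(), ts.timestamp()))
    return len(stamps)

def hour_histogram(root, pattern="*.jpg"):
    """Walk `root` (like 'dir /s /b') and count matching files per hour
    of day, by modification time in local time."""
    hist = Counter()
    for dirpath, _, files in os.walk(root):
        for name in fnmatch.filter(files, pattern):
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            hist[datetime.fromtimestamp(mtime).hour] += 1
    return hist

def off_hours_share(hist, start=8, end=18):
    """Fraction of files written outside [start, end); a high share
    points at someone other than the desk's owner using the machine."""
    total = sum(hist.values())
    if not total:
        return 0.0
    outside = sum(n for h, n in hist.items() if not start <= h < end)
    return outside / total

def analyse_sample():
    """Build the constructed cache in a temp dir and analyse it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_cache(root)
        hist = hour_histogram(root)
        return hist, off_hours_share(hist)

if __name__ == "__main__":
    hist, share = analyse_sample()
    for hour in sorted(hist):
        print(f"{hour:02d}:00  {'#' * hist[hour]}")
    print(f"outside business hours: {share:.0%}")
```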

Even deleting the cache doesn't always get rid of the files. There are many ways to recover lost files, depending upon how much effort you are willing to go to. The first step would be built-in undelete programs. The next would be disk scanners (which disregard directory entries and pull data directly from the disk). Those two methods rely upon the fact that the files have been forgotten about, but not overwritten. However, a third method can sometimes recover overwritten files. Even when things are overwritten, magnetic traces of the original data are left behind. This is why spies and the DoD recommend overwriting free space at least 7 times in order to completely erase old data. Such "wipe" features come as part of many encryption packages.

X. Miscellaneous

X.1 Anecdotes

If you have any anecdotes, I'd love to hear about them. Please send me e-mail. I'll stick them in this section.

From http://www.nfr.net/firewall-wizards/mail-archive/1999/Jun/0237.html

Hey folks. First of all, obligatory thanks to all of you; reading your
discussions have helped me at my job tremendously, in providing a fairly
vendor independent perspective on realistic security implementations. so
thanks, y'all.

I'd like to add that I feel it takes both types of involvement, for a
company to really implement a viable safeguard against liability for
illegal/inappropriate access. At my organization, we had a rather
unfortunate case of idiocy, which, although it didn't do much damage
prompted us to invoke some limitations on web traffic. We used a combination
of router based and independent software solutions to restrict access to a
list of categories of URLs, and track and log all access.  Using this,
along with periodic human log reading, we are able to decide if we need to
reiterate the company's web browsing policy (which we TRY to ensure
employees are aware of when they are hired, although who's to say what they
ACTUALLY read in this day of quick signatures). The policy has been used to
discipline several employees, and we saw a growing degree of awareness of
the policy, as warnings have been issued about excessive non-work related
browsing.

We are, however, a smaller organization so this is feasible. I do not think
the work scales well, as the larger the organization the more segments to
monitor, the more access points you'll have, and the more general network
chatter you're going to have. All in all, I'd say it's a waste of time,
actually, but The People Who Decide Things wanted it, and I actually enjoyed
setting it up in a sick sort of Control Freak way.  

Anyways, that is all. Just thought I'd share; ultimately, the technology is
only going to aid you in enforcing a strong policy, and that takes not only
the will to enforce a policy, and the technology to make it tricky enough to
break that the attempt alone, which is logged, constitutes a clear desire to
break it and not an accident.

--
Henry Sieff
Network Drone
Orthodontic Centers of America

X.2 Links

I originally created this document during a discussion on the firewall mailing list.
http://www.nfr.net/firewall-wizards/mail-archive/1999/Jun/0224.html
How Singapore blocks porn on a nationwide basis as part of censorship efforts. One interesting point is that the efforts are popular. Another is that the goal of the government is not to block porn, but to make its access difficult.
http://www.nfr.net/firewall-wizards/mail-archive/1999/Jun/0186.html
Response to the question "How can I block inappropriate content?"
[fin]