ThreatSTOP Blog

Use of VPN and Tor Traffic Allows Corporate Security Bypassing

Written by Jeremiah Jackson | May 8, 2017


We’ve all been bored at work, that’s a given. We don’t have a need to go crashing through the brush looking for our next meal and that leaves our brains with a bunch of extra cycles to spend on life in the modern world. That means our personal lives, our jobs, and what to have for lunch.

Part of that reality -- the job part -- can be tedious: boring, flat-out exhausting from the sheer ennui of it all. So we reach out into our personal lives to find fulfillment and funny pictures of cats. Services like Facebook, IRC, Tumblr, or even Diaspora, to name a few, help relieve our grind. What happens if our corporate policy holds this to be a violation of corporate security, though? We need to find a way around, right?

Dtex Systems revealed in a recent report that approximately 95% of enterprises found employees looking for ways to bypass corporate security. This meshes with the fact that roughly 43-60% of security breaches come from company insiders. According to the Ponemon Institute, breaches cost an average of $158 per record, with the average data breach costing $4 million in 2016.

Enter the hydra of the security world: VPN and Tor. VPNs, or Virtual Private Networks, do have legitimate uses in the corporate world. They allow us to remotely connect to sensitive services inside our corporate networks, access the files we need, and perform our jobs. From inside a secured network, they create tunnels out of the network into the World Wide Web (the clearnet). The Onion Router (Tor) serves a similar purpose. First built by the US Navy with the intent of allowing secured communications between political dissidents living under oppressive regimes, Tor saw huge success in helping to create the Arab Spring of 2010. Over time, Tor has shifted from this purpose into enhancing communications between less savory parts of society.

Both types of service, used separately or combined, are a nightmare for corporate security policies. VPN connections appear to a network server as a collection of encrypted traffic going to a particular server. What's contained in that encrypted traffic could be anything: cat pictures, or your entire secured database of customer information. Conversely, Tor isn't intended to hide what you're looking at; it hides your physical location. This means that Tor traffic isn't encrypted by default outside of the network. Instead, it provides a single point of contact into the encrypted Tor network, which then bounces your traffic around to obfuscate your physical location. It is possible to reach the clearnet through Tor or to reach sites inside the Tor network. Using both in combination can allow a user (malicious or benevolent) to reach into the Internet without revealing where they are or what they're looking at.

From a security administrator's point of view, these services are a nightmare to manage. Traffic through a VPN can look completely legitimate, and Tor can prevent admins from locating where connections are actually coming from. ThreatSTOP's IP and DNS Firewalls allow our customers to prevent communications to and from VPNs and Tor. The following list shows a sample of the targets that we provide:

IP Firewall:
  • Anonymous Networks
  • DNS tunnel IPs
  • TOR Exit nodes
  • Anonymous Proxies
  • I2P Protocol Seeds

DNS Firewall:
  • DNS Tunnel domains infrastructure
  • DNS tunnel IPs
  • Anonymization Services
  • Anonymous Networks
  • I2P Protocol Seeds
  • TOR Exit nodes
  • Anonymous Proxies

Using these targets will block communication with VPN, TOR, and I2P services.
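As an added illustration (not ThreatSTOP's code or feed data), the Python sketch below shows how target lists of the two kinds above are applied: an IP Firewall matches destination addresses against host and CIDR entries, while a DNS Firewall matches query names (and their subdomains) against listed domains. The block lists, log lines, and the "FLOW"/"DNS" log format are all constructed for the example.

```python
import ipaddress

# Constructed sample block lists standing in for the firewall targets listed
# above; every address and domain is made up and is not ThreatSTOP feed data.
IP_TARGETS = {
    "TOR Exit nodes": {"198.51.100.7", "203.0.113.45"},
    "Anonymous Proxies": {"192.0.2.0/28"},
}
DNS_TARGETS = {
    "Anonymization Services": {"vpn-example.invalid"},
    "DNS Tunnel domains infrastructure": {"tun-example.invalid"},
}

def classify_flow(dst_ip):
    """Return the IP Firewall target a destination address falls in, or None."""
    ip = ipaddress.ip_address(dst_ip)
    for target, entries in IP_TARGETS.items():
        # Single hosts and CIDR blocks both parse as networks.
        if any(ip in ipaddress.ip_network(e, strict=False) for e in entries):
            return target
    return None

def classify_query(qname):
    """Return the DNS Firewall target a query name hits (case-insensitive,
    trailing dot ignored, subdomains included), or None."""
    name = qname.rstrip(".").lower()
    for target, entries in DNS_TARGETS.items():
        if any(name == d or name.endswith("." + d) for d in entries):
            return target
    return None

def scan_logs(lines):
    """Return (kind, value, target) for each 'FLOW <src> <dst_ip>' or
    'DNS <client> <qname>' line that hits a target."""
    hits = []
    for line in lines:
        kind, _src, value = line.split()
        target = classify_flow(value) if kind == "FLOW" else classify_query(value)
        if target is not None:
            hits.append((kind, value, target))
    return hits

# Constructed log excerpt: two benign lines and three that hit targets.
SAMPLE_LOGS = [
    "FLOW 10.0.0.5 93.184.216.34",
    "FLOW 10.0.0.5 203.0.113.45",
    "FLOW 10.0.0.9 192.0.2.3",
    "DNS 10.0.0.5 www.example.com.",
    "DNS 10.0.0.7 gw.VPN-Example.invalid.",
]
```

Running `scan_logs(SAMPLE_LOGS)` flags the Tor exit node, the proxy range hit, and the VPN domain lookup while leaving the two benign lines alone.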