Enforcing Corporate Web Policies

Last week I blogged (at the URL below) about an upcoming tool, Psiphon, that will undoubtedly give some administrators a difficult challenge. The reason is that your users could employ Psiphon to bypass your content or URL filters.


According to information posted on the Web (at the URL below), "Psiphon is a user-friendly stand-alone proxy application designed to securely circumvent Internet censorship.... Unlike other circumvention technologies, Psiphon relies on multiple social networks of trust, rather than mass publication of IPs or proxies, which can be easily intercepted and filtered by a determined state."


Psiphon is a script written in the popular Python language. It works in a similar fashion to a traditional proxy server--that is, a remote Psiphon server intercepts and processes URL requests, then returns the data to the requesting client. The traffic is encrypted between the Psiphon client and server. The idea is to have a trusted friend or associate, or possibly one of your own computers, run the Psiphon server at the remote location. Psiphon servers require a username and password from the client, so access to them can be controlled.

Another popular tool in a similar vein is The Onion Router (Tor, at the URL below), based on the SOCKS protocol. Tor is a bit different from Psiphon in that anonymous people run Tor servers. Effectively, Tor acts as an anonymous network of proxy servers, and your traffic might pass through any number of them (but at least three), depending on how you configure the client. TOR directory servers keep track of the addresses of Tor proxy servers and automatically deliver those addresses to Tor clients.


One major attraction of Tor is that it offers relative anonymity. Anyone can run a Tor client or server without having to reveal anything to the outside world except an IP address, and that address is only made known to the first TOR server your traffic passes through. Furthermore, all traffic on the TOR network is encrypted, which helps protect against snooping.

There are of course a number of other proxy services that could be used to circumvent your corporate policies. Here I point out Psiphon and Tor because Psiphon is new and although Tor has been around for quite some time, both are gaining more attention as the days go by.

Preventing the use of outside proxy services can be tedious. You could of course limit the ability to install unauthorized software such as Python, Psiphon, and Tor, or regularly audit systems to look for unauthorized software, or both. Another tactic could be to filter connections to proxies. However, it would be difficult to filter all the many third-party proxies that operate over port 80, particularly because you must discover them before you can filter them and because you probably can't block at your network borders.

The overall problem is compounded if you use Web browsers, mail clients, and other Internet-related tools that don't offer much control over their configuration. If you can restrict the client configuration of proxy and SOCKS settings, you can better control policy enforcement; if you can't restrict configuration due to software limitations, savvy users will go the end around if they want to.

I think one of the best deterrents is to have written acceptable-use policies that include clearly defined grounds for termination of employment. If people value their jobs, they'll probably follow the rules.

I'm curious about how you deal with this problem of policy circumvention on your network, if at all. If you can share details, send me an email. If I receive enough responses, I'll summarize them in a future edition of this newsletter.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.