Ever since The Onion Router (Tor) anonymity service started being used in the mainstream around five years ago, enterprise admins have been wondering whether it represents a risk worthy of blocking and, if it does, how this can be achieved.
UK case studies examining the risk are pretty much non-existent, and the only sector offering much anecdotal evidence is universities, where Tor has, predictably, gained a following of sorts. It's not hard to understand that Tor has plenty of perfectly legitimate uses (it is not our intention to stigmatise its use), but it also has plenty of troubling ones, such as connecting to criminal sites on the 'darknet', acting as a channel for malware and providing a way of bypassing network security. The anxiety for organisations is that it is impossible to tell which is which.
Tor is not the only anonymity network designed with ultra-security in mind, The Invisible Internet Project (I2P) being another example. On top of this, VPNs and proxies also create similar risks although these are much easier to spot and block.
Tor can live inside networks either as a browser that bundles the services into an easy-to-use piece of software or, potentially more seriously, as a server node or network bridge that becomes part of its network. Although network users can set up one or both of these, it's important to grasp that neither is good news for an organisation, for a variety of reasons. A related issue is websites that don't want Tor users connecting anonymously to whatever service they are offering, although this is a specialised problem.
Risks of Tor in the enterprise
Risk 1 - the 'darknet'
The darknet is more than hyperbole. A Kaspersky Lab estimate from early 2014 put the number of criminal services using it at almost 1,000, almost certainly a sizable under-estimate. Whatever the figure, it will have increased several-fold by now. The darknet would exist without Tor, of course, which is simply a way of reaching it without revealing the client's IP address or browsing history.
Risk 2 - malware, botnets, DDoS
On top of this, criminals have also started using Tor as a communications channel for malware command and control (C&C), which means that its presence can indicate infection and compromise. For most organisations this will probably be the biggest worry of all. Although Tor C&C is slower, it is a tempting place for malware to hide its communications. The bandwidth of some of the exit nodes has also resulted in Tor being hijacked for DDoS attacks.
Risk 3 - blacklisting
Assuming that an organisation sets out to control Tor use, blocking it involves two elements: incoming traffic, where someone has established a Tor node inside the network, and outgoing traffic, where a client PC is connecting to a Tor entry node. Most admins will focus on the latter, reasoning that it is the more likely problem, but it is important to remember that setting up a Tor node inside a network isn't that hard to do. This is a major potential headache because it runs the risk of an organisation's IP address being added to an Internet block list.
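How a check for both elements might look in practice, as an added example that is not from the article: a short Python script that runs over constructed firewall log lines and flags outbound connections from internal hosts to addresses on a Tor relay list, and inbound connections to an internal host on Tor's default relay ports (9001 for the ORPort, 9030 for the DirPort), which is the signature of a node being hosted inside the network. The log format, the relay addresses (TEST-NET ranges) and the internal address ranges are all assumptions made for the example; a real deployment would refresh the relay set from the Tor Project's published relay lists, and would still miss bridges configured on non-standard ports, which are deliberately not published.

```python
"""Flag possible Tor use in firewall logs: outbound client connections to
known relays, and inbound connections to a relay hosted inside the network.
Added example: the log format, relay list and addresses are all constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical firewall log format, constructed for this example:
#   <timestamp> <ALLOW|DENY> <TCP|UDP> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Tor's default relay ports: 9001 (ORPort) and 9030 (DirPort).
TOR_RELAY_PORTS = {9001, 9030}

# Constructed stand-in for a feed of known Tor relay addresses (TEST-NET ranges).
# In production this set would be refreshed from the Tor Project's relay lists.
KNOWN_TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Assumed internal address space for the organisation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    kind: str   # "tor_client" (outgoing) or "tor_relay_hosted" (incoming)
    host: str   # the internal host involved
    peer: str   # the external address it talked to
    line: str   # the log line that triggered the finding


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, relays=KNOWN_TOR_RELAYS):
    """Walk the log once and return a Finding for every suspicious connection."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
        # 1. Outgoing: an internal client reaching a known relay (an entry node).
        #    Denied attempts are reported too, since the attempt itself is the signal.
        if is_internal(src) and not is_internal(dst) and dst in relays:
            findings.append(Finding("tor_client", src, dst, line.strip()))
        # 2. Incoming: an external peer accepted by an internal host on a Tor
        #    relay port, which suggests a relay or bridge is running inside.
        elif (not is_internal(src) and is_internal(dst)
              and dport in TOR_RELAY_PORTS and rec["action"] == "ALLOW"):
            findings.append(Finding("tor_relay_hosted", dst, src, line.strip()))
    return findings


def summarise(findings):
    """Collapse findings to {internal host: set of finding kinds} for triage."""
    summary = {}
    for f in findings:
        summary.setdefault(f.host, set()).add(f.kind)
    return summary


# Constructed sample log: two client-to-relay connections (one blocked), one
# internal host accepting relay-port traffic twice, a denied inbound probe,
# ordinary web traffic and a malformed line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z ALLOW TCP src=10.0.1.5:51234 dst=203.0.113.10:443",
    "2024-05-01T10:00:02Z ALLOW TCP src=10.0.1.5:51235 dst=192.0.2.44:443",
    "2024-05-01T10:00:03Z DENY TCP src=10.0.2.9:40001 dst=198.51.100.7:9001",
    "2024-05-01T10:00:04Z ALLOW TCP src=198.51.100.50:33000 dst=10.0.3.20:9001",
    "2024-05-01T10:00:05Z ALLOW TCP src=198.51.100.51:33001 dst=10.0.3.20:9030",
    "2024-05-01T10:00:06Z DENY TCP src=198.51.100.52:33002 dst=10.0.3.21:9001",
    "malformed line",
]

if __name__ == "__main__":
    for host, kinds in summarise(analyse(SAMPLE_LOG)).items():
        print(f"{host}: {', '.join(sorted(kinds))}")
```

The two branches map directly onto the two elements above: the first catches the client PC reaching an entry node and the second catches a node someone has stood up inside the network. Matching on a relay list alone will not catch bridges, so the port-based check on inbound traffic is the part that addresses the blacklisting risk rather than the outbound one.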