
Risks of Tor use inside a network - how to block Tor in business network

John E Dunn | Feb. 8, 2016
Tor's use inside a business network represents a big risk, but detecting and blocking it is not straightforward.

How to block Tor in your business

Blocking by port: As mentioned below, Tor is partial to common ports such as 443. But this offers little solace: that port is used by HTTPS, so it cannot be blocked outright without bringing the network's web access to a halt, and Tor traffic on it will simply look like everything else.

Blocking at the endpoint: Thinking laterally, it should be possible to stop users from installing the Tor software in the first place through application whitelisting or privilege management. However, the Tor Browser Bundle needs no installation and can be run straight from a USB stick, which means it can in some cases bypass such controls. Privilege management alone does not stop a portable executable; whitelisting does only if it is enforced by publisher or hash on every location, removable media included.

Blocking - from IP ranges to DPI: From the network side, the first task is to identify Tor use on the LAN side in order to gauge the scale of the problem, which is not as easy as it sounds. Because Tor wraps its connections in TLS (the successor to SSL), the traffic is not easy to spot and its content cannot be inspected. If a Tor node is set up inside the network, it can in principle act as a bridge to the first Tor entry node, so by the time the traffic reaches the firewall it is doubly difficult to see: the internal node, not the user's machine, is the one talking to the outside.

A common technique for spotting Tor is to correlate SIEM logs with the publicly known list of IP addresses used as entry (guard) nodes. This is where most admins start, but the list is long and changes constantly, and it will not cover the unlisted bridge relays that exist precisely so that Tor can be reached where its public relays are blocked. Some of the servers acting as Tor entry nodes are also used for legitimate purposes, so blocking on IP alone risks blocking innocent traffic and generating false positives.

Another manual technique is to use the Deep Packet Inspection (DPI) interface on the firewall to look for the unusual certificates Tor nodes present (historically self-generated certificates with random-looking hostnames), although this assumes you know which ports are being used. Tor's defaults are 9001 (the relay port) and 9030 (the directory port), and relays commonly listen on 443 and 80 as well, but a relay can use almost any port, so this is at best a starting point.
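The two network-side checks just described, correlating outbound connections against a published relay list and looking at TLS certificate names, can be combined into one triage script so that a single IP-list hit is not reported on its own. The script below is an added example for this page, not code from the article or from the Tor Project. The relay addresses, hostnames and log lines are constructed (TEST-NET ranges, not real relays); the certificate-name regex is a heuristic assumption about the random www.<name>.com / www.<name>.net names Tor links have historically used, and the log format is an assumed seven-field export (timestamp, source, destination, port, SNI, certificate subject, certificate issuer) rather than any particular SIEM's schema.

```python
"""Tor-use triage over constructed firewall/TLS log lines.

Added example, not from the Computerworld UK article. It combines two checks
the article describes: (1) correlating outbound connections against a list of
known Tor relay addresses and (2) inspecting TLS certificate metadata for the
random-looking names Tor relays have historically presented. Every address,
hostname and log line below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed stand-in for a published relay list. A real list changes
# constantly and must be refreshed from the source, never hard-coded.
KNOWN_TOR_RELAYS = {
    "198.51.100.10",
    "198.51.100.11",
    "203.0.113.7",
}

# Default relay (9001) and directory (9030) ports. Relays may use any port,
# so a port match on its own is weak evidence.
TOR_DEFAULT_PORTS = {9001, 9030}

# Heuristic (assumption) for the self-generated certificate names Tor links
# have used: www.<random>.com issued by www.<random>.net. Treat as a starting
# point; other software can produce similar names and Tor may change this.
RANDOM_CERT_NAME = re.compile(r"^www\.[a-z0-9]{8,20}\.(com|net)$")

# Constructed log lines: "ts src dst dport sni subject issuer", with "-"
# marking a missing field (no TLS metadata captured, or no SNI sent).
SAMPLE_LOG = """\
1454904000 10.0.0.5 198.51.100.10 443 - www.k8s2hd9j3nfx.com www.p2w9a8d7s6.net
1454904003 10.0.0.5 93.184.216.34 443 example.com example.com DigiCert
1454904010 10.0.0.9 192.0.2.44 9001 - www.aq8e7zx92mb1.com www.4nv8cfgh2k.net
1454904020 10.0.0.12 93.184.216.34 443 example.com example.com DigiCert
1454904030 10.0.0.5 203.0.113.7 443 - www.zz93jd7h1aq0.com www.8dh3ks9aq2.net
"""


def parse_line(line):
    """Parse one whitespace-separated record into a dict."""
    ts, src, dst, dport, sni, subject, issuer = line.split()
    return {
        "ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
        "sni": None if sni == "-" else sni,
        "subject": None if subject == "-" else subject,
        "issuer": None if issuer == "-" else issuer,
    }


def score_record(rec, relays=KNOWN_TOR_RELAYS):
    """Return (score, reasons) for one record; each independent signal adds 1."""
    reasons = []
    if rec["dst"] in relays:
        reasons.append("dst in known relay list")
    if rec["dport"] in TOR_DEFAULT_PORTS:
        reasons.append("default Tor port")
    subj, iss = rec["subject"], rec["issuer"]
    if subj and iss and RANDOM_CERT_NAME.match(subj) and RANDOM_CERT_NAME.match(iss):
        reasons.append("random-looking certificate names")
    if rec["sni"] is None and subj and RANDOM_CERT_NAME.match(subj):
        reasons.append("no SNI with random certificate name")
    return len(reasons), reasons


def triage(log_text, relays=KNOWN_TOR_RELAYS, threshold=2):
    """Group records that reach the threshold by internal source host.

    Requiring two signals is deliberate: a relay address alone scores 1 and
    is not reported, because relay hosts may also serve legitimate traffic
    (the false-positive case the article warns about).
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        score, reasons = score_record(rec, relays)
        if score >= threshold:
            hits[rec["src"]].append({"dst": rec["dst"], "dport": rec["dport"],
                                     "score": score, "reasons": reasons})
    return dict(hits)


if __name__ == "__main__":
    for src, items in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src}: {len(items)} suspicious connection(s)")
        for item in items:
            print(f"  -> {item['dst']}:{item['dport']}  {', '.join(item['reasons'])}")
```

Run against the constructed log, only 10.0.0.5 and 10.0.0.9 are reported; the two example.com connections score zero, and a host that merely reached a listed relay over 443 with an ordinary certificate would score one and stay below the threshold. The threshold and the regex are the two knobs to tune against a site's own traffic before anything is blocked on the strength of them.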

Coincidentally, it was the use of DPI that in 2012 made Tor blockable in countries such as Iran and Ethiopia for a period of weeks.

Risks of Tor and the enterprise 2016 - conclusion

Detecting Tor is not going to be easy, although IP address filtering should reduce the risk. None of these approaches is fool-proof, or easy and quick to manage on an ongoing basis. For that reason, many firms will fall back on generalised detection policies backed up by tough penalties for running non-approved applications. Technology will only get you so far.

Source: Computerworld UK 

