FAQ: Firewall Admins Guide to Porn

One of the more common problem security administrators will face is pornagraphy. It is a popular Internet application, and even when restrictions are put into place, users find ways of getting around them. At the same time, users tend to be clueless as to the knowledge firewall admins have of their surfing habits. Every administrator of a large company that I know of has had to confront this issue, but not much is discussed about the topic in the literature.

This document is intended as a guide for firewall admins in this area.

PS: You may have trouble accessing this document due to content blocking filters that trigger on words like "porn" :-)

0. Information about this FAQ

Copyright 1998-2001 by Robert Graham (firewall-pr0n@robertgraham.com. All rights reserved. You may use this document for any purpose (including commercial) as long as you give proper attribution and link back to the URL: http://www.robertgraham.com/pubs/firewall-pr0n.html.

Version 1.1, November 11, 2001

1. General Guide (non technical)

1.1 What the end user should know

Anecdote

At one time I worked for Network General on the Sniffer(tm) Network Analyzer. A new utility under developement would sniff the URLs off the wire, put them into a database, and ship them up to the "SniffMaster" console.

We naturally test on our own network, and were immediately confronted with URLs that were obviously porn sites, being surfed during work hours. Many of these users were also higher level employees (managers and above). While the company had no policy per se against it, it obviously wasn't good. It also made the engineers nervous, because they didn't want to know such things.

The CTO at the time sent out a pretty good e-mail on the subject. Basically, he clarified that Network General had the highest concentration of network monitoring equipment in the world, simply for developement purposes. Therefore, if somebody had surfing habits they didn't want other to know about, then they shouldn't surf at work.

Personally, I thought it would be a good intelligence test -- if they surfed porn sites at Network General, then they obviously weren't too intelligent.

The first problem firewall admins face is educating clueless end-users as to the scope of their powers. Users tend to think the Internet is unmonitored, or that monitoring their activity would be illegal or immoral (it is legal in most countries, and necessary to keep the network running). Also, they never hear of other people getting caught -- so they think they will not get caught. They need to understand that their Internet use is monitored, and that even if they don't get "caught" (i.e. fired, etc.), they will be found out. Many firewall admins simply don't have the time nor inclination to pursue the matter. They will know, but they won't tell anybody.

The first step in communicating this issue to end-users is to explain to them that all traffic incoming/outgoing traffic is monitored for security purposes. There exists a "firewall" through which all traffic passes, which attempts to restrict hacker attempts. These "firewalls" log all connections, and the administrators frequently review those logs in order catch those hacking attempts. If users surf porn sites, the firewall admin will also accidentally see that as well. The company may not be looking for such things, but they will accidently find them.

The consequence is: if you are surfing porn at work, somebody knows. Just because they haven't talked to you about it doesn't mean they don't know. They probably are just to uncomfortable to tell you about it.

1.2 What managers should know

Tidbit

It is often the managers, all the way up to the CEO, who are the worst offenders. They feel that since they are at such high levels, they don't have to play by the rules (and don't work in cubes :-). This makes administrators afraid of getting fired when these higher-ups find out what they known.

Porn surfing isn't necessarily a problem. Sure, it wastes a bit of time, but surfing news, sports, weather, etc. also waste time. Porn shouldn't be disallowed for this reason (though you may have other policies against wasting corporate time).

Many companies strive to achieve ignorance of porn-surfing. In other words, they are officially happier not knowing about user's surfing habits. This sounds strange, but here is how it works: If you monitor content, then you become liable for content. In this area, ignorance generally is a good excuse. The best example of this are Yahoo message boards on stock information. Yahoo intentionally does not monitor content on these boards. End-users have posted slander and knowingly false rumours in attempts to manipulate stock prices. By not monitoring such things, Yahoo is blameless in much the same manner that the phone companies and ISPs are blameless in sending that traffic over the wire. Legally, Yahoo just transfers information among users.

AOL experienced this many years back. They got sued over some content, because they partially monitored the content. They were therefore found responsible for the content. AOL's response was to cease monitoring most of its message boards, and only monitored specific message boards (for kids).

1.3 What firewall admins should know

Anecdote

A major financial institution has no official policy for/against porn, and officially does not monitor employee net usage (for much those reasons mentioned above).

However, technicians are constantly seeing evidence of porn. This makes them very uncomfortable, because it is often high-level VPs doing the surfing. This makes them scared for their jobs, and they put informal processes in place in order to delete the information or not collect it. Therefore, when they evaluate new network management products, they prefer products that do not have porn-sniffing features, or ones where such features can be easily disabled.

Firewall admins see porn surfing all the time, whether or not companies have regulations against it. The first question they have is "I've found porn, what should I do now?".

Most are reluctent to do anything. This is an HR (Human Resources) job, not theirs. In particular, reporting such information doesn't help their job, but can put them into great jeopardy. For example, if they find a VP surfing porn sites against company regulations, they have a better chance of losing their jobs than the VP.

Monitoring people is a sensitive issue, even when done accidentally. Even though the network, the computer, and even people's time is technically "owned" by the company, the employees rarely see it this way. If someone gets fired for porn, it will generate a lot of ill will -- especially toward the people who discovered it.

1.4 A good solution

The best solution I've heard of is the following: Log access to all sites, then publish the log in a web page. The log should include who is accessing what web pages.

This solution has a number of benefits.

Instead of using technology to fight a social problem, it uses a social solution to fight the problem.
The company as a whole doesn't need to have a policy against porn -- employees will decide for themselves what is appropriate.
It is self regulating. The employee knows that everyone else will know what they are doing, and will decide accordingly. Even simple time wasting on the Internet will be reduced.
Solves most of the social/legal problems of "spying". The firewall/security/network admins themselves aren't officially looking at the logs -- just everyone else in the company is.

The biggest problem with this is false positives. For example, there was a security article on Playboy.com that I went to because it popped up in an AltaVista search result. Some pr0n spam messages contain hyperlinks to images on the net, which will show up. However, it is easy to tell the difference between an "accident" that shows up once or twice compared to an on-going clear abuse.

2. How they will be caught

Firewall admins, IDS admins, network managers, and desktop managers are constantly seeing evidence of porn.

2.1 Packet Filter logs

A popular type of firewall is the "packet filter". Most routers nowadays support packet filtering and logging.

This traps porn in two ways. The first is simply that all connections are logged, telling the firewall admin who in the company was surfing which site. Secondly, many companies block well-known porn sites. Denied connections are placed in a separate log that admins are more likely to see. (Firewall admins typically don't have time to review the first log, but often glance over the second log).

2.2 Proxy logs

Proxies are a different type of firewalls. They essentially stop all Internet traffic at the box, then re-generate the original requests. As far as the Internet sees, all the requests come from the proxy, not from the end-user.

Not only does this boost security, it also increases performance. If multiple users want the access the same file on the Internet, the proxy only needs to get it once -- then "caches" it on its hard disk for each subsequent access by other users.

Like firewalls, procies log all sites that users visit. Administrators reviewing such data for fault/performance reasons will often come across pr0n traces.

2.3 Sniffers

Anecdote

In the early 1990s before HTTP/HTML, the primary front-end for Internet was text-based with things like Telnet, FTP, and so on.

During this time I created a Telnet/rlogin session monitor that would watch sessions on the wire and dump the contents to the appropriate terminal emulator. This allowed me list all current sessions, then view a snapshot of the same thing the user was seeing on their screen. During developement, I was essentially forced to watch another engineer nearby who Telnetted daily out of the company to another computer to read Usenet B&D groups. Again, the biggest pr0n problem is the embarrassment it causes us who find out about it.

Network managers (not just security managers) will frequently put "sniffers" (wiretaps) on the network in order to see what is going on. The main purpose of these devices is to solve problems (like why two devices can't talk, or why the network is slow).

There are many kinds of sniffing programs.

RMON: These are remote probes placed around the network. They log all TCP/IP connections (RMONv2) and send that information to a centralized console. Popular in Cisco environments.
DSS (Distrbuted Sniffer System) from NAI: Much the same as RMONv2, these will monitor not only connections but will also pull URLs off the wire and send them to a centralized console.
IDS: Like from Network ICE, ISS, Axent, or NAI. These programs constantly sniff the wire looking for intrusions, then report them to a centralized console. They don't necessarily monitor all connections, but they will report suspicious ones.

See http://www.robertgraham.com/pubs/sniffing-faq.html for more information on packet sniffers.

2.4 DNS cache

Most companies setup their own DNS servers to resolve names in to addresses (i.e. "www.microsoft.com" might resolve to "192.0.2.128"). In order to improve performance, these servers "cache" requests.

For example, when you load the URL "http://www.robertgraham.com", you first ask your local DNS server for the corresponding IP address. The DNS server "resolves" that address for you by sending a query across the Internet to my DNS server. The second time you ask for this address (or when somebody else in your same company asks for it), the DNS server has remembered it and responds immediately, without sending a second request across the Internet to my server.

An administrator of a DNS server will occasionally come across this cache when administering the server. They won't know exactly who surfed "www.robertgraham.com", but they will know somebody in the organization has.

For example, the DNS server that I use for my website and my outgoing traffic will show the following hierarchy:

robertgraham.com
- www
- ftp
Cache
- com
  - microsoft
    - www
    - support
  - yahoo
    - www
    - my

In the first section, you can tell that my DNS server will respond to queries from the Internet for "www.robertgraham.com" and "ftp.robertgraham.com". In the second section, you can tell that I've recently visited the sites: www.microsoft.com, support.microsoft.com, www.yahoo.com, my.yahoo.com.

2.5 Browser histories and cookies

Anecdote

One time I was reviewing the cookie list with a co-worker on her machine, and one of them was from an obvious porn site. I am pretty sure this was because of me -- I work in security, and sometimes surf hacker sites to research information. In the past (though less so now), hackers put lots of porn advertising banners on their sites in order to earn money. While re-installing software on my machine, I may have used her machine for research -- and may have visited a hacker site that pulled a banner from a porn site that put a cookie on her machine. (This was in an environment where we regularly use each other's machines).

One simple way employees reveal their surfing habits to other employees is the "smart completion" feature of newer browsers. The URL line at the top of the browser contains a drop-down list box of recently visited sites, and will "auto-complete" for you. As a user selects a URL or types one partially in, a past URL of a porn site will inadvertently appear. People standing over their shoulder will accidentally see this.

Most browsers keep a list of all the URLs that a user has browsed. A few clicks of the button will open this list. Again, a user can easily accidentally open this list by clicking on the wrong location, again exposing the list to people standing nearby.

Similarly, sites will drop cookies on your machine. If you open your cookie list you will probably see hundreds of cookies left on your machine. Mostly, these sites are attempting to track you. They place icons on other pages, and match the HTTP "Referer" field with the cookie. They don't necessarily know who you are, but they do know where you've been. Porn sites are very big into various browser tricks, such as using JavaScript to open infinite number of pages or using cookies to track you online. It is very easty to accidentally acquire some porn cookies on your machine, as I describe in the anecdote for this section.

[Another anecdote]

2.6 Browser cache

Anecdote

One day, I come into work, sit down at my machine and use it as normal. However, I find some weird programs in the Windows "Start" menu. One was called "Live View", and the other called "Sex Chat".

Alarm bells start ringing in my head, of course. I start all sorts of complicated plans to catch the culprit, but unfortunately it was much easier than that.

The first thing I did was dir /s /b *.jpg in my browser cache directory. Sure enough, I saw lots and lots of files with names like "busty.jpg". Furthermore, the timestamps of the files were always for about 5-10 minutes around 4:15 am and 5:00 am going back a couple of weeks. I deduced that this must be the security guard. On his rounds, he drops by my office and surfs porn.

Among the many stupid things he did was to write down 900 numbers onto a pad of Post It notes, which leaves an indentation in the underlying notes. This gave me a sample of his handwriting. I went and found the current security guard on duty (this was a weekend) and match the hand writing with the previous security guards report. This nightly report also showed the schedule for the security guard's rounds.

I communicated the incident to the facilities admin and got the guy fired. I felt so violated (I am a geek after all), they guard betrayed the companies trust, he may have been reading proprietary info off my machine, and there is no telling what kind of viruses or trojans he could have accidentally downloaded. Personally, I feel that being a guard is a lonely job, and that the company should just provide him a machine for his desk :-) so that he won't feel impelled to borrow other machines.

Comment: Why didn't I lock my machine?

In much the same way that proxies (see above) cache files on the hard disk, web browsers will also save files. This means that every time a user visits the same web page, the web browser doesn't need to go across the Internet and download the same file again, dramatically speeding up web access.

The primary admin who comes across these caches is the desktop technician. They frequently make house calls to desktop machines, or work with the machines inside their labs. Automated backups sometimes pull down these directories accidentally, meaning the backup tapes are filled with porn.

Even when the user take pains to bypass monitoring software, encrypt their connections over SSL, or go through anonymous browsing service, the files will always get saved to the disk. If the user can view it, then it is more than likely the system has saved it to disk somewhere.

Even deleting the cache doesn't always get rid of the files. There are many ways to recover lost files, depending upon how much effort you are willing to go to. The first step would be built in undelete programs. The next would be disk scanners (which disregard directory entries and pull data directly from the disk). Those two method rely upon the fact that the files have been forgotten about, but not overwritten. However, a third method can sometimes recover overwritten files. Even when things are overwritten, magnetic traces of the original data are left behind. This is why spies and the DoD recommend overwritting free space at least 7 times in order to completely erase old data. Such "wipe" features come as part of many encyption packages.

2.7 E-mail messages

Most users do not realize how often e-mail is misdirected. Mistyping the destination address often results in the e-mail being forwarded to the postmaster of the destination domain. This means that your e-mail may be read, even though nobody is actively monitoring it.

Likewise, some companies do monitor e-mail. Many log headers in order to track messages over time, others will store the entire contents of text messages.

Anecdote

I maintain e-mail for a domain that is similar to a company in the United Kingdom (like "example.com" vs. "example.co.uk"). I get a fair amount of misdirected e-mail, 80% of which is porn related (both text and images).
One of the messages was:
I'll be away now for 8 weeks and will be having my mail intercepted by our receptionist who is the kind of person who would have me sacked for the type of mail that I've been receiving lately, so could you please not send me any messages until I return. I look forward to seeing you (and my job!) on my return.

I am still curious as to the statistical significance of the quantity of porn I receive this way. Since the sender also receives a report that the e-mail address is wrong, they rarely make the mistake twice. Furthermore, there are about 30 different recipients in that company that I've seen. Statistically, it seems that everyone is sending/receiving porn all the time!

3. How they can defend themselves

(This isn't for firewall admins, really, but lots of users ping me for this information).

3.1 Evidence wiping

The following are traces left behind on your machine:

Windows event history

Run Program
Find Computer
Find Files

Application history

Individual applications record their own private histories of files you opened with those applications. Some are:

RealAudio (including video)
Microsoft Media Player

Web browsers

Cookies
History (of which pages you visited)

E-mail programs

Sent messages (Outlook, Netscape Messenger)

Common dialogs

Microsft has added "helpful" features throughout Windows that helps fill in historically information. These may appear in any application. These traces can be cleaned from the system.

Deleted info

When you delete files, they don't really disappear, but are instead sent to the "recycle" bin. You must regularly clear this folder. Even when files are deleted, they aren't completely deleted. You must purchase special "wipe" programs to completely eradicate all traces from your system.

Some products that automatically clean these things are:

http://www.evidence-eliminator.com/

3.2 Anonymizers

There are services on the Internet that will act as proxies. The corporate firewall logs will only record that you contacted the anonymizers, but not the websites you visited through them.

X. Miscellaneous

X.1 Anecdotes

If you have any anecdotes, I'd love to hear about them. Please send me e-mail. I'll stick them in this section.

From: <anonymous>

Here's an anecdote from a few years ago, relating to porn.

The IT manager for the London office of my then-employer finally managed
to book a couple of week's holiday. Before he headed off, he backed up
(ie., dumped the disk) of his laptop to his home directory on the LAN.
Inevitably, we needed to get hold of a particular file. He told the
support manager to just hook it out the backup. After doing so, the
Support Manager then decided to have a little nosey around (the IT manager
was pretty unpopular and disliked amongst his staff) and, predictably,
turned up a load of porn-related cookies, entries in his browser's history
file, and even in his favourites. The majority sounded (we didn't check)
like gay porn... We weren't a particularly intolerant lot, but he was
married with kids, and had a habit of telling extremely offensive "gay"
jokes. There wasn't an official porn-surfing policy there at that time,
and we'd probably have been in more trouble than him if we'd said
anything, but word quickly spread through the IT department... it didn't
do much for our respect for him.

Please don't use my name if you use this story... thanks again for the
site,

cheers,

Note: Psychologists say that people hate most in others what they fear in themselves.

From: <anonymous>

I have a permanent full screen advert for a porn site every time I open
IE5. I have repeatedly delete the relevant files, but the picture always
re-appears. I have deleted histories and URLs and searched my cookies.
No Joy!
Can you suggest how I can get rid of this embarrassing evidence of my 
interest

Answer: At one point, that pr0n site popped up a box asking if you want it as your homepage. You selected "yes". Such attempts to change your home page are commonly seen from spam, bad search results, and pr0n. Most people aren't alert to the questions the computer ask, so they frequently answer incorrectly. (And it is impossible to be alert always because the computer asks to many confusing questions).

You can reconfigure you browser to put your homepage back, or you can use my utility below. Type in your correct homepage below and hit the button to fix it.

(Note the dialog that asks you to confirm this. You saw this dialog before -- you just didn't notice it).

From http://www.nfr.net/firewall-wizards/mail-archive/1999/Jun/0237.html

Hey folks. First of all, obligatory thanks to all of you; reading your
discussions have helped me at my job tremendously, in providing a fairly
vendor independent perspecive on realistic security implementations. so
thanks, y'all.

I'd like to add that I feel it takes both types of involvement, for a
company to really implement a viable safeguard against liability for
illegal/inappropriate access. At my organization, we had a rather
unfortunate case of idiocy, which, although it didn't do much damage
prompted us to invoke some limitations on web traffic. We used a combination
of router based and independent software solutions to restrict access to a
list of categories of url's, and track and log all access.  Using this,
along with periodic human log reading, we are able to decide if we need to
have reiterate the companies web browsing policy (which we TRY to ensure
employees are aware of when they are hired, although whose to say what they
ACTUALLY read in this day of quick signatures). The policy has been used to
discipline several employees, and we saw a growing degree of awareness of
the policy, as warnings have been issued about excessive non-work related
browsing.

We are, however, a smaller organization so this is feasible. I do not think
the work scales well, as the larger the organization the more segments to
monitor, the more access points you'll have, and the more general network
chatter you're going to have. All in all, I'd say its a waste of time,
actually, but The People Who Decide Things wanted it, and I actually enjoyed
setting it up in a sick sort of Control Freak way.  

Anyways, that is all. Just thought I'd share; ultimately, the technology is
only going to aid you in enforcing a strong policy, and that takes not only
the will to enforce a policy, and the technology to make it tricky enough to
break that the attempt alone, which is logged, constitutes a clear desire to
break it and not an accident.

--
Henry Sieff
Network Drone
Orthodontic Centers of America

X.2 Links

I originally created this document during a discussion on the firewall mailing list.

http://www.nfr.net/firewall-wizards/mail-archive/1999/Jun/0224.html: How Singapore blocks porn on a nationwide basis as part of censorship efforts. One interesting poing is that the efforts are popular. Another is that the goal of the government is not to block porn, but make its access difficult.
http://www.nfr.net/firewall-wizards/mail-archive/1999/Jun/0186.html: Reponse to the question "How can I block inappropriate content?"

X.3 News

Note that a lot of these news stories are in Europe. The European's have much stricter labor laws than the United States. In some European countries it is virtually impossible to fire people. Therefore, the trick is that when the company wants to fire somebody, they start monitoring the victim's surfing habits hoping to find some pretext to fire them.

http://www.theregister.co.uk/content/1/13809.html
[00-10-06] Deutschebank in London fires 10 workers over port downloading.

http://www.theregister.co.uk/content/1/12969.html
[00-09-01] 45 employees fired for looking at naughty picutres and sending obscene e-mail.

http://www.thenews.co.uk/cgi-bin/W3Vfile.cgi/MO=3/TF=news2?RI=78000285b
[00-04-11] British Mayor fired over surfing porn from work PC. 13 other people also found to have porn on their work computers.

http://www.theregister.co.uk/000403-000020.html
[00-04-03] Informa fires around 5 people and disciplines about 10 others for unsavory web surfing practices.

http://www.theregister.co.uk/000328-000025.html
[00-03-28] Zurich Financial Services fires employees for "disturbing" content found on PCs.

http://www.theregister.co.uk/000229-000028.html
[00-02-29] Barclays Bank questions employees over porn found on systems.

http://www.wired.com/news/print/0,1294,32820,00.html
http://www.internetnews.com/rumblings/print/0,1089,81_252181,00.html
[99-12-01] NYT fires 23 employees for violating its e-mail policy.

http://news.cnet.com/news/0-1003-202-809024.html
http://www.internetnews.com/rumblings/print/0,1089,81_213611,00.html
http://www.theregister.co.uk/991007-000006.html
[99-10-07] Xerox fires 40 employees for porn surfing.

http://www.theregister.co.uk/990907-000010.html
[99-09-07] Employees sue company that fired them for e-mailing porn.

http://www.theregister.co.uk/990524-000009.html
[99-05-24] Rolls Royce fires 5 people for e-mailing grossly offensive porn.

[fin]