17. January 2011 · Comments Off on Top 3 Tools For Busting Through Firewalls — Internet Censorship — InformationWeek · Categories: blog · Tags: , , ,

Top 3 Tools For Busting Through Firewalls — Internet Censorship — InformationWeek.

The three tools described in this article are Tor (The Onion Router), Circumventor, and Glype. If you are unfamiliar with them, here is a brief description. The article provides a deeper analysis of them.

TorTor is nominally used for the sake of anonymity, but also works as a circumvention tool, and its decentralized design makes it resilient to attacks. It started as a U.S. Naval Research Laboratory project but has since been developed by a 501(c)(3) nonprofit, and is open source software available for a variety of platforms. Human Rights Watch, Reporters without Borders, and the United States International Broadcasting Bureau (Voice of America) all advocate using Tor as a way to avoid compromising one’s anonymity. With a little care, it can also be used to route around information blocking.


Circumventor – Developed by Bennett Haslelton of the anti-Internet-censorship site Peacefire.org, Circumventor works a little bit like Tor in that each machine running the Circumventor software is a node in a network.

Circumventor is most commonly used to get around the Web-blocking system in a workplace or school. The user installs Circumventor on an unblocked PC — e.g., their own PC at home — and then uses their home PC as a proxy. Since most blocking software works by blocking known Web sites and not random IP addresses, setting up a Circumventor instance ought to be a bit more effective than attempting to use a list of proxies that might already be blocked.

Glype – The Glype proxy has been created in the same spirit as Circumventor. It’s installed on an unblocked computer, which the user then accesses to retrieve Web pages that are normally blocked. It’s different from Circumventor in that it needs to be installed on a Web server running PHP, not just any old PC with Internet access. To that end, it’s best for situations where a Web server is handy or the user knows how to set one up manually.

While these tools are used in certain countries to bypass censorship, in the U.S. they are mostly used to bypass organizational firewall policies.

In order to block these tunneling and proxy applications, organizations have turned to Palo Alto Networks, the leading Next Generation Firewall manufacturer.

However, the real issue is much bigger than blocking the three most popular tools for bypassing traditional stateful inspection firewalls. Or even peer-to-peer applications. The real goal is to enable a Positive Control Model, i.e. only allow the applications that are needed and block everything else. This is a much harder goal to achieve. Why?

In order to achieve a Positive Control Model, your firewall, not your IPS, has to be able to identify every application you are running. So in addition to the applications the firewall manufacturer identifies, the firewall must give you the ability to identify your home-grown proprietary applications. Then you have to build policies (when possible leveraging your directory service) to control who can use which applications.

Once you have implemented the policies covering all the identified applications the organization is using, and who can use them, then the final policy rule can be, “If application is unknown, then deny.”

Once you have implemented the Positive Control Model, you don’t really care about the next new proxy or peer-to-peer application that is developed. It’s the Negative Control Model that keeps you the never-ending cycle of identifying and blocking every possible undesirable application in existence.

Achieving this Positive Control Model is one of the primary reasons organizations are deploying Palo Alto Networks at the perimeter and on internal network segments.