twitter facebook rss

CISO View: Blocking Tor from the Enterprise

Posted by on November 18, 2015.

torlogoThe Onion Router (Tor) was designed to protect privacy and anonymity on the internet. However, it is increasingly being used by criminals to protect themselves and their endeavors. Last year Kaspersky Lab noted, “the cybercriminal element is growing… We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analyzed the first Tor Trojan for Android.” The reason is simple: “Hosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.” Earlier this year IBM concluded that “it is absolutely necessary to block access to Tor or other similar networks from your corporate networks.”

It’s not simply a question of blocking traffic that comes from Tor. Volunteers are asked by Tor to set up their own Tor relays – and it is important that network administrators prevent that happening on company resources. “In essence,” explains IBM, “running a Tor relay is a donation of bandwidth and an open door to several forms of liability. More important, if a Tor relay is running on a network, the administrator could be an unwilling facilitator of an attack on other networks or within his or her own networks.”

Add to these arguments the need to separate infections (which could have been contracted outside of Tor) from phoning home to C&C servers hidden within Tor.

It would be good practice, therefore, for CISOs to prevent traffic coming into their networks from Tor, to prevent their networks participating in Tor, and to prevent internal connection to Tor. The question is, how can this be done? We asked 10 CISOs from the Wisegate community, “How do you restrict access to and from Tor?” We gave them five options:

  • We do nothing to block Tor
  • We use IP address lists to block traffic from all known exit nodes
  • We use Policy to prevent the establishment of a Tor relay
  • We have controls in place to prevent any company hardware being used as a Tor node
  • We use Tor ourselves

Only one CISO does nothing to block Tor, and only one CISO uses Tor. For the latter, the CISO in question explained, “We’re a University and Health Care organization. We allow the use of Tor in our less governed University network segments, but completely block and disable the use of it on the clinical sections of our network.”

torgraphFour of the CISOs use known Tor exit point IP addresses to block traffic coming from Tor; and four have a policy designed to prevent the establishment of Tor nodes on company equipment. Two have actual controls in place that would prevent the establishment of a node.

There are two primary methods that can be used to block Tor traffic. One blacklists Tor IP addresses, while the other blocks the ports used by Tor traffic. Blocking IP addresses can sometimes be handed off to a firewall provider. One CISO commented, “TOR is pretty well mapped and you can find lists of entrance and exit nodes. You can block as well as blacklist known nodes. Example list: tornodes.”

Not all security experts believe this is foolproof. “I’ve… heard that some entry relays are kept hidden,” commented David Harley from ESET. “I assume that refers to bridge relays that aren’t in the main Tor directory, so aren’t in a public list. You can use Tor tools to find those relays, of course, but I don’t know how feasible it would be to compile a complete list.”

“As for blocking exit nodes,” an F-Secure researcher told us, “an attacker could use a node that isn’t publicly listed. So I’d say you can probably add effective road blocks (a layer of security) – but I wouldn’t consider such road blocks a guarantee.”

Blocking TOR “is certainly a possibility,” adds Sophos’ senior security advisor Chester Wisniewski, “but doing it by IP would likely lead to a lot of tail chasing. Typically Tor communicates on 9001, 9030, 80 and 443,” he added. “The 9000 series ports should already be blocked, and through the judicious use of an application proxy for HTTP and HTTPS traffic (which you should already have in place) any disguised traffic should be blocked as not following the HTTP standards. Tor is valid TLS traffic, but will not pass through an application proxy expecting HTTP(s) traffic.”

It would seem that there are pressing needs but no easy solution to fully blocking all Tor traffic on company networks. Perhaps the answer is onion-layered security to counter the onion-layered router: IP and port blocking with enforced policy, up to date anti-virus and endpoint management.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Perspectives | Tags: ,