BLACK BOX®

How users are getting around content filters.

Stopping Anonymous Proxies from Interfering with Your Network

724-746-5500 | blackbox.com

724-746-5500 | blackbox.com Page 2

Stopping Anonymous Proxies from Interfering with Your Network

Table of Contents

Introduction .............................................................................................................................................................................................. 3

Proxy-based filters cannot peer into secure anonymous proxy traffic ........................................................................................................... 3 Proxy-based filters are not reliable for controlling rogue traffic ..................................................................................................................... 3

Certificate inspection is limited in controlling anonymous proxy traffic ......................................................................................................... 3 Effective anonymous proxy control: a four-prong solution ............................................................................................................................ 3 In-line packet inspection ....................................................................................................................................................................... 3 Certificate inspection and control.......................................................................................................................................................... 4 Active filter avoidance scanning technology ........................................................................................................................................... 4 Full decryption, dynamic scanning, and re-encryption ............................................................................................................................ 4

WhitewithFC blackdiamond

5th black

Processblack

Full-ColorBlack

BLACK BOX®

Whitewithprocessblackdiamond

Whitewith5th blackdiamond

We‘re here to help! If you have any questions about your application, our products, or this white paper, contact Black Box Tech Support at 724-746-5500 or go to blackbox.com and click on “Talk to Black Box.” You’ll be live with

one of our technical experts in less than 20 seconds.

Stopping Anonymous Proxies from Interfering with Your Network

724-746-5500 | blackbox.com Page 3

WhitewithFC blackdiamond

5th black

Processblack

Full-ColorBlack

BLACK BOX®

Whitewithprocessblackdiamond

Whitewith5th blackdiamond

IntroductionUsers have developed new methods to thwart content filtering technologies. Traditional proxy-based and mirror-port filtering approaches can't address this issue and therefore cannot be relied upon to control network traffic.

Proxy-based filters cannot peer into secure anonymous proxy traffic. Because they do not sit in-line, by nature, proxy-based filters have no visibility into HTTPS and other secure Web traffic. In fact, they can only access HTTP requests—leaving secure and non-browser traffic undetected.

Issues:

• Secure traffic is encrypted, unreadable, and is only certificate-verified by the proxy-based filter, and therefore left unfiltered. • Advanced, secure, non-browser traffic using proprietary protocols (e.g., Torpark) is also unseen and uncontrolled by the filter. • Many anonymous proxies are dynamic—sometimes they're only up for a couple of hours and are therefore undetectable to database spiders.

Proxy-based filters are not reliable for controlling rogue traffic.Recent marketing attempts tout SSL certificate inspection as the solution for technologically limited proxy filters to control secure anonymous proxy traffic. Although this may sound compelling, there are several issues.

Issues:

• Certificates can be easily spoofed, making blocked content appear as content coming from approved sources. • Certificate-issuing authorities do not limit certificates to appropriate sites—any site, whether or not it’s serving appropriate content, can purchase and use a certificate. Proxy filters may verify the certificate is valid but cannot view the page content because it is encrypted—letting inappropriate content pass through—just because the certificate is valid. • Certificates are easily attainable. • Certificates can be easily bypassed or ignored.

Certificate inspection is limited in controlling anonymous proxy traffic.

Issues:

• Proxy site volume—no database update can keep up with the overwhelming number of proxy sites created every day. Additionally, users can create their own proxy server—something impossible for database updates to find and include.

• Non-standard browser traffic—proxies using proprietary protocols or separate applications to serve up content pass traffic in ways traditional proxy filters don’t even have access to.

Effective anonymous proxy control: a four-prong solution. 1. In-line packet inspection.

Unlike other content filters, OptinetTM by Black Box is an in-line device that delivers deep-packet scanning for complete traffic identification and control. Optinet can identify and control traffic regardless of port or protocol—addressing the full suite of traffic, rather than just the HTTP requests traditional filters can address.

Stopping Anonymous Proxies from Interfering with Your Network

724-746-5500 | blackbox.com Page 4

2. Certificate inspection and control.

As a first level of security, SSL certificate inspection can eliminate some anonymous proxy sites with low over-head performance costs. Optinet includes SSL certificate inspection as a first line of defense against anonymous proxy sites. But, unlike other filters that only rely on certificate inspection, Optinet delivers additional layers of protection—ensuring users have the most robust anonymous proxy controls available.

3. Active filter avoidance scanning technology.

Optinet actively scans for and identifies anonymous proxy sites and pushes updates to connected devices daily, whether the devices’ users attempt to access the sites or not. This approach has created the industry’s most aggressively updated and complete anonymous proxy database. For administrators, this eliminates the need to update anonymous proxy blacklists manually and delivers a more comprehensive list than could be created manually—ensuring filter-bypass activity is blocked.

4. Full decryption, dynamic scanning, and re-encryption.

Optinet is the only mid-market solution capable of fully decrypting, scanning, and controlling, then re-encrypting HTTPS traffic. Unlike proxy-based or mirror-port-based filters, Optinet is installed transparently in-line—allowing it to terminate SSL sessions and decrypt the traffic. Once decrypted, Optinet performs complete dynamic, database, and heuristic scans to identify content that should be blocked. It can then re-encrypt and pass legitimate traffic to the client or deliver a “content blocked” page to the client for inappropriate traffic.

To Learn More

This unique four-part approach effectively controls secure anonymous proxies. Contact Black Box today at 724-746-5500 or visit blackbox.com/go/Optinet to see how easy controlling anonymous proxies with Optinet can be.

About Black Box

Black Box is the world’s largest technical services company dedicated to designing, building, and maintaining today’s complicated data networking services and voice infrastructure systems. Black Box services 175,000 clients in 141 countries with 192 offices throughout the world. Black Box is ISO 9001:2000 certified. Black Box provides more than 118,000 networking and infrastructure products, such as fiber, CAT5e, and CAT6 cable; KVM switches; digital signage; and cabinets and racks, plus network services. To learn more, visit the Black Box Web site at http://www.blackbox.com.

Optinet from Black Box scans, identifies, and controls Internet traffic, and provides advanced content filtering, reporting, application prioritization, bandwidth managment, and threat protection.

© Copyright 2009. All rights reserved. Black Box and the Double Diamond logo are registered trademarks, and Optinet is a trademark, of BB Technologies, Inc. Any third-party trademarks appearing in this white paper are acknowledged to be the property of their respective owners.

Mission Critical

Threats and Abuse

Mission Critical

Secure, Intelligent

Data Flow

Non-Mission Critical

Non-Mission Critical

Op

tinet D

ata

Stream C

on

trol