An Analysis of End-User Application Traffic on University Networks

Academic Freedom or Application Chaos? An Analysis of End-User Application Traffic on University Networks

November 2009

Palo Alto Networks
232 East Java Dr.
Sunnyvale, CA 94089
Sales 866.207.0077
www.paloaltonetworks.com

Table of Contents
Key Findings
Introduction
Applications that Enable Circumvention are in Use
  External Proxies
  Encrypted Tunnel Applications
  Remote Desktop Control Applications
P2P File Sharing Usage is Rampant
Browser-based File Sharing Gains in Popularity
Students are Adept at Being Entertained
Applications are Designed for Accessibility
Summary
Appendix 1: Methodology
Appendix 2: Applications Found

KEY FINDINGS

Over the past 18 months, Palo Alto Networks has performed Application Visibility and Risk assessments on 35 university networks. The analysis consisted of installing a Palo Alto Networks firewall on the university network, and then monitoring traffic for a given period of time. Based on the traffic observed, an Application Visibility and Risk report is generated and provided to the university networking and security team (see Appendix 1 for more information on the methodology). A roll-up of all 35 assessments shows that 589 unique applications were detected, consuming 64 terabytes of data. Some of the key findings are summarized below:

Students are using applications that enable security circumvention.
• The high frequency with which external proxies, encrypted tunnel and remote access applications were found indicates students are taking extra steps to conceal their activity. This finding is somewhat contradictory to the assumption that university networks are “open”.

Peer-to-peer file sharing use continues to be a significant portion of university traffic.
• Found in 34 of the 35 university networks (97%), P2P file sharing continues to be a significant portion of traffic. The 24 P2P variants found consumed 13.9 terabytes or 21.7% of total bandwidth, indicating that P2P is still a relatively serious issue on university networks.
• Adding to the challenge of managing the RIAA requests for more P2P control, a new threat—Mariposa—is spreading rapidly across nine commonly used P2P networks.

Browser-based file sharing applications show significant usage.
• An average of 11 browser-based file sharing application variants were found across 33 of the 35 universities (94%). While not as common as P2P, these applications simplify the transfer of large files such as music or movies, possibly exposing universities to unknown risks.

Students are adept at keeping themselves entertained.
• There were 203 applications found that fall into the gaming, social networking, media, file sharing and web browsing categories. Bandwidth consumed by these applications was more than 48 terabytes or 78% of total bandwidth consumed.

Application accessibility features make visibility and control difficult.
• Of the 589 applications found, 356 (60%) can use port 80, port 443 or hop ports as a means of enabling user access. Unfortunately, accessibility features can introduce security risks because traditional port-based offerings cannot see or control these applications.

The data used to generate this report was collected by deploying a Palo Alto Networks next-generation firewall in the network, in either tap mode or virtual wire mode, where it monitors traffic traversing the Internet gateway. At the end of the data collection period, an Application Visibility and Risk Report is generated that presents the findings along with the associated risks, and a more accurate picture of how the network is being used. The data from each of the AVR Reports is then aggregated, analyzed and summarized herein.

INTRODUCTION

Today’s university students are more computer savvy than ever before, using a wide range of applications for socializing, entertainment and fostering their education. The breadth of applications, along with the premise that university networks are “open”, puts the security team between a rock and a hard place. On one hand, they are asked to enable openness, while on the other, they are required to protect the network and the corresponding data.

In analyzing 35 university networks around the world, Palo Alto Networks found a wide range of applications that span the social, entertainment and educational spectrum – which was not all that surprising. Peer-to-peer file sharing continues to be used while browser-based file sharing applications are increasing in their use. And not surprisingly, applications that are more focused on entertainment than on education were used heavily. What was not expected was the relatively high use of proxies, encrypted tunneling and remote desktop access applications. The use of these applications raises two questions: if the network is open, then why use applications that can mask user activities? Or are control efforts such that users are being driven to use these applications? This is the key question to be answered. Whichever the reason, the statistics show that students are using whatever application they want and security administrators are struggling to keep pace.

APPLICATIONS THAT ENABLE CIRCUMVENTION ARE IN USE

One of the more interesting sets of statistics uncovered during the analysis was how frequently external proxies, encrypted tunnels and remote access applications were being used. This finding is somewhat contradictory to the assumption that university networks are “open”. The reasoning is that if the networks are open, then why would there be a need to use applications that can bypass security? Are the students being overly cautious? Or are the universities exerting stricter traffic controls? Regardless of the underlying reasons, the frequency [1] with which these applications were seen was quite surprising.

EXTERNAL PROXIES

There are two types of proxies that can be used for the purposes of bypassing security controls. The first is a private proxy, which is a software application that is installed on a server and is used by a single user. In this case, the student will install the software on a machine at home, or somewhere outside of the university network. The student will then browse to the external proxy as an unmonitored means to browse the web.

The analysis discovered a total of 21 different proxies, including HTTP proxy, which might be in use by the university itself. Excluding HTTP proxy from the discussion, external proxies were still detected in 100% of the universities, with the highest number of proxy variants found being 12 and the average number found in each university being 4. The most commonly detected proxies are CGIProxy and PHProxy, detected in 63% and 60% of the universities respectively.

The second proxy variant is a public proxy or a proxy service. These are merely implementations of the aforementioned proxy software applications that are made available to the public. For example, a student that wants to browse the web anonymously can visit www.proxy.org and select from one of 7,700+ proxies that have been established by well-meaning Internet citizens. Users can also sign up for an email update that notifies them of the 10 or so new proxy sites made available on a daily basis.

In either of these two cases, the traffic looks like normal web browsing and most security policies allow this type of traffic to pass unfettered. The result is that students are bypassing any control efforts, including threat inspection, exposing the university to unnecessary security risks.

Figure 1: The most commonly detected proxies found across the participating universities (frequency that the application was found on university networks): cgiproxy 63%, phproxy 60%, coralcdn-user 46%, glype-proxy 31%, vtunnel 57%, socks 14%, freegate 11%, http-tunnel 11%, kproxy 11%, psiphon 9%.

[1] Note that the frequency is based on a given application appearing on the university network – the number of users is a factor in frequency.

ENCRYPTED TUNNEL APPLICATIONS

Whereas a proxy is used primarily to bypass web filtering controls, encrypted tunnel applications go one step further, enabling students to hide their activity within an encrypted tunnel. Two reasons for this come to mind.
Either they are using it to bypass security controls and
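The report's headline numbers (an application "found on 34 of the 35 networks", a category consuming "21.7% of total bandwidth", 60% of applications able to "use port 80, port 443 or hop ports") are all roll-ups of per-application traffic summaries from each assessed network. The following is an added example, not code from the report and not Palo Alto Networks' own application identification: it takes a small set of constructed per-university application records (university names, byte counts, ports and the standard-port mapping are all assumptions for the example) and computes those three kinds of figures. It also shows, for the "accessibility" finding, how much of that traffic a device that classifies purely by destination port would mislabel: a CGI proxy on 443 looks like ordinary web browsing, and BitTorrent on 8080 is simply unknown.

```python
"""Roll-up of per-application traffic records in the style of the report's
Key Findings: how often an application appears across assessed networks, its
share of bandwidth, which ports it was seen on, and how much traffic a
port-only control would mislabel.

Added example; not the report's own code or Palo Alto Networks' App-ID.
The flow records, port mapping and byte counts below are constructed."""
from collections import defaultdict

# Constructed sample: one record per (university, application, destination
# port) with the bytes observed. University names are placeholders.
SAMPLE_FLOWS = [
    # (university, application, category, dst_port, bytes)
    ("uni-a", "cgiproxy",     "proxy",            443,  2_000_000_000),
    ("uni-a", "bittorrent",   "p2p",              6881, 5_000_000_000),
    ("uni-a", "bittorrent",   "p2p",              443,  4_000_000_000),
    ("uni-a", "ssh",          "encrypted-tunnel", 22,     300_000_000),
    ("uni-b", "cgiproxy",     "proxy",            443,    500_000_000),
    ("uni-b", "phproxy",      "proxy",            80,     700_000_000),
    ("uni-b", "bittorrent",   "p2p",              8080, 4_000_000_000),
    ("uni-c", "phproxy",      "proxy",            8080,   100_000_000),
    ("uni-c", "ssh",          "encrypted-tunnel", 443,  1_000_000_000),
    ("uni-c", "web-browsing", "browsing",         80,   3_000_000_000),
    ("uni-c", "web-browsing", "browsing",         443,  3_000_000_000),
]

# Ports a port-based policy would expect each application on (assumed).
STANDARD_PORTS = {
    "web-browsing": {80, 443},
    "cgiproxy": {80, 443},
    "phproxy": {80, 443},
    "ssh": {22},
    "bittorrent": {6881},
}
WEB_PORTS = {80, 443}

# What a port-only device would call a flow on a given port (assumed table).
PORT_TABLE = {80: "web-browsing", 443: "web-browsing", 22: "ssh", 6881: "bittorrent"}


def frequency(flows):
    """Fraction of assessed networks on which each application appeared.
    Presence counts once per university regardless of how many users or bytes
    were involved, matching 'found on N of 35 networks' style figures."""
    universities = {f[0] for f in flows}
    seen = defaultdict(set)
    for uni, app, *_ in flows:
        seen[app].add(uni)
    return {app: len(unis) / len(universities) for app, unis in seen.items()}


def bandwidth_share(flows, key="app"):
    """Share of total bytes per application (key='app') or per category."""
    idx = 1 if key == "app" else 2
    total = sum(f[4] for f in flows)
    by_key = defaultdict(int)
    for f in flows:
        by_key[f[idx]] += f[4]
    return {k: v / total for k, v in by_key.items()}


def port_profile(flows, standard=STANDARD_PORTS):
    """Per application: ports observed, whether 80/443 were among them, and
    which observed ports fall outside its standard set (port hopping)."""
    observed = defaultdict(set)
    for _, app, _, port, _ in flows:
        observed[app].add(port)
    return {
        app: {
            "observed": ports,
            "web_ports": bool(ports & WEB_PORTS),
            "outside_standard": ports - standard.get(app, set()),
        }
        for app, ports in observed.items()
    }


def misclassified_bytes(flows, table=PORT_TABLE):
    """Bytes a port-only classifier would label as something other than the
    application actually carrying them."""
    return sum(b for _, app, _, port, b in flows
               if table.get(port, "unknown") != app)


def report(flows):
    """Plain-text roll-up in the spirit of the Key Findings section."""
    n_unis = len({f[0] for f in flows})
    lines = []
    for app, freq in sorted(frequency(flows).items(), key=lambda kv: -kv[1]):
        lines.append(f"{app:<13} found on {round(freq * n_unis)}/{n_unis} networks ({freq:.0%})")
    for cat, share in sorted(bandwidth_share(flows, "category").items(), key=lambda kv: -kv[1]):
        lines.append(f"category {cat:<17} {share:.1%} of bytes")
    for app, prof in port_profile(flows).items():
        if prof["outside_standard"]:
            lines.append(f"{app:<13} seen outside its standard ports: {sorted(prof['outside_standard'])}")
    total = sum(f[4] for f in flows)
    lines.append(f"port-only classification mislabels {misclassified_bytes(flows) / total:.0%} of bytes")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS)))
```

Run as a script it prints the roll-up for the constructed sample; with the report's real inputs the same functions would be fed one record per application and port from each network's traffic log. The point of `misclassified_bytes` is the accessibility finding in numbers: on this sample roughly half the bytes would be invisible to a port-based policy, because the application label has to come from the traffic content rather than the port.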