An Analysis of End-User Application Traffic on University Networks

An Analysis of End-User Application Traffic on University Networks

Academic Freedom or Application Chaos? An Analysis of End-User Application Traffic on University Networks November 2009 Palo Alto Networks 232 East Java Dr. Sunnyvale, CA 94089 Sales 866.207.0077 www.paloaltonetworks.com Table of Contents Key Findings............................................................................................................................ 3 Introduction............................................................................................................................. 4 Applications that Enable Circumvention are in Use ................................................................ 5 External Proxies........................................................................................................................................ 5 Encrypted Tunnel Applications ................................................................................................................. 6 Remote Desktop Control Applications...................................................................................................... 7 P2P File Sharing Usage is Rampant ........................................................................................ 8 Browser-based File Sharing Gains in Popularity .................................................................... 9 Students are Adept at Being Entertained .............................................................................. 10 Applications are Designed for Accessibility .......................................................................... 11 Summary............................................................................................................................... 11 Appendix 1: Methodology ...................................................................................................... 12 Appendix 2: Applications Found ............................................................................................ 13 KEY FINDINGS Over the past 18 months, Palo Alto Networks has performed Application Visibility and Risk assessments on 35 university networks. The analysis consisted of installing a Palo Alto Networks firewall on the university network, and then monitoring traffic for a given period of time. based on the traffic observed, an Application Visibility and Risk report is generated and provided to the university networking and security team (see Appendix 1 for more information on the methodology). A roll up of all 35 assessments shows that 589 unique applications were detected, consuming 64 terabytes of data. Some of the key findings are summarized below: Students are using applications that enable security circumvention. • The high frequency with which external proxies, encrypted tunnel and remote access applications were found indicates students are taking extra steps to conceal their activity. This finding is somewhat contradictory to the assumption that university networks are “open”. Peer-to-peer file sharing use continues to be a significant portion of university traffic. • Found in 34 of the 35 university networks (97%), P2P file sharing continues to be a significant portion of traffic. The 24 P2P variants found consumed 13.9 terabytes or 21.7% of total bandwidth, indicating that P2P is still a relatively serious issue on university networks. • Adding to the challenge of managing the RIAA requests for more P2P control, a new threat— Mariposa—is spreading rapidly across nine commonly used P2P networks. Browser-based file sharing applications show significant usage. • An average of 11 browser-based file sharing application variants were found across 33 of the 35 university universities (94%). While not as common as P2P, these applications simplify the transfer of large files such as music or movies, possibly exposing universities unknown risks. Students are adept at keeping themselves entertained. • There were 203 applications found that fall into gaming, social networking, media, file sharing and web browsing categories. Bandwidth consumed by these applications was more than 48 terabytes or 78% of total bandwidth consumed. Application accessibility features make visibility and control difficult. • Of the 589 applications found, 356 (60%) of them can use port 80, port 443 or hop ports as a means of enabling user access. Unfortunately, accessibility features can introduce security risks because traditional port-based offerings cannot see or control these applications. The data used to generate this report was collected by deploying a Palo Alto Networks next-generation firewall in the network, in either tap mode or virtual wire mode, where it monitors traffic traversing the Internet gateway. At the end of the data collection period, an Application Visibility and Risk Report is generated that presents the findings along with the associated risks, and a more accurate picture of how the network is being used. The data from each of the AVR Reports is then aggregated, analyzed and summarized herein. INTRODUCTION Today’s university students are more computer savvy than ever before, using a wide range of applications for socializing, entertainment and fostering their education. The breadth of applications, along with the premise that university networks are “open” puts the security team between a rock and a hard place. On one hand, they are asked to enable openness, while on the other, they are required to protect the network and the corresponding data. In analyzing 35 university networks around the world, Palo Alto Networks found a wide range of applications that span the social, entertainment and educational spectrum – which was not all that surprising. Peer-to-peer file sharing continues to be used while browser-based file sharing applications are increasing in their use. And not surprisingly, applications that are more focused on entertainment than on education were used heavily. What was not expected was the relatively high use of proxies, encrypted tunneling and remote desktop access applications. The use of these applications raises two questions – if the network is open, then why use applications that can mask user activities? This is the key question to be answered. Or are control efforts such that users re being driven to use these applications. Whichever the reason, the statistics show that students are using whatever application they want and security administrators are struggling to keep pace. APPLICATIONS THAT ENABLE CIRCUMVENTION ARE IN USE One of the more interesting sets of statistics uncovered during the analysis was how frequently the use of external proxies, encrypted tunnels and remote access applications were being used. This finding is somewhat contradictory to the assumption that university networks are “open”. The theory being that if the networks are open, then why would there be a need to use applications that can bypass security? Are the students being overly cautious? Or are the universities exerting stricter traffic controls? Regardless of the underlying reasons, the frequency1 that these applications were seen was quite surprising. EXTERNAL PROXIES There are two types of proxies that can be used for the purposes of bypassing security controls. The first is a private proxy, which is a software application that is installed on a server and is used by a single user. In this case, the student will install the software on a machine at home, or somewhere outside of the university network. The student will then browse to the external proxy as an unmonitored means to browse the web. The analysis discovered a total of 21 different proxies, including HTTP proxy which might be in use by the university. Excluding HTTP proxy from the discussion, external proxies were still detected in 100% of the universities with the highest number of proxy variants found being 12, and the average number found in each university being 4. The most commonly detected proxies are CGIProxy and PHProxy, detected in 63% and 60% of the universities respectively. The second proxy variant is a public proxy or a proxy service. These are merely implementations of the aforementioned proxy software applications that are made available to the public. For example, a student that wants to browse the web anonymously can visit www.proxy.org and select from one of 7,700+ proxies that have been established by well-meaning Internet citizens. Users can also sign up for an email update that notifies them of the 10 or so new proxy sites made available on a daily basis. In either of these two cases, the traffic looks like normal web browsing and most security policies allow this type of traffic to pass unfettered. The result is that students are bypassing any control efforts including threat inspection, exposing the university to unnecessary security risks. Most Common Proxy Applications Found cgiproxy 63% phproxy 60% coralcdn-user 46% glype-proxy 31% vtunnel 57% socks 14% 11% freegate 11% http-tunnel 11% kproxy psiphon 9% 00% 25% 50% 75% Frequency that the application was found on university networks Figure 1: The most commonly detected proxies found across the participating universities. 1 Note that the frequency is based on a given application appearing on the university network – the number of users is a factor in frequency. ENCRYPTED TUNNEL APPLICATIONS Whereas a proxy is used primarily to bypass web filtering controls, encrypted tunnel applications go one step further, enabling students to hide their activity within an encrypted tunnel. Two reasons for this come to mind. Either they are using it to bypass security controls and

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    15 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us