The wrong sort of radio, redux

27Nov12

Almost a couple of years ago (shortly before taking a role that put me back under the yoke of corporate web filtering) I wrote ‘the wrong sort of radio’ to describe how ridiculous and counter-productive such things are. It simply doesn’t make much sense to cut off the Internet at the desktop when everybody has it in their pocket anyway. I was reminded of this by a tweet from Sean Park over the weekend:

TL;DR version

For the last year or so I worked around the corporate web filters by having a PC on my desk connected to the real world via a VPN – an immobile version of bring your own device (BYOD). The VPN moves the point of origination for my web traffic (and the liability that goes with it) from my employer to me, so this was a compromise that everybody could be comfortable with. It was however technically challenging to set up, and performance/reliability was often poor. With a few simple tweaks the whole setup could have been made much more accessible for others, and that would be a good thing.

The Law

SEC Rules 17a-3 and 17a-4 oblige brokers and dealers to keep archives of electronic communication for trading staff, and similar rules have been enacted in most jurisdictions. It’s fairly easy for organisations to keep a regulatory archive of their own email using various bolt-on solutions to their mail servers. Private (web)mail was however seen as a way to circumvent archiving[1], and hence had to be blocked. At the same time private webmail was being blamed for malware finding its way onto corporate desktops, so it seemed to make sense to block webmail for everybody, not just trading users (and anyway it seemed like it was too hard to keep track of who should be archived/blocked and who shouldn’t – so much easier to just cast the net over everybody[2]).

The law didn’t tell Wall St. to shut down webmail, but that’s what happened.

The Lore

Once webmail had been blocked on corporate networks it then became part of security and risk management culture that anything that allowed an employee to access webmail (or social networks with similar communications capabilities) must be banned. It was by this perverse logic that when guest and employee wifi were introduced (to allow people to work as effectively as they might in a local coffee shop) those services were then subjected to the same filters as the corporate network.

I used to have this written at the top of the whiteboard behind my desk:

The Lore != The Law

It was there to remind me that pretty much everything evil done in Enterprise IT is done at the behest of ‘compliance’, and it’s part of our job to push back as hard as possible to get a good experience for the users.

The liability argument

Corporate liability was a frequently touched upon issue in discussions about filtering networks. The argument runs something like this:

If we’re providing a service (like employee or guest WiFi) then we’re liable for what’s done with it

It’s a fair point, and the best answer is to get out of the business of providing the service. Get a telco to do it instead. The whole point of ‘wrong sort of radio’ is that telcos aren’t expected to be liable for traffic across their networks in the same way.

In many other cases the liability issue is dealt with using an acceptable use policy, and we pretty much all click through such agreements when accessing the Internet from a hotel, coffee shop, airport, train or whatever. That doesn’t work for Wall St. though. Wall St. has (internal) auditors to ensure that things are done properly. It isn’t good enough to have policy (ask nicely for people to do the right thing). There must be technical measures – make sure that people do the right thing – by actively stopping them from doing the wrong thing.

This is when The Lore kicks in badly. Employee WiFi must have the same filters as the corporate network, otherwise employees will use it to dodge controls; and guest WiFi must have the same filters too, because employees will cheat and create guest access codes for their own use. All that filtering means that traffic can’t just escape out onto the Internet, it needs to be routed through to the filtering place, meaning more hops, more expense and less performance.

VPNs to the rescue?

Virtual Private Networks (VPNs) move the point of egress to the Internet (and hence the perceived point of liability) from the WiFi service provider to the VPN provider. VPNs therefore provide a strong technical answer to the issues around liability; guests and employees should be allowed to use VPNs, because what they do on the Internet tracks back to them, not the company providing WiFi.

If only it was that easy.

The trouble is that the filters can only work on a narrow stream of traffic, and the expectation is that people are just surfing the web; so things get locked down to port 80 (HTTP) and port 443 (HTTPS). Whilst it is possible to run SSH and OpenVPN over port 443, it’s a non-standard configuration; and web filters range from actively hostile to simply not designed to work well for such a setup.

VPNs therefore can be useful for moving the point of liability, but things only work well if the network is configured to allow VPNs (rather than VPNs being a workaround).

The gory technical details

The PC on my desk (and the iPad in my bag) were able to connect to virtual private servers I had using SSH and OpenVPN. Most SSH clients (including iSSH on iOS) can work as a SOCKS proxy, though of course this means that the SSH session must be established before surfing begins (which is a nuisance on the desktop and a downright pain on a SmartPhone or Tablet). Not everything gracefully pays attention to proxy rules, which is where OpenVPN can be helpful, but you can’t run SSH and OpenVPN on port 443 at the same time – so I needed two VPS boxes[3].

Call to action

Firms that are making widespread use of web filters[4] for guest and employee WiFi should actively support the use of VPNs by opening the appropriate ports and advertising the VPN capability (maybe even suggesting some services that people can use if they don’t have a VPN already).

Conclusion

Web filters at work get in the way of doing business in a (socially) networked society. I found ways to deal with these that worked for me, but they only worked for me because I was able to deploy resources and expertise that aren’t at everybody’s disposal. Virtual Private Networks provide a sensible workaround for the perceived liability issues, and should be technically facilitated and encouraged.

Notes

[1] Solutions at the time weren’t sophisticated enough. That has changed, but the approach pretty much everybody takes hasn’t.
[2] This is the same logic that gets us full disk encryption.
[3] Though I could have got by with a single VPS and an extra IP address.
[4] It would be remiss of me to finish without mentioning that the rule management for those filters is a nightmare. The default filter rules are normally created for oppressive regimes in the Middle East, and commercial users then need an exception process for stuff they don’t want to filter (because filtering harms their business). Exceptions are normally granted on a firm-wide or individual basis. Exceptions are normally only managed for the corporate network (not guest or employee WiFi), leading to much fun getting exceptional exceptions for new services.


