Two Letters Re: Firewalls, Anonymity, and SurvivalBlog

Dear Mr. Rawles,
As a network administrator, I spend a fair amount of time making sure my end users cannot access certain web sites from company computers and data lines. I try to make sure we don’t get too draconian in our filtering practices; I do my best to make sure that no streaming audio or video, social networking sites, or other time killers make their way through the network.

Recently, a friend of mine told me about a tool called JanusVM, a combination of Internet anonymity tools (Tor, Privoxy, Squid, and VPN) that runs in a virtual machine. You basically run the VM in a VMware player, connect a VPN connection from your PC to the VM, and open your web browser. Like a lot of anonymity tools, it isn’t very fast. It is, however, about as anonymous as you can get on the internet. I went to a web site that displayed my current IP address as well as my geographic location and found I was supposedly surfing from Paris, France. One page reload later and I was in Northern California, followed by Denmark, all without ever leaving my chair. According to the web site’s very brief write-up, the DNS requests are so scrambled that even your internet service provider can’t tell where you’re surfing. That made me wonder if I could use this tool to get around my web filtering firewall as well. I tested my machine to make sure I was blocked out by our firewall by trying to visit Facebook, which is a big no-no site around here. Sure enough, it’s blocked. Then I closed my web browser, established the VPN connection to the JanusVM, and re-launched my web browser. Bullseye! I had Facebook access. Not only was I anonymous, I’d also defeated my own web filtering software and firewall.

While this is a great tool, here are a few things to keep in mind.

1. I haven’t tested it on any other system, so YMMV.

2. You need a network with at least one available IP address for the VM. It can be an internal IP, but it still needs one. This keeps it from working with Verizon broadband cards. If someone out there gets it to work with one, I’d LOVE to hear about it!

3. Anonymity is not the same as privacy, or even security. Don’t count on this tool to protect your internet logins and passwords. Hackers have been known to sniff incoming and outgoing traffic on Tor nodes for unencrypted passwords. They may not know where they came from, but they can still read them. If they can figure out where they were headed, you’re in trouble.

4. Your workplace or branch of the military may frown on anyone trying to circumvent their firewalls and web filters, so use this information at your own risk.

– Some Call Me Tim


A couple of notes about your post on [SurvivalBlog being blocked by the US Navy and Marine Corps Internet system]:
* with varied duty hours and multiple shifts, there’s no such thing as only blocking during “duty hours”.
* Anonymizers are just about the first thing blocked by any organization that filters net access. 🙂
* If you have scripting capability on a web host, CGI Proxy and PHP Proxy are both good alternatives. Of course, they’re going to be blocked, too…so you still would have to find an unblocked site that has it or an alternate ISP long enough to download the scripts. People also run services with these or other types of scripts, but they come and go, and as mentioned previously, will most often be blocked. You also never know who’s running them.
* An alternate site works for a while, but it will eventually get blocked, too. It also dilutes your “brand”.
* The XML RSS feed option is probably the best, as it doesn’t rely on working around the restrictions so obviously. I use Google Reader myself, through which I can read web sites blocked by the corporate firewall. It cuts you off from reading comments, but that’s not a problem with your site. Some may be concerned at Google having too much information and choose some other feed reader, but I’m not too concerned with it. [JWR Adds: To avoid trails of “cookie crumbs”, I’ve read that the best choices are the Avant Browser for PCs and the NewsFire Reader for Macs.]

The feed option is good for current reading and keeping up, but for searching on a topic or looking at items in a non-linear fashion, a proxy of some sort is a better, more flexible, yet more complicated option. Hope this helps. – Robert