October 20, 2008, 9:52 AM — If there is truly a gray zone in the struggle between online good and evil, anonymous proxy servers live there.
Organizations typically use proxy servers to forward website, file and other requests to other servers. Anonymous proxy servers are meant to hide the identity of the requestor.
Some security experts, including Sunil James, senior product manager at Amazon Web Services and formerly director of vulnerability research at iDEFENSE Inc., say the latter is only necessary if someone wants to mask malicious activity.
"As a security person my natural first instinct is to ask why someone needs to be anonymous if they are doing something legitimate," he said. "I just don't see a viable use for anonymous proxy servers in corporate environments."
Others say certain kinds of security research and testing make them a necessity and that they are perfectly safe if used responsibly.
In an effort to reach a consensus on the issue, CSOonline polled several industry professionals by phone, e-mail and networking sites like LinkedIn.
Surprisingly, most respondents defended the use of anonymous proxy servers and offered a litany of legitimate-use examples. But everyone admits they can easily be used for malicious purposes and that organizations need to respond with the right security procedures.
"From a security perspective, hiding your true location behind a proxy definitely falls in the gray area of Web browsing," says Ed Ziots, a Rhode Island-based network engineer. "I use them to view questionable content from semi-trusted systems because I do not want the site to know the true origin of my communications when I am researching the latest exploits, exploit code, or new and up-and-coming trends in exploit research."
But he can imagine a more sinister scenario where the bad guy uses multiple anonymous proxies so victims can't determine where his attack sequences are coming from.
Spying (or blocking) competitors
Anonymous proxy servers are often used to spy on competitors or block their efforts to do the same to another competitor, says Chris Kraft, VP of product management for web security for security vendor Sophos.
"This tends to be used for competitive purposes in which a website operator can identify the IP range of competitors and prevent them from viewing the company's assets," Kraft says. "It can be used to gather intelligence on your competitors, and the competitors in turn can use anonymous proxies to block your activities."
During his time as the CISO of a Fortune 100 company, security consultant Larry Glassman received a request from the sales and marketing department to establish an anonymous proxy server so the marketing department could perform competitive market analysis against a competitor in the space.
"This was in response to the competitor blocking access from the company's Internet-registered IP block to the website," Glassman says. "I equate this to a Walmart, Sam's Club or Warehouse Club VP walking through Costcos around the country to compare their products and services against [another] direct competitor in the space."
A lifeline for foreigners
Richard Childers, IT security manager at Canadian Blood Services in Ottawa, Canada, says anonymous proxy servers are usually used within a corporate context to exercise control over outbound Internet traffic and are often combined with caching capabilities to make better use of limited bandwidth. But he also sees their use justified in parts of the world where free speech is suppressed.
"While I believe most anonymous proxy servers are used to hide who is accessing socially unacceptable web sites (porn etc), some of them may be of political value in that it makes it harder for repressive governments to identify folks accessing information sites officially forbidden," he says.
Dan Kaminsky, director of penetration testing at IOActive and discoverer of this summer's much-publicized DNS flaw, says there's an even simpler explanation for anonymous proxy use in other countries: A lot of people just want to get Internet access.
"It's easy for us in America to suggest this is unethical, but we take Internet access for granted," he says. "Without proxies, some countries don't have genuine access to the Internet."
Explore traffic coming from a typical proxy and you're bound to find it all coming from a kid in a foreign land who just wants to watch something on YouTube or e-mail friends, Kaminsky says.
To those who say anonymous proxies are used for malicious purposes, Kaminsky says, "The true black hats use botnets and break into desktops. They're not breaking into boxes using proxy servers."
Out of the black, into the gray
In the final analysis, security experts say anonymous proxy servers are like any other technological tool these days - there are ways to use it for good and ways to use it for evil.
Baba Akinjayeju, technical security architect at Atos Origin in the UK, says anonymous proxies are becoming more popular these days because people want to be able to keep an element of anonymity and freedom for which the Internet is known.
"Opponents to it have always argued, 'why be anonymous if you haven't got anything to hide,' but life is not always as black and white," Akinjayeju says. "Having said that, I think there are lots of mischief makers in the world who would use the cloud of anonymity to commit all sorts of ills."
Coming soon: In Part 2 we ask, "Would you trust and use an anonymous proxy server picked off a list on the Internet?" Those who wish to respond can do so at email@example.com.