Organizations and enterprises maintain network security policies to protect against external and internal threats. Network users in different administrative zones may be subject to different access restrictions depending on their organizational responsibilities. For example, hosts in a more restricted administrative zone may be permitted to communicate only with hosts inside the internal network, or may be so restricted for certain network communication protocols, while hosts in a less restricted administrative zone may also be permitted to communicate with external hosts. A user in the more restricted zone may attempt to evade such restrictions by placing a proxy on a host within the less restricted zone. A host in the more restricted zone can then use that proxy to reach external (or other) hosts to which direct access is forbidden. Users in more restricted administrative zones who circumvent local network restrictions by establishing proxies in less restricted zones may expose the otherwise secure network to potentially dangerous payloads.
Existing mechanisms for detecting proxies rely on either detecting well-known proxy ports or inspecting protocol content to identify proxy protocols. Port-based detection works only if the proxy is listening on a well-known proxy port and that port is visible to the scanning host; it is evaded by running the proxy on an arbitrary port and/or shielding that port from unauthorized hosts (for example, with a host firewall rule that admits only the colluding client). Content-based detection requires visibility into the protocol and requires the protocol itself to have some property that indicates it is being used to proxy. Encryption defeats the first requirement, and few protocols satisfy the second, since most do not announce that they are performing proxy functions. Existing methods are also unattractive from a deployment point of view. Constant active scanning is noisy and slow, often setting off numerous other alarms, and yields only periodic snapshots of the network, which may miss short-lived proxies. Passive scanning avoids these problems but requires very widely distributed sensors, which are costly and problematic to deploy.
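The two legacy mechanisms described above, and the evasions that defeat them, can be made concrete by running both checks over a handful of flow records. The following Python is an added example and is not code from the original text; the host address, port numbers, flow labels and client payloads are all constructed for illustration, and the set of "well-known" proxy ports is an assumption chosen to cover the usual SOCKS and HTTP proxy defaults.

```python
# Added example, not part of the original text: the two legacy detection
# mechanisms described above (well-known-port matching and first-bytes protocol
# inspection), run over constructed flow records to show what each one catches
# and which evasions defeat it. All hosts, ports and payloads are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed set of ports commonly associated with proxies (SOCKS, Squid, HTTP proxies).
WELL_KNOWN_PROXY_PORTS = {1080, 3128, 8080, 8118}


@dataclass(frozen=True)
class Flow:
    label: str      # constructed name for this sample flow
    dst: str        # destination host
    dport: int      # destination port
    payload: bytes  # first bytes the client sent on the connection


def port_based(flow: Flow) -> bool:
    """Legacy check 1: flag any flow to a well-known proxy port."""
    return flow.dport in WELL_KNOWN_PROXY_PORTS


def content_based(flow: Flow) -> Optional[str]:
    """Legacy check 2: identify a proxy protocol from the client's first bytes.

    Recognised forms:
      SOCKS5 greeting   VER=0x05, NMETHODS, METHODS[NMETHODS]          (RFC 1928)
      SOCKS4 request    VN=0x04, CD=0x01/0x02, DSTPORT, DSTIP, USERID, 0x00
      HTTP proxy        request line with CONNECT or an absolute-URI target
    Returns the protocol name, or None if nothing proxy-like is visible.
    """
    p = flow.payload
    if len(p) >= 3 and p[0] == 0x05 and len(p) == 2 + p[1]:
        return "socks5"
    if len(p) >= 9 and p[0] == 0x04 and p[1] in (0x01, 0x02) and p[-1] == 0x00:
        return "socks4"
    request_line = p.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        if parts[0] == b"CONNECT":
            return "http-connect"
        if parts[1].startswith((b"http://", b"https://")):
            return "http-forward"
    return None


def run_detectors(flows: List[Flow]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Apply both legacy checks; returns label -> (port_hit, protocol_or_None)."""
    return {f.label: (port_based(f), content_based(f)) for f in flows}


# Constructed sample flows. PROXY_HOST stands for a host in the less restricted zone.
PROXY_HOST = "10.0.2.5"
# Constructed, truncated TLS record header plus the start of a ClientHello.
TLS_CLIENT_HELLO = bytes.fromhex("160301002a010000260303") + b"\x00" * 32
SAMPLE_FLOWS = [
    Flow("squid-default-port", PROXY_HOST, 3128,
         b"GET http://external.example/ HTTP/1.1\r\nHost: external.example\r\n\r\n"),
    Flow("socks5-default-port", PROXY_HOST, 1080, bytes([0x05, 0x01, 0x00])),
    # Evasion 1: same proxy protocol on an arbitrary port -> port check misses it.
    Flow("connect-arbitrary-port", PROXY_HOST, 44321,
         b"CONNECT external.example:443 HTTP/1.1\r\n\r\n"),
    # Evasion 2: proxy protocol wrapped in TLS on an arbitrary port -> both miss.
    Flow("tls-wrapped-arbitrary-port", PROXY_HOST, 44321, TLS_CLIENT_HELLO),
    # Ordinary web server on a "proxy" port -> port check false positive.
    Flow("web-server-on-8080", PROXY_HOST, 8080,
         b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    for label, (port_hit, proto) in run_detectors(SAMPLE_FLOWS).items():
        print(f"{label:28s} port-based={port_hit!s:5s} content-based={proto}")
```

Running the block shows the gap the text describes: the port check flags the two default-port proxies but also the ordinary web server on 8080, the content check recovers the CONNECT proxy moved to an arbitrary port, and neither check sees anything once the proxy protocol is carried inside TLS on an arbitrary port.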
Thus, there is a need for a reliable way to detect proxies that is both easy to deploy and is capable of detecting proxies even if various evasion or obfuscation techniques are used.