Explanation of the “IP Address” Category in Wavecrest Products

Tuesday, August 30th, 2011

Unfortunately, some instances of Web-use activity cannot be readily identified or categorized by Web access management products.  One type appears in the Wavecrest products’ Web Monitor and employee internet usage reports simply as IP addresses with no domain.

If the IP address is not recognized by our product it is put into IP address category and not into “Other” for the below reasons  (While some IP addresses have been identified and categorized in the Wavecrest URL control list, many have not.) If the product does not recognize the IP Address, it initially assigns them – in parallel to two special categories: (a) the IP Address category, and (b) the “Other” (uncategorized) category. This ‘groups’ them so they can be dealt with, as follows.

Using IP Addresses to Help Analyze Web Activity. At first glance it may appear impossible to make use of these initially unidentified IP addresses, but that’s not really the case. With a bit of work, it’s possible to:

  • Deduce the source and purpose of most of them
  • Categorize the legitimate ones
  • Isolate/neutralize the malicious ones

Let’s see how this is done.

First though, for purposes of this discussion, let’s ‘label’ the four general types of unidentified IP addresses. We’ll call them:

  • ‘Internal and partner Web pages without domain names’
  • ‘Innocent links on Web sites’
  • ‘Possible malware or virus servers.’
  • ‘Public proxies’

Identification and Corrective Action Process. This is a three step process: (a) listing the IP addresses; (b) classifying them by the types defined above; and (c) taking appropriate action.

To take the first step, simply run a Top Non-Categorized Sites Report and note the rows with IP addresses.  Then, as explained below, classify each (by type) and take action.

  1. IP Addresses Associated with Internal and Partner Web Pages.  These IP addresses could result from user-generated or Web application traffic. Using local knowledge, determine the sources and then enter the addresses in one or more custom categories. If you wish, give the addresses recognizable names. Complete instructions on how to create custom categories can be found in our manual.
  2. IP Addresses Associated with Innocent links on Web sites. These addresses could be associated with image or ad servers. If you send a Otherwise report that contains these IPs to Wavecrest our categorization team will research and categorize these IPs for you  the same way we would categorize domains. If you would like to identify them yourself there are IP Address lookup tools like the one available from https://www.networksolutions.com This tool will provide you with information about the owner of the IP address(es) of interest. For example, the owner of the IP address could be a marketing company that serves ads, or it could be an image server. Once identified, add the addresses to one or more custom categories. If you wish, give the addresses recognizable names.
  3. IP Addresses Associated with Possible Malware or Virus Servers. These addresses could be associated with malware, spyware or virus servers. The clue here is very high around-the-clock traffic (an indication that the user’s computer has been infected or attacked).  The solution in these cases is to isolate the internal computer(s) and remove the malware/spyware or virus.
  4. Public proxies. Also known as “Anonymous proxies”, public proxies are often used by employees or students who want to get around Web filters and/or avoid being identified by Internet logging. In other words, public proxies allow individuals to surf the Web “anonymously.” Many public proxies promote spyware or malware activity. They are created to gather user information, or even worse, company information on an employee’s computer. They often log an individual’s online browsing, emails, and chat sessions to gather user names, passwords, credit card or banking information. Some of the information gained, e.g., email addresses, is often used to sell to other companies for marketing purposes.

For more information, read our post: The danger of public proxies.

The Dangers of Public Proxies

Wednesday, February 20th, 2008

Introduction.
Public proxies are often used by employees or students who want to get around Web filters and/or avoid being identified by Internet logging. In other words, public proxies allow individuals to surf the Web “anonymously.”

The way public proxies work is by making the requested Web site appear to be going to a Web address other than the address of the site actually being requested. They act like a “middle man.” When a Web site is requested, the request is sent to the public proxy, which forwards the request to the original destination, and then returns the site that was requested.

Problems with Public Proxies.
The claim that a public proxy hides a user’s identity may sound safe, but the fact is that public proxies that are used to get around filters can be very dangerous to the user and his/her company or school.

Many public proxies promote spyware or malware activity. They are created to gather user information, or even worse, company information on an employee’s computer. They often log an individual’s online browsing, emails, and chat sessions to gather user names, passwords, credit card or banking information. Some of the information gained, e.g., email addresses, is often used to sell to other companies for marketing purposes.

Solutions.
An enormous and fast-growing number of dangerous public proxy sites exist around the world with new ones popping up every day. Many of them even change their IP addresses at frequent intervals. For these reasons, it is totally impossible to completely solve the problem with technical approaches alone.

Instead, there are several steps you can take to prevent or identify the use of public proxies. The first is to make sure your company or school’s acceptable use policy and consequences of breaking that policy are clearly communicated.

Secondly, back up your AUP by filtering and/or monitoring employees and students’ Web access. Many public proxies use IP addresses to avoid easy detection, so a spike in IP address visits could be an indication that an employee or student may be using one. Wavecrest Computing’s CyBlock and Cyfin Internet filtering and monitoring software have categories for both public proxies and IP addresses.

Finally, make sure that your employees or students are aware of the security dangers associated with public proxies. Many are not aware of the security risk associated with public proxies and may be less inclined to use one if they are educated on the dangers they pose to the user and his/her company or school.