End user appears to bypass Symantec Web Gateway (SWG) URL filtering by adding entries to the hosts file of the local machine
Last Updated June 13, 2013
An end user adds one or more entries to the hosts file of the local machine (/etc/hosts on Unix-like systems, %SystemRoot%\System32\drivers\etc\hosts on Windows). This appears to let the user connect directly to a site that the SWG appliance would otherwise block.
When a hostname is entered in the hosts file, the local resolver maps that hostname to whatever IP address the entry specifies and never consults DNS for it. The browser opens a connection to that IP address and sends an HTTP request that carries the requested path and filename in the request line and the hostname the user typed in the HTTP Host: header. The SWG appliance performs a malware IP reputation lookup against the destination IP address and a Content Filtering lookup against the domain in the Host: header plus the rest of the URL from the HTTP GET or HTTP POST request. If the IP address is not a known malware site, it does not appear on the IP reputation list. If the domain in the Host: header and the requested URI do not match a listing in the Rulespace ruleset, the SWG appliance permits access to the site and logs no event. The appliance never sees the real name of the destination, because the only hostname on the wire is the one the user chose: a hosts entry that maps an unlisted name to the IP address of a blocked site produces a request that matches neither lookup.
This behavior is by design.
An enhancement request has been filed asking that SWG perform a reverse DNS lookup on the destination IP address of HTTP and/or HTTPS traffic, so that the name the address actually belongs to can be checked against the ruleset even when the Host: header carries a different name. An enhancement request is exactly that, a request, and does not imply any commitment on the part of Symantec Corporation or its Engineering or Marketing teams.
The SWG appliance was originally designed for span/tap mode, followed by INLINE mode. Historically, both modes were built around per-request latency measured in milliseconds. Adding a DNS lookup to the processing of each flow would increase the delay before traffic is relayed, by an amount that varies from environment to environment.
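The following Python script is an added example, not Symantec code. It models the request flow described above with constructed data: a stand-in for the Rulespace ruleset and IP reputation list, a constructed public DNS zone and reverse (PTR) zone, and a hosts-file mapping supplied as a dictionary. It builds the HTTP request the browser would send, applies the two lookups in SWG's order, and then applies the reverse DNS check from the enhancement request as a modelled option (it is not shipped SWG behaviour). All domain names, addresses and categories are assumptions for illustration.

```python
"""Simulate the hosts-file alias bypass against Host-header URL filtering.

Added example, not Symantec code. The policy data, DNS and PTR tables are
constructed stand-ins; the reverse DNS step models the enhancement request.
"""
from urllib.parse import urlsplit

# Constructed policy data (assumed, not a real Rulespace category list).
RULESPACE_BLOCKED = {"blocked.example": "Gambling"}
IP_REPUTATION_BAD = {"203.0.113.99"}
# Constructed public DNS zone and its reverse zone.
PUBLIC_DNS = {"blocked.example": "198.51.100.7", "news.example": "198.51.100.20"}
PTR_RECORDS = {"198.51.100.7": "blocked.example", "198.51.100.20": "news.example"}


def resolve(hostname, hosts_file):
    """The resolver consults the hosts file before asking DNS."""
    name = hostname.lower()
    return hosts_file.get(name) or PUBLIC_DNS.get(name)


def build_request(url, hosts_file):
    """What the browser puts on the wire: destination IP, Host header and URI."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return {"dst_ip": resolve(parts.hostname, hosts_file),
            "host": parts.hostname.lower(),
            "target": target}


def render_http(req):
    """Raw request line and Host header exactly as the appliance sees them."""
    return f"GET {req['target']} HTTP/1.1\r\nHost: {req['host']}\r\n\r\n"


def swg_decision(req, reverse_dns=False):
    """Mimic SWG's ordering: IP reputation first, then Host/URI content filter."""
    if req["dst_ip"] in IP_REPUTATION_BAD:
        return ("BLOCK", "ip-reputation")
    for domain, category in RULESPACE_BLOCKED.items():
        if req["host"] == domain or req["host"].endswith("." + domain):
            return ("BLOCK", f"content-filter:{category}")
    if reverse_dns:
        # Modelled enhancement: also check the name the destination IP resolves
        # back to, which catches a Host header that disagrees with the PTR.
        ptr = PTR_RECORDS.get(req["dst_ip"])
        if ptr in RULESPACE_BLOCKED and ptr != req["host"]:
            return ("BLOCK", f"reverse-dns:{ptr}")
    return ("ALLOW", "no-match")


if __name__ == "__main__":
    # Normal request: the Host header names the blocked domain, so it is denied.
    legit = build_request("http://blocked.example/odds?sport=football", {})
    print(render_http(legit), swg_decision(legit))
    # Bypass: the user maps an unlisted name to the blocked site's IP address.
    alias_hosts = {"innocent.example": "198.51.100.7"}
    aliased = build_request("http://innocent.example/odds?sport=football", alias_hosts)
    print(render_http(aliased), swg_decision(aliased))
    # Same request with the modelled reverse DNS check enabled.
    print(swg_decision(aliased, reverse_dns=True))
```

Two caveats on the reverse DNS step, which apply to the enhancement request as much as to this model: a PTR record is controlled by whoever owns the address block, and many unrelated sites share one address behind a CDN or shared host, so the lookup is a heuristic with both misses and false positives; and it costs one extra DNS round trip per flow, which is the latency concern the article raises. For HTTPS the Host header is inside the TLS session, so an inline device sees only the destination IP and, where present, the TLS SNI name, which the user controls in the same way.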
Additional options for detecting and avoiding hosts file based bypasses:
Another Symantec product, Symantec Endpoint Protection (SEP), can monitor and log changes to the hosts file of a Windows operating system. Excerpt: "System Change Detection Exceptions. This behavior happens when the SEP client Virus and Spyware Protection policy has been modified to log hosts file changes detected by SONAR. hosts file change detections are logged as an error in the System Event Log." Excerpt source: http://www.symantec.com/connect/forums/comparison-between-sep-121ru1-mp1-12-ru-2
The hosts file is a target for alteration by both malware and unauthorized end users. For this reason, some IT administrators and/or IT security administrators choose to restrict write access to the hosts file. Various endpoint control products can enforce this restriction, but many admins use a Windows Group Policy Object (GPO) to limit write permission on the file to members of a group containing only IT or IT security staff.
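The audit script below is an added example, not SEP or Symantec code, and is a lightweight complement to the monitoring and write-restriction options above. It parses a hosts file (the Windows or Unix path, or a constructed sample), reports every entry that maps a name to anything other than a loopback address, and computes a digest over the normalized set of mappings so that an administrator can compare a machine against a known-good baseline without comment or whitespace edits producing false alarms. The sample content and all names and addresses in it are constructed for illustration.

```python
"""Audit a hosts file for entries that could redirect names past URL filtering.

Added example, not Symantec or SEP code. Reads the local hosts file or a
constructed sample and flags every mapping that is not a loopback address.
"""
import hashlib
import ipaddress
import os
import sys

HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
              else "/etc/hosts")

# Constructed sample content, not taken from any real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
# added by user to reach a blocked site under a different name
198.51.100.7    innocent.example shop.innocent.example
0.0.0.0         telemetry.example   # blackhole entry
10.0.0.5        intranet
"""


def parse_hosts(text):
    """Return [(lineno, address, [names])] for every non-comment, non-blank line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def classify(address):
    """Coarse category of an address: loopback, unspecified, remote or malformed."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    return "remote"


def suspicious_entries(text):
    """Every entry that sends a name anywhere other than the local host."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        kind = classify(address)
        if kind != "loopback":
            findings.append({"line": lineno, "address": address,
                             "names": names, "kind": kind})
    return findings


def normalized_digest(text):
    """SHA-256 over the sorted (address, name) pairs: comment and whitespace
    edits leave it unchanged, any added or altered mapping changes it."""
    pairs = sorted(f"{address} {name.lower()}"
                   for _, address, names in parse_hosts(text)
                   for name in names)
    return hashlib.sha256("\n".join(pairs).encode()).hexdigest()


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else HOSTS_PATH
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; using constructed sample")
        content = SAMPLE_HOSTS
    for finding in suspicious_entries(content):
        print(f"line {finding['line']}: {finding['address']} -> "
              f"{' '.join(finding['names'])} [{finding['kind']}]")
    print("normalized digest:", normalized_digest(content))
```

On the constructed sample the script reports three entries, including the 10.0.0.5 intranet line, because a non-loopback mapping is not proof of misuse; entries that an administrator placed deliberately belong in the baseline digest, and only a digest mismatch against that baseline should raise a ticket. Run the audit on a schedule with the same rights that protect the file, since a user who can rewrite the hosts file can also rewrite a script they own.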