Facebook is Blocked at Work – Here’s a Workaround

Yes I know it is addictive, yes I know you love to spend hours on there – which is probably the reason Facebook is blocked at your work. I did some work last year on a content filter at a medical company – although we did not block anything, we simply monitored the amount of time users spent on different sites. The amount of time some people spent on Facebook, MySpace and eBay was simply incredible – one young lady was regularly spending over 30 hours a week on these websites!!! Which is not bad for a 35 hour contract of employment, and we didn’t even count those who used a Facebook proxy.

The idea of monitoring the websites people used and for how long was obviously to help build a solid case for blocking them. You see, the company had quite a relaxed Internet Usage Policy and they were also quite happy to allow people to browse what they wanted (within reason) during breaks and after work. However, management were shocked at the amount of time people were actually spending on these sites; after all, it didn’t seem like they had much time left for actual work.

So we ended up blocking Facebook completely…

Now for ordinary people who just want to keep in touch, or check in with friends occasionally, this can be a bit annoying. So I want to tell you a bit about how websites are normally blocked within a corporate network. However, if you are thinking of circumventing them, then first of all check your employment and internet use policies – if there’s stuff in there about not using the internet for personal use etc, etc and phrases like “subject to disciplinary actions” appear – then you’re probably best waiting until you get home. Accessing web sites that your company has specifically decided to block is likely to get you into trouble – but hey, that’s your choice.

Facebook Blocked By Firewall – Using A Web Proxy

The very simplest way to block access to a website is just by using a proxy or firewall combination. Here you can just create a single blacklist of websites which will not be allowed through. So for instance in this case we might have the URL www.facebook.com listed, perhaps the IP address of the Facebook servers, or maybe both. All internet traffic will go through the firewall or proxy, so when you request any website in this list you just get sent to a pre-prepared page instead (usually a warning or information page).

This is the way everyone used to do this, although it’s pretty easy to get round now. If you look on the internet about ways to access Facebook at work or school you’ll find that the usual suggestion is to use an external proxy (they’ll often have stupid names like shadow proxy or something like that!). What happens here is you go to a proxy website, then type your URL (e.g. Facebook) into the web proxy, which then fetches the page and displays it in a little frame for you. From your site you are communicating with the proxy server (not Facebook) and so the firewall does not block your request.

In MOST places this does not work anymore for a variety of reasons, however these are the main ones:

  1. The proxy sites are themselves blocked by the firewall
  2. Firewalls only allow access through the company proxy (which will not allow a proxy chain).
  3. Most companies now use more sophisticated filters which will look inside the network packet for the blocked site, meaning that using just a proxy won’t work.

If your company does not bother with these restrictions, then you may be able to use the web proxies to access sites online, but most simply won’t work. In fact if your company network is that insecure then you may actually find a free online proxy and surf directly through it (instead of through frames in a web proxy). Just search for some free proxies, find their IP address and input the address into your browser under the screen below which you can find under Internet Options / Connections / LAN settings or something like that.

Facebook Blocked - Using A Proxy

Here you relay all your web requests directly through the external proxy which is normally quicker and you shouldn’t have advertisements and little frames added to your browsing session. If you find a fast enough proxy then you may not even notice the difference in speed from normal surfing.

Remember this only works in environments that have limited security settings, so check it out beforehand. In most places you won’t even be able to modify those settings in Internet Explorer (there are ways around this little problem as well, but that’s for another post).

Facebook Blocked By Content Filter

This is by far the most difficult scenario to bypass, as content filters actually look at the data in each network packet. So even if you are using a proxy to relay your request to a blocked site like Facebook, the content filter will still see the URL in your data. So not only do you need the protection of a proxy server, you also need some way to stop the filter reading the contents of your web requests too.

The solution is encryption: if you encrypt your connection, nobody can see anything except the IP address of the server you are accessing. To do this you need to set up either your own remote VPN or use a trusted service like Identity Cloaker, which encrypts everything by default anyway. Of course Identity Cloaker is a paid service, but if you just want to get round a Facebook block then you’re in luck, as the demo version is available for free and actually allows access to Facebook!


Click on the graphic to go to the download page, use the demo account and you can connect through a secure encrypted tunnel to any of Identity Cloaker’s servers and effectively change your IP address at will. Through this you can surf through all of the most sophisticated content filters and secure infrastructures. This version is only the demonstration, so it will only work with a specific list of websites – Facebook and Twitter are both currently on the allowed list.

So if Facebook is blocked and you want a solution – there you have it. I did mention this earlier, but remember if you’re sitting at your desk and someone sees you accessing Facebook then you might have some problems. They’re certainly going to know you’ve bypassed their filter!!! So be aware of your company policy. This method will also work in the many countries which have Facebook blocked and filtered as well. There are quite a few other sites allowed in the demo mode which have been blocked in countries across the world – such as Blogger, Twitter, Squidoo and Wikimedia for instance. If you want to use it for accessing other websites like BBC iPlayer, Hulu, Pandora etc, etc. which are normally restricted by location – then you’ll need to upgrade your subscription. Any problems, ask the Identity Cloaker guys. I like watching loads of stuff which is blocked where I am, including some of the Australian and Canadian TV channels normally inaccessible from the UK.

Anyway, hope this helps people, and do not get into any trouble!!

Debugging or Checking Out a Proxy

Before you trust your data to that nice, new shiny proxy that you found online, you’re going to want to check it out – so what can you do? Well, believe it or not, every single one of us has the perfect tool on our computer – it’s called telnet. Now you may think this is a little bit basic, but you can actually get quite a lot of information on a proxy server just by using this simple program.

HTTP (Hyper Text Transfer Protocol) is the mainstay of our proxy, its raison d’être if you like. Fortunately for us HTTP is a completely ASCII protocol operating in clear text, which makes it perfect for using telnet with. None of that complicated decompiling of binary data for us: all our responses can be read in plain (well, a little geeky) English.


Understanding Proxies

So How Do We Use Telnet to Debug?

It’s actually quite straightforward and uses the standard telnet syntax –

telnet {Proxy Address} {Proxy Port}

So if you wanted to check out your college proxy server then simply –

telnet collegeproxy.com 8080

This will get the telnet program to attempt to connect to the proxy server (or in fact any web server as well). If you don’t get blocked by a firewall or restricted by policy you’ll get something like this –

Connected to collegeproxy.com

Escape character is '^]'

Followed by a cursor sign (usually an underscore _). When you’re at this point anything you type will be sent to the server.

So here you can forward any HTTP requests directly to the server without using a browser. It will also allow you to see the proper error codes and the responses the server is making.

For instance if you get the response

– telnet: Unable to connect to remote host: Connection refused

This suggests that the server process is not running or it’s not listening on the port you specified (telnet will connect by default on 23 if you don’t specify). It’s a really great way of troubleshooting issues with web servers, proxies or any web-enabled device. It’s also helpful in determining when problems are occurring in other services; for instance you can check out problems with Smart DNS or HTTP services by connecting to their specific ports.
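The same troubleshooting check as a script, added here as an example (it is not code from the original post): it connects to a host and port, sends one HEAD request, and reports either the status line and headers that came back or why the connection failed. The function names are illustrative.

```python
import socket


def build_probe(host):
    """The request you would otherwise type by hand once telnet has connected."""
    return f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def classify_error(exc):
    """Turn a failed connect into the diagnosis the telnet message implies."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused: host is up but nothing is listening on that port"
    if isinstance(exc, socket.timeout):
        return "timeout: packets are being dropped, often by a firewall"
    if isinstance(exc, socket.gaierror):
        return "dns: the host name did not resolve"
    return f"error: {exc}"


def parse_response(raw):
    """Split a raw HTTP response head into (status code, reason, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), (parts[2] if len(parts) > 2 else ""), headers


def probe(host, port, timeout=5.0):
    """Connect, send one HEAD request and report what answered."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"connected": False, "diagnosis": classify_error(exc)}
    with sock:
        sock.sendall(build_probe(host))
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    status, reason, headers = parse_response(raw)
    return {"connected": True, "status": status, "reason": reason,
            "server": headers.get("server"), "via": headers.get("via")}
```

`probe("collegeproxy.com", 8080)` mirrors the telnet session above; a `ValueError` from `parse_response` means something other than an HTTP service answered on that port.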


Types of Filtering and Ninja Bypassing

Internet filtering used to be relatively scarce but it’s extremely common now and takes a variety of forms. The two most basic forms are URL and content filtering.

URL Filtering

A typical example of URL filtering is where the requested URL of a web site is intercepted by the proxy or firewall and compared to a big list of ‘bad URLs’. If the URLs match then the request is denied and blocked. In this case the user is normally redirected to an error page, although in some cases the request will be logged and an administrator alerted. It’s not a great system, as an extensive list of URLs can have a big performance impact – and remember this impact is for all requests, even those that don’t contain a blocked site.

In recent years some performance improvements have been made to alleviate the issues.  For instance some URL filtering systems use hash values of the URLs rather than the addresses themselves.  The hash values can be ordered so that the system can locate information faster (by jumping to specific points in the list rather than searching from start to finish).   Most systems you’ll find in corporate environments will use URL filtering to some extent.

There can be lots of other problems with filtering simply based on a list, especially if you use the hash value searching system. The URLs have to be complete, and only that exact, specific address is restricted. Many websites have multiple domain names and aliases, so any list has to have all these URLs listed too.
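The hash-ordered list described above, as an added example (not code from the original post or from any filtering product), together with the exact-match limitation and one way a filter administrator can address it: normalise the requested host and look up each parent domain. `blocked.example` and the function names are constructed for illustration.

```python
import bisect
import hashlib
from urllib.parse import urlsplit


def url_hash(key):
    """Fixed-length digest used as the list entry instead of the address itself."""
    return hashlib.sha256(key.encode("utf-8")).digest()


class HashedBlocklist:
    """Blocklist stored as sorted hashes and searched by bisection."""

    def __init__(self, entries):
        self._hashes = sorted(url_hash(e) for e in entries)

    def contains(self, key):
        # Jump to the position where the hash would sit instead of scanning the list.
        h = url_hash(key)
        i = bisect.bisect_left(self._hashes, h)
        return i < len(self._hashes) and self._hashes[i] == h


def candidate_keys(url):
    """Normalise a requested URL to its host, then list the host and each parent domain."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.rstrip(".").split(".")
    # Stop before the bare top-level label so a lookup never tests a whole TLD.
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def is_blocked(blocklist, url):
    """Domain-level check: a handful of exact hash lookups, one per parent domain."""
    return any(blocklist.contains(key) for key in candidate_keys(url))


if __name__ == "__main__":
    # Constructed entries; blocked.example stands in for a real blocked site.
    exact = HashedBlocklist(["www.blocked.example"])
    domains = HashedBlocklist(["blocked.example"])
    for url in ["www.blocked.example", "WWW.Blocked.Example", "m.blocked.example",
                "http://www.blocked.example./profile", "notblocked.example"]:
        print(f"{url:40} exact={exact.contains(url)!s:5} domain={is_blocked(domains, url)}")
```

Listing the domain once and normalising each request keeps the lookup a few hash comparisons while covering case differences, trailing dots and subdomains that an exact-address list would each need as separate entries.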

Content Filtering

Just like URL filtering has a noticeable impact on performance, the same can be said of content filtering.   Content filters look inside the data being transmitted – their goal is not only to block access to inappropriate sites but also to check for security risks.  A content filtering system will often be set to filter out specific objects like Java or ActiveX.   They also check for viruses and other security problems entering the network.

These filtering systems are very sophisticated – analysing the actual packet data, though, is bound to have an impact on any network’s performance. Content filters will usually defeat the use of anonymous proxies as the end URL is irrelevant – the data itself is being scanned, which will reveal both the proxy address and the destination URL. An example of one of the most widely used content filters is WebSense – which uses a variety of plug-ins and runs on dedicated hardware strategically placed with a tap into all network traffic.
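What "the data itself is being scanned" means for a plaintext request, as an added example (not code from the original post or from WebSense): the inspection reports both the server a request is addressed to and any blocked name carried inside it. The sample requests, `webproxy.example`, `blocked.example` and the `u=` parameter are constructed for illustration.

```python
import re
from urllib.parse import unquote

BLOCKED_DOMAINS = {"blocked.example"}  # constructed policy list
HOST_HEADER = re.compile(rb"^Host:[ \t]*([^\s:]+)", re.I | re.M)
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def is_blocked_name(name):
    """True for a blocked domain or any of its subdomains."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)


def inspect_request(raw):
    """Inspect one plaintext HTTP request the way a content filter sees it on the wire."""
    m = HOST_HEADER.search(raw)
    addressed_to = m.group(1).decode("ascii", "replace").lower() if m else None
    # Percent-decode so a destination carried in a query string or form body is readable too.
    text = unquote(raw.decode("iso-8859-1"))
    found = sorted({h.lower() for h in HOSTNAME.findall(text) if is_blocked_name(h)})
    return {"addressed_to": addressed_to, "blocked_names": found,
            "verdict": "block" if found else "allow"}


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "direct": b"GET /home HTTP/1.1\r\nHost: www.blocked.example\r\n\r\n",
    "forward_proxy": b"GET http://www.blocked.example/home HTTP/1.1\r\n"
                     b"Host: www.blocked.example\r\n\r\n",
    "web_proxy": b"GET /browse?u=http%3A%2F%2Fwww.blocked.example%2Fhome HTTP/1.1\r\n"
                 b"Host: webproxy.example\r\n\r\n",
    "unrelated": b"GET /news HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_request(raw))
```

In the `web_proxy` sample the request is addressed to the proxy, yet the blocked destination is still visible in the request line, which is why a URL list alone and a content filter give different verdicts for it.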

Ninja Bypassing of Filtering Systems

To defeat the URL filtering system is normally fairly straightforward; most anonymous ninja proxy servers available on the internet will suffice. The only difficulty is that most URL lists contain a large selection of these sites – so if the one you use is on the list you’re going to get blocked. Not only that, but the administrator will likely be informed that someone is deliberately trying to bypass corporate restrictions. If you set up your own using a hosting account and a Glype installation then you’ll likely be able to surf under the radar.

Unfortunately the vast majority of filtering devices now use both URL and content filtering technology. The normal web proxy sites you’ll see on the internet promising you complete anonymity and the ability to bypass filters are completely useless. The content filter will look into the packet itself – the fact that you are using a proxy and a fake IP is irrelevant.

There is only one effective way to defeat a genuine content filter and that is to encrypt your surfing. In this case the URLs and sites you are visiting are unable to be read by the content filters.