I recently discovered (through traffic analysis) that one of my users is running an application called TOR (see http://www.torproject.org/index.html.en). Long story short he claims he is using it to redirect non-HTTP traffic through port 80, because we have that allowed for all users. My bigger concern is that this application also allows bandwidth sharing and from what I read on the TOR website, can actually lead to legal threats being made against my organization if illegal or questionable activities are relayed through our IP.
So the problem is that it can use any port the user sets and will simply redirect through whatever we have available. How do I block against that?
Something sounds fishy here. If you are using the ISA Web Proxy filter correctly, non-HTTP traffic over port 80 should fail because it would be rejected by ISA with 400 bad request. Did you unhook the web proxy from the http protocol or something? Is there some way that your users can route out of your LAN without going through ISA? If you have another firewall as your gateway, it should block all port 80 access except from your ISA server!
The only other thing I can think of is that maybe the tor proxy is hiding its traffic inside valid looking HTTP requests/responses, but I'm not under the impression that Tor has that capability...
As for your question of legal risks, IANAlawyer, but as long as your user is not running a tor "exit node" (which he is probably not), then by design it is unlikely that tor traffic will be traced back through your IPs. The whole point is to use the onion routing to bounce traffic through so many layers that tracing is not possible. It's the people and orgs that run "exit nodes" (where the tor traffic merges back to the normal internet) that get hammered with legal hassles. All tor users' traffic appears to be coming out of these nodes, and so they often draw attention of law enforcement.
On a higher level note, if you have users running Tor on your LAN without permission then IMO you really should keep an eye on those guys. Tor is a fairly sophisticated thing that your average luser wouldn't even know about, much less figure out how to use. I'd be far more worried about what your users are really using it for (and potentially bringing into and storing on your hosts) than what other tor network users might be transiently bouncing through the node.
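The answer above rests on one mechanism: a web proxy filter that inspects the bytes arriving on port 80 and returns 400 Bad Request unless they form a real HTTP request, so a Tor (or any other) client that simply opens a raw TCP connection to port 80 gets cut off. The following is an added illustration of that check, written for this thread and not taken from ISA Server or the Tor project; the sample payloads are constructed, the function names are my own, and it models only the request-line/header validation, not the rest of what a proxy does. As the answer itself notes, this kind of filter catches raw non-HTTP streams but not traffic that is wrapped inside well-formed HTTP requests.

```python
import re

# Constructed sample "first bytes" of client streams arriving on port 80.
# These are made up for the example, not captured from any real network.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "http10": b"GET / HTTP/1.0\r\n\r\n",
    # Looks like a TLS ClientHello record header followed by padding: this is
    # what a client tunnelling an encrypted protocol over port 80 would send.
    "tls_client_hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32,
    "binary_junk": b"\x00\x01\x02\x03hello",
    "no_host_header": b"GET / HTTP/1.1\r\n\r\n",
    "bad_version": b"GET / HTTP/9.9\r\nHost: x\r\n\r\n",
}

# Request line: METHOD SP request-target SP HTTP/1.0 or HTTP/1.1
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/1\.([01])$"
)
# Header line: token ":" optional whitespace value (token chars per RFC 7230)
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$")


def filter_decision(payload: bytes):
    """Decide what a minimal HTTP-only port-80 filter would do with the
    buffered start of a client stream.

    Returns ("forward", reason) when the bytes form a well-formed HTTP/1.x
    request head, or ("400", reason) when the proxy would answer
    400 Bad Request and drop the connection.
    """
    head_end = payload.find(b"\r\n\r\n")
    if head_end == -1:
        # No CRLF CRLF terminator: either not HTTP at all (TLS, SSH, Tor cells)
        # or an incomplete head; a real filter would keep buffering up to a cap.
        return "400", "no complete HTTP header block"

    lines = payload[:head_end].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "400", "request line is not HTTP/1.x"
    minor_version = m.group(3)

    headers = {}
    for raw in lines[1:]:
        hm = HEADER_LINE.match(raw)
        if not hm:
            return "400", "malformed header line"
        headers[hm.group(1).lower()] = hm.group(2)

    # HTTP/1.1 requires a Host header; its absence is a cheap tell for
    # hand-rolled or non-HTTP clients.
    if minor_version == b"1" and b"host" not in headers:
        return "400", "HTTP/1.1 request without Host header"

    return "forward", "well-formed HTTP request"


def apply_filter(samples):
    """Map each sample name to the filter's verdict ("forward" or "400")."""
    return {name: filter_decision(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = filter_decision(data)
        print(f"{name:18s} -> {verdict:8s} {reason}")
```

Run as a script it prints one verdict per sample: the two browser-style requests are forwarded and everything else gets a 400. The practical point for the thread is that if such a filter is actually in the path, a Tor client that cannot speak HTTP on port 80 never gets a connection out; if the user's traffic is getting through anyway, either the filter is not applied to that traffic or there is a path around the proxy.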
Thanks for your insight. I'm still trying to sort out what the previous admin has done as far as the ISA settings go. It seems that every time I try to change something to make it more secure, something else breaks. So in fixing all of this up, I may fix the TOR problem at the same time.