Tunneling is a serious security threat not only to the privacy of the employee, but also to the security of the company and the company's internal network. Unfortunately, it may take months or even years before VPN technology reaches the acceptance and sophistication required for everyday usage.
Here's what to do. Properly configure all of your proxy servers and VPN access points with the following techniques:
Regularly review logs and traffic passing through proxies or firewalls that are not work-related or where users linger at sites that don't look work-related.
Limit the ports that a proxy can connect to and what can connect to them. Keep honest people honest; allow access only to the ports inside and outside your system that people really need to do their work. Publish these regularly and make it policy to regularly update employees on what they're allowed or not allowed to do.
Check for unauthorized VPN traffic originating from inside your LAN. If someone is stealing information or making unauthorized entries, a virtual private network (VPN) is one way to mask this activity. All VPN technologies use well-known ports, so look for activity that doesn't belong.
Use a one-time password authentication for proxies and VPNs to verify authorization and maintain an audit trail of accesses. A VPN should always use a strong authentication system to verify the identity of the user who is trying to connect.
Watch for abnormally long connections to ports such as 80, 443, or 563 that use SSH, GRE, ASP, or AH protocols. For example, Generic Routing Encapsulation (GRE) tunnels provide a specific pathway across the shared WAN and encapsulate traffic with new packet headers to ensure delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. Tunnels don't provide true confidentiality (encryption does) but can carry encrypted traffic. GRE tunneling can also be used to encapsulate nonIP traffic into IP and send it over the Internet or IP network. The Internet Package Exchange (IPX) and AppleTalk protocols are examples of nonIP traffic.
Deploy an intrusion-detection system to alert you to unauthorized internal activity on your network that a firewall cannot detect, and to watch for abnormal traffic into and out of the VPN demilitarized zone (DMZ). It's probably a good idea to also have one inside the LAN proper and one outside the DMZ to give a comprehensive view of any abnormal activity.