Hello,

Is there some kind of rules that can block access to anonymous proxies? The problem I often face is that the most advanced users can always work around the firewall by using proxies. I know that I could run a proxy myself but this is not exactly what I want. The best would be if there could be a filter similar to ipp2p which would check for a "proxy signature" and block those communications.

Viuwier

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
On Tue, Jan 23, 2007 at 09:41:37AM +0100, viuwier wrote:
> Hello,
>
> Is there some kind of rules that can block access to
> anonymous proxies? The problem I often face is that the most advanced
> users can always work around the firewall by using proxies.
>
Umm, it sounds like you have a policy issue and you are trying to solve it with technology. If this is a workplace you are talking about, make it a terminating offence for people to do this. Have a grace period, say one month. During that time, if you detect someone doing it, send them a friendly reminder. After that, start firing people for violating the policy. Of course, you would need support from management to do this.

Also, ask yourself what harm this is causing you, the organization or the user(s). If people are sucking up all the available precious bandwidth, then maybe you should take action. If people are just wasting a little time each day going to "prohibited" sites (lots of places block things like slashdot, news sites, etc. to prevent time wasting), ask yourself if this is something that really "should" be fixed. That is, aren't people going to waste time making personal telephone calls, standing around the water cooler and generally goofing off anyway?

> I know that I could run a proxy myself but this is not exactly what I
> want. The best would be if there could be a filter similar to ipp2p
> which would check for a "proxy signature" and block those
> communications.
>
What if the proxies are themselves transparent? At any rate, you would probably need to block all outbound traffic on every port except for 80 (or the chosen proxy port) and set up a non-transparent authenticating proxy to really make this work. However, that is rather draconian if you ask me.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
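The egress policy Roberto sketches, written out as an added example (this is not code from the thread or from any of its participants): an iptables script for a Linux firewall whose FORWARD chain lets nothing from the LAN reach the Internet directly, and only lets the proxy host out on web ports. The interface names, the LAN range, the proxy address and the port are constructed assumptions (3128 is Squid's default listening port); the proxy is assumed to sit on the LAN segment, so LAN-to-proxy traffic never crosses the firewall and needs no rule. Without APPLY=1 the script only prints the rules it would install.

```shell
#!/bin/sh
# Default-deny egress: LAN hosts cannot reach the Internet on any port, only the
# proxy host may, and only on 80/443 (plus DNS so the proxy can resolve names).
# Everything else leaving the LAN is rate-limited to the log and dropped.
# Run as root with APPLY=1 to install; otherwise the rules are only printed.
set -eu

LAN_IF="${LAN_IF:-eth1}"               # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"               # assumed outside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed example LAN
PROXY_IP="${PROXY_IP:-192.168.1.2}"    # constructed example proxy host (on the LAN)
PROXY_PORT="${PROXY_PORT:-3128}"       # Squid's default port; browsers point here

# Dry run by default: every rule passes through $IPT, so the printed output is
# exactly what would be executed.
if [ "${APPLY:-0}" = 1 ]; then IPT="iptables"; else IPT="echo iptables"; fi

rule() { $IPT "$@"; }

egress_rules() {
    # Start from a clean chain with a DROP policy: anything not explicitly
    # allowed below, including direct port-80 access from LAN hosts, is denied.
    rule -P FORWARD DROP
    rule -F FORWARD

    # Return traffic for connections the proxy already opened.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the proxy host may originate web traffic to the outside. User
    # authentication is the proxy's job (non-transparent, per the thread);
    # the firewall only guarantees there is no way around it.
    rule -A FORWARD -s "$PROXY_IP" -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
    rule -A FORWARD -s "$PROXY_IP" -o "$WAN_IF" -p udp --dport 53 -j ACCEPT

    # Everything else from the LAN (any port, any destination) is logged with a
    # rate limit and dropped. The log is where bypass attempts become visible.
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j DROP
}

egress_rules
```

LAN hosts must be configured to use PROXY_IP:PROXY_PORT explicitly, and the proxy itself must require credentials; both are outside this script. As the rest of the thread points out, this closes the direct routes but does nothing about tunnels carried inside ordinary HTTP requests to the proxy, so the EGRESS-DENY log entries and the proxy's access log are what you actually review, not the rule set.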
On Tue, Jan 23, 2007 at 05:41:26AM -0500, Roberto C. Sanchez wrote:
> At any rate, you would
> probably need to block all outbound traffic on every port except for 80
> (or chosen proxy port) and setup a non-transparent authenticating proxy
> to really make this work. However, that is rather draconian if you ask
> me.
And it still doesn't work. There's a piece of software around somewhere that sets up an IP tunnel over HTTP GET/POST messages - it'll go right through any kind of proxy because it looks like normal web traffic (there's even a proof-of-concept implementation that uses valid HTML content in the messages).

For practical purposes: either block outbound internet access entirely or don't waste your time trying. A person with control over a generic computer on both sides of a firewall can always tunnel through it somehow, if they can get any data through at all. Firewalls are useless against such people; if you want to control what they do, use something else instead (like a cattle prod).

(We can consider a filtering proxy to be a strange kind of firewall)
viuwier wrote:
> which would check for a "proxy signature"
"proxy signature" smells terribly bad (aka insecure). You are trying to solve the problem the wrong way IMHO. Last time I checked this kind of tools (a year ago or so), they were all using highly sophisticated techniques to bypass your firewall. I'm sorry to tell you that you are probably in a no-win situation; you will be unable to stop these tools unless you mutilate your network functionality in a really bad way. I suggest you fix this problem with LART :) Human beings are the most vulnerable element in security.