Blocking the use of web proxies.

Tags: DataCenter, Desktops, Management, Microsoft Windows, Network protocols, Networking, OS, Performance management, Security, Servers, SQL Server, Tech support
Currently we are using a filter by 8e6 Technologies called the R3000. The device works great except for the fact that users can go to a web proxy and get to blocked web sites, bypassing our filter. Is there a way to block the proxy traffic as well? Or do I have to manually block the access to the actual proxy site itself? For example, if I block www.myspace.com everything works fine... but if a user navigates to www.myspaceproxy1.com and uses it to open myspace.com, the user can browse it. Any ideas?
ASKED: January 22, 2007  11:13 AM
UPDATED: November 22, 2010  12:21 PM

Answer Wiki


Depending on how your network is set up, if your clients are using a Windows Domain and IE or Firefox as web browsers, you can force users to use the proxies that you set up. There are GPO settings built into Windows and you can download ADM policies for Firefox to set and force proxies for all users. This will prevent them from changing the proxy server. If you then use the software 8e6 to block “proxy avoidance” sites such as anonymizer and cached web sites (such as Google), you can effectively block most/all users from getting around your proxy. Even if they can get to restricted sites, you can still log the activity because they cannot change the main proxy. The Firefox ADM files are located here: http://sourceforge.net/projects/firefoxadm

Follow the instructions in the file to implement the GPO settings and test them to ensure they are working.


Discuss This Question: 15  Replies

 
  • Swiftd
    The second thing you can do is restrict ALL outgoing traffic unless it's been authorized, and you can get very specific with your firewall ruleset. For example, restrict all TCP port 80 and 443 traffic to the Internet except for the proxy servers. When asked to open a port, get the specific destination or at least the source and only allow that source/destination pair out on that port. If you don't, you're opening up a possible hole for P2P or instant messaging programs to use. Current Trojans and Viruses will scan for open ports to use as well as messaging clients, P2P programs and Users... Deny by default until requirements dictate otherwise. Don
  • Skepticals
    Thank you for the reply, but I do not think I explained myself very well. The "proxy" is set up fine and blocks web sites. The problem I am having is a user can bypass this by going to a web proxy site and redirect traffic through that site. For instance: my filter blocks www.myspace.com. A user can go to www.someproxysite.com and enter in www.myspace.com, and my filter will not block the traffic because it looks like it is coming from www.someproxysite.com. Does that make sense?
  • Brandonbates
    From looking at the lit on 8e6 it appears that it really only does URL and filename/type filtering. I was going to suggest that you set a filter for page content to block any pages that have code matching the header/title tag code of myspace. But since it doesn't do that you'll just have to add the proxy sites to the list of banned sites. I would contact the manufacturer since they say in their literature that anonymous proxy sites are blocked. But web-based proxy sites are apparently still getting through. So I'd call and ask them to add it and/or do a little research to find any others. I'd especially do this if I were paying monthly/yearly support, it's their job at that point.
  • MODMOD
    Just a thought, but is it possible the proxies you're encountering are just mapping to the IP address? If they are, then just filtering any IPs you find on myspace domains may actually kill several birds with one stone. I didn't see anything on the description of the product you're using, but if it supports RegEx, or wildcard, or context-based filtering, that could also make things easier on you... Of course, there's a breaking point where it's easier to target a few problem employees than it is to try to find every possible proxy there is. Another thing that may help: I'm guessing there are some web sites that list active proxies for popular sites; that might be a source for some pre-emptive strikes. Good luck...
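The bypass described in this thread (a request to a proxy host that carries the blocked site's address) can be spotted in URL logs, which gives a review list of hosts to add to the filter. The sketch below is an added example, not part of the original thread and not an R3000 feature; the log format (time, client IP, URL) and the assumption that the proxy carries the destination in the path or query string as plain, percent-encoded or base64 text are mine.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

BLOCKED = {"myspace.com"}                        # domains the filter already blocks
HOSTLIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")
B64_TOKEN = re.compile(r"[A-Za-z0-9+_-]{16,}")   # '/' excluded so path segments stay apart

def is_blocked(host, blocked=BLOCKED):
    return any(host == d or host.endswith("." + d) for d in blocked)

def decoded_views(text):
    """Return text percent-decoded twice, plus any base64 tokens that decode to ASCII."""
    views = [unquote(unquote(text))]              # undo single and double percent-encoding
    for tok in B64_TOKEN.findall(views[0]):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), altchars=b"-_")
            views.append(raw.decode("ascii"))
        except ValueError:                        # not base64, or not text
            pass
    return views

def embedded_blocked_host(url, blocked=BLOCKED):
    """Blocked host carried in the path/query of a URL served by another host, else None."""
    parts = urlsplit(url)
    if is_blocked((parts.hostname or "").lower(), blocked):
        return None                               # direct visit; the block rule already applies
    for view in decoded_views(parts.path + "?" + parts.query):
        for host in HOSTLIKE.findall(view.lower()):
            if is_blocked(host, blocked):
                return host
    return None

def candidate_proxies(log_lines, blocked=BLOCKED):
    """Map each relaying host to the (client, blocked host) pairs seen through it."""
    hits = defaultdict(set)
    for line in log_lines:
        _time, client, url = line.split()
        if target := embedded_blocked_host(url, blocked):
            hits[urlsplit(url).hostname].add((client, target))
    return dict(hits)

SAMPLE_LOG = [   # constructed lines; the u= value is base64 of http://www.myspace.com/
    "11:02:10 10.0.0.21 http://www.myspace.com/",
    "11:02:44 10.0.0.21 http://www.myspaceproxy1.com/index.php?q=http%3A%2F%2Fwww.myspace.com%2F",
    "11:03:05 10.0.0.37 http://www.someproxysite.com/browse.php?u=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8=&b=4",
    "11:03:30 10.0.0.37 http://intranet.example/reports/2007-01.html",
]
print(candidate_proxies(SAMPLE_LOG))
```

A search-engine query for the blocked name is flagged as well, so the output is a review list for the filter's manual block list rather than an automatic verdict.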
  • Skepticals
    Thanks for all the information; it appears my best bet is to manually enter in the better-known web proxy sites.
  • Swiftd
    I understood your question and was offering other ways to block not only sites allowed on the proxy, but preventing users from going totally around your proxy by configuring another proxy (besides the 8e6 proxy) as another way around it. We use Websense, which contains the "proxy avoidance" setting. This setting does exactly what you are saying, by blocking proxy sites on the Internet like anonymizer. Unfortunately, if someone sets up a site at their home, no one is going to know what they are unless they announce it to others or someone stumbles on it as an anonymous proxy. Websense would handle this by putting context keywords to block, but that gets really risky and causes a lot of false positives. I figure if someone is going to go through the process of creating their own, at home, anonymous proxy (which isn't hard), so be it. There's no way I can restrict everything. That's what policy is for. When they get caught, you have your policy to back you up when their supervisor has to take action. Don
  • MennoT
    Indeed drawing up a good policy, creating awareness with the users and applying disciplinary measures in case of violation are the final piece. Unless you follow the principle 'anything is prohibited unless it is allowed' as proposed before, with all administrative hassle connected with it, there is no way to block everything. The worst thing is https (port 443); since the traffic is encrypted, anything can be carried through. Skillful people are even able to abuse this to enable inbound connections...
  • Skepticals
    Swiftd, we currently do not have a proxy - the 8e6 sits on the side of the network and monitors a mirrored stream of packets. The device will send a TCP Reset packet to the web server and a redirect/block page to the client. I believe the initial reason my company wanted this device was because it was not a proxy, in the way it sits on the side and does not affect the flow of traffic. The device claims it blocks proxies - even the PHP proxy - that the site claims to use. I will do more research and contact the company if need be. If all else fails I can set up a proxy. Thanks for the suggestions.
  • TedRizzi
    I don't know what proxy you're using, but some proxies block websites by category. We use CA's SCM and that is how it works. If yours is like that, you should block the anonymizer category; this will block access to those web-based proxies.
  • Swiftd
    MennoT: Using Squid (and other proxy servers) you can man-in-the-middle secure (SSH, HTTPS, etc) requests so that the proxy server knows what is being sent through it. Doing so, you can at least be sure that traffic passing through your proxy is not extraneting your private, confidential information to some third world country. It depends what your policy says about doing that, as it could be seen as privacy invasion. If everyone knows that's the policy (through user education), legal signs off on it, and the user has signed the user agreement stating such, then there is more assurance that they aren't going to try it. I'm not a proponent of not trusting your users, but it usually comes down to liability to the company. We block everything until a justification to allow it has been requested and approved. Obviously, there's a step in between to ensuring it is secured and policies have been written about it, where necessary. While trying to trust users, however, I try to be a good "netizen" (hate that term) and not become some hacker's playground. Letting everything out, in this day and age, isn't smart considering some of the new viruses, trojans, P2P, messaging, and script kiddie tools rely on weak outgoing rules (to the Internet). Anyway, back to Skepticals' response. When I first read this question, I went on to find out what 8e6 was, as I'd never heard of it before. Reading the site and the question, it sounded like an actual proxy server, so I apologize that all of my responses have made that assumption. As you can tell, I am going to be no help with the 8e6 filter. I'm going to say that your best bet is either block individual sites using the 8e6 or scrap it and get something that does this for you. Almost every other solution I can think of doesn't get you closer to that end without replacing it entirely. There are lists of anonymous proxy sites that you can look up and hopefully find an easy way to import into the filter.
    Of course, I personally think you're going to be old and gray before you're satisfied that they are all blocked; personal proxy servers will never show up on that list. This is why content filters such as Websense and SurfControl cost so much in maintenance, because they have people physically (and via scripts) surfing the web looking and classifying the sites for their products. However, there will also come a day when everyone simply blocks the Websense and SurfControl sites so they don't get blacklisted. Its time is coming to an end... But that is the proverbial cat and mouse game of network security. Anyway, sorry for the confusion. I hope this response is more suited to what you were looking for. Don
  • Paul144hart
    You could use a security device - Bluecoat lets you block content with scripting on SG type devices. http://www.bluecoat.com/
  • Skepticals
    Don, You are correct in that the R3000 does not work the same way as a proxy. All the traffic does not go through the device. The device does have settings for blocking proxies, but they didn't seem to work. I do not need to block all the sites, I would just like to make a reasonable attempt at the better-known sites. I do not expect everyone to know what the R3000 is or take the time to research it - you have been most helpful. I like to get an idea of what other admins are doing. I can't get rid of this device because of budget and we just purchased it. I will look into this further. Thanks for your time and effort.
  • Skepticals
    Everyone, I wanted to follow up on this issue. First of all, I was contacted by 8e6, who - to my surprise - came across my post. The gentleman was very helpful regarding my issues. He was able to lead me in the right direction and show me some settings that I could enable that would help block proxies. Also, he mentioned a future update that will come with enhanced features specific to my needs. The device is working great; it has stopped 8 out of 10 proxies listed on Google automatically. If I have to, I can add the extras manually or wait for a new update to the device. The great thing about this device is the fact that it does not work like a proxy, in that the flow of traffic is not interrupted because the R3000 is sent a mirrored stream of data. Thanks everyone.
  • Bikecommutr
    The alternate answer here is to find out why people are trying to bypass your proxy. Are they not busy enough? Are they as productive as they could be? Does blocking all of these sites really improve productivity? Has your company measured it? Much like the governments of Iran, China, and Burma/Myanmar have discovered, blocking all outbound traffic is an endless cat and mouse game. You'll never be able to stop all proxy bypassing. For every gain you make, someone will figure out another way. I think you'll find, as I have, that egress filtering is nothing but pain and less productive. Open up the firewall/proxy and let the employees browse. Happier people are productive people.
  • Chippy088
    Can your router/firewall block incoming traffic from those sites? If you can't stop them getting out, try to block the incoming packets instead. They will get a 403/404 error and report it, then you can 'educate' them when they do. You will, of course, have to know the site URL/IP of the sites you want to stop access to.
