blocking web proxies

Posted by Doug.Baggett on May 23, 2006, 4:34 pm
I've seen all sorts of people proclaiming that it's impossible to block
people from using external web proxies to sites (like myspace) without
blocking the whole internet.

Why couldn't you...

1. Require everybody on your internal network to use YOUR authenticated
proxy.

2. Block ALL encrypted outgoing activity by default through the proxy
(except for authorized individuals). This is to keep somebody from
setting up squid at home through a broadband connection and connecting
to it via SSL or some other encryption. Basically if your sniffer does
not recognize/can't decipher the traffic...block it.

3. Sniff packets at your proxy for your blocked sites (like myspace)
and deny them outbound access.

This way anybody trying to access myspace through a public or private
external proxy would be stopped cold. Even if they successfully connect
unencrypted to a public proxy your sniffer should be able to sniff the
"myspace.com" address from the packets and keep it from going through.
Plus you'd have their userid and IP address on the inside (so you can
drop an anvil on them!). In addition things like SSH would get blocked
(due to encryption) so no forward or reverse port forwarding/layer 2
vpn would work.

Are there holes in my Evil(TM) network admin setup? :)
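
The three rules proposed in the post above, written out as a proxy policy check. This is an added example, not part of the original post; the user names, addresses, hostnames and the `decide`/`audit` helpers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed policy data (assumptions, not from the thread).
BLOCKED_SITES = {"myspace.com"}
TLS_AUTHORIZED_USERS = {"alice"}

@dataclass
class ProxyRequest:
    user: Optional[str]  # authenticated proxy user, None if no credentials
    client_ip: str       # inside address of the client
    method: str          # "GET", "POST", "CONNECT", ...
    url: str             # absolute URL, or host:port for CONNECT

def decide(req: ProxyRequest) -> Tuple[bool, str]:
    """Return (allowed, reason), applying the post's three rules in order."""
    # Rule 1: every request must carry an authenticated identity.
    if not req.user:
        return False, "unauthenticated"
    # Rule 2: CONNECT opens a tunnel the proxy cannot inspect, so it is
    # denied by default and allowed only for explicitly listed users.
    if req.method.upper() == "CONNECT" and req.user not in TLS_AUTHORIZED_USERS:
        return False, "encrypted-tunnel-not-authorized"
    # Rule 3: naive substring search for a blocked name anywhere in the
    # request, including a URL carried in another site's path or query.
    # It only sees names that appear in cleartext after URL-decoding.
    haystack = unquote(req.url).lower()
    for site in sorted(BLOCKED_SITES):
        if site in haystack:
            return False, "blocked-site:" + site
    return True, "ok"

def audit(requests):
    """Yield one record per denial, with the inside user and IP address."""
    for r in requests:
        allowed, reason = decide(r)
        if not allowed:
            yield {"user": r.user, "ip": r.client_ip, "reason": reason, "url": r.url}

# Constructed sample traffic.
SAMPLE = [
    ProxyRequest("bob", "10.0.0.5", "GET", "http://www.myspace.com/"),
    ProxyRequest("bob", "10.0.0.5", "GET", "http://proxy.example/index.php?q=http%3A%2F%2Fmyspace.com%2F"),
    ProxyRequest("bob", "10.0.0.5", "CONNECT", "home.example:443"),
    ProxyRequest("alice", "10.0.0.6", "CONNECT", "bank.example:443"),
    ProxyRequest(None, "10.0.0.7", "GET", "http://news.example/"),
    ProxyRequest("bob", "10.0.0.5", "GET", "http://news.example/"),
]
```
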


Posted by Sebastian Gottschalk on May 23, 2006, 4:52 pm
Doug.Baggett@gmail.com wrote:
> I've seen all sorts of people proclaiming that it's impossible to block
> people from using external web proxies to sites (like myspace) without
> blocking the whole internet.
>
> Why couldn't you...
>
> 1. Require everybody on your internal network to use YOUR authenticated
> proxy.

man proxy chaining
man non-http proxying

It's still a good idea in terms of real security.

> 2. Block ALL encrypted outgoing activity by default through the proxy
> (except for authorized individuals).

man steganography

> 3. Sniff packets at your proxy for your blocked sites (like myspace)
> and deny them outbound access.

man non-http proxying

> Are there holes in my Evil(TM) network admin setup? :)

I would call them huge craters instead.

Posted by Leythos on May 24, 2006, 7:15 am
Doug.Baggett@gmail.com says...
> I've seen all sorts of people proclaiming that it's impossible to block
> people from using external web proxies to sites (like myspace) without
> blocking the whole internet.

There is nothing that says you have to provide internet access to any
employees at any time. A simple fact is that if you only provide
internet access to those that actually have a business need and then you
only allow access to business partner sites, you don't have problems
like many describe here.

Allowing unrestricted internet access to ALL employees is a foolish
thing that is done by people that don't care about their networks.

You can eliminate 99% of all web browsing threats by using white lists,
content filtering, black lists, and rules based browsing.

--

spam999free@rrohio.com
remove 999 in order to email me

Posted by Lars Geiger on May 24, 2006, 2:24 pm
It's impossible to block certain sites by using black-listing.
And that's good :-)

Everyone should have access to all information.

You can just install PHProxy [1] on your Webserver and can bypass
content-filtering things even without using SSL / TLS.

[1] http://whitefyre.com/poxy/
