Re: Restricting Open Proxies

[krymson () gmail com]

If the Symantec proxy has a blacklist for restricting the use of other open proxies on the Internet, you could turn 
that on. But be aware this is just a blacklist, meaning it must be kept up to date or you're giving yourself a false 
sense of security. You may reduce your risk of people using known proxies, but you don't prevent someone from using a 
private one.

In fact, I don't think you can truly stop this kind of behavior. At least you have everyone in the corporate network 
using a proxy you enforce, but beyond that they likely can connect anywhere they want, no? It might be a better value 
to implement the policy saying no open proxies should be used, be sure to log what people do through your proxy, and 
use those two to prosecute any violators later on. This might be one of those areas where prevention is just not 
possible, but being able to verify use after an incident is paramount. If I use a proxy to send some of your 
confidential information to my house, and you find out I'm doing that, you can then correlate my actions with my use of 
the open proxy in your proxy server.

Thinking further, perhaps browser histories will still show the URLs visited, including sites visited through an open 
proxy? Again, this is more an audit function than prevention, from my point of view.


<- snip ->
We are in the process of strengthening our Information Security Policy. As part of this initiative we want to restrict 
access to Open Proxies from the Corporate Network.

We are currently providing Internet Access through Symantec Web Security which also acts as a Proxy Server.

The access to Open Proxies that keep floating in the wild is bothering us because it might ultimately lead to 
Information Leakage. Has any one of you faced the same issue? What are the best practices for the same?

Any ideas or suggestions are most welcome.