Re: Proxies

[Jan Meijer <jan.meijer () surfnet nl>]

On Fri, 31 Oct 2003, Earl Keyser wrote:

> We use all cisco networking gear. Currently using a cisco cache engine
> with SmartFilter to "manage" the surfing for our staff/students.  As
> usual, the little devils figured a way to get around it.
>
> They went to Google, entered "open proxy list" and bingo-bango.  From
> this list they found open proxies to use in IE.
>
> Besides suspending them, we made one technological change. Outgoing
> ports 8000, 8080, 8888 and 3128 are now blocked at the firewall.
>
> Can anyone suggest further refinements to reduce this kind of abuse? I
> know some proxies run on port 80, but I'll have to live with that.

Yeah.  Implement technological measures at the end-nodes to prevent them
from using other proxies then yours.  As long as you allow outgoing
traffic from the end-nodes *and* they can set their own proxies there is
no way to prevent them doing just that.  And there are proxies anywhere,
on any port.  And if there are no proxies available, they'll just set them
up at home, using their broadband connectivity.  Might be a bit slower,
but gets the job done.

And, invest more in organisational measures.  Make sure everyone *knows*
about your local websurfing-rules.  And knows what happens if they don't
adhere.

Focussing on the end-nodes will give you an added bonus if you choose to
implement it: more secure end-nodes.  Nice to have before the next MS worm
hits.

Jan

-- 
/~\ The ASCII                 /     Jan Meijer
\ / Ribbon Campaign        -- --    SURFnet bv
 X  Against HTML            /       http://www.surfnet.nl/organisatie/jm/
/ \ Email                           http://cert-nl.surfnet.nl/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html