[c-nsp] proxy anonymizer blocking

Andrew Miehs andrew at 2sheds.de
Sun Jul 24 09:34:22 EDT 2011


On 24/07/2011, at 11:37 AM, James Bensley wrote:
> It's a tough one. At my last employer we rolled out squidGuard alongside
> our squid deployments, then used two different black list
> providers which updated daily (and you can use DNS BL now also if you
> patch your v1.4 source).
> 
> Couple these options with word filtering in the URL (so we blocked any
> URL with words that were found in a word list, that included words
> like "proxy"). That way users could not go to anything like
> "www.aproxy.com" nor could they use a search engine such as Google
> because the URL becomes something like "www.google.com/q=open+proxy".
> Together, this was all very effective for us.

And this works? If the users can change their proxy settings, they can normally change
c:\windows\system32\etc\hosts (or whatever the file is called).

The only solution we have found that really works is not allowing clients directly into the
Internet. All traffic must traverse the DMZ. If they want http, they need to use the HTTP
proxy that we provide them - not that they have much choice - group policies, etc.


Regards

Andrew
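
The URL word filtering described in the quoted message, as an added example that is not part of the original thread and is not squidGuard's own code. The word list beyond "proxy", the example.* URLs and the function names are assumptions made for illustration; the first two sample URLs are the ones given in the quoted text.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed word list; the thread only names "proxy" as one entry.
BLOCKED_WORDS = ["proxy", "anonymizer"]
_PATTERN = re.compile("|".join(re.escape(w) for w in BLOCKED_WORDS),
                      re.IGNORECASE)


def normalize(url):
    """Return host + path + query with percent-escapes and '+' decoded,
    so an encoded spelling of a listed word still matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    for _ in range(2):          # second pass catches double encoding
        rest = unquote_plus(rest)
    return host + rest


def check_url(url):
    """Return the listed word found in the URL, or None if it passes."""
    match = _PATTERN.search(normalize(url))
    return match.group(0).lower() if match else None


# The first two URLs come from the quoted message; the rest are constructed.
SAMPLE_URLS = [
    "www.aproxy.com",
    "www.google.com/q=open+proxy",
    "http://www.example.com/pr%6Fxy-list",       # encoded 'o'
    "www.example.org/docs/reverse-proxy-setup",  # legitimate page, still hit
    "www.example.net/news",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        word = check_url(url)
        verdict = "BLOCK (%s)" % word if word else "allow"
        print("%-45s %s" % (url, verdict))
```

Substring matching also blocks the documentation URL, so a filter like this needs an allow list for legitimate pages that happen to contain a listed word.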

