[c-nsp] proxy anonymizer blocking

Jimmy Changa jimmy.changa007 at gmail.com
Sun Jul 24 09:44:01 EDT 2011


You would need local admin rights to change the hosts file. 



On Jul 24, 2011, at 9:34 AM, Andrew Miehs <andrew at 2sheds.de> wrote:

> 
> On 24/07/2011, at 11:37 AM, James Bensley wrote:
>> It's a tough one. At my last employer we rolled out squidGuard alongside
>> our squid deployments, then used two different blacklist
>> providers which updated daily (and you can use DNS BL now also if you
>> patch your v1.4 source).
>> 
>> Couple these options with word filtering in the URL (so we blocked any
>> URL with words that were found in a word list, that included words
>> like "proxy"). That way users could not go to anything like
>> "www.aproxy.com" nor could they use a search engine such as Google
>> because the URL becomes something like "www.google.com/q=open+proxy".
>> Together, this was all very effective for us.
> 
> And this works? If the users can change their proxy settings, they can normally change
> c:\windows\system32\etc\hosts (or whatever the file is called).
> 
> The only solution we have found that really works is not allowing clients directly into the
> Internet. All traffic must traverse the DMZ. If they want http, they need to use the HTTP
> proxy that we provide them - not that they have much choice - group policies, etc.
> 
> 
> Regards
> 
> Andrew
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
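
The combination James Bensley describes above (a domain blacklist plus word matching on the URL), sketched as an added example that is not part of the original thread and is not squidGuard's own code. The word list, the blacklist entry and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed sample data (assumptions, not the thread's real lists).
BLOCKED_WORDS = {"proxy", "anonymizer"}
BLOCKED_DOMAINS = {"aproxy.com"}  # stand-in for a daily-updated blacklist feed


def _split(url):
    """Parse a URL, tolerating the scheme-less form used in the thread."""
    return urlsplit(url if "://" in url else "http://" + url)


def host_blacklisted(host, blacklist=BLOCKED_DOMAINS):
    """True if the host or any parent domain is on the blacklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def blocked_word(url, words=BLOCKED_WORDS):
    """Return the first listed word found in the decoded URL, else None."""
    parts = _split(url)
    # Decode %xx and '+' first so matching runs on the normalized text.
    text = unquote_plus(" ".join([parts.netloc, parts.path, parts.query])).lower()
    return next((w for w in sorted(words) if w in text), None)


def decide(url):
    """Return (action, reason) the way a proxy URL-filter helper would."""
    if host_blacklisted(_split(url).hostname or ""):
        return ("DENY", "blacklisted domain")
    word = blocked_word(url)
    if word:
        return ("DENY", "word '%s' in URL" % word)
    return ("ALLOW", "no match")


if __name__ == "__main__":
    samples = [
        "www.aproxy.com",                                   # from the thread
        "www.google.com/q=open+proxy",                      # from the thread
        "http://intranet.example/docs/reverse-proxy-setup", # constructed: over-blocking
        "http://www.cisco.com/en/US/products/index.html",   # constructed: allowed
    ]
    for u in samples:
        print("%-50s %s" % (u, decide(u)))
```

The third sample shows the cost of substring matching: legitimate pages that merely mention a listed word are denied too. The filter also only sees requests that actually reach the proxy, which is the point of Andrew Miehs's reply about forcing all traffic through it.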


