mhellman Fri, 03/09/2007 - 06:07
User Badges:
  • Blue, 1500 points or more

Unless you interested in a full time job of maintaining a list of open proxies/anonymizers, a network IPS isn't going to be very effective at blocking access. You'd probably be better served using a subscription service (i.e. URL category filtering). Just make sure it does HTTPS CONNECT filtering as well, like another poster pointed out. In either case, if you allow outbound HTTP/HTTPS, this is almost impossible to block 100%. Any geek can setup a proxy on their home broadband.

clausonna Thu, 03/15/2007 - 05:09
User Badges:
  • Bronze, 100 points or more

What are the downsides to dropping any/all HTTP CONNECT attempts? Are there legitimate services that utilize this? For example will it block a internal user trying to SSL VPN to outside?

mhellman Thu, 03/15/2007 - 06:26
User Badges:
  • Blue, 1500 points or more

Just to clarify, are we talking about outbound user traffic that is going though a company managed non-transparent http proxy...and then utilizing an anonymous proxy? If yes, denying HTTP CONNECT will break HTTPS connections through the company managed proxy, which is unacceptable in most environments. Yes, it would prevent SSL VPN connections from working.


If instead we're talking about non-proxied or transparently proxied outbound user traffic that is simply attempting to use an RFC compliant external anonymous HTTP proxy, then preventing HTTP CONNECT should not break SSL, and might be a good thing to do. It won't necessarily stop all anonymous proxy access though...google for "CGI anonymous proxy". I don't believe it will prevent SSL VPN connections. SSL VPN's do use CONNECT requests, but I believe it's after the initial SSL connection is established (so is encrypted).

Actions

This Discussion