how to block web proxy and anonymizers

Unanswered Question
Mar 8th, 2007

what is the best way to utilize the IPS to block web proxy?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
mhellman Fri, 03/09/2007 - 06:07

Unless you interested in a full time job of maintaining a list of open proxies/anonymizers, a network IPS isn't going to be very effective at blocking access. You'd probably be better served using a subscription service (i.e. URL category filtering). Just make sure it does HTTPS CONNECT filtering as well, like another poster pointed out. In either case, if you allow outbound HTTP/HTTPS, this is almost impossible to block 100%. Any geek can setup a proxy on their home broadband.

clausonna Thu, 03/15/2007 - 05:09

What are the downsides to dropping any/all HTTP CONNECT attempts? Are there legitimate services that utilize this? For example will it block a internal user trying to SSL VPN to outside?

mhellman Thu, 03/15/2007 - 06:26

Just to clarify, are we talking about outbound user traffic that is going though a company managed non-transparent http proxy...and then utilizing an anonymous proxy? If yes, denying HTTP CONNECT will break HTTPS connections through the company managed proxy, which is unacceptable in most environments. Yes, it would prevent SSL VPN connections from working.

If instead we're talking about non-proxied or transparently proxied outbound user traffic that is simply attempting to use an RFC compliant external anonymous HTTP proxy, then preventing HTTP CONNECT should not break SSL, and might be a good thing to do. It won't necessarily stop all anonymous proxy access for "CGI anonymous proxy". I don't believe it will prevent SSL VPN connections. SSL VPN's do use CONNECT requests, but I believe it's after the initial SSL connection is established (so is encrypted).


This Discussion