The HTTP CONNECT sig should handle some of that, I think. If the proxy actually uses the HTTP CONNECT method, anyway. At very least, it can be used to block malicious users from scanning your network looking for servers with the CONNECT method enabled.
Unless you interested in a full time job of maintaining a list of open proxies/anonymizers, a network IPS isn't going to be very effective at blocking access. You'd probably be better served using a subscription service (i.e. URL category filtering). Just make sure it does HTTPS CONNECT filtering as well, like another poster pointed out. In either case, if you allow outbound HTTP/HTTPS, this is almost impossible to block 100%. Any geek can setup a proxy on their home broadband.
Just to clarify, are we talking about outbound user traffic that is going though a company managed non-transparent http proxy...and then utilizing an anonymous proxy? If yes, denying HTTP CONNECT will break HTTPS connections through the company managed proxy, which is unacceptable in most environments. Yes, it would prevent SSL VPN connections from working.
If instead we're talking about non-proxied or transparently proxied outbound user traffic that is simply attempting to use an RFC compliant external anonymous HTTP proxy, then preventing HTTP CONNECT should not break SSL, and might be a good thing to do. It won't necessarily stop all anonymous proxy access though...google for "CGI anonymous proxy". I don't believe it will prevent SSL VPN connections. SSL VPN's do use CONNECT requests, but I believe it's after the initial SSL connection is established (so is encrypted).
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...