Cisco Support Community

New Member

how to block web proxy and anonymizers

What is the best way to utilize the IPS to block web proxies?

4 REPLIES
New Member

Re: how to block web proxy and anonymizers

The HTTP CONNECT sig should handle some of that, I think. If the proxy actually uses the HTTP CONNECT method, anyway. At the very least, it can be used to block malicious users from scanning your network looking for servers with the CONNECT method enabled.

Gold

Re: how to block web proxy and anonymizers

Unless you're interested in a full-time job of maintaining a list of open proxies/anonymizers, a network IPS isn't going to be very effective at blocking access. You'd probably be better served using a subscription service (i.e. URL category filtering). Just make sure it does HTTPS CONNECT filtering as well, like another poster pointed out. In either case, if you allow outbound HTTP/HTTPS, this is almost impossible to block 100%. Any geek can set up a proxy on their home broadband.

Bronze

Re: how to block web proxy and anonymizers

What are the downsides to dropping any/all HTTP CONNECT attempts? Are there legitimate services that utilize this? For example, will it block an internal user trying to SSL VPN to outside?

Gold

Re: how to block web proxy and anonymizers

Just to clarify, are we talking about outbound user traffic that is going through a company-managed non-transparent HTTP proxy...and then utilizing an anonymous proxy? If yes, denying HTTP CONNECT will break HTTPS connections through the company-managed proxy, which is unacceptable in most environments. Yes, it would prevent SSL VPN connections from working.

If instead we're talking about non-proxied or transparently proxied outbound user traffic that is simply attempting to use an RFC-compliant external anonymous HTTP proxy, then preventing HTTP CONNECT should not break SSL, and might be a good thing to do. It won't necessarily stop all anonymous proxy access though...google for "CGI anonymous proxy". I don't believe it will prevent SSL VPN connections. SSL VPNs do use CONNECT requests, but I believe it's after the initial SSL connection is established (so is encrypted).
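The two cases in the reply above, as an added example that is not part of the original thread and is not a Cisco signature: a Python sketch of what a cleartext request-line check can and cannot distinguish. The function names, the policy in `verdict`, and the sample lines are constructed for illustration.

```python
import re

# Matches a cleartext HTTP/1.x request line: METHOD SP target SP version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def classify_request_line(line):
    """Return 'connect', 'proxy-form', 'origin-form' or 'not-http'."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return "not-http"      # e.g. TLS bytes: nothing cleartext to match on
    method, target = m.groups()
    if method == "CONNECT":
        return "connect"       # tunnel request, target is host:port
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "proxy-form"    # absolute URI: the client is addressing a proxy
    return "origin-form"       # ordinary request sent straight to a web server

def verdict(line, via_managed_proxy):
    """Hypothetical policy following the two cases described in the reply."""
    kind = classify_request_line(line)
    if via_managed_proxy:
        # Browsers send CONNECT and absolute URIs to an explicit proxy as a
        # matter of course; dropping them here breaks normal HTTPS.
        return "allow"
    if kind in ("connect", "proxy-form"):
        return "block"         # direct outbound traffic addressed to a proxy
    return "allow"             # CGI-style web proxies land here: they look
                               # like ordinary browsing to this check

# Constructed sample request lines (hostnames are placeholders)
SAMPLES = {
    "tunnel": "CONNECT vpn.example.com:443 HTTP/1.1",
    "external_proxy": "GET http://www.example.org/ HTTP/1.1",
    "cgi_proxy": "GET /proxy.cgi?url=http://www.example.org/ HTTP/1.1",
    "tls_bytes": "\x16\x03\x01\x02\x00",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, classify_request_line(line),
              verdict(line, via_managed_proxy=False),
              verdict(line, via_managed_proxy=True))
```

The `cgi_proxy` and `tls_bytes` samples pass the check on direct traffic, which is why the thread points to URL category filtering in addition to a CONNECT signature.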
