Mike Rambo wrote:
Tim Bates wrote:
On 5/10/2010 9:44 PM, John Dakos wrote:
Kromonos thank you for your message.
But I know this way with dstdom..... but the problem is... on web
has a
hundreds bypass proxy sites... this is no way for administrators. I
spend a
lot of time to search on google for bypass domains.
Another idea ?
A method I used quite effectively at the school I work for (before the
education department got their act together) was this:
* Block HTTPS to IP addresses - very very few legitimate reasons for
this to be happening.
blocks a few proxies and also blocks Skype.
* Block common path names for CGI proxies - I found blocking URLs with
"cgi" and "nph" in them to be fairly effective. Only had one case of a
legitimate site being blocked here.
this is a bit outdated. There are many proxies with a URL like
www.example.com/index.php and you certainly do not want to block
on "/index.php"
* Compile a list of free subdomain based dynamic DNS services -
configure a separate log file for requests that hit these, and monitor
them. I was randomly checking a few entries when I had a spare few
minutes.
I find this too much work since it blocks only a few proxies.
* Subscribe to proxy bypass mailing lists such as PeaceFire (subscribe
to a few). I found it useful to monitor these for a day or 2 after
getting them so I could find out who was getting the info, and from
where.
again just helps a little bit. There are too many lists and too many
proxies for an admin to monitor.
Tim B
I would add opendns as a suggestion. Their lowest level service is
without cost and seems reasonably comprehensive. Non-free variants are
more flexible and have better reporting. We use them for porn and proxy
and then do our own url filtering in house for everything else. I guess
it gets a 'works here' certificate. YMMV.
It helps, but only for the mainstream proxies.
I know this for a fact since I maintain a URL database and it has
90.000+ proxies and 90.000+ URLs referring to proxies.
VPNs and SSH tunnels and many modern proxies are not caught.
Do you block teamviewer ? and ultrasurf ?
SSH tunnels are a security nightmare and may leave the LAN unprotected
as if there was no firewall. Whatever you do, you should block
SSH tunnels since anybody can type at Google "how to punch holes in firewalls"
Do you want to enforce SafeSearch on search engines ?
My advise: talk with your management and ask what their view on an
internet usage policy is. If the decision is to block some sites,
investigate options that block more than 99% (they are all paid)
and implement one of them.
Marcus
