Mike Rambo wrote:
> Tim Bates wrote:
>> On 5/10/2010 9:44 PM, John Dakos wrote:
>>> Kromonos thank you for your message.
>>>
>>> But I know this way with dstdom..... but the problem is... on web
>>> has a
>>> hundreds bypass proxy sites... this is no way for administrators. I
>>> spend a
>>> lot of time to search on google for bypass domains.
>>>
>>> Another idea ?
>>
>> A method I used quite effectively at the school I work for (before the
>> education department got their act together) was this:
>> * Block HTTPS to IP addresses - very very few legitimate reasons for
>> this to be happening.
blocks a few proxies and also blocks Skype.
>> * Block common path names for CGI proxies - I found blocking URLs with
>> "cgi" and "nph" in them to be fairly effective. Only had one case of a
>> legitimate site being blocked here.
this is a bit outdated. There are many proxies with a URL like
www.example.com/index.php and you certainly do not want to block
on "/index.php"
>> * Compile a list of free subdomain based dynamic DNS services -
>> configure a separate log file for requests that hit these, and monitor
>> them. I was randomly checking a few entries when I had a spare few
>> minutes.
I find this too much work since it blocks only a few proxies.
>> * Subscribe to proxy bypass mailing lists such as PeaceFire (subscribe
>> to a few). I found it useful to monitor these for a day or 2 after
>> getting them so I could find out who was getting the info, and from
>> where.
again just helps a little bit. There are too many lists and too many
proxies for an admin to monitor.
>> Tim B
>
> I would add opendns as a suggestion. Their lowest level service is
> without cost and seems reasonably comprehensive. Non-free variants are
> more flexible and have better reporting. We use them for porn and proxy
> and then do our own url filtering in house for everything else. I guess
> it gets a 'works here' certificate. YMMV.
It helps, but only for the mainstream proxies.
I know this for a fact since I maintain a URL database and it has
90.000+ proxies and 90.000+ URLs referring to proxies.
VPNs and SSH tunnels and many modern proxies are not caught.
Do you block teamviewer ? and ultrasurf ?
SSH tunnels are a security nightmare and may leave the LAN unprotected
as if there was no firewall. Whatever you do, you should block
SSH tunnels since anybody can type at Google "how to punch holes in firewalls"
Do you want to enforce SafeSearch on search engines ?
My advise: talk with your management and ask what their view on an
internet usage policy is. If the decision is to block some sites,
investigate options that block more than 99% (they are all paid)
and implement one of them.
Marcus
Received on Tue Oct 05 2010 - 15:43:20 MDT
This archive was generated by hypermail 2.2.0 : Tue Oct 05 2010 - 12:00:02 MDT