| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jan.meijer at surfnet.nl (Jan Meijer) Subject: Proxies On Fri, 31 Oct 2003, Earl Keyser wrote: > We use all cisco networking gear. Currently using a cisco cache engine > with SmartFilter to "manage" the surfing for our staff/students. As > usual, the little devils figured a way to get around it. > > They went to Google, entered "open proxy list" and bingo-bango. From > this list they found open proxies to use in IE. > > Besides suspending them, we made one technological change. Outgoing > ports 8000, 8080, 8888 and 3128 are now blocked at the firewall. > > Can anyone suggest further refinements to reduce this kind of abuse? I > know some proxies run on port 80, but I'll have to live with that. Yeah. Implement technological measures at the end-nodes to prevent them from using other proxies then yours. As long as you allow outgoing traffic from the end-nodes *and* they can set their own proxies there is no way to prevent them doing just that. And there are proxies anywhere, on any port. And if there are no proxies available, they'll just set them up at home, using their broadband connectivity. Might be a bit slower, but gets the job done. And, invest more in organisational measures. Make sure everyone *knows* about your local websurfing-rules. And knows what happens if they don't adhere. Focussing on the end-nodes will give you an added bonus if you choose to implement it: more secure end-nodes. Nice to have before the next MS worm hits. Jan -- /~\ The ASCII / Jan Meijer \ / Ribbon Campaign -- -- SURFnet bv X Against HTML / http://www.surfnet.nl/organisatie/jm/ / \ Email http://cert-nl.surfnet.nl/
Powered by blists - more mailing lists