lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.WNT.4.58.0310311840400.804@qjnnyyvpug>
From: jan.meijer at surfnet.nl (Jan Meijer)
Subject: Proxies

On Fri, 31 Oct 2003, Earl Keyser wrote:

> We use all cisco networking gear. Currently using a cisco cache engine
> with SmartFilter to "manage" the surfing for our staff/students.  As
> usual, the little devils figured a way to get around it.
>
> They went to Google, entered "open proxy list" and bingo-bango.  From
> this list they found open proxies to use in IE.
>
> Besides suspending them, we made one technological change. Outgoing
> ports 8000, 8080, 8888 and 3128 are now blocked at the firewall.
>
> Can anyone suggest further refinements to reduce this kind of abuse? I
> know some proxies run on port 80, but I'll have to live with that.

Yeah.  Implement technological measures at the end-nodes to prevent them
from using other proxies then yours.  As long as you allow outgoing
traffic from the end-nodes *and* they can set their own proxies there is
no way to prevent them doing just that.  And there are proxies anywhere,
on any port.  And if there are no proxies available, they'll just set them
up at home, using their broadband connectivity.  Might be a bit slower,
but gets the job done.

And, invest more in organisational measures.  Make sure everyone *knows*
about your local websurfing-rules.  And knows what happens if they don't
adhere.

Focussing on the end-nodes will give you an added bonus if you choose to
implement it: more secure end-nodes.  Nice to have before the next MS worm
hits.

Jan

-- 
/~\ The ASCII                 /     Jan Meijer
\ / Ribbon Campaign        -- --    SURFnet bv
 X  Against HTML            /       http://www.surfnet.nl/organisatie/jm/
/ \ Email                           http://cert-nl.surfnet.nl/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ