• Status: Solved
  • Priority: Medium
  • Security: Public

How to block anonymous web proxies?

Hello, I work for a school district and I am being told to block anonymous web proxies. We currently use Bess / N2H2 Filtering, but unless I specify the proxy's URL, it won't block anything. Does anyone out there know how to block anonymous web proxies?
0
Asked by: eptexascrazy
4 Solutions
 
tnapolitano Commented:
If I am misunderstanding your question, please give more information on requirements.

As far as I know, BESS (along with just about every other content filter) has Control categories for Anonymizers and Anonymizing Utilities.
0
 
venom96737 Commented:
You really can't block that outbound connection unless you're going to filter the port used but it still would help there is a way around it
0
 
giltjr Commented:
The only way is to block based on their URL and/or IP address.  Because of the way they work they look like any other Web server on the Internet.
0
 
ahoffmann Commented:
You mean outgoing connections to a proxy?
Then redirect all traffic to your own proxy, ready.
Works as long as you have no SSL and/or accept that your proxy terminates SSL (which breaks the basic intention of SSL :)
0
 
jhance Commented:
You need to "fix" your network, probably by changing your router's settings, so that NONE of the client PCs can directly access the internet on ANY port. That way your default settings of the BESS/N2H2 proxy will be the only way out.

I'm assuming you don't have an active domain setup here where you can force the proxy settings with group policy and that even though you have set up the proxy for the web browser, users are changing these settings themselves and using an outside proxy. Fix the problem at a place where they don't have control. So then even if they do change the client PC proxy settings, it will do them no good because YOUR proxy is the only way out.
0
 
zgrp Commented:
Hello,

AFAIK, it is impossible to block all anonymizers; they exist in several ways like web anonymizers (with the HTTP CONNECT method, over SSL, site redirector, site encapsulation, etc.), SOCKS proxies, HTTP proxies, etc.

Maybe you could find on the internet some blacklists of web anonymizers; it can help you, but never will solve the problem.

My suggestion (if possible) is:

- Configure your network servers in a way that only essential protocols are available (for example HTTP and FTP).

- Create an ACL (Access Control List) in your proxy based on Deny, so all content is blocked, and you will be "allowing" over time what is essential, that users go showing for their job. I know that in many cases it can be impractical (impossible), because the start time to implement will be a big fight against users; however, you can gain much time by analyzing the logs from your actual proxy to generate new "Allow rules" of what is essential, and then just "granulate it"..... :)

Hope this helps,

Cheers,
0
 
robsonde Commented:
We have just worked through this problem on our network.

Unless you want to make a "white list" of sites you will let through the proxy.......

1. Blacklist as many as you can find and make it well known to the users that being found using a web/PHP proxy will get you banned from the network.

2. Find a user who has used another web proxy that you haven't yet found/blocked and make an example of him/her in a very public way.

3. Keep updating the list of blocked sites.

There are many ways around a proxy; you can never stop the users if they really want to get around the proxy.

Use the computer usage policy as a big stick and they will fall into line.
0
 
floorman67 Commented:
you do it by use of blacklists ... and there are a ton of them ... add them to your filtration application/iptables

http://www.google.com/search?hl=en&q=proxy+blacklist
0
 
bloodrazor Commented:
What you're really asking is if there's a way to have a computer "know" the contents of a webpage.
The short answer: no.

However, I suppose if your filtering system will allow it you could add certain words, both in the URL and in the actual body of the page, to the automatic block list (i.e. if the URL of the webpage, or part of the main body of the page, contains the phrase "free anonymizer service"... auto-block).

I do stress that if the users want to get around all this, some spark that knows what they are doing can simply create their own website to do this, that could be as simple as a form on its own, that will show the contents of whatever URL is typed into the form. Another method is to simply find the IP of the site (e.g. the "blocked anonymiser site"), and use that, as it will get around the URL-based filtering with ease.

Personally, I'm very much against the concept of filtering, and various restrictions. It's wrong, although I can understand that you would have to in schools to stop some very angry parents. Although I suppose I'm biased, as I'm one of the students that takes pleasure in simply evading restrictions, and dislikes being mommy-coddled (I can check my own browsing habits, thank you). Basically, if you can think of a way to avoid using the restrictions while maintaining "clean" browsing, I am sure 99% of the userbase would be pleased, as the filtering can often catch sites that are used for work purposes (an example: an English assignment on Leicester City football club. Oh look, the website's blocked ;) )
0
 
floorman67 Commented:
NO, THAT REALLY ISN'T WHAT HE IS ASKING AT ALL.

HE IS ASKING ABOUT BLOCKING PROXY SERVERS SO USERS CAN NOT BYPASS PORT/PROTOCOL/USE RESTRICTIONS.
0
 
floorman67 Commented:
AND NO ONE CARES WHAT YOU ARE AGAINST ... IT ISN'T YOUR RESOURCES BEING CONSUMED ... IT'S THE SCHOOL'S AND THE TAXPAYERS'.

STUDENTS ARE THERE FOR THE CURRICULUM, ITS EDUCATION, AND THE ADMINISTRATION NOT ONLY HAS THE RIGHT, BUT THE OBLIGATION TO RESTRICT ACCESS TO AREAS EXCEPT THOSE PERTAINING TO SAID.

IF THE SITES ARE BLOCKED, DNS BLOCKED, PORTS ARE SHUT DOWN, AND THE PROXIES ARE BLOCKED, YOU CAN'T GAIN ACCESS BY THE SIMPLE CREATION OF A WEB SITE.

YOU REALLY DO NOT KNOW WHAT YOU ARE TALKING ABOUT. IF THE RESOURCES ARE FILTERED/BLOCKED, THEY WON'T EVEN LOAD.

WHAT YOU ARE TRYING TO EXPLAIN IN ANONYMIZER IS CALLED A PROXY SERVER.
0
 
giltjr Commented:
bloodrazor, you need to learn to think outside of the box. If you don't, you will be in one the rest of your life. Filtering is NOT wrong. It is no different than preventing an underage person from buying beer, wine, liquor, or anything else they should not have because they are not mature enough to handle it. They have done studies and have shown that the part of the brain that is responsible for making "informed decisions" does not mature until the age of 25 on average.

You may believe that you can check your own browsing habits, and you may, but the average school-age child can't. It's been proven. I personally do not want my 6 year old to accidentally see something because a 15 year old set up a computer to bypass normal filtering.

Yes, somebody can get around it; in fact people can get around most anything. Sooner or later the odds are they will get caught.

If a site is valid, it can be unblocked.

One day hopefully you will have a child and your attitude will change. Some mommy-coddling is needed in every child's life.
0
 
Nightofthecow Commented:
You could also take a look at what proxies your students are using. You can check the logs for commonly visited sites. Generally, using an anonymous proxy server means the user will spend an extended amount of time on that site. That will be a red flag to you. The sites are fairly obvious, for example, proxyspinner, etc... You can manually block these entries, however, that all depends on how large the problem at hand is. If it's on a small scale, the manual way isn't a bad way to go.
0
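
The log review described in the comments above (zgrp: mine the existing proxy's logs for new "Allow rules"; Nightofthecow: look for one site a user sits on for an extended time) can be scripted. This is an added example, not code from any poster or vendor; it assumes Squid's native access.log field order (Bess/N2H2 logs will differ), and the sample lines, host names and thresholds are constructed.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

def _line(client, method, url, size=4096):
    # Field order: time elapsed_ms client result/status bytes method URL user peer type
    return (f"1200000000.000 150 {client} TCP_MISS/200 {size} "
            f"{method} {url} - DIRECT/192.0.2.10 text/html")

# Constructed sample traffic (documentation-range addresses, made-up hosts).
SAMPLE_LOG = "\n".join(
    [_line(c, "GET", "http://www.school-portal.example/home")
     for c in ("10.1.5.21", "10.1.5.22", "10.1.5.23")]
    + [_line("10.1.5.23", "GET", f"http://web-proxy.example/browse.php?page={i}")
       for i in range(6)]
    + [_line("10.1.5.22", "CONNECT", "203.0.113.7:443")])

def host_of(method, url):
    # CONNECT requests are logged as "host:port"; other methods carry a full URL.
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].strip("[]").lower()
    return (urlsplit(url).hostname or "").lower()

def summarize(log_text):
    # host -> {client address -> number of requests}
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # skip truncated or malformed lines
        host = host_of(f[5], f[6])
        if host:
            stats[host][f[2]] += 1
    return stats

def is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def candidate_allowlist(stats, min_clients=3):
    # Named hosts used by many different clients: first candidates for allow rules.
    return sorted(h for h, c in stats.items()
                  if len(c) >= min_clients and not is_raw_ip(h))

def review_queue(stats, min_requests=4, max_clients=1):
    # Bare-IP destinations, or heavy use of a host by very few clients: human review.
    return sorted(h for h, c in stats.items() if is_raw_ip(h)
                  or (len(c) <= max_clients and sum(c.values()) >= min_requests))
```

Both lists are input for an administrator's decision rather than rules to apply automatically: a host in the review queue may be legitimate, and the thresholds need tuning to the size of the network.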
 
Serverman2001 Commented:
I too work in a school and have problems with proxy anonymizers. I am now going to try to turn the whole thing around by implementing a Squid proxy server on the network and blocking all websites and building up a whitelist rather than a blacklist. Blacklists are OK but they need keeping up to date. The joy of whitelists is I can put a web front end on Squid and get the teachers to build it up themselves.
Hopefully our ISP will sort this out as we pay them enough for content filtering but it's clearly not adequate.

I did purchase a program called Browse Control that allows you to garden wall websites, which works quite well; again you can build up whitelists with this too, along with turning the internet off and on in different rooms. www.codeworks.com

hope this helps

0
 
Serverman2001 Commented:
oooops, Web site should read www.codework.com

sorry
0
 
SSPI Commented:
I would recommend you look into Bloxx, Inc. http://www.bloxx.com. Anonymous proxies, which let students bypass filters, are blocked instantly with Bloxx, meaning your students can't access the internet through the back door. You can also choose to enable the Safesearch feature on Internet search engines so that students cannot bypass it and access inappropriate material. Due to the essential nature of education, many types of sites need to be accessed by users and the flexible group policies within the Bloxx internet filtering system provide for these diverse requirements. Also, Bloxx's thorough and clear reporting allows you to see if your group Internet policies are working sufficiently or if they need fine tuning, and provides invaluable real time monitoring to see which users are frequently violating policies.
0
 
Serverman2001 Commented:
OK, some time has passed since my post but my final solution was the School Guardian from Smoothwall.
Damn good product, and the best part about it is the students at the school I work in have presented me with a nice petition about over-blocking. When I looked into it in more detail they really wanted me to unban game sites and proxies. This product works well and the tech support we bought into are great to help with any new features you want or issues.

What are you waiting for? Buy it.
0