jlinde
asked on
Help blocking proxy servers on my network
I work for a very small company that is on a limited budget, but would like to do their best at preventing access to proxy servers via the web to circumvent our web policies or blocked sites. The current layout for my infrastructure is a PIX 506E at the firewall (Cisco PIX Firewall Version 6.3(1)), and I have implemented a real on-the-cheap solution for web filtering by running a Windows 2003 server with DNS/DHCP and IIS on it. I route all DNS through the Windows server, where I created Forward Lookup Zones for the sites that I want to block to point back to my IIS server, where they receive a warning page (my local index.html); if there is no zone then it passes along to our ISP's DNS for accurate resolution.
Is there a way to better protect the company from users going to the numerous amounts of proxy sites to circumvent the in-house DNS?
Please let me know your thoughts on this one.
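The sinkhole setup described in the question (one forward lookup zone per blocked site, pointing at the IIS warning page), as an added example that is not part of the original thread: a Python script that turns a blocklist into `dnscmd` commands for the Windows DNS server. The sinkhole address `192.0.2.10` and the sample domains are constructed placeholders, and the wildcard record is an assumption so that subdomains of a blocked site also land on the warning page.

```python
import re

SINKHOLE_IP = "192.0.2.10"  # assumption: placeholder for the IIS warning-page server
DNS_SERVER = "."            # "." means the local DNS server in dnscmd syntax

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(entry):
    """Reduce a URL or hostname to a bare lowercase domain, or None if invalid."""
    host = entry.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)            # drop scheme
    host = re.split(r"[/:?#]", host, maxsplit=1)[0].rstrip(".")  # drop path, port, dot
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    return host

def minimal_zones(entries):
    """Deduplicate and drop names already covered by a parent zone in the list."""
    names = {d for d in map(normalize, entries) if d}
    keep = []
    # Parents (fewer labels) are visited first, so children can be skipped.
    for name in sorted(names, key=lambda n: n.count(".")):
        if not any(name.endswith("." + zone) for zone in keep):
            keep.append(name)
    return sorted(keep)

def dnscmd_lines(entries, ip=SINKHOLE_IP, server=DNS_SERVER):
    """Emit dnscmd commands: one primary zone per domain, apex + wildcard A records."""
    out = []
    for zone in minimal_zones(entries):
        out.append(f"dnscmd {server} /ZoneAdd {zone} /Primary /file {zone}.dns")
        out.append(f"dnscmd {server} /RecordAdd {zone} @ A {ip}")
        out.append(f"dnscmd {server} /RecordAdd {zone} * A {ip}")
    return out

if __name__ == "__main__":
    # Constructed sample blocklist (reserved example domains, not real proxy sites).
    sample = ["http://proxy.example.com/browse.php", "Example.com.",
              "anon.example.net:8080", "bad_host", "example.com"]
    print("\n".join(dnscmd_lines(sample)))
```

The printed lines can be saved as a batch file and run on the DNS server; names that fail validation are skipped rather than turned into zones.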
Do you have budget to implement TMG 2010?
ASKER
Enzogoy, I totally get that trying to create even the simplest of FW rules or adding them to my fwd-zones would take forever given the amount of sites out there and also, as you stated, the fact that they are creating new ones every day, but I wasn't sure if I could address this at the HTTP protocol level that would prevent connections?
Bhzdkh, I am reading over the Forefront Threat Management now.
Forefront is amazing, you can block anything you want based on category.
So you can filter proxy servers, pornography, terrorism, and anything you want based on category.
It also does malware-virus checking online, so any traffic to your network is scanned before it gets to the users.
In order to enable these features you will need to pay an annual fee per user, which is $12/user if I'm not mistaken (this is in addition to the cost of TMG, which is $1500).
I just re-read this thread. I stepped away and came back an hour later to finish typing the post I did above. Sorry for the duplication of mccracky's post. I like his idea of an internal proxy server too.
ASKER
Many thanks to both mccracky and dmcoop for your help. All of your helpful suggestions I believe have me on the right path now.
The best method to stop this is to talk to your boss to create an internet policy. If anyone violates the rules, then do something. It's working hours anyway and they're not supposed to surf those sites during that time.
Just a thought.