Help blocking proxy servers on my network

Posted on 2010-09-09
Last Modified: 2012-05-10
I work for a very small company that is on a limited budget, but would like to do their best at preventing access to proxy servers via the web to circumvent our web policies or blocked sites. The current layout for my infrastructure is a PIX 506E at the firewall (Cisco PIX Firewall Version 6.3(1)) and I have implemented a real on-the-cheap solution for web filtering by running a Windows 2003 server with DNS/DHCP and IIS on it. I route all DNS through the Windows server, where I created Forward Lookup Zones for the sites that I want to block to point back to my IIS server, where they receive a warning page (my local index.html); if there is no zone then it passes the query along to our ISP's DNS for accurate resolution.

Is there a way to better protect the company from users going to the numerous proxy sites out there to circumvent the in-house DNS?

Please let me know your thoughts on this one.  
Question by:jlinde

Expert Comment

ID: 33642288
Seriously, proxy websites are created every day and it's really hard to block them all.  I'm working for an education organisation; they find a new proxy every day after you block the old one.

The best method to stop this is to talk to your boss to create an Internet policy.  If anyone violates the rules, then do something.  It's working hours anyway and they're not supposed to surf those sites during that time.

Just a thought.

Expert Comment

ID: 33642291
Do you have budget to implement TMG 2010?

Author Comment

ID: 33642347
Enzogoy, I totally get that trying to create even the simplest of FW rules or adding them to my fwd-zones would take forever given the amount of sites out there, and also, as you stated, the fact that they are creating new ones every day, but I wasn't sure if I could address this at the HTTP protocol level in a way that would prevent connections?

Bhzdkh, I am reading over Forefront Threat Management now.

Expert Comment

ID: 33642367
Forefront is amazing; you can block anything you want based on category.
So you can filter proxy servers, pornography, terrorism, and anything you want based on category.

It also does malware/virus checking online, so any traffic to your network is scanned before it gets to the users.
In order to enable these features you will need to pay an annual fee per user, which is $12/user if I'm not mistaken (this is in addition to the cost of TMG, which is $1500).

Accepted Solution

mccracky earned 250 total points
ID: 33642435
As you mention a small company on a limited budget, I'd look into OpenDNS for your filtering.  That way others are helping you pick up new sites.

The next thing would be to put together a policy like enzogoy mentioned.

Other than that, the technical things to do would be:

1. Something like OpenDNS above.
2. At the firewall, block outgoing DNS for anyone other than your servers so they can't just change DNS servers to get around your blocking.
3. Set up a proxy server, maybe Squid, (transparent or not) on your network and force everyone through that by blocking outgoing connections from machines other than your proxy server and have the proxy resolve all DNS queries.
4. Set up log reports from the proxy logs that get sent monthly to the person in charge of the Internet policy enforcement.
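Steps 2 and 3 above amount to one egress policy: only the internal DNS server may talk DNS to the outside, only the proxy may talk HTTP/HTTPS to the outside, and nothing else on the LAN gets out. The Python below is an added example written for this thread, not configuration from any poster or from Cisco; it models that policy as a first-match rule table, runs a few constructed flows through it (including the bypass attempts the policy is meant to stop), and renders the same table as PIX-style access-list lines. The addresses (192.168.1.0/24, .10 for the DNS/IIS box, .20 for the proxy) are assumptions, and the access-list syntax it prints is written from memory, so check it against the command reference for the PIX version in use before applying anything.

```python
"""Model of the egress policy in steps 2 and 3: only the internal DNS
server may send DNS out, only the proxy may send HTTP/HTTPS out, and any
other outbound traffic from the LAN is dropped.  Added example, not a
configuration from this thread; every address below is a constructed
assumption."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # assumed office network
DNS_SERVER = ip_address("192.168.1.10")     # assumed Windows 2003 DNS/IIS box
PROXY = ip_address("192.168.1.20")          # assumed Squid box from step 3

# First-match rule table, top to bottom, as a firewall evaluates it.
# Each rule: (action, source network, protocol, destination port or None)
RULES = [
    ("permit", ip_network(f"{DNS_SERVER}/32"), "udp", 53),
    ("permit", ip_network(f"{DNS_SERVER}/32"), "tcp", 53),
    ("permit", ip_network(f"{PROXY}/32"), "tcp", 80),
    ("permit", ip_network(f"{PROXY}/32"), "tcp", 443),
    ("deny", LAN, "any", None),   # everything else stays inside
]

def evaluate(src, proto, dport):
    """Action of the first rule matching (src, proto, dport); 'deny' if none."""
    src = ip_address(src)
    for action, net, rproto, rport in RULES:
        if src not in net:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

# Constructed flows: the first two are the servers doing their job, the rest
# are workstations trying to go around them (changed DNS, direct browsing,
# a web proxy on a non-standard port).
SAMPLE_FLOWS = [
    ("dns server -> ISP resolver", "192.168.1.10", "udp", 53),
    ("squid -> web site", "192.168.1.20", "tcp", 443),
    ("workstation -> outside resolver", "192.168.1.55", "udp", 53),
    ("workstation -> web site directly", "192.168.1.55", "tcp", 80),
    ("workstation -> proxy site on 8080", "192.168.1.55", "tcp", 8080),
]

def check_flows(flows=SAMPLE_FLOWS):
    """Return [(label, action)] so the policy can be eyeballed or asserted on."""
    return [(label, evaluate(src, proto, dport)) for label, src, proto, dport in flows]

def to_pix_acl(name="inside_out"):
    """Render RULES as PIX 6.x-style access-list lines applied inbound on
    the inside interface.  The syntax is an assumption written from memory
    (netmask form, numeric ports); verify it against the command reference
    for the PIX version in use before pasting anything."""
    lines = []
    for action, net, proto, port in RULES:
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.netmask}"
        proto_word = "ip" if proto == "any" else proto
        port_part = f" eq {port}" if port is not None else ""
        lines.append(f"access-list {name} {action} {proto_word} {src} any{port_part}")
    lines.append(f"access-group {name} in interface inside")
    return lines

if __name__ == "__main__":
    for label, action in check_flows():
        print(f"{action:6} {label}")
    print()
    print("\n".join(to_pix_acl()))
```

The point of the explicit final deny is that a workstation which changes its DNS server, or which finds a proxy listening on an unusual port, is stopped by the same rule; there is no list of ports or sites to keep current, which is exactly the maintenance problem enzogoy raised.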

Assisted Solution

dmcoop earned 250 total points
ID: 33642750
I manage several small offices that branch off our main.  We prevent proxies by using OpenDNS for web filtering and using DD-WRT on their Linksys router (nothing fancy here because we have just a few clients at each office).  I then enter a special piece of code (found on the DD-WRT forum) on the DD-WRT to redirect all DNS requests to OpenDNS.  With OpenDNS you can block proxies as a category too.  I have also taken the additional step of blocking the keywords "proxy" and "prox" in the DD-WRT router so no page with that word loads.  That last option may not work for your business model but it does for ours.
Enzogoy is correct in that proxies come online every day, so the solution is not bulletproof.  However - you have a reasonable expectation that anyone trying to use a proxy will be unsuccessful because OpenDNS will always be updating.  Also, like Enzogoy said, having a good Acceptable Usage Policy in place will go a long way towards stopping it - especially if they know their job may be on the line.  They can also proxy by IP address if they find one (OpenDNS would not prevent this and neither would the router) but again - they have to find it and then be willing to implement it.  By watching the logging I have going on I found a guy doing this.  I blocked the IP outright and reported him to HR.  Since he was in violation of an AUP he was given a warning.  As far as we can tell - and we check often - this has pretty much stopped people from proxying out.
I have no idea how to use the Cisco product to force all DNS requests through the DNS servers you specify - but I imagine that if a free product like DD-WRT will do it then surely Cisco will too.
I have not gone into specific steps here of how to achieve all this.  If you want to implement this solution let me know and I will outline in this thread specifically what you will need to do to make it work.  You will have to have help from a Cisco guru though for that part.
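Both mccracky's step 4 (a periodic report from the proxy logs) and dmcoop's catch of a user proxying by IP address come down to reading the proxy log with a couple of specific questions in mind. The Python below is an added example for this thread, not code from either poster or from the Squid project: it parses lines in Squid's native access.log format, summarises the top destinations per client, and flags the two things worth a human's attention here, requests aimed straight at an IP address (the proxy-by-IP case, which no DNS-based block can see) and destination names containing dmcoop's "proxy"/"prox" keywords. The log lines, client addresses and host names are all constructed for the example.

```python
"""Monthly report over Squid access.log lines: top hosts per client, plus
the two bypass indicators discussed in this thread (direct-to-IP requests
and 'proxy'-style host names).  Added example code, not from the thread;
the log lines below are constructed, not captured."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in Squid native log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1284046800.101    245 192.168.1.55 TCP_MISS/200 5123 GET http://intranet.example/news.html - DIRECT/198.51.100.10 text/html
1284046811.412    120 192.168.1.55 TCP_MISS/200 2210 GET http://free-proxy-list.example/ - DIRECT/198.51.100.20 text/html
1284046835.900    310 192.168.1.77 TCP_MISS/200 9870 GET http://203.0.113.7/browse.php?u=blockedsite.example - DIRECT/203.0.113.7 text/html
1284046840.003     85 192.168.1.77 TCP_DENIED/403 1290 GET http://blockedsite.example/ - NONE/- text/html
1284046901.220    400 192.168.1.12 TCP_MISS/200 44021 CONNECT 203.0.113.7:443 - DIRECT/203.0.113.7 -
1284046950.500    200 192.168.1.55 TCP_HIT/200 6600 GET http://intranet.example/news.html - NONE/- text/html
"""

KEYWORDS = ("proxy", "prox")   # dmcoop's keyword list, used here as a report filter

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def host_of(method, url):
    """Destination host for a GET-style URL or a CONNECT host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""

def is_ip_literal(host):
    """True when the client addressed the destination by IP, not by name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def parse_log(text):
    """Turn log text into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = host_of(rec["method"], rec["url"])
        rec["denied"] = rec["status"].startswith("TCP_DENIED")
        records.append(rec)
    return records

def build_report(records):
    """Per-client top hosts, direct-to-IP requests that got through, keyword hits."""
    per_client = defaultdict(Counter)
    ip_dest, keyword_hits = [], []
    for r in records:
        per_client[r["client"]][r["host"]] += 1
        if is_ip_literal(r["host"]) and not r["denied"]:
            ip_dest.append((r["client"], r["host"], r["url"]))
        if any(k in r["host"].lower() for k in KEYWORDS):
            keyword_hits.append((r["client"], r["host"]))
    return {
        "top_hosts": {c: cnt.most_common(3) for c, cnt in per_client.items()},
        "ip_destinations": ip_dest,
        "keyword_hits": keyword_hits,
        "denied": sum(r["denied"] for r in records),
    }

def format_report(report):
    """Plain-text summary suitable for mailing to whoever enforces the policy."""
    out = [f"Denied requests: {report['denied']}", "", "Top hosts per client:"]
    for client, hosts in sorted(report["top_hosts"].items()):
        out.append(f"  {client}: " + ", ".join(f"{h} ({n})" for h, n in hosts))
    out += ["", "Requests sent straight to an IP address (possible proxy-by-IP):"]
    for client, host, url in report["ip_destinations"]:
        out.append(f"  {client} -> {host}  {url}")
    out += ["", "Destination names containing a proxy keyword:"]
    for client, host in report["keyword_hits"]:
        out.append(f"  {client} -> {host}")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_report(build_report(parse_log(SAMPLE_LOG))))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents. The direct-to-IP check only reports requests the proxy actually allowed, since a denied request needs no follow-up; the keyword check reports every attempt, because a user who is repeatedly looking for proxy lists is the signal an AUP conversation is built on, whether or not the pages loaded.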

Expert Comment

ID: 33642762
I just re-read this thread.  I stepped away and came back an hour later to finish typing the post I did above.  Sorry for the duplication of mccracky's post.  I like his idea of an internal proxy server too.

Author Comment

ID: 33645564
Many thanks to both mccracky and dmcoop for your help. All of your helpful suggestions I believe have me on the right path now.
