Help blocking proxy servers on my network

Posted on 2010-09-09
Medium Priority
Last Modified: 2012-05-10
I work for a very small company that is on a limited budget, but would like to do their best at preventing access to proxy servers via the web to circumvent our web policies or blocked sites. The current layout for my infrastructure is a PIX 506E at the Firewall (Cisco PIX Firewall Version 6.3(1)) and I have implemented a real on-the-cheap solution for web filtering by running a Windows 2003 server with DNS/DHCP and IIS on it. I route all DNS through the Windows server where I created Forward Lookup Zones for the sites that I want to block to point back to my IIS server where they receive a warning page (my local index.html); if there is no zone then it is passed along to our ISP's DNS for accurate resolution.

Is there a way to better protect the company from users going to the numerous amounts of proxy sites to circumvent the in-house DNS?

Please let me know your thoughts on this one.  
Question by:jlinde

Expert Comment

ID: 33642288
Seriously, proxy websites are created every day and it's really hard to block them all.  I'm working for an education organisation, they found a new proxy every day after you block the old one.

The best method to stop this is to talk to your boss to create an internet policy.  If anyone violates the rules, then do something.  It's working hours anyway and they're not supposed to surf those sites during that time.

Just a thought.

Expert Comment

ID: 33642291
Do you have budget to implement TMG 2010?

Author Comment

ID: 33642347
Enzogoy, I totally get that trying to create even the simplest of FW rules or adding them to my fwd-zones would take forever given the amount of sites out there and also, as you stated, the fact that they are creating new ones every day, but I wasn't sure if I could address this at the HTTP protocol level that would prevent connections?

Bhzdkh, I am reading over the Forefront Threat Management now.


Expert Comment

ID: 33642367
Forefront is amazing, you can block anything you want based on category.
So you can filter proxy servers, pornography, terrorism, and anything you want based on category.

It also does malware-Virus checking online, so any traffic to your network is scanned before it gets to the users.
In order to enable these features you will need to pay an annual fee per user, which is $12/user if I'm not mistaken (This is in addition to the cost of TMG which is $1500)

Accepted Solution

mccracky earned 1000 total points
ID: 33642435
As you mention small company on a limited budget, I'd look into OpenDNS (www.opendns.com) for your filtering.  That way others are helping you pick up new sites.  

The next thing would be to put together a policy like enzogoy mentioned.

Other than that, the technical things to do would be:

1. Something like OpenDNS above.
2. At the firewall, block outgoing DNS for anyone other than your servers so they can't just change DNS servers to get around your blocking.
3. Set up a proxy server, maybe Squid, (transparent or not) on your network and force everyone through that by blocking outgoing connections from machines other than your proxy server and have the proxy resolve all DNS queries.
4. Set up log reports from the proxy logs that get sent monthly to the person in charge of the Internet policy enforcement.

Assisted Solution

dmcoop earned 1000 total points
ID: 33642750
I manage several small offices that branch off our main.  We prevent proxies by using OpenDNS for webfiltering and using DD-WRT on their Linksys router (nothing fancy here cause we have just a few clients at each office).  I then enter a special piece of code (found on the DD-WRT forum) on the DD-WRT to redirect all DNS requests to OpenDNS.  With OpenDNS you can block proxies as a category too.  Also I have taken the additional step of blocking the keywords "proxy" and "prox" in the DD-WRT router so no page with that word loads.  That last option may not work for your business model but it does for ours.  
Enzogoy is correct in that proxies come online every day so the solution is not bulletproof.  However - you have a reasonable expectation that anyone trying to use a proxy will be unsuccessful because OpenDNS will always be updating.  Also like Enzogoy said having a good Acceptable Usage Policy in place will go a long way towards stopping it - especially if they know their job may be on the line.  They can also proxy by IP address if they find one (OpenDNS would not prevent this and neither would the router) but again - they have to find it and then be willing to implement it.  By watching the logging I have going on I found a guy doing this.  I blocked the IP outright and reported him to HR.  Since he was in violation of an AUP he was given a warning.  As far as we can tell - and we check often - this has pretty much stopped people from proxying out.
I have no idea how to use the Cisco product to force all DNS requests through the DNS servers you specify - but I imagine that if a free product like DD-WRT will do it then surely Cisco will too.
I have not gone into specific steps here of how to achieve all this.  If you want to implement this solution let me know and I will outline in this thread specifically what you will need to do to make it work.  You will have to have help from a Cisco guru though for that part.
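
Added example, not part of either answer above: one way to build the proxy-log report from mccracky's step 4 and to spot the proxy-by-IP case dmcoop describes, written against Squid's native access.log format. The sample lines are constructed, the `prox` keyword mirrors the router keyword block, and the function names and the assumption that Squid logs client addresses as IPs are this example's own.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

KEYWORDS = ("prox",)  # substring also matches "proxy" (assumed keyword list)

# Constructed sample records in Squid native access.log format (documentation IP ranges).
SAMPLE_LOG = """\
1284030001.101    210 192.168.1.23 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1284030002.450    180 192.168.1.23 TCP_MISS/200 9120 GET http://203.0.113.45/browse.php?u=abc - DIRECT/203.0.113.45 text/html
1284030003.009   3050 192.168.1.23 TCP_MISS/200 40211 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1284030004.730    120 192.168.1.40 TCP_MISS/200 2200 GET http://freeproxy.example.net/ - DIRECT/192.0.2.10 text/html
1284030005.200     95 192.168.1.40 TCP_DENIED/403 1400 GET http://intranet.example.com/ - NONE/- text/html
this is a garbage line, not a log record
"""

def dest_host(method, url):
    """Return the destination host; CONNECT records log host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].strip("[]")
    return urlsplit(url).hostname or ""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def proxy_report(log_text):
    """Per-client totals plus requests to bare-IP hosts and keyword hostnames."""
    report = defaultdict(lambda: {"total": 0, "ip_literal": [], "keyword": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not is_ip_literal(fields[2]):
            continue  # skip truncated or malformed records
        client, method, url = fields[2], fields[5], fields[6]
        host = dest_host(method, url).lower()
        entry = report[client]
        entry["total"] += 1
        if is_ip_literal(host):    # browsing by IP sidesteps DNS-based filtering
            entry["ip_literal"].append(host)
        elif any(k in host for k in KEYWORDS):
            entry["keyword"].append(host)
    return dict(report)

if __name__ == "__main__":
    for client, e in sorted(proxy_report(SAMPLE_LOG).items()):
        print(client, e["total"], "ip:", e["ip_literal"], "kw:", e["keyword"])
```

Requests to bare IP addresses are not always proxy use, so treat the report as a list of clients to review rather than proof of a violation.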

Expert Comment

ID: 33642762
I just re-read this thread.  I stepped away and came back an hour later to finish typing the post I did above.  Sorry for the duplication of mccracky's post.  I like his idea of an internal proxy server too.

Author Comment

ID: 33645564
Many thanks to both mccracky and dmcoop for your help. All of your helpful suggestions I believe have me on the right path now.
