Help blocking proxy servers on my network

Posted on 2010-09-09
Last Modified: 2012-05-10
I work for a very small company that is on a limited budget, but would like to do their best at preventing access to proxy servers via the web to circumvent our web policies or blocked sites. The current layout for my infrastructure is a PIX 506E at the firewall (Cisco PIX Firewall Version 6.3(1)) and I have implemented a real on-the-cheap solution for web filtering by running a Windows 2003 server with DNS/DHCP and IIS on it. I route all DNS through the Windows server, where I created Forward Lookup Zones for the sites that I want to block to point back to my IIS server, where they receive a warning page (my local index.html); if there is no zone then it passes along to our ISP's DNS for accurate resolution.

Is there a way to better protect the company from users going to the numerous amounts of proxy sites to circumvent the in-house DNS?

Please let me know your thoughts on this one.  
Question by:jlinde

Expert Comment

ID: 33642288
Seriously, proxy websites are created every day and it's really hard to block them all.  I'm working for an education organisation; they find a new proxy every day after you block the old one.

The best method to stop this is to talk to your boss to create an internet policy.  If anyone violates the rules, then do something.  It's working hours anyway and they're not supposed to surf those sites during that time.

Just a thought.

Expert Comment

ID: 33642291
Do you have budget to implement TMG 2010?

Author Comment

ID: 33642347
Enzogoy, I totally get that trying to create even the simplest of FW rules or adding them to my fwd-zones would take forever given the amount of sites out there, and also, as you stated, the fact that they are creating new ones every day, but I wasn't sure if I could address this at the HTTP protocol level in a way that would prevent connections?

Bhzdkh, I am reading over Forefront Threat Management now.

Expert Comment

ID: 33642367
Forefront is amazing, you can block anything you want based on category.
So you can filter proxy servers, pornography, terrorism, and anything you want based on category.

It also does malware/virus checking online, so any traffic to your network is scanned before it gets to the users.
In order to enable these features you will need to pay an annual fee per user, which is $12/user if I'm not mistaken (This is in addition to the cost of TMG which is $1500)

LVL 12

Accepted Solution

mccracky earned 250 total points
ID: 33642435
As you mention a small company on a limited budget, I'd look into OpenDNS for your filtering.  That way others are helping you pick up new sites.

The next thing would be to put together a policy like enzogoy mentioned.

Other than that, the technical things to do would be:

1. Something like OpenDNS above.
2. At the firewall, block outgoing DNS for anyone other than your servers so they can't just change DNS servers to get around your blocking.
3. Set up a proxy server, maybe Squid, (transparent or not) on your network and force everyone through that by blocking outgoing connections from machines other than your proxy server and have the proxy resolve all DNS queries.
4. Set up log reports from the proxy logs that get sent monthly to the person in charge of the Internet policy enforcement.
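Step 4 above (proxy log reports) is where a raw-IP proxy, which neither OpenDNS nor the firewall's DNS rule would catch, actually shows up. The following is an added example, not code from this thread or from Squid: it parses Squid's native access.log format and counts, per client, how many requests were denied and how many went to a bare IP address instead of a hostname. The log lines are constructed sample data.

```python
"""Summarise a Squid access.log per client for the monthly policy report."""
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1283990400.123    245 192.168.1.42 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1283990460.456      0 192.168.1.42 TCP_DENIED/403 1620 GET http://blocked.example/ - NONE/- text/html
1283990520.789    310 192.168.1.77 TCP_MISS/200 8801 CONNECT 198.51.100.23:443 - DIRECT/198.51.100.23 -
1283990580.012    120 192.168.1.77 TCP_MISS/200 2210 GET http://203.0.113.9:8080/browse.php?u=news - DIRECT/203.0.113.9 text/html
1283990640.345     90 192.168.1.42 TCP_HIT/200 3300 GET http://intranet.example/ - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<peer>\S+)"
)


def destination_host(method, url):
    """Return the destination host; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def is_raw_ip(host):
    """True when the destination was given as an IP literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def summarise(log_text):
    """Per-client counters: total requests, denied requests, raw-IP destinations."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than failing
        report[m["client"]]["total"] += 1
        if m["code"].startswith("TCP_DENIED"):
            report[m["client"]]["denied"] += 1
        if is_raw_ip(destination_host(m["method"], m["url"])):
            report[m["client"]]["raw_ip"] += 1
    return {client: dict(counts) for client, counts in report.items()}
```

A client with a high raw_ip count and no matching denied entries is the pattern to review by hand; the script only ranks, it does not decide.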

Assisted Solution

dmcoop earned 250 total points
ID: 33642750
I manage several small offices that branch off our main.  We prevent proxies by using OpenDNS for web filtering and using DD-WRT on their Linksys router (nothing fancy here because we have just a few clients at each office).  I then enter a special piece of code (found on the DD-WRT forum) on the DD-WRT to redirect all DNS requests to OpenDNS.  With OpenDNS you can block proxies as a category too.  Also I have taken the additional step of blocking the keywords "proxy" and "prox" in the DD-WRT router so no page with that word loads.  That last option may not work for your business model but it does for ours.
Enzogoy is correct in that proxies come online every day so the solution is not bulletproof.  However - you have a reasonable expectation that anyone trying to use a proxy will be unsuccessful because OpenDNS will always be updating.  Also like Enzogoy said having a good Acceptable Usage Policy in place will go a long way towards stopping it - especially if they know their job may be on the line.  They can also proxy by IP address if they find one (OpenDNS would not prevent this and neither would the router) but again - they have to find it and then be willing to implement it.  By watching the logging I have going on I found a guy doing this.  I blocked the IP outright and reported him to HR.  Since he was in violation of an AUP he was given a warning.  As far as we can tell - and we check often - this has pretty much stopped people from proxying out.
I have no idea how to use the Cisco product to force all DNS requests through the DNS servers you specify - but I imagine that if a free product like DD-WRT will do it then surely Cisco will too.
I have not gone into specific steps here of how to achieve all this.  If you want to implement this solution let me know and I will outline in this thread specifically what you will need to do to make it work.  You will have to have help from a Cisco guru though for that part.

Expert Comment

ID: 33642762
I just re-read this thread.  I stepped away and came back an hour later to finish typing the post I did above.  Sorry for the duplication of mccracky's post.  I like his idea of an internal proxy server too.

Author Comment

ID: 33645564
Many thanks to both mccracky and dmcoop for your help. All of your helpful suggestions I believe have me on the right path now.
