jlinde

Help blocking proxy servers on my network

I work for a very small company that is on a limited budget, but would like to do their best at preventing access to proxy servers via the web to circumvent our web policies or blocked sites. The current layout for my infrastructure is a PIX 506E at the firewall (Cisco PIX Firewall Version 6.3(1)), and I have implemented a real on-the-cheap solution for web filtering by running a Windows 2003 server with DNS/DHCP and IIS on it. I route all DNS through the Windows server, where I created Forward Lookup Zones for the sites that I want to block to point back to my IIS server, where they receive a warning page (my local index.html). If there is no zone, then it is passed along to our ISP's DNS for accurate resolution.

Is there a way to better protect the company from users going to the numerous amounts of proxy sites to circumvent the in-house DNS?

Please let me know your thoughts on this one.  
enzogoy

Seriously, proxy websites are created every day and it's really hard to block them all.  I'm working for an education organisation, and they find a new proxy every day after you block the old one.

The best method to stop this is to talk to your boss to create an internet policy.  If anyone violates the rules, then do something.  It's working hours anyway and they're not supposed to surf those sites during that time.

Just a thought.
Do you have budget to implement TMG 2010?
jlinde

ASKER

Enzogoy, I totally get that trying to create even the simplest of FW rules or adding them to my fwd-zones would take forever given the amount of sites out there and also, as you stated, the fact that they are creating new ones every day, but I wasn't sure if I could address this at the HTTP protocol level that would prevent connections?

Bhzdkh, I am reading over the Forefront Threat Management now.
Forefront is amazing, you can block anything you want based on category.
So you can filter proxy servers, pornography, terrorism, and anything you want based on category.

It also does malware-Virus checking online, so any traffic to your network is scanned before it gets to the users.
In order to enable these features you will need to pay an annual fee per user, which is $12/user if I'm not mistaken (This is in addition to the cost of TMG which is $1500)
ASKER CERTIFIED SOLUTION
mccracky
SOLUTION
I just re-read this thread.  I stepped away and came back an hour later to finish typing the post I did above.  Sorry for the duplication of mccracky's post.  I like his idea of an internal proxy server too.
jlinde

ASKER

Many thanks to both mccracky and dmcoop for your help. All of your helpful suggestions I believe have me on the right path now.