Re: Restricting Open Proxies
From: "Jay" <jay.tomas () infosecguru com>
Date: Thu, 21 Jun 2007 12:11:44 -0400
A few comments,
Depending on the size of the company and the industry you could look at a white list. Granted if the company is large
or the userbase is sales oriented and less technical it may be a mess reviewing and approving all the sites they need
On the same note if the company is huge, detecting and reviewing open proxy use could also be cumbersome. If the Open
Proxy is using SSL it may be difficult to inspect the traffic. Cleansing browser logs is trivial so I wouldn't count on
any value from that.
Detective controls are just that and I would try to look at a preventative one. That way you can discipline said
employees instead of going and getting coffee for your Incident Team.
----- Original Message -----
From: krymson () gmail com [mailto:krymson () gmail com]
To: security-basics () securityfocus com
Sent: 19 Jun 2007 20:15:05 -0000
Subject: Re: Restricting Open Proxies
If the Symantec proxy has a blacklist for restricting the use of other open proxies on the Internet, you could turn
that on. But be aware this is just a blacklist, meaning it must be kept up to date or you're giving yourself a false
sense of security. You may reduce your risk of people using known proxies, but you don't prevent someone from using a
In fact, I don't think you can truly stop this kind of behavior. At least you have everyone in the corporate network
using a proxy you enforce, but beyond that they likely can connect anywhere they want, no? It might be a better value
to implement the policy saying no open proxies should be used, be sure to log what people do through your proxy, and
use those two to prosecute any violators later on. This might be one of those areas where prevention is just not
possible, but being able to verify use after an incident is paramount. If I use a proxy to send some of your
confidential information to my house, and you find out I'm doing that, you can then correlate my actions with my use of
the open proxy in your proxy server.
Thinking further, perhaps browser histories will still show the URLs visited, including sites visited through an open
proxy? Again, this is more an audit function than prevention, from my point of view.
<- snip ->
We are in the process of strengthening our Information Security Policy. As part of this initiative we want to restrict
access to Open Proxies from the Corporate Network.
We are currently providing Internet Access through Symantec Web Security which also acts as a Proxy Server.
The access to Open Proxies that keep floating in the wild is bothering us because it might ultimately lead to
Information Leakage. Has any one of you faced the same issue? What are the best practices for the same?
Any ideas or suggestions are most welcome.
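
The trade-off discussed in this thread (a blacklist only stops proxies it already knows, a white list stops anything unapproved, and the enforced proxy's logs support later correlation by user) can be shown on a few log lines. This is an added example, not part of the original messages and not Symantec Web Security's log format: the log layout, host names, user names and both lists are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log; the "timestamp user method host:port" layout is an assumption.
SAMPLE_LOG = """\
2007-06-19T09:01:12 alice GET intranet.example.com:80
2007-06-19T09:03:40 bob GET known-proxy.example.net:80
2007-06-19T09:05:02 bob CONNECT new-proxy.example.org:443
2007-06-19T09:07:55 carol CONNECT partner.example.com:443
"""

BLACKLIST = {"known-proxy.example.net"}                      # hypothetical: proxies the list already knows
WHITELIST = {"intranet.example.com", "partner.example.com"}  # hypothetical: approved business sites

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, method, target = parts
        host, _, port = target.rpartition(":")
        if not host:                      # target had no ":port" suffix
            host, port = target, ""
        yield {"ts": ts, "user": user, "method": method,
               "host": host.lower(), "port": port}

def blacklist_decision(entry):
    return "deny" if entry["host"] in BLACKLIST else "allow"

def whitelist_decision(entry):
    return "allow" if entry["host"] in WHITELIST else "deny"

def compare(log):
    """Requests a blacklist lets through that a white list would have stopped."""
    return [e for e in parse(log)
            if blacklist_decision(e) == "allow" and whitelist_decision(e) == "deny"]

def audit_by_user(log):
    """Audit view: per user, every unapproved host, flagging SSL tunnels (CONNECT)
    whose contents the proxy cannot inspect."""
    report = defaultdict(list)
    for e in parse(log):
        if e["host"] not in WHITELIST:
            report[e["user"]].append((e["ts"], e["host"], e["method"] == "CONNECT"))
    return dict(report)

if __name__ == "__main__":
    print(compare(SAMPLE_LOG))
    print(audit_by_user(SAMPLE_LOG))
```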