Home page logo

basics logo Security Basics mailing list archives

Re: Restricting Open Proxies
From: "Jay" <jay.tomas () infosecguru com>
Date: Thu, 21 Jun 2007 12:11:44 -0400

A few comments,

Depending on the size of the company and the industry you could look at a white list. Granted if the company is large 
or the userbase is sales oriented and less technical it may be a mess reviewing and approving all the sites they need 
access to.

On the same note if the company is huge, detecting and reviewing open proxy use could also be cumbersome. If the Open 
Proxy is using SSL it may be diffcult to inspect the traffic. Cleansing browers logs are trivial so I wouldn't count on 
any value from that.

Detective controls are just that and I would try to look at a preventative one. That way you can discipline said 
employees instead of going and getting coffee for your Incident Team.


----- Original Message -----
From: krymson () gmail com [mailto:krymson () gmail com]
To: security-basics () securityfocus com
Sent: 19 Jun 2007 20:15:05 -0000
Subject: Re: Restricting Open Proxies

If the Symantec proxy has a blacklist for restricting the use of other open proxies on the Internet, you could turn 
that on. But be aware this is just a blacklist, meaning it must be kept up to date or you're giving yourself a false 
sense of security. You may reduce your risk of people using known proxies, but you don't prevent someone from using a 
private one.

In fact, I don't think you can truly stop this kind of behavior. At least you have everyone in the corporate network 
using a proxy you enforce, but beyond that they likely can connect anywhere they want, no? It might be a better value 
to implement the policy saying no open proxies should be used, be sure to log what people do through your proxy, and 
use those two to prosecute any violators later on. This might be one of those areas where prevention is just not 
possible, but being able to verify use after an incident is paramount. If I use a proxy to send some of your 
confidential information to my house, and you find out I'm doing that, you can then correlate my actions with my use of 
the open proxy in your proxy server.

Thinking further, perhaps browser histories will still show the URLs visited, including sites visited through an open 
proxy? Again, this is more an audit function than prevention, from my point of view.

<- snip ->

We are in the process of strengthening our Information Security Policy. As part of this initiative we want to restrict 
access to Open Proxies from the Corporate Network.

We are currently providing Internet Access through Symantec Web Security which also acts as a Proxy Server.

The access to Open Proxies that keep floating in the wild is bothering us because it might ultimately lead to 
Information Leakage. Has any one of you faced the same issue? What are the best practices for the same?

Any ideas or suggestions are most welcome.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]