Understood. I'm also not going to get into the whack-a-mole game of trying to shut down access to external ssl proxies - it's a losing proposition. I figure that at that point it's a management issue, and I can turn it over to them to deal with.
On Tue, Sep 28, 2010 at 20:52, James Hill <[email protected]> wrote:
> I'm not disagreeing with only allowing 443 out from the squid proxy. That's
> the best way to go for sure.
>
> I'm just saying that if the end user is connecting to an external proxy using
> encrypted traffic through the squid then it makes no difference to that end
> user.
>
> Hence my initial comment about using 443 to bypass internal filtering unless
> there is https inspection in place. It's a common trick used particularly
> in schools it seems.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Wednesday, 29 September 2010 1:48 PM
> To: NT System Admin Issues
> Subject: Re: Outbound firewall ports
>
> Yes, it does matter.
>
> The inspection of traffic in this case is fairly irrelevant.
>
> What I'm after is that *only* the squid proxy gets out on port 443.
> Anything trying to get out on port 443 that doesn't go through the squid
> proxy is by definition bad, and therefore blocked.
>
> I don't have the resources to inspect traffic. That's a hard fact I have to
> live with. Therefore, I have to rely on endpoint protection, and the idea
> that only one host is allowed out.
>
> You do what you can with what you have.
>
> Kurt
>
> On Tue, Sep 28, 2010 at 20:35, James Hill <[email protected]>
> wrote:
>> If you aren't inspecting the traffic then it doesn't really matter that it's
>> going through squid, they'll still get to wherever they like.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[email protected]]
>> Sent: Wednesday, 29 September 2010 1:24 PM
>> To: NT System Admin Issues
>> Subject: Re: Outbound firewall ports
>>
>> Nope - I proxy SSL through my squid box. Of course, I don't actually inspect
>> the traffic, but I do log the URLs. It stops potential zombies that don't
>> understand/respect IE or FF proxy settings.
>>
>> On Tue, Sep 28, 2010 at 17:13, James Hill <[email protected]>
>> wrote:
>>> 443? Isn't that the port to connect to your external proxy server so
>>> you can bypass any internal filtering? :)
>>>
>>> Unless of course the internal filtering has good https inspection. Not
>>> many do though.
>>>
>>> -----Original Message-----
>>> From: Kurt Buff [mailto:[email protected]]
>>> Sent: Wednesday, 29 September 2010 4:03 AM
>>> To: NT System Admin Issues
>>> Subject: Re: Outbound firewall ports
>>>
>>> Ports 21, 80 and 443, and only for the proxy server. I have ssh open
>>> outbound to specific customer sites that we support.
>>>
>>> I was forced to open 544 (rtsp) recently for a live video event, but did
>>> that for a single IP address so that the machine showing the event in the
>>> lunchroom could get to it.
>>>
>>> I allow DNS outbound only for our DNS servers, and NTP for our NTP servers.
>>>
>>> That covers most of it.
>>>
>>> On Tue, Sep 28, 2010 at 10:55, Tom Miller <[email protected]> wrote:
>>>> Folks,
>>>>
>>>> Anyone have a list of the protocols/ports they allow outside their
>>>> firewalls? I am locking down our firewall outbound traffic to
>>>> certain ports and am looking for other "standard" items I may be missing.
>>>>
>>>> Thanks
>>>> Tom
>>>>
>>>> Confidentiality Notice: This e-mail message, including attachments,
>>>> is for the sole use of the intended recipient(s) and may contain
>>>> confidential and privileged information. Any unauthorized review,
>>>> use, disclosure, or distribution is prohibited. If you are not the
>>>> intended recipient, please contact the sender by reply e-mail and
>>>> destroy all copies of the original message.
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to [email protected]
>>>> with the body: unsubscribe ntsysadmin
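The egress allow-list Kurt describes (21/80/443 only from the squid box, ssh only to specific customer sites, a one-host RTSP exception, DNS and NTP only from the internal servers, everything else dropped) together with his rule that any non-proxy host on 443 is by definition bad, written up as a small policy evaluator and log review. This is an added example, not code from the thread or from any list member; every address and the key=value log format are constructed placeholders, and the RTSP rule uses the IANA port 554.

```python
import ipaddress
from collections import namedtuple

# Hosts from the thread's design; every address here is a constructed placeholder.
PROXY = ipaddress.ip_address("10.0.0.10")             # the squid box
DNS_SERVERS = {ipaddress.ip_address("10.0.0.53")}      # internal resolvers
NTP_SERVERS = {ipaddress.ip_address("10.0.0.123")}     # internal time servers
SSH_TARGETS = {ipaddress.ip_address("203.0.113.5")}    # supported customer sites
RTSP_CLIENT, RTSP_TARGET = map(ipaddress.ip_address, ("10.0.0.77", "203.0.113.9"))

Flow = namedtuple("Flow", "src dst proto dport")

def egress_allowed(f):
    """Default-deny egress policy as described in the thread; True means the flow may leave."""
    if f.src == PROXY and f.proto == "tcp" and f.dport in (21, 80, 443):
        return True    # only the proxy gets out on 21/80/443
    if f.proto == "tcp" and f.dport == 22 and f.dst in SSH_TARGETS:
        return True    # ssh only to the specific customer sites we support
    if (f.src, f.dst, f.proto, f.dport) == (RTSP_CLIENT, RTSP_TARGET, "tcp", 554):
        return True    # single-host RTSP exception (IANA port for RTSP is 554)
    if f.src in DNS_SERVERS and f.proto in ("udp", "tcp") and f.dport == 53:
        return True    # DNS only from our resolvers
    if f.src in NTP_SERVERS and f.proto == "udp" and f.dport == 123:
        return True    # NTP only from our time servers
    return False       # everything else is dropped

def parse_flow(line):
    """Parse a constructed 'key=value' firewall log line into a Flow."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                kv["proto"].lower(), int(kv["dport"]))

def denied_flows(lines):
    """Flows the policy would block, in log order."""
    return [f for f in map(parse_flow, lines) if not egress_allowed(f)]

def suspect_443_sources(lines):
    """Non-proxy hosts going straight to 443: the 'by definition bad' class in the thread."""
    return sorted({str(f.src) for f in map(parse_flow, lines)
                   if f.dport == 443 and f.src != PROXY})

SAMPLE_LOG = [  # constructed log lines, not from the thread
    "src=10.0.0.10 dst=198.51.100.20 proto=tcp dport=443",   # proxy: allowed
    "src=10.0.0.42 dst=198.51.100.20 proto=tcp dport=443",   # workstation skipping the proxy
    "src=10.0.0.53 dst=198.51.100.1 proto=udp dport=53",     # resolver: allowed
    "src=10.0.0.42 dst=198.51.100.1 proto=udp dport=53",     # workstation DNS: blocked
    "src=10.0.0.31 dst=203.0.113.5 proto=tcp dport=22",      # ssh to customer site: allowed
    "src=10.0.0.77 dst=203.0.113.9 proto=tcp dport=554",     # lunchroom RTSP: allowed
]
```

Running `suspect_443_sources` over the firewall's deny log is the cheap detection Kurt's design gives you without traffic inspection: a workstation that tries 443 directly is either misconfigured or something that ignores the proxy settings, and either way it is worth a look.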
