Absolutely. There are many anonymiser sites out there which you can sort of keep on top of if you are subscribed to a list that is kept up to date. But as soon as individuals start running their own on home broadband connections etc it gets very tricky.
Even then you can only catch them out with https inspection if they stick their head out by accessing something that triggers an inspection rule or their data usage is high. Luckily I'm not supporting an environment where it is a major issue. But I have in the past supported environments that provided internet access for free to the public and misuse was high.

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Wednesday, 29 September 2010 1:58 PM
To: NT System Admin Issues
Subject: Re: Outbound firewall ports

Understood. I'm also not going to get into the whack-a-mole game of trying to shut down access to external ssl proxies - it's a losing proposition. I figure that at that point it's a management issue, and I can turn it over to them to deal with.

On Tue, Sep 28, 2010 at 20:52, James Hill <[email protected]> wrote:
> I'm not disagreeing with only allowing 443 out from the squid proxy. That's
> the best way to go for sure.
>
> I'm just saying that if the end user is connecting to an external proxy using
> encrypted traffic through the squid then it makes no difference to that end
> user.
>
> Hence my initial comment about using 443 to bypass internal filtering unless
> there is https inspection in place. It's a common trick used particularly
> in schools it seems.
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Wednesday, 29 September 2010 1:48 PM
> To: NT System Admin Issues
> Subject: Re: Outbound firewall ports
>
> Yes, it does matter.
>
> The inspection of traffic in this case is fairly irrelevant.
>
> What I'm after is that *only* the squid proxy gets out on port 443.
> Anything trying to get out on port 443 that doesn't go through the squid
> proxy is by definition bad, and therefore blocked.
>
> I don't have the resources to inspect traffic. That's a hard fact I have to
> live with. Therefore, I have to rely on endpoint protection, and the idea
> that only one host is allowed out.
>
> You do what you can with what you have.
>
> Kurt
>
> On Tue, Sep 28, 2010 at 20:35, James Hill <[email protected]> wrote:
>> If you aren't inspecting the traffic then it doesn't really matter that it's
>> going through squid they'll still get to wherever they like.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:[email protected]]
>> Sent: Wednesday, 29 September 2010 1:24 PM
>> To: NT System Admin Issues
>> Subject: Re: Outbound firewall ports
>>
>> Nope - I proxy SSL through my squid box. Of course, I don't actually inspect
>> the traffic, but I do log the URLs. It stops potential zombies that don't
>> understand/respect IE or FF proxy settings.
>>
>> On Tue, Sep 28, 2010 at 17:13, James Hill <[email protected]> wrote:
>>> 443? Isn't that the port to connect to your external proxy server
>>> so you can bypass any internal filtering? :)
>>>
>>> Unless of course the internal filtering has good https inspection. Not
>>> many do though.
>>>
>>> -----Original Message-----
>>> From: Kurt Buff [mailto:[email protected]]
>>> Sent: Wednesday, 29 September 2010 4:03 AM
>>> To: NT System Admin Issues
>>> Subject: Re: Outbound firewall ports
>>>
>>> Ports 21, 80 and 443, and only for the proxy server. I have ssh open
>>> outbound to specific customer sites that we support.
>>>
>>> I was forced to open 544 (rtsp) recently for a live video event, but did
>>> that for a single IP address so that the machine showing the event in the
>>> lunchroom could get to it.
>>>
>>> I allow DNS outbound only for our DNS servers, and NTP for our NTP servers.
>>>
>>> That covers most of it.
>>>
>>> On Tue, Sep 28, 2010 at 10:55, Tom Miller <[email protected]> wrote:
>>>> Folks,
>>>>
>>>> Anyone have a list of the protocols/ports they allow outside their
>>>> firewalls? I am locking down our firewall outbound traffic to
>>>> certain ports and am looking for other "standard" items I may be missing.
>>>>
>>>> Thanks
>>>> Tom
>>>>
>>>> Confidentiality Notice: This e-mail message, including attachments,
>>>> is for the sole use of the intended recipient(s) and may contain
>>>> confidential and privileged information. Any unauthorized review,
>>>> use, disclosure, or distribution is prohibited. If you are not the
>>>> intended recipient, please contact the sender by reply e-mail and
>>>> destroy all copies of the original message.
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to [email protected]
>>>> with the body: unsubscribe ntsysadmin
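Kurt's egress policy as stated in the thread (only the squid box out on 21/80/443, ssh to specific customer sites, DNS and NTP only from the resolvers and time servers, one lunchroom machine to the video feed, everything else dropped), written out as a default-deny rule table with a matcher and an nftables renderer. This is an added example, not code from anyone on the list; every address is constructed (RFC 5737 ranges stand in for external hosts), the nft output assumes table `inet filter` already exists, and the RTSP rule uses 554, the port RTSP is registered on, where Kurt's mail says 544.

```python
# The default-deny egress policy from the thread as a rule table, a matcher and
# an nftables renderer. All addresses are constructed examples, not from the list.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROXY = "10.0.0.10"                   # squid box: the only host out on 21/80/443
DNS_SERVERS = ("10.0.0.53", "10.0.0.54")
NTP_SERVERS = ("10.0.0.123",)
LUNCHROOM_PC = "10.0.5.20"            # the one machine allowed to the video feed
CUSTOMER_SITES = ("203.0.113.0/24",)  # stand-in for supported customer nets (ssh)

@dataclass(frozen=True)
class Rule:
    src: str            # source host/CIDR or "any"
    proto: str          # "tcp" or "udp"
    dports: tuple       # destination ports
    dst: str = "any"    # destination host/CIDR or "any"

# Ordered, first match wins; a flow matching nothing is dropped (default deny).
EGRESS_RULES = (
    Rule(PROXY, "tcp", (21, 80, 443)),
    *(Rule("any", "tcp", (22,), site) for site in CUSTOMER_SITES),
    Rule(LUNCHROOM_PC, "tcp", (554,)),          # RTSP's registered port
    *(Rule(s, p, (53,)) for s in DNS_SERVERS for p in ("udp", "tcp")),
    *(Rule(s, "udp", (123,)) for s in NTP_SERVERS),
)

def _addr_matches(pattern, addr):
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)

def egress_allowed(src, dst, proto, dport):
    """True if some rule lets this flow out; False is the default-deny outcome."""
    return any(r.proto == proto and dport in r.dports
               and _addr_matches(r.src, src) and _addr_matches(r.dst, dst)
               for r in EGRESS_RULES)

def to_nft(chain="inet filter forward"):
    """Render the table as nft commands; the chain itself carries policy drop."""
    lines = [f"add chain {chain} {{ type filter hook forward priority 0; policy drop; }}"]
    for r in EGRESS_RULES:
        parts = [] if r.src == "any" else [f"ip saddr {r.src}"]
        if r.dst != "any":
            parts.append(f"ip daddr {r.dst}")
        parts.append(f"{r.proto} dport {{ {', '.join(map(str, r.dports))} }} accept")
        lines.append(f"add rule {chain} " + " ".join(parts))
    return lines
```

A workstation opening 443 directly, the case Kurt calls "by definition bad", falls through every rule and is dropped, while the same host reaching the video feed on 554 or a customer site on 22 is allowed.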
