Re: Blocking users from using web proxies

yaro137 wrote:
You may be surprised but I run Squid as a proxy. It acts mostly as a
file proxy but as it has many more features than just that I thought
I'll give it a try. There is another box that acts as a firewall. It's
a Draytek product. Even after updating the firmware I couldn't make
the filter rules to work properly. It's a pretty ancient piece of
equipment though. I managed to get squid to deal with at least some
anonymous proxies by keyword filter rules. GPOs were set to force
users to use Squid. They probably won't work for other than IE web
browser. I would have to figure out how to force users to use only IE
but that would be nasty. I don't use it much myself. Maybe some
software use policies with hashing rules.... Too troublesome. Thanks
yaro

Depending on which Draytek box it is, you may be able to deny all outgoing port 80 traffic to everything but the Squid device. My Vigor 2800 certainly should be able to do it, but I have never actually tried using the filters, which seem over-complicated to configure. I do egress filtering and transparent proxying on a separate box in series with the Vigor.

About the only way to be certain is to run the Squid box 2-NIC i.e. as a firewall. That way, you enforce proxy use even if someone brings in a laptop or runs a live CD operating system on their workstation. You're saving a bit of money over using a dedicated firewall box (which probably runs Squid, among other things), but probably not time.

As has been mentioned, this is really a management issue. If the management wishes to set rules on Internet use of work computers, and they'd probably have to be insane not to, these days, they also have to have the will to enforce them. But even then, a set of Squid or firewall logs or equivalent may be required for evidence of misuse. All workstations can be configured to keep firewall logs by policy, but with little detail other than time, destination IP address and protocol/port.

--
Joe
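
Added example, not part of the original post: a small Python script that turns Squid's native `access.log` into per-client evidence of requests to proxy/anonymizer hosts, the kind of log record the reply above says may be needed. The sample log lines and the keyword list are constructed for illustration; matching is done on the destination host only, so a keyword in a page path does not count.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1200000000.123    250 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1200000060.456     12 192.168.1.31 TCP_DENIED/403 1450 GET http://free-webproxy.example.net/browse.php? - NONE/- text/html
1200000120.789    900 192.168.1.31 TCP_MISS/200 20480 CONNECT anonymizer.example.org:443 - DIRECT/203.0.113.20 -
1200000180.000     80 192.168.1.20 TCP_HIT/200 2048 GET http://intranet.example.com/proxy-policy.html - NONE/- text/html
"""

# Hypothetical keyword list; tune it to match your own Squid keyword ACL.
KEYWORDS = re.compile(r"proxy|anonymi[sz]er", re.IGNORECASE)

def host_of(method, url):
    """Return the destination host from a logged URL (CONNECT logs host:port)."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0].split(":", 1)[0]

def keyword_hits(log_text, pattern=KEYWORDS):
    """Group requests whose destination host matches the pattern, per client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        ts, _elapsed, client, result, _size, method, url = fields[:7]
        host = host_of(method, url)
        if pattern.search(host):
            when = datetime.fromtimestamp(float(ts), tz=timezone.utc)
            action = "denied" if result.startswith("TCP_DENIED") else "allowed"
            hits[client].append((when.isoformat(timespec="seconds"), host, action))
    return dict(hits)

if __name__ == "__main__":
    for client, rows in keyword_hits(SAMPLE_LOG).items():
        for when, host, action in rows:
            print(client, when, host, action)
```

The "allowed" rows are the ones worth reviewing first: they show a keyword host that the Squid ACLs did not block, such as a CONNECT tunnel.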