
Re: Restricting Open Proxies

Subject: Re: Restricting Open Proxies
Date: Thu, 21 Jun 2007 12:11:44 -0400
A few comments,

Depending on the size of the company and the industry you could look at a white 
list. Granted if the company is large or the userbase is sales oriented and 
less technical it may be a mess reviewing and approving all the sites they need 
access to.

On the same note if the company is huge, detecting and reviewing open proxy use 
could also be cumbersome. If the Open Proxy is using SSL it may be difficult to 
inspect the traffic. Cleansing browser logs is trivial so I wouldn't count on 
any value from that.

Detective controls are just that and I would try to look at a preventative one. 
That way you can discipline said employees instead of going and getting coffee 
for your Incident Team.

Jay

----- Original Message -----
From: krymson@gmail.com [mailto:krymson@gmail.com]
To: security-basics@securityfocus.com
Sent: 19 Jun 2007 20:15:05 -0000
Subject: Re: Restricting Open Proxies

If the Symantec proxy has a blacklist for restricting the use of other open 
proxies on the Internet, you could turn that on. But be aware this is just a 
blacklist, meaning it must be kept up to date or you're giving yourself a false 
sense of security. You may reduce your risk of people using known proxies, but 
you don't prevent someone from using a private one.



In fact, I don't think you can truly stop this kind of behavior. At least you 
have everyone in the corporate network using a proxy you enforce, but beyond 
that they likely can connect anywhere they want, no? It might be a better value 
to implement the policy saying no open proxies should be used, be sure to log 
what people do through your proxy, and use those two to prosecute any violators 
later on. This might be one of those areas where prevention is just not 
possible, but being able to verify use after an incident is paramount. If I use 
a proxy to send some of your confidential information to my house, and you find 
out I'm doing that, you can then correlate my actions with my use of the open 
proxy in your proxy server.



Thinking further, perhaps browser histories will still show the URLs visited, 
including sites visited through an open proxy? Again, this is more an audit 
function than prevention, from my point of view.





<- snip ->

We are in the process of strengthening our Information Security Policy. As part 
of this initiative we want to restrict access to Open Proxies from the 
Corporate Network.



We are currently providing Internet Access through Symantec Web Security which 
also acts as a Proxy Server.



The access to Open Proxies that keep floating in the wild is bothering us 
because it might ultimately lead to Information Leakage. Has any one of you 
faced the same issue? What are the best practices for the same?



Any ideas or suggestions are most welcome.
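
The thread contrasts a blacklist of known open proxies with a white list, and notes that an SSL (CONNECT) request exposes little beyond the destination host. The following is an added example, not code from any poster or from Symantec Web Security: it runs both policies over constructed proxy log lines and reports the requests a blacklist lets through that a white list would stop. The log format, host names and list contents are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy lists (assumptions, not taken from the thread).
ALLOWLIST = {"example.com", "partner.example.net"}
BLACKLIST = {"known-open-proxy.example.org"}

# Constructed log lines in an assumed format: "timestamp user method target"
SAMPLE_LOG = """\
2007-06-19T20:01:02 alice GET http://www.example.com/index.html
2007-06-19T20:03:10 bob GET http://known-open-proxy.example.org/browse?u=http://webmail.example.info/
2007-06-19T20:05:44 carol CONNECT private-proxy.example.info:443
2007-06-19T20:07:30 dave CONNECT partner.example.net:443
"""

def host_of(method, target):
    """Return the destination host; for CONNECT only host:port is visible."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def listed(host, names):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == n or host.endswith("." + n) for n in names)

def evaluate(log_text):
    """Return (user, host, blacklist_verdict, whitelist_verdict) per log line."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, user, method, target = parts
        host = host_of(method, target)
        bl = "deny" if listed(host, BLACKLIST) else "allow"   # default allow
        al = "allow" if listed(host, ALLOWLIST) else "deny"   # default deny
        results.append((user, host, bl, al))
    return results

def blacklist_misses(log_text):
    """Requests a blacklist lets through that a white list would stop."""
    return [(u, h) for u, h, bl, al in evaluate(log_text)
            if bl == "allow" and al == "deny"]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_LOG):
        print(*row)
    print("blacklist passes, white list blocks:", blacklist_misses(SAMPLE_LOG))
```

On the sample data only the unlisted private proxy reached over CONNECT ends up in the difference, which is the case the blacklist cannot cover.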
