Re: [suse-security] forcing use of proxy
> First, you can block ports 80 and 443 from the internal network to the outside; only the IP address of the proxy is allowed out to ports 80 and 443, so the users are forced to use the proxy, because no direct connection is allowed any more.
But an evil user can run a proxy on, say, port 53 or another port you don't block on the firewall; then I can browse sites you are blocking. Some universities have this problem: they only allow web access and SMTP, but clever students use things like CIPE and ssh to get to the other stuff.
OK, then maybe try the hard way: forbid every workstation in the LAN direct connections to the internet, only allow the proxy to enter the i-net. An easy solution with iptables.

----- Original Message -----
From: "Robert Davies" <Rob_Davies@NTLWorld.Com>
To: "rene marhold" <rene@mail.marhold.net>
Sent: Friday, June 01, 2001 12:09 AM
Subject: Re: [suse-security] forcing use of proxy

> they want.
If you want to 'force' use of something, private networks are the only way; then they really _do_ have to use the services you offer, through application level proxies.
Rob
> OK, then maybe try the hard way: forbid every workstation in the LAN direct connections to the internet, only allow the proxy to enter the i-net.
Possible, but inherently less secure, as you're relying on the outside router filtering. This router is often provided and managed by an ISP, and it is not unknown for rules to disappear due to error and for it to pass through everything.

With a private network solution, the gateway router should not even know how to route to the private networks, and only sees the DMZ network. It makes it easier to secure internal hosts, as any intrusion has to come from the DMZ network or via the internal firewall/NAT box, and they can be set up to treat these machines with suspicion. Other advantages include simplifying dual ISP operation, and avoiding network renumbering on change of ISP, or the overhead of dealing with split network blocks and negotiating transfer of PTR zones.

If you're able to do _that_ much blocking that you suggest, then your hosts aren't really on the internet in any meaningful way and you may as well use a private network. When you open up ports to use other applications that don't have application level proxies, then those ports may be used from outside in, whereas with masquerading the internal hosts have to initiate the connections, as there's no IP to address but the firewall bastion.

Rob
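As an added example (not code posted in this thread), the following script prints two iptables rulesets for a Linux box routing between an internal LAN and the internet: the port-only block from rene's first message (80/443 forwarded for the proxy address only) and the default-deny forwarding with masquerading of the proxy host alone that Rob's reply and rene's "hard way" describe. The LAN prefix, proxy address, interface names and the script name are assumptions; the script only emits the commands so they can be reviewed, and they are applied by piping its output to sh as root.

```shell
#!/bin/sh
# Added example, not from the suse-security thread.
# Assumed (hypothetical) layout: internal LAN 192.168.10.0/24 on eth1,
# proxy host 192.168.10.2, internet on eth0. Override via environment.
# Usage: sh force_proxy.sh port-block | sh      (weak variant)
#        sh force_proxy.sh strict | sh          (default-deny variant)

LAN_NET="${LAN_NET:-192.168.10.0/24}"
PROXY_IP="${PROXY_IP:-192.168.10.2}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# Variant 1: forwarding stays open, only 80/443 are filtered, with an
# exception for the proxy. Any port not listed here (53, 22, a tunnel
# endpoint on 8080, ...) is still forwarded, which is the bypass Rob
# points out: a user can run their own proxy or CIPE/ssh tunnel outside.
port_block_rules() {
    cat <<EOF
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j REJECT
EOF
}

# Variant 2: default-deny forwarding. No workstation in LAN_NET has any
# path to the internet; only the proxy host is forwarded and masqueraded,
# so every other service must go through whatever the proxy offers.
# Workstations keep private addresses and are never NATed, so nothing
# outside can reach them even if the ISP router lost its filters.
strict_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $PROXY_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "fwd-denied: "
iptables -t nat -A POSTROUTING -o $EXT_IF -s $PROXY_IP -j MASQUERADE
EOF
}

# Print the chosen ruleset; with no argument just define the functions.
case "${1:-}" in
    port-block) port_block_rules ;;
    strict) strict_rules ;;
    "") ;;
    *) echo "usage: $0 port-block|strict" >&2; exit 2 ;;
esac
```

In the strict variant the LOG rule sits after the two ACCEPT rules, so every forwarding attempt from a workstation shows up in the kernel log with the `fwd-denied:` prefix before the DROP policy discards it; that log is where the "proxy on port 53" attempts from Rob's reply become visible.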
participants (2)
- rene marhold
- Robert Davies