
How to block proxy sites through Custom IPS?

Created: 12 Apr 2010 • Updated: 13 Oct 2010 | 20 comments

We have implemented a block on the major social networking sites at work, but it is easily gotten around by using a proxy site to bypass the www.facebook.com block. Is there a way other than manually adding the sites to the ICS list?


blenahan's picture

Check this thread out on how to block addresses using SEP firewall
https://www-secure.symantec.com/connect/articles/how-block-internet-address-sep-manager-firewall-rule

 

_________________________________________________________________

Please remember to mark the thread 'SOLVED' with the answer that most helped you by choosing 'Mark As Solution' on the applicable answer

PeterMacLean's picture

I have tried this one but it is not what I am asking. We blocked Facebook, but if you google "proxy facebook" and click on the first hit, it will take you to a site where you enter the blocked site, and then it will serve up Facebook through another site, and the URL won't even be in the address bar.

blenahan's picture

Yeah, I didn't mean to block facebook.com this way; I meant to use these rules to block the proxy site addresses.

 


Topa 101's picture

Firewalled! -
We first started with a Host rule that defines all our internal DNS aliases and internal proxy server hosts.
The list was about 24 items.
Next we used a two-part firewall rule:

a. The allow rule: we defined the browsers by name.exe only; we wanted to trap on name.exe only here.
Next we set the host rule active to filter incoming traffic only - if the browser is not receiving Tx from a defined host or DNS found in this host rule, it fails to the next rule.

b. This is the block rule; it uses "*" for the application name and application hashes of all of the browser versions found internally - about 34 unique items.
This allowed us to not only stop Webproxy sites and Botnets and force machines to use our internal proxy; it also blocks browsers that the users had renamed to avoid AD policy. It also works with our remote laptops, because we have an outfacing proxy portal, so even if the user is offline and surfing, it is managed and controlled via our corp proxy. I know, we're cool, got the right stuff.. thank you, thank you..

1. 1x host rule
2. 2x application rules, name.exe and "*" - hash
3. 2x firewall rules, a general allow for internal DNS and proxy host, and a block-all rule for the same applications.
4. You must have a working DNS infrastructure at your company to do this, and an internal proxy server. This technique can be used with simpler network implementations by using IP ranges and host names only.

This is just an overview of what my team accomplished; the purpose was to save money, with no new hardware or software needed to do the same function.

Gregory A Anderson

Symantec Certified specialist - SEP v11.x - v12.1.x

Symantec DLP 12.x Boot Camp survivor
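
The rule ordering described in the post above, modelled as an added Python example (not part of the original post and not SEP's own policy format). Host names, hash strings and the `evaluate` helper are constructed for illustration, and first-match rule evaluation is assumed.

```python
from dataclasses import dataclass

# Host group: internal DNS aliases and proxy hosts (constructed values).
INTERNAL_HOSTS = {"proxy.corp.example", "dns1.corp.example", "10.0.0.53"}
# Rule a matches browsers by file name only.
BROWSER_NAMES = {"iexplore.exe", "firefox.exe"}
# Rule b matches fingerprints of every browser build inventoried internally
# (placeholder strings standing in for real file hashes).
BROWSER_HASHES = {"hash-iexplore-8", "hash-firefox-3.6"}

@dataclass
class Conn:
    exe_name: str     # file name of the process that owns the connection
    exe_hash: str     # fingerprint of that binary
    remote_host: str  # host the incoming traffic is received from

def rule_allow(c):
    """Rule a: allow a named browser only when the peer is in the host group."""
    if c.exe_name.lower() in BROWSER_NAMES and c.remote_host in INTERNAL_HOSTS:
        return "allow"
    return None  # no match: fall through to the next rule

def rule_block(c):
    """Rule b: application name '*', matched on hash, so a rename changes nothing."""
    if c.exe_hash in BROWSER_HASHES:
        return "block"
    return None

def evaluate(c):
    """First matching rule wins; 'unmatched' means later policy rules decide."""
    for rule in (rule_allow, rule_block):
        verdict = rule(c)
        if verdict is not None:
            return verdict
    return "unmatched"

def demo():
    """Constructed sample traffic covering each outcome of the two rules."""
    cases = {
        "browser via internal proxy": Conn("firefox.exe", "hash-firefox-3.6", "proxy.corp.example"),
        "browser direct to web proxy site": Conn("firefox.exe", "hash-firefox-3.6", "webproxy.example.net"),
        "renamed browser": Conn("notepad.exe", "hash-firefox-3.6", "proxy.corp.example"),
        "browser build missing from hash list": Conn("firefox.exe", "hash-firefox-new", "webproxy.example.net"),
    }
    return {label: evaluate(conn) for label, conn in cases.items()}

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:10} {label}")
```

The last case shows why the hash list has to be refreshed whenever a browser is updated: a build that is not inventoried matches neither rule once it talks to a host outside the group.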

 

blenahan's picture

Here's another.  Ultrasurf is a proxy-type application.  Here are some instructions for it.  If they do not hit head on what you need, maybe they'll give you some new ideas
https://www-secure.symantec.com/connect/articles/most-detailed-way-block-ultrasurf

 


PeterMacLean's picture

Great article and read but you don't even have to install anything to proxy.

blenahan's picture

This is not done via SEP, but check this out.  This may be the easiest way:
http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/

 


Vikram Kumar-SAV to SEP's picture

Block these websites using Firewall proxy,
e.g. block:
http://www.facebookproxy.co.uk/
http://www.facebookproxyserver.com/
http://www.proxyforfacebook.com/ (Few are in this link )
http://facebook-login-proxy.com/

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

PeterMacLean's picture

I will try this. We have run into another snag. Some sites use Facebook and Twitter on their site and now it is blocking those sites. Is there a way to allow these sites that have Facebook or Twitter embedded?

Grant_Hall's picture

Hi Peter,

Can you give an example of such a site? How to block it might depend on what kind of embed it is. For instance, is it like an advertisement for Facebook that is getting blocked, or some web app that "embeds" Facebook?

Thanks,
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

PeterMacLean's picture

thechronicleherald.ca, Globe & Mail, CNN, MSNBC and Environmental News Network  to name a few.

Vikram Kumar-SAV to SEP's picture

Nowadays almost every site has links to Twitter and Facebook, so taking action per site is impossible.
However, you can try doing nslookup twitter.com; it will give you the local IP address for Twitter in your region, and it might block most of the requests.


PeterMacLean's picture

Do I still use the custom ips to do so or do I use firewall?

Vikram Kumar-SAV to SEP's picture

Use the firewall; it's easier to handle/manage/configure.


PeterMacLean's picture

Do you have any documentation on this? Attached is a pic of the settings I have set up.

socialnetworkfirewall.JPG
PeterMacLean's picture

I think I know what my problem was before. I had an Intrusion Prevention rule on as well. I had everything checked and this was interfering. What settings can I have checked in Intrusion Prevention and still have the firewall working?

Vikram Kumar-SAV to SEP's picture

You can have both rules on, and they will work as long as the Network Threat Protection feature is installed on your machine.


PeterMacLean's picture

As soon as I withdrew the IPS everything worked like it should have. I will try it tomorrow again and see what happens.

Thank you everyone for all of your help.

Saeed's picture

You might find this helpful.

Title : Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

http://service1.symantec.com/SUPPORT/ent-security....

If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.