Re: [squid-users] block users who create their own proxy behind main proxy

From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo_at_gmail.com>
Date: Mon, 26 Jul 2010 16:07:42 -0430

Hi!

On Mon, Jul 26, 2010 at 2:01 AM, goody goody <thinkodd_at_yahoo.com> wrote:
> Hi,
>
> In our organization we have restricted access to only limited IPs as per company
> policy, but what some users are doing is building their own proxy
> servers on any single allowed IP address and distributing access to their
> locally formed group.

Wow, these are good co-workers.

Let me guess: the restriction has recently been applied (i.e., less than
one month ago).

I think the best thing to do is: when someone does that and is
"discovered", he/she gets his/her privileges removed (i.e., no more
navigation for you). I would also implement a fine (but this
depends on each country's law; in mine, I can't). But I'm also a
little flexible when it comes to navigation privileges, thus I have a
whitelist (with sites that are interesting to most employees, like the
bank's page) and I give them full access at certain hours every day.

>
> In this way our main proxy thinks that it is allowing access to only one IP,
> whereas in reality that is not the case.
>
> This has become a challenge and if there is any solution / work around to this
> please let me know.

And even if you find a way to avoid that, they will find a way of
doing that again.

I actually use user authentication instead of per-IP. Why? Simple:
this makes the user responsible for his/her actions with his/her username
(IP can be forged). We use the username to apply any administrative
sanction that needs to be applied. Also, this lets us give other users
in our network "full internet access, on certain hours" (in our
case: nights, noons, and weekends).

I hope this helps,

Ildefonso Camargo
Received on Mon Jul 26 2010 - 20:37:43 MDT
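
Added example (not part of the original message, and not the poster's or the Squid project's own configuration): a squid.conf fragment for the setup the reply describes, with per-user authentication, a whitelist that is always reachable, and full access only in set hours. The helper path, password file, realm, domain and hour ranges are assumptions.

```conf
# Added example. Helper path, password file, realm, domain and hours are
# assumptions; adjust to the local install (older Squid releases name the
# NCSA helper ncsa_auth rather than basic_ncsa_auth).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Company proxy
auth_param basic credentialsttl 2 hours

# Every request must carry valid credentials. The login name is written to
# access.log, so activity is tied to a user account instead of a source IP.
acl authed proxy_auth REQUIRED

# Sites any authenticated user may reach at any time (constructed domain).
acl whitelist dstdomain .bank.example

# A time ACL cannot span midnight (start must be earlier than end), so
# "nights" is split into an evening range and an early-morning range.
# Day letters: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat.
acl noon    time MTWHF 12:00-13:00
acl evening time MTWHF 19:00-23:59
acl early   time MTWHF 00:00-07:00
acl weekend time SA    00:00-23:59

# Rules are checked top to bottom and the first match wins.
# Unauthenticated requests are challenged before anything else.
http_access deny !authed
http_access allow whitelist
http_access allow noon
http_access allow evening
http_access allow early
http_access allow weekend
http_access deny all
```

A downstream proxy chained behind this one has to present someone's credentials, so everything it relays is logged under that account name.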
