Proxies 101: Top Five Tips to Securing Your Network

1.Blocking URLs Is Not Enough - There are many free, open source, proxy software packages available on the Internet. Students download these programs, install them on their home computers, then text message the IP address of their computer to a few trusted friends. Pure URL-based filtering using a "blacklist" of known sites is hopelessly overmatched by these "anonymous" proxies, which can appear and disappear on a daily or hourly basis. Effective filters must have a proxy pattern blocking feature that writes signatures against known proxies and provides zero-day protection against anonymous proxies.
Bottom Line: Ensure that your filtering solution has signatures that automatically protect against ever-changing proxies. 

2.Stopping HTTPS is Essential - Filtering HTTPS is an important component of blocking proxies. Circumventor - a free, open source, proxy package from Peacefire.org - provides an SSL configuration that is very easy to set up. In China, there are a number of proxy packages delivered over SSL, which allow political dissidents access to material that is blocked by the government. Students in the United States use these to gain access to social networking and other Web sites containing inappropriate material. 
Bottom Line: Effective filters must have the capability to identify HTTPS proxies and block them.   

3.Client-Side Proxies - Most administrators tend to think of proxies as server-side programs, and many are unaware that there are a number of client-side proxies that can be installed on school and library computers that allow students to bypass filtering. Managing and blocking these proxies is similar to handling IM and peer-to-peer applications.
Bottom Line: Application management must be included as part of an overall Web security posture.  

4.Beware of Non-Standard Ports - IT departments must go beyond monitoring only the standard HTTP and HTTPS ports, since many proxies are found on non-standard ports. Open proxies, which students can utilize by configuring browsers to route all Web requests through a specific IP and port, are regularly published and distributed via mailing lists. While it appears that traffic is going directly to a single IP address, it is actually being proxied by that IP to sites that might otherwise have been blocked.
Bottom Line: A filter must be configured to identify and monitor all ports, much the same as how a traffic cop would not only need to monitor a freeway, but the side streets as well.  

5.Enforce the Acceptable Use Policy (AUP) - Administrators have a general sense of their students' willingness to bypass the AUP. Students, with "nothing to lose," are much more relentless than enterprise end users in finding ways to get around a filter. School districts that explain their AUPs to students and make an effort at enforcing their AUPs have a better success rate in blocking proxies. Administrators need to utilize the reporting feature of their filter, sit down with students and let them know that their Internet use is being monitored and any inappropriate sites will be blocked. Through these practices, proxy use tends to decrease considerably.
Bottom Line: Communicate the rules, use the reporting feature of your filter to determine who is bypassing the filter via proxies, and enforce the policies.