I am an administrator of a company and I have a peer-to-peer network. When I block certain sites, employees can still open them via proxy. What should I do to prevent this?
Blocking peer-to-peer (P2P) traffic is a sticky problem. P2P traffic, unlike other Web traffic, travels on dynamic ports and is difficult to block by tweaking firewall port rules. In addition, the distributed nature of P2P traffic makes it hard to pinpoint which server IP address to block.
If employees are going to various anonymous proxies available for free on the Web, there are many websites that list available proxies for bypassing blocking software. All users have to do is change the configuration settings on their browsers to connect to the Web through these proxies to bypass their organizations' gateways altogether.
The problem is that the URLs of these proxies change constantly and are hard to block. Another equally frustrating factor is that the sites a corporation is trying to block shift around just as fast.
Here are some ideas an organization might want to consider to defeat these problems. First, make sure all connections between the company and the Internet, including any Web traffic and TCP protocols, go through a single firewall and gateway that the organization controls. If there is more than one, make sure all external connections are under corporate control.
Second, there are "smart" blocking tools that are specifically designed to block access to websites without relying on shifting IP addresses or black lists. Tools from companies such as Blue Coat, WebSense and FaceTime use various filters for checking HTTP packets and headers to block nefarious sites and P2P traffic. Blue Coat, for example, also uses behavioral engines to check for types of sites rather than specific IP addresses.
All of these tools use sophisticated screening and content monitoring to block unwanted Web traffic. They also have logging and monitoring capabilities to track down any offending desktop trying to access blocked sites.
And, of course, they can still be tuned with old-fashioned black lists for blocking specific sites that might not fit into any category.
There isn't a totally foolproof way to prevent access to external proxies and inappropriate websites, but these tools and techniques can help significantly cut down unwanted Web access.
This was first published in February 2008
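As an added illustration (not part of the original answer), the following sketch shows how firewall logs can be used to track down desktops that try to reach the Internet directly instead of through the single corporate gateway. The key=value log format, the `10.0.0.0/8` internal range, the gateway address `10.0.0.5` and the sample lines are all assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed values for this example; replace with your own addressing.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
GATEWAY_IPS = {ipaddress.ip_address("10.0.0.5")}  # the sanctioned web gateway

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2008-02-11T09:14:02 ALLOW src=10.0.0.5 dst=198.51.100.20 dport=80 proto=tcp
2008-02-11T09:14:07 DENY src=10.0.4.23 dst=203.0.113.50 dport=8080 proto=tcp
2008-02-11T09:14:09 DENY src=10.0.4.23 dst=203.0.113.50 dport=8080 proto=tcp
2008-02-11T09:15:30 ALLOW src=10.0.4.23 dst=10.0.0.5 dport=3128 proto=tcp
2008-02-11T09:16:44 ALLOW src=10.0.7.91 dst=203.0.113.77 dport=3128 proto=tcp
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def find_gateway_bypass(log_text):
    """Map each desktop to its direct outbound attempts that skipped the gateway."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not parse
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # ignore lines with unparseable addresses
        # Only internal desktops talking straight to external hosts matter.
        if src not in INTERNAL_NET or src in GATEWAY_IPS or dst in INTERNAL_NET:
            continue
        hits[str(src)][(str(dst), int(m["dport"]), m["action"])] += 1
    return {src: dict(flows) for src, flows in hits.items()}

if __name__ == "__main__":
    for src, flows in sorted(find_gateway_bypass(SAMPLE_LOG).items()):
        for (dst, dport, action), count in sorted(flows.items()):
            print(f"{src} -> {dst}:{dport} {action} x{count}")
```

A `DENY` entry points to a desktop whose browser has been reconfigured to use an outside proxy, while an `ALLOW` entry from a non-gateway source means the egress rules still let some traffic leave without passing through the gateway.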