Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, March 26, 2008

Privacy and Proxy Avoidance

Today, most mentions of proxies deal with either proxy avoidance (getting around the proxy at work or school) or the use of an anonymizing proxy to avoid leaving footprints on the web that could be used for identity theft or other malicious purposes.

Proxy avoidance is popular in both workplaces and schools where proxies have limited the web access of end-users. Proxy avoidance is a big headache for IT administrators trying to enforce corporate or school policy. The most common form of proxy avoidance is to use an open proxy on the internet to bypass the proxy in the local environment. Typically, the end-user just changes the setting in the browser to point to the open proxy IP address and port number, and in an insecure deployment, this allows them to surf freely without policy restrictions.

So how does an organization protect itself from end-users who use proxy avoidance techniques? The first step is to make sure the proxy is capable of recognizing proxy avoidance techniques and can prevent end-users from getting to those sites. With open proxies coming online daily, the URL list we talked about is really no solution for this problem. A dynamic rating system, on the other hand, would be able to solve most of this problem, because most of these open proxies have a landing page describing how to use the open proxy if you go directly to their IP address with a browser. This would allow a dynamic rating system to pick up on new pages and automatically detect and rate new open proxies correctly in the "proxy avoidance" category. According to Blue Coat Systems, this is exactly what their ProxySG product's DRTR (Dynamic Real Time Rating) system does, and with the correct policy it prevents end-users from getting to the open proxy.
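A minimal sketch of the landing-page rating idea described above, added here as an illustration; it is not Blue Coat's DRTR algorithm or code from this blog. The phrase weights, the threshold, the `rate_page` function and both sample pages are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Assumed phrase weights and cut-off, chosen for this illustration only.
SIGNALS = [
    (re.compile(r"\bopen proxy\b"), 2),
    (re.compile(r"\b(bypass|unblock|get around)\b[^.]*\b(filter|firewall|block)"), 3),
    (re.compile(r"\b(set|configure|point) your browser\b"), 2),
    (re.compile(r"\b(surf|browse) anonymously\b|\bhide your ip\b"), 2),
    (re.compile(r"\bport\s*:?\s*\d{2,5}\b"), 1),
]
THRESHOLD = 5

class PageText(HTMLParser):
    """Collects page text, skipping script and style bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def rate_page(html):
    """Return (category, score) for one fetched page."""
    parser = PageText()
    parser.feed(html)
    parser.close()
    text = " ".join(" ".join(parser.chunks).lower().split())
    score = sum(weight for pattern, weight in SIGNALS if pattern.search(text))
    return ("proxy avoidance" if score >= THRESHOLD else "unrated"), score

# Constructed sample pages (192.0.2.10 is a documentation address).
LANDING = ("<html><head><title>Free Open Proxy</title></head><body>"
           "<p>Set your browser to use 192.0.2.10, port 3128, to bypass "
           "your school filter and surf anonymously.</p></body></html>")
HELPDESK = ("<html><body><p>Configure your browser to use the corporate proxy, "
            "port 8080. Contact the help desk if a site is blocked.</p></body></html>")

if __name__ == "__main__":
    print(rate_page(LANDING), rate_page(HELPDESK))
```

The help-desk page shares vocabulary with the landing page (browser configuration, a port number) yet stays under the threshold, which is the false-positive case a rating system has to handle.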

In addition to open proxies, there are less well-known techniques for avoiding proxies that are used when there is malicious intent in mind. I'll save that for another post tomorrow.
