I'm not disagreeing with only allowing 443 out from the squid proxy.  That's 
the best way to go for sure.

I'm just saying that if the end user is connecting to an external proxy using 
encrypted traffic through the squid then it makes no difference to that end 
user.

Hence my initial comment about using 443 to bypass internal filtering unless 
there is https inspection in place.  It's a common trick used particularly in 
schools it seems.

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, 29 September 2010 1:48 PM
To: NT System Admin Issues
Subject: Re: Outbound firewall ports

Yes, it does matter.

The inspection of traffic in this case is fairly irrelevant.

What I'm after is that *only* the squid proxy gets out on port 443.
Anything trying to get out on port 443 that doesn't go through the squid proxy 
is by definition bad, and therefore blocked.

I don't have the resources to inspect traffic. That's a hard fact I have to 
live with. Therefore, I have to rely on endpoint protection, and the idea that 
only one host is allowed out.

You do what you can with what you have.

Kurt

On Tue, Sep 28, 2010 at 20:35, James Hill <james.h...@superamart.com.au> wrote:
> If you aren't inspecting the traffic then it doesn't really matter that it's 
> going through squid they'll still get to wherever they like.
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, 29 September 2010 1:24 PM
> To: NT System Admin Issues
> Subject: Re: Outbound firewall ports
>
> Nope - I proxy SSL through my squid box. Of course, I don't actually inspect 
> the traffic, but I do log the URLs. It stops potential zombies that don't 
> understand/respect IE or FF proxy settings.
>
> On Tue, Sep 28, 2010 at 17:13, James Hill <james.h...@superamart.com.au> 
> wrote:
>> 443?  Isn't that the port to connect to your external proxy server so 
>> you can bypass any internal filtering?  :)
>>
>> Unless of course the internal filtering has good https inspection.  Not many 
>> do though.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Wednesday, 29 September 2010 4:03 AM
>> To: NT System Admin Issues
>> Subject: Re: Outbound firewall ports
>>
>> Ports 21, 80 and 443, and only for the proxy server. I have ssh open 
>> outbound to specific customer sites that we support.
>>
>> I was forced to open 544 (rtsp) recently for a live video event, but did 
>> that for a single IP address so that the machine showing the event in the 
>> lunchroom could get to it.
>>
>> I allow DNS outbound only for our DNS servers, and NTP for our NTP servers.
>>
>> That covers most of it.
>>
>> On Tue, Sep 28, 2010 at 10:55, Tom Miller <tmil...@hnncsb.org> wrote:
>>> Folks,
>>>
>>> Anyone have a list of the protocols/ports they allow outside their 
>>> firewalls?  I am locking down our firewall outbound traffic to 
>>> certain ports and am looking for other "standard" items I may be missing.
>>>
>>> Thanks
>>> Tom
>>>
>>> Confidentiality Notice: This e-mail message, including attachments, 
>>> is for the sole use of the intended recipient(s) and may contain 
>>> confidential and privileged information. Any unauthorized review, 
>>> use, disclosure, or distribution is prohibited. If you are not the 
>>> intended recipient, please contact the sender by reply e-mail and 
>>> destroy all copies of the original message.
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
>>> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to listmana...@lyris.sunbeltsoftware.com
>>> with the body: unsubscribe ntsysadmin
>>
>

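Added example, not code from any participant in the thread: a Python model of the egress policy Kurt describes in the quoted messages (only the proxy host out on 21/80/443, DNS only from the DNS servers, NTP only from the NTP servers, one host on the rtsp port, ssh only to specific customer sites, everything else dropped and logged), plus a function that renders the same policy as nftables rules for a forward chain with a drop policy. All addresses are constructed RFC 1918 and TEST-NET values, not anyone's real network, and the rtsp rule uses 554, which is RTSP's registered port. The decision function shows the property Kurt relies on: a workstation that ignores the proxy settings and tries 443 directly is dropped. It says nothing about what travels inside a tunnel that does go through the proxy, which is James's point.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addresses (hypothetical RFC 1918 / TEST-NET ranges,
# not the original poster's network).
PROXY_HOST = ip_address("10.0.0.10")             # the squid box
DNS_SERVERS = {ip_address("10.0.0.53"), ip_address("10.0.0.54")}
NTP_SERVERS = {ip_address("10.0.0.123")}
LUNCHROOM_PC = ip_address("10.0.5.20")           # single host allowed rtsp
CUSTOMER_SITES = [ip_network("203.0.113.0/24")]  # supported customers, ssh only
PROXY_PORTS = (21, 80, 443)
RTSP_PORT = 554   # RTSP's registered port (the quoted message says 544)


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as seen at the firewall's egress."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def egress_decision(flow: Flow) -> str:
    """Return "allow" or "drop" for an outbound flow under the proxy-only policy."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    proto, port = flow.proto.lower(), flow.dport
    # Web and ftp leave only via the proxy host; anything else on these
    # ports is, as Kurt puts it, by definition bad.
    if proto == "tcp" and port in PROXY_PORTS and src == PROXY_HOST:
        return "allow"
    if port == 53 and proto in ("tcp", "udp") and src in DNS_SERVERS:
        return "allow"
    if port == 123 and proto == "udp" and src in NTP_SERVERS:
        return "allow"
    if port == 22 and proto == "tcp" and any(dst in net for net in CUSTOMER_SITES):
        return "allow"
    if port == RTSP_PORT and proto == "tcp" and src == LUNCHROOM_PC:
        return "allow"
    return "drop"


def nftables_rules() -> list:
    """Render the same policy as nftables rules for a forward chain whose
    default policy is drop (the chain header itself is not included)."""
    ports = ", ".join(str(p) for p in PROXY_PORTS)
    rules = [f"ip saddr {PROXY_HOST} tcp dport {{ {ports} }} accept"]
    for dns in sorted(DNS_SERVERS):
        rules.append(f"ip saddr {dns} meta l4proto {{ tcp, udp }} th dport 53 accept")
    for ntp in sorted(NTP_SERVERS):
        rules.append(f"ip saddr {ntp} udp dport 123 accept")
    for net in CUSTOMER_SITES:
        rules.append(f"ip daddr {net} tcp dport 22 accept")
    rules.append(f"ip saddr {LUNCHROOM_PC} tcp dport {RTSP_PORT} accept")
    # Log what the drop policy catches: a workstation hitting 443 directly
    # is exactly the "potential zombie" Kurt wants to notice.
    rules.append('log prefix "egress-drop: " drop')
    return rules


if __name__ == "__main__":
    samples = [
        Flow("10.0.0.10", "198.51.100.5", "tcp", 443),   # proxy -> web: allow
        Flow("10.0.5.30", "198.51.100.5", "tcp", 443),   # workstation direct: drop
        Flow("10.0.5.30", "198.51.100.5", "udp", 53),    # workstation DNS: drop
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {egress_decision(f)}")
    print("\n".join(nftables_rules()))
```

Loading the rendered rules into a real `nft` forward chain with `policy drop` gives the same behaviour the Python function models; the logged drops are the cheap detection Kurt has available without traffic inspection.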