-----Original Message-----
From: Paul Mansfield <it-admin-pfse...@taptu.com>
To: support@pfsense.com
Date: Wed, 06 Jan 2010 18:05:45 +0000
Subject: Re: Fwd: [pfSense Support] Re: [***SPAM*** Score/Req: 05.6/5.0] Re: [pfSense Support] blocking Tor Networks

> On 06/01/10 16:46, Robert Mortimer wrote:
> >>> On 05/01/10 16:11, Luke Jaeger wrote:
> >>>> Has anyone had any success blocking Tor thru pfsense/squidguard?
> >>>> Some of our savvier students are starting to use it to get around
> >>>> the content filters ...
> >>>
> >>> that's a classic case of having a "permit any + deny specific"
> >>> policy. You'll have to turn it round, make it "deny all + permit
> >>> specific", set up an http proxy with same policy and (don't allow
> >>> CONNECT except under fine control) and don't allow anything else
> >>> out of your network except that explicitly wanted.
> >>>
> >>
> >> You are wrong, "deny all + permit specific" is not enough for
> >> blocking TOR.
> >>
> >
> > Depends how specific you are - if it looks like web access then it's
> > going to be hard to be specific enough without being too specific
>
> well, I did say to use a web proxy, which also has a whitelist of
> permitted sites, you literally only let your users access very specific
> services and hosts on the internet, and NOTHING else is allowed.
> 
> you're now going to say "but that's unmanageable", and I have two
> answers.
> 1/ security is a moving target and hard work, so if you can't trust
> your users you'll have to have the resources to manage their access
> effectively
> OR
> 2/ educate your users so that you can trust them and have suitable
> contracts and measures in place to punish them so that they will follow
> procedures
> 


A proxy server (squid, or another webfilter) cannot stop it (TOR 
clients), because it's unable to analyze TOR traffic (encrypted traffic).

I don't say that it is impossible to block it, but it is not easy.
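
The "deny all + permit specific" proxy policy described in the quoted reply above, sketched as a Squid configuration. This is an added example, not part of the thread; the LAN range, proxy port and whitelist file path are assumptions.

```conf
# Added example (not from the thread).
# Assumed values: LAN 192.168.1.0/24, proxy port 3128, and a whitelist file
# with one permitted domain per line (e.g. ".example.edu").

http_port 3128

acl localnet        src 192.168.1.0/24
acl CONNECT         method CONNECT
acl SSL_ports       port 443
acl Safe_ports      port 80 443
acl permitted_sites dstdomain "/usr/local/etc/squid/whitelist.txt"

# "permit any + deny specific" (the weak form, shown only for contrast):
#   acl blocked_sites dstdomain "/usr/local/etc/squid/blacklist.txt"
#   http_access deny  blocked_sites
#   http_access allow localnet

# "deny all + permit specific":
# 1. Nothing on unexpected ports.
http_access deny !Safe_ports
# 2. CONNECT tunnels only to port 443 ...
http_access deny CONNECT !SSL_ports
# 3. ... and only to whitelisted hosts, so a tunnel to an arbitrary
#    host or bare IP address is refused.
http_access deny CONNECT !permitted_sites
# 4. LAN clients may reach whitelisted sites and nothing else.
http_access allow localnet permitted_sites
# 5. Everything not explicitly permitted is denied.
http_access deny all
```

The policy only holds if the firewall also drops every other outbound connection from the LAN, so that the proxy is the only way out.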




---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org