proxy to restrict the client systems from downloading anything from internet - Security



Thread: proxy to restrict the client systems from downloading anything from internet

  1. proxy to restrict the client systems from downloading anything from internet

    Hi, I'm new to system admin. Can anyone tell me what proxy I can use to
    restrict my client systems from downloading anything from the internet? I
    need this because my management wants to speed up the internet by
    restricting the users from downloading anything from the internet, but it
    should not restrict them from browsing or surfing.

    thanking you,
    smart


  2. Re: proxy to restrict the client systems from downloading anything from internet

    smart wrote:
    > Hi, I'm new to system admin. Can anyone tell me what proxy I can use to
    > restrict my client systems from downloading anything from the internet? I
    > need this because my management wants to speed up the internet by
    > restricting the users from downloading anything from the internet, but it
    > should not restrict them from browsing or surfing.


    I'm sorry, but there is NO difference (protocol-wise). When you
    surf, you are effectively downloading the web page. Many sites
    now prefer the http protocol for their downloads.

    With that said, there might be some kind of QoS tweak that
    could be used (might not prevent, but might make the
    network more responsive). Anybody else have a good idea on this one?

  3. Re: proxy to restrict the client systems from downloading anything from internet

    "smart" wrote in message
    news:1160491069.243179.306340@c28g2000cwb.googlegroups.com

    > Hi, I'm new to system admin. Can anyone tell me what proxy I can use to
    > restrict my client systems from downloading anything from the internet? I
    > need this because my management wants to speed up the internet by
    > restricting the users from downloading anything from the internet, but it
    > should not restrict them from browsing or surfing.


    Your statement is a simple contradiction.

  4. Re: proxy to restrict the client systems from downloading anything from internet

    hi chris,
    thanks for your reply. Though I couldn't find an answer, I
    understood the complication in this from your reply. If you come to know
    about that, please do post it.
    thanks,
    smart
    Chris Cox wrote:
    > smart wrote:
    > > Hi, I'm new to system admin. Can anyone tell me what proxy I can use to
    > > restrict my client systems from downloading anything from the internet? I
    > > need this because my management wants to speed up the internet by
    > > restricting the users from downloading anything from the internet, but it
    > > should not restrict them from browsing or surfing.

    >
    > I'm sorry, but there is NO difference (protocol-wise). When you
    > surf, you are effectively downloading the web page. Many sites
    > now prefer the http protocol for their downloads.
    >
    > With that said, there might be some kind of QoS tweak that
    > could be used (might not prevent, but might make the
    > network more responsive). Anybody else have a good idea on this one?



  5. Re: proxy to restrict the client systems from downloading anything from internet

    Chris Cox (06-10-10 12:34:27):

    > > Hi, I'm new to system admin. Can anyone tell me what proxy I can use to
    > > restrict my client systems from downloading anything from the internet? I
    > > need this because my management wants to speed up the internet by
    > > restricting the users from downloading anything from the internet, but it
    > > should not restrict them from browsing or surfing.

    >
    > I'm sorry, but there is NO difference (protocol-wise). When you
    > surf, you are effectively downloading the web page. Many sites
    > now prefer the http protocol for their downloads.


    That's wrong. Each file sent by the server is associated with a
    MIME-type, by which you can filter. By only allowing text/* and image/*
    types, or by disallowing application/*, you effectively prevent people
    from downloading anything other than a web page and its images.


    > With that said, there might be some kind of QoS tweak that could be
    > used (might not prevent, but might make the network more responsive).
    > Anybody else have a good idea on this one?


    Again wrong. QoS has nothing to do with a protocol's content. It's
    also useless in this case, because it has to be properly configured on
    the sending machine, which is not the proxy server. It's much better to
    use MIME-based filtering at the proxy stage.


    Regards,
    E.S.

  6. Re: proxy to restrict the client systems from downloading anything from internet

    Ertugrul Soeylemez wrote:

    > Chris Cox (06-10-10 12:34:27):
    >
    >> > Hi, I'm new to system admin. Can anyone tell me what proxy I can use to
    >> > restrict my client systems from downloading anything from the internet? I
    >> > need this because my management wants to speed up the internet by
    >> > restricting the users from downloading anything from the internet, but it
    >> > should not restrict them from browsing or surfing.

    >>
    >> I'm sorry, but there is NO difference (protocol-wise). When you
    >> surf, you are effectively downloading the web page. Many sites
    >> now prefer the http protocol for their downloads.

    >
    > That's wrong. Each file sent by the server is associated with a
    > MIME-type, by which you can filter. By only allowing text/* and image/*
    > types, or by disallowing application/*, you effectively prevent people
    > from downloading anything other than a web page and its images.

    Nice idea. However, even assuming that the remote server is set up with
    correct MIME types, there are still some application/ types that you should
    let through - here is a non-exhaustive list:

    application/xhtml+xml -- the correct MIME type for XHTML (many servers serve
    it as text/html because MSIE does not understand application/xhtml+xml)

    application/xslt+xml -- client-side XSL stylesheets

    application/x-whatever-the-mime-type-for-pdf-files-is


    >
    >
    >> With that said, there might be some kind of QoS tweak that could be
    >> used (might not prevent, but might make the network more responsive).
    >> Anybody else have a good idea on this one?

    >
    > Again wrong. QoS has nothing to do with a protocol's content. It's
    > also useless in this case, because it has to be properly configured on
    > the sending machine, which is not the proxy server. It's much better to
    > use MIME-based filtering at the proxy stage.
    >
    >
    > Regards,
    > E.S.


    QoS might not have been the correct term, but an idea along the same lines
    could be to use iptables --limit (whatever) with a reasonably large burst
    size, which will slow down connections that hog bandwidth for a long period
    of time without stopping small web pages from downloading quickly.


  7. Re: proxy to restrict the client systems from downloading anything from internet

    On 2006-10-10, smart wrote:

    > thanks for your reply. Though I couldn't find an answer, I
    > understood the complication in this from your reply. If you come to know
    > about that, please do post it.


    If you're worried about users downloading specific types of files, you
    can use a filtering proxy (e.g. "privoxy" http://www.privoxy.org) to
    block them. Just edit the filter to block *.exe or *.zip or whatever it
    is you're concerned about.

    --

    John (john@os2.dhs.org)

  8. Re: proxy to restrict the client systems from downloading anything from internet

    John Thompson (06-10-10 23:05:50):

    > > thanks for your reply. Though I couldn't find an answer, I understood
    > > the complication in this from your reply. If you come to know about
    > > that, please do post it.

    >
    > If you're worried about users downloading specific types of files, you
    > can use a filtering proxy (e.g. "privoxy" http://www.privoxy.org) to
    > block them. Just edit the filter to block *.exe or *.zip or whatever
    > it is you're concerned about.


    What about *.com? *.rar? *.tar? *.bz2? There are hundreds of them.
    Name-based filtering is pointless, IMO. Filter by MIME-type; it's
    effectively the same, safer and much easier.


    Regards,
    E.S.

  9. Re: proxy to restrict the client systems from downloading anything from internet

    Chris Kerr (06-10-10 22:29:34):

    > > > I'm sorry, but there is NO difference (protocol-wise). When you
    > > > surf, you are effectively downloading the web page. Many sites
    > > > now prefer the http protocol for their downloads.

    > >
    > > That's wrong. Each file sent by the server is associated with a
    > > MIME-type, by which you can filter. By only allowing text/* and
    > > image/* types, or by disallowing application/*, you effectively
    > > prevent people from downloading anything other than a web page and
    > > its images.

    >
    > Nice idea. However, even assuming that the remote server is set up
    > with correct MIME types, there are still some application/ types that
    > you should let through - here is a non-exhaustive list:
    >
    > application/xhtml+xml -- the correct MIME type for XHTML (many servers
    > serve it as text/html because MSIE does not understand
    > application/xhtml+xml)
    >
    > application/xslt+xml -- client-side XSL stylesheets
    >
    > application/x-whatever-the-mime-type-for-pdf-files-is


    True. We shouldn't ban XHTML in the first place. =)

    The types for RSS/RDF belong on that list, too.


    > > > With that said, there might be some kind of QoS tweak that could
    > > > be used (might not prevent, but might make the network more
    > > > responsive). Anybody else have a good idea on this one?

    > >
    > > Again wrong. QoS has nothing to do with a protocol's content. It's
    > > also useless in this case, because it has to be properly configured
    > > on the sending machine, which is not the proxy server. It's much
    > > better to use MIME-based filtering at the proxy stage.

    >
    > QoS might not have been the correct term, but an idea along the same
    > lines could be to use iptables --limit (whatever) with a reasonably
    > large burst size, which will slow down connections that hog bandwidth
    > for a long period of time without stopping small web pages from
    > downloading quickly.


    That's quite possible, but doing that on port 80 would be an annoyance. These
    days you quite often download lots of megabytes for a single page (not
    counting Flash or Java content). That method couldn't distinguish a
    download from normal web content -- at least not for sites where you
    would usually download something.

    However, there is use for QoS for such scenarios. I usually give HTTP a
    pretty low priority, so it doesn't disturb, e.g. IRC, NNTP, NTP or my
    e-mail traffic.


    Regards,
    E.S.

  10. Re: proxy to restrict the client systems from downloading anything from internet

    In comp.os.linux.security smart :
    > Hi, I'm new to system admin. Can anyone tell me what proxy I can use to
    > restrict my client systems from downloading anything from the internet? I
    > need this because my management wants to speed up the internet by
    > restricting the users from downloading anything from the internet, but it
    > should not restrict them from browsing or surfing.


    You need to ensure at first that all clients are forced to use the
    proxy to make any further control possible. This can be done via
    forcing a transparent proxy. Squid can be used as the proxy and has
    various ways to restrict client speed/downloads, like delay pools,
    which work pretty well. Check the squid FAQ; just use Google for
    what it was intended to do.

    There are even more restrictive ways if you add squidGuard or
    DansGuardian to your proxy. However, I'd just run squid in
    transparent proxy mode for some time and then check the cache
    manager statistics. Perhaps using squid alone can speed up the
    internet quite a bit for your users without restricting anything.

    Comes with most distros by default:

    http://www.squid-cache.org/

    Good luck

    BTW
    Please quote context on reply, thx:
    http://groups.google.com/support/bin...y?answer=14213

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 14: sounds like a Windows problem, try calling
    Microsoft support
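    Putting the thread's suggestions into one squid.conf fragment: the
    MIME-type reply filter with the exceptions from posts 5, 6 and 9, and
    the transparent mode and delay pools from post 10. This is an added
    example, not configuration from any poster or from the Squid project;
    the client subnet, the burst/refill rates and the JavaScript type are
    my own assumptions.

    ```conf
    # squid.conf fragment -- constructed example, not from the thread.
    # Assumes Squid built with --enable-delay-pools and clients on 192.168.1.0/24.

    # Intercept port 80 traffic so clients cannot simply bypass the proxy.
    # Squid 2.x of the thread's era spells this "transparent"; 3.1+ uses "intercept".
    http_port 3128 transparent

    acl localnet src 192.168.1.0/24          # assumed client subnet
    http_access allow localnet
    http_access deny all

    # --- Reply filtering by MIME type ---
    # rep_mime_type matches the Content-Type of the *reply*, so it catches a
    # file handed out by download.php just as well as one named setup.exe;
    # a filename rule would miss the former. '+' must be escaped in the regex.
    acl app_allowed rep_mime_type -i ^application/xhtml\+xml
    acl app_allowed rep_mime_type -i ^application/xslt\+xml
    acl app_allowed rep_mime_type -i ^application/pdf
    acl app_allowed rep_mime_type -i ^application/rss\+xml ^application/rdf\+xml ^application/atom\+xml
    acl app_allowed rep_mime_type -i ^application/(x-)?javascript   # assumption: scripts are needed
    acl app_any     rep_mime_type -i ^application/

    # Let through the application/* types a page needs, block the rest of
    # application/*, and allow everything else (text/*, image/*, ...).
    http_reply_access allow app_allowed
    http_reply_access deny  app_any
    http_reply_access allow all
    # Stricter allow-only variant (post 12): replace the last line with
    # "http_reply_access deny all" and expect some badly configured sites to
    # break, because the filter trusts whatever Content-Type the origin sends.

    # --- Delay pools ---
    # Class 2 = one aggregate bucket plus one bucket per client address.
    # Each client may burst 2 MB at full speed, then drops to 64 KB/s, so
    # small pages still load quickly while long transfers are throttled.
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 65536/2097152
    delay_initial_bucket_level 100
    delay_access 1 allow localnet
    delay_access 1 deny all
    ```

    The cache manager (cachemgr.cgi) shows per-pool and hit-rate statistics, which is how you would check post 10's suggestion that caching alone already helps before tightening the reply filter.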

  11. Re: proxy to restrict the client systems from downloading anything from internet

    Ertugrul Soeylemez wrote:
    > John Thompson (06-10-10 23:05:50):
    >
    >>> thanks for your reply. Though I couldn't find an answer, I understood
    >>> the complication in this from your reply. If you come to know about
    >>> that, please do post it.

    >>If you're worried about users downloading specific types of files, you
    >>can use a filtering proxy (e.g. "privoxy" http://www.privoxy.org) to
    >>block them. Just edit the filter to block *.exe or *.zip or whatever
    >>it is you're concerned about.

    >
    > What about *.com? *.rar? *.tar? *.bz2? There are hundreds of them.
    > Name-based filtering is pointless, IMO. Filter by MIME-type; it's
    > effectively the same, safer and much easier.


    Not to mention dynamic downloads via php/asp/etc.

  12. Re: proxy to restrict the client systems from downloading anything from internet

    Ertugrul Soeylemez wrote:
    > Chris Cox (06-10-10 12:34:27):
    >
    >>> Hi, I'm new to system admin. Can anyone tell me what proxy I can use to
    >>> restrict my client systems from downloading anything from the internet? I
    >>> need this because my management wants to speed up the internet by
    >>> restricting the users from downloading anything from the internet, but it
    >>> should not restrict them from browsing or surfing.

    >> I'm sorry, but there is NO difference (protocol-wise). When you
    >> surf, you are effectively downloading the web page. Many sites
    >> now prefer the http protocol for their downloads.

    >
    > That's wrong. Each file sent by the server is associated with a
    > MIME-type, by which you can filter. By only allowing text/* and image/*
    > types, or by disallowing application/*, you effectively prevent people
    > from downloading anything other than a web page and its images.


    Actually, what I said is quite true. While it is certainly
    possible to do SOME mimetype restriction.... well.. it's not
    quite as simple as you make it out to be. With that said, using
    a proxy with mime filtering might be a good solution for MANY
    of the downloads.

    Might be better to mime filter allowing ONLY certain
    types. It'll barf on some poorly done sites of course.

    Running a proxy where there was none before opens up other
    issues though.... OP might want to experiment with a proxy.

    >
    >
    >>With that said, there might be some kind of QoS tweak that could be
    >>used (might not prevent, but might make the network more responsive).
    >>Anybody else have a good idea on this one?

    >
    > Again wrong. QoS has nothing to do with a protocol's content. It's
    > also useless in this case, because it has to be properly configured on
    > the sending machine, which is not the proxy server. It's much better to
    > use MIME-based filtering at the proxy stage.


    Huh? I was merely suggesting a possible solution to the root
    cause of the problem. A proxy might be the right answer... might not.
    In a small business environment a proxy might be just the thing.

    But my response isn't WRONG... it's just a bit more open-minded.

    I think you missed what I meant with regards to QoS.


  13. Re: proxy to restrict the client systems from downloading anything from internet

    Chris Cox (06-10-13 10:36:13):

    > > > With that said, there might be some kind of QoS tweak that could
    > > > be used (might not prevent, but might make the network more
    > > > responsive). Anybody else have a good idea on this one?

    > >
    > > Again wrong. QoS has nothing to do with a protocol's content. It's
    > > also useless in this case, because it has to be properly configured
    > > on the sending machine, which is not the proxy server. It's much
    > > better to use MIME-based filtering at the proxy stage.

    >
    > Huh? I was merely suggesting a possible solution to the root cause of
    > the problem. A proxy might be the right answer... might not. In a
    > small business environment a proxy might be just the thing.
    >
    > But my response isn't WRONG... it's just a bit more open-minded.
    >
    > I think you missed what I meant with regards to QoS.


    If that was right, then it would also be right to play soccer with your
    hard disk. Since it's possible, it's not wrong.


    Regards,
    E.S.
