Preventing Users from Bypassing the Proxy Server

While circumventing Internet censorship and restrictive information access policy may be a laudable political effort, proxies and firewalls are necessary tools in areas with extremely limited bandwidth. Without them, the stability and usability of the network are threatened by legitimate users themselves. Techniques for bypassing a proxy server can be found at www.antiproxy.com. This site is useful for administrators to see how their network measures up against these techniques.

To enforce use of the caching proxy, you might consider simply setting up a network access policy and trusting your users. In the layout below, the administrator has to trust that his users will not bypass the proxy server.

Figure 3.14: This network relies on trusted users to properly configure their PCs to use the proxy server.

In this case the administrator typically uses one of the following techniques:

• Not giving out the default gateway address through DCHP. This may work for a while, but some network-savvy users who want to bypass the proxy might find or guess the default gateway address. Once that happens, word tends to spread about how to bypass the proxy.

• Using domain or group policies. This is very useful for configuring the correct proxy server settings for Internet Explorer on all computers in the domain, but is not very useful for preventing the proxy from being bypassed, because it depends on a user logging on to the NT domain. A user with a Windows 95/98/ME computer can cancel his log-on and then bypass the proxy, and someone who knows a local user password on his Windows NT/2000/XP computer can log on locally and do the same.

• Begging and fighting with users. This is never an optimal situation for a network administrator.

The only way to ensure that proxies cannot be bypassed is by using the correct network layout, by using one of the three techniques described below.