I've seen all sorts of people proclaiming that it's impossible to block people from using external web proxies to reach sites (like myspace) without blocking the whole internet.
Why couldn't you...
- Require everybody on your internal network to use YOUR authenticated proxy.
- Block ALL encrypted outgoing activity by default through the proxy (except for authorized individuals). This is to keep somebody from setting up squid at home through a broadband connection and connecting to it via SSL or some other encryption. Basically, if your sniffer does not recognize or can't decipher the traffic, block it.
- Sniff packets at your proxy for your blocked sites (like myspace) and deny them outbound access.
This way anybody trying to access myspace through a public or private external proxy would be stopped cold. Even if they successfully connect unencrypted to a public proxy, your sniffer should be able to sniff the "myspace.com" address from the packets and keep it from going through. Plus you'd have their user ID and IP address on the inside (so you can drop an anvil on them!). In addition, things like SSH would get blocked (due to encryption), so no forward or reverse port forwarding / layer 2 VPN would work.
Are there holes in my Evil(TM) network admin setup? :)
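As an added example (not code from the original post), here is what the three rules above amount to as a decision function at the internal proxy, written in Python: CONNECT tunnels are refused unless the authenticated user is on the authorized list, anything that does not parse as plaintext HTTP is refused, and every host name readable in the plaintext request (Host header, absolute URI, and URLs embedded in a CGI web proxy's query string) is matched against the block list. The user names, domains and sample requests are constructed for illustration.

```python
"""Decision logic for the authenticated-proxy / plaintext-only / hostname-sniffing
setup described in the post.  Added example, not code from the original post;
all users, domains and sample requests below are constructed assumptions."""

import re
from urllib.parse import unquote

# Constructed policy data (assumptions, not from the post).
BLOCKED_DOMAINS = {"myspace.com"}
TLS_AUTHORIZED_USERS = {"alice"}  # the "authorized individuals" allowed to CONNECT

_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")
_HOST_HEADER = re.compile(r"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)
_EMBEDDED_URL = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_blocked(host: str) -> bool:
    """True if host is a blocked domain or a subdomain of one (port suffix ignored)."""
    host = host.lower().strip().rstrip(".").split(":")[0]
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def candidate_hosts(text: str):
    """Every host name the proxy can read in plaintext: the Host header plus any
    URL embedded anywhere in the request after percent-decoding, so a target
    carried in a CGI web proxy's query string (?u=http%3A%2F%2F...) is seen too."""
    hosts = [m.group(1) for m in _HOST_HEADER.finditer(text)]
    hosts += _EMBEDDED_URL.findall(unquote(text))
    return hosts


def decide(user: str, raw: bytes):
    """Verdict for one client request as seen at the internal proxy.
    Returns (verdict, reason) with verdict 'allow' or 'deny'."""
    m = _REQUEST_LINE.match(raw)
    if not m:
        # Not plaintext HTTP the proxy understands (raw TLS ClientHello, SSH banner, ...):
        # the post's rule is "can't decipher it -> block it".
        return "deny", "unrecognised or encrypted traffic"
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("latin-1")
    if method == "CONNECT":
        # Tunnel request: the destination host is still visible in the request line,
        # but nothing after the tunnel is established would be, hence the user check.
        if domain_blocked(target):
            return "deny", f"CONNECT to blocked domain {target}"
        if user not in TLS_AUTHORIZED_USERS:
            return "deny", "encrypted tunnel not permitted for this user"
        return "allow", "CONNECT permitted for authorized user"
    text = raw.decode("latin-1")
    for host in candidate_hosts(text):
        if domain_blocked(host):
            return "deny", f"blocked domain {host} seen in plaintext request"
    return "allow", "plaintext request to permitted host"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("bob", b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("bob", b"GET http://www.myspace.com/ HTTP/1.1\r\nHost: www.myspace.com\r\n\r\n"),
    ("bob", b"GET http://webproxy.example.net/browse.php?u=http%3A%2F%2Fwww.myspace.com%2F HTTP/1.1\r\n"
            b"Host: webproxy.example.net\r\n\r\n"),
    ("bob", b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    ("alice", b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    ("bob", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # first bytes of a TLS ClientHello
]

if __name__ == "__main__":
    for user, raw in SAMPLES:
        verdict, reason = decide(user, raw)
        print(f"{user:6} {verdict:5} {reason}")
```

The third sample is the case the post cares about: the request goes to an unrelated external proxy, but the real destination rides in the query string in plaintext, so percent-decoding the request is enough to catch it. The check can only ever read what is plaintext; once a CONNECT tunnel is allowed, nothing inside it is visible to it, which is why the post limits tunnels to authorized users in the first place.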