
Cloud Firewall: Disable proxies

Last Updated: Mar 31, 2026

Proxies route traffic indirectly between clients, making them a common tool for bypassing network detection. When used inside a corporate cloud environment without authorization, proxies can undermine intrusion prevention system (IPS) rules, access control policies, and threat intelligence rules.

Cloud Firewall includes IPS rules that detect SOCKS5 proxy activity. These rules run in Monitor mode by default. Switch them to Block mode to stop proxy-based threats before they cause damage.

Potential impacts

Leaving proxy traffic unblocked exposes your environment to the following risks:

  • Unauthorized data exfiltration — Employees can use proxies to forward internal data outside the network, evading IPS rules, access control policies, and threat intelligence rules.

  • Internal network intrusion — Attackers can relay traffic through internal networks via proxies, enabling reconnaissance and lateral movement across your infrastructure.

  • Malware propagation — Worms and trojans can use proxies to evade detection by IPS rules, access control policies, and threat intelligence rules.

Block SOCKS5 communication

Switch the SOCKS5-related IPS rules from Monitor to Block mode to prevent proxy-based attacks.

Procedure

  1. Log on to the Cloud Firewall console.

  2. Choose Prevention Configuration > IPS Configuration.

  3. In the Basic Protection section, click Configure.

  4. In the Basic Protection dialog box, change the mode of some or all SOCKS5-related rules from Monitor to Block.

After you switch the rules to Block mode, Cloud Firewall actively drops SOCKS5 proxy traffic, preventing or minimizing the impacts described above.
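
For reference when reviewing what the SOCKS5-related rules flag, the following added example (not Cloud Firewall's rule logic and not code from this documentation) recognises the SOCKS5 opening exchange defined in RFC 1928 in the first payload bytes each side of a flow sends. The function names and sample flows are constructed for illustration.

```python
# Added illustration, not Cloud Firewall rule logic. Sample flows are constructed.
# Layouts follow RFC 1928: client greeting = VER(0x05) NMETHODS METHODS...,
# server method selection = VER(0x05) METHOD.

def parse_client_greeting(data: bytes):
    """Return the offered auth-method bytes, or None if not a SOCKS5 greeting."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    nmethods = data[1]
    # Require the exact length NMETHODS implies; a bare leading 0x05 is too
    # common in other binary protocols to count as a match by itself.
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])

def parse_server_choice(data: bytes):
    """Return the selected method byte, or None if not a method-selection reply."""
    if len(data) != 2 or data[0] != 0x05:
        return None
    return data[1]

def classify_flow(client_first: bytes, server_first: bytes) -> str:
    """Classify a flow from the first payload each side sent."""
    offered = parse_client_greeting(client_first)
    if offered is None:
        return "not-socks5"
    chosen = parse_server_choice(server_first)
    if chosen == 0xFF:
        return "socks5-rejected"      # server accepted none of the offered methods
    if chosen is not None and chosen in offered:
        return "socks5-negotiated"    # both sides completed method negotiation
    return "greeting-only"            # client spoke SOCKS5, peer did not answer in kind

# Constructed sample flows: (label, first client payload, first server payload)
SAMPLE_FLOWS = [
    ("no-auth proxy",    b"\x05\x02\x00\x02", b"\x05\x00"),
    ("proxy refuses",    b"\x05\x01\x00",     b"\x05\xff"),
    ("plain HTTP",       b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    ("non-SOCKS peer",   b"\x05\x01\x00",     b"HTTP/1.1 400 Bad Request\r\n"),
    ("bad length field", b"\x05\x03\x00",     b"\x05\x00"),
]

def triage(flows):
    """Map each flow label to its classification."""
    return {label: classify_flow(c, s) for label, c, s in flows}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_FLOWS).items():
        print(f"{label:18} {verdict}")
```

Requiring both the client greeting and a matching server reply separates a completed proxy negotiation from a stray payload that merely begins with 0x05.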