[MACEP] Kids bypassing district filters via proxys
Eric Harrison
eharrison at mail.mesd.k12.or.us
Mon Jun 12 18:02:01 PDT 2006
Jamie McParland wrote:
> I'm sure we're all dealing with this by now, but we have kids bypassing
> our district filters by using proxy servers on the net.
>
> I see a combination of http and https servers out there and our current
> blacklist, DG, ipcop isn't doing the trick. Does anyone have any ideas
> on how to combat this problem other than trying to blacklist each and
> every proxy that pops up?
>
> Thanks,
> Jamie
> Newberg Public Schools

You could always go to a "white listing" configuration, where you block
everything by default and permit only specific ports on specific IP
addresses. Even that is tricky in that the more enterprising students
may still find a way to tunnel IP - do a search for "ip over DNS" or "ip
over ICMP" or "ip over <insert just about anything here>". Oh, and we
see more and more kids bringing their own networks to school... (ip via
cell phones).

Appended is an email we found useful for explaining to people why adding
"myspace.com" to the web filters did not magically 100% stop the kids
from getting there...

-Eric

Over the last month, 600 "proxy" web sites have been added to the web
filter. This is significant in that "proxy" sites are designed
specifically to evade web filters. Our logs indicate that the desire to
reach the recently blocked myspace.com is the driving force behind this
illicit filter evasion behavior.

Many are surprised to learn that students are able to reach myspace.com
even though it is blocked by the web filters. This has raised many
questions.

Q: How is it possible that students can get to blocked web sites?
A: There are many ways to evade web filters. "Proxy" web sites are
only one of many ways to evade a web filter.

Q: Surely there is a way to stop this!?
A: Proper supervision is the most effective additional means.

Q: Is there a way to use technology to make absolutely sure that
students do not evade the web filters?
A: No, the way Internet technology works it is impossible to 100%
control how it is used.

Q: Can we at least make it more difficult to evade the filters?
A: Yes, but there are three factors that must be considered:

1. The stricter the access controls, the greater the conflict with
the Internet's educational value. Language translation tools, such as
Babelfish, are a valuable educational tool that may also be abused to
evade web filters. The educational value of such tools is weighed
against their risk for abuse.

2. The stricter the access controls, the more difficult it can be to
detect and prove intent to evade. Raising the bar beyond a certain point
provides no additional deterrent while decreasing the effectiveness of
supervision.

3. The stricter the access controls, the more expensive and labor
intensive they tend to be. Beyond a point, increased supervision offers
a better return on investment.

Q: Can we just "turn off" the Internet? Won't that stop students from
accessing inappropriate web sites?
A: In the past, perhaps. Quickly the answer is becoming "no". Many
students are using their own computing devices and their own Internet
access at school. Some new cell phones provide excellent web browsing
capability that operates completely outside of the school's Internet
infrastructure. Soon such devices and wireless Internet access will be
ubiquitous.

Q: Surely there is something we can do?
A: From a technological point of view, we continue to strive with
balancing the effectiveness of access controls, expenditures, manpower,
and maximizing curriculum value. As it has always been, supervision
of students and consequences for actions will remain the most effective
deterrent.
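
The default-deny "white listing" setup suggested in the reply above, as an added example that is not part of the original post: a shell script that turns an allowlist into iptables commands for a gateway's FORWARD chain. The allowlist format, the documentation-range addresses and the function names are assumptions made for illustration, and the output assumes an otherwise empty FORWARD chain.

```shell
#!/bin/sh
# Constructed allowlist: "dest-IP proto port  # note". Addresses come from the
# RFC 5737 documentation ranges; they are placeholders, not real services.
ALLOWLIST='
192.0.2.10    tcp 80   # district web server (hypothetical)
192.0.2.10    tcp 443
198.51.100.53 udp 53   # the one DNS resolver clients may reach
203.0.113.999 tcp 80   # malformed on purpose: must be skipped
'

# valid_ip4 ADDR: succeed only for a dotted quad with every octet 0-255.
valid_ip4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
}

# valid_entry IP PROTO PORT: succeed only if all three fields are well formed.
valid_entry() {
    valid_ip4 "$1" || return 1
    case "$2" in tcp|udp) ;; *) return 1 ;; esac
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    [ "$3" -ge 1 ] 2>/dev/null && [ "$3" -le 65535 ] 2>/dev/null
}

# gen_rules: read allowlist lines on stdin and print iptables commands for the
# FORWARD chain. Entries that fail validation are reported on stderr and
# skipped, so a typo can only narrow access, never widen it.
gen_rules() {
    # Replies to connections that were allowed out are let back in.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r ip proto port rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        valid_entry "$ip" "$proto" "$port" || { echo "skipped: $ip $proto $port" >&2; continue; }
        echo "iptables -A FORWARD -p $proto -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log whatever reaches the end of the chain, for the staff who review it.
    echo "iptables -A FORWARD -j LOG --log-prefix 'egress-drop: '"
    # Default deny, set last so the allow rules are in place before it applies.
    echo "iptables -P FORWARD DROP"
}

printf '%s' "$ALLOWLIST" | gen_rules
```

The script only prints the commands for review; it does not change the running firewall.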