[MACEP] Kids bypassing district filters via proxies
Greg Buchan
gbuchan at yahoo.com
Tue Jun 13 10:05:26 PDT 2006
Hey all,
Can I add my biased 2 cents here? There is one
technology that I work with daily that can open the
SSL/HTTPS traffic and control this traffic by applying
policy from a content filter like Websense.
So, if a student sets up a home/open proxy with SSL
and then they connect to it from inside your network,
that may not matter, because the Blue Coat box opens
the encrypted traffic to prevent going to forbidden
web sites as assigned in the content filter categories.
The Blue Coat System opens the SSL traffic and looks
at the final destination of all SSL traffic. If it is
not prohibited, it allows the traffic through. If the
traffic is going to a category that is not allowed, it
blocks it. Also, you can add an AV scanner to all web
content to prevent malware from being installed on the
network.
The technology is called a ProxySG (Secure
Gateway) with SSL interception turned on.
http://www.bluecoat.com/solutions/security/ssl.html
This technology is running in many school districts
across the world and it does many other cool tricks,
like forcing all web image searches to "safe search".
This means that if you search images in Google and
turn off "safe search", students can look at anything
they want in image form. Try it sometime. The ProxySG
can force this to make all image searches "rated G"
and block bad content.
This is not a cheap solution but the alternative is
not cheap either - letting students pull down viruses,
spyware, and garbage off the internet onto your
environment.
Here is my full disclosure: I am currently the systems
engineer for Blue Coat Systems and help schools deal
with these issues daily. I was a teacher for more than
10 years and still monitor this list because you all
find great solutions for common issues.
Greg Buchan
--- Eric Harrison <eharrison at mail.mesd.k12.or.us>
wrote:
> Jamie McParland wrote:
> > I'm sure we're all dealing with this by now, but we have kids bypassing
> > our district filters by using proxy servers on the net.
> >
> > I see a combination of http and https servers out there and our current
> > blacklist, DG, ipcop isn't doing the trick. Does anyone have any ideas
> > on how to combat this problem other than trying to blacklist each and
> > every proxy that pops up?
> >
> > Thanks,
> > Jamie
> > Newberg Public Schools
>
>
> You could always go to a "white listing" configuration, where you block
> everything by default and permit only specific ports on specific IP
> addresses. Even that is tricky in that the more enterprising students
> may still find a way to tunnel IP - do a search for "ip over DNS" or "ip
> over ICMP" or "ip over <insert just about anything here>". Oh, and we
> see more and more kids bringing their own networks to school... (ip via
> cell phones).
>
> Appended is an email we found useful for explaining to people why adding
> "myspace.com" to the web filters did not magically 100% stop the kids
> from getting there...
>
> -Eric
>
>
>
>
>
> Over the last month, 600 "proxy" web sites have been added to the web
> filter. This is significant in that "proxy" sites are designed
> specifically to evade web filters. Our logs indicate that the desire to
> reach the recently blocked myspace.com is the driving force behind this
> illicit filter evasion behavior.
>
> Many are surprised to learn that students are able to reach myspace.com
> even though it is blocked by the web filters. This has raised many
> questions.
>
>
> Q: How is it possible that students can get to blocked web sites?
>
> A: There are many ways to evade web filters. "Proxy" web sites are
> only one of many ways to evade a web filter.
>
>
> Q: Surely there is a way to stop this!?
>
> A: Proper supervision is the most effective additional means.
>
>
> Q: Is there a way to use technology to make absolutely sure that
> students do not evade the web filters?
>
> A: No, the way Internet technology works it is impossible to 100%
> control how it is used.
>
>
> Q: Can we at least make it more difficult to evade the filters?
>
> A: Yes, but there are three factors that must be considered:
>
> 1. The stricter the access controls, the greater the conflict with
> the Internet's educational value. Language translation tools, such as
> Babelfish, are a valuable educational tool that may also be abused to
> evade web filters. The educational value of such tools is weighed
> against their risk for abuse.
>
> 2. The stricter the access controls, the more difficult it can be to
> detect and prove intent to evade. Raising the bar beyond a certain point
> provides no additional deterrent while decreasing the effectiveness of
> supervision.
>
> 3. The stricter the access controls, the more expensive and labor
> intensive they tend to be. Beyond a point, increased supervision offers
> a better return on investment.
>
>
> Q: Can we just "turn off" the Internet? Won't that stop students from
> accessing inappropriate web sites?
>
> A: In the past, perhaps. Quickly the answer is becoming "no". Many
> students are using their own computing devices and their own Internet
> access at school. Some new cell phones provide excellent web browsing
> capability that operates completely outside of the school's Internet
> infrastructure. Soon such devices and wireless Internet access will be
> ubiquitous.
>
>
> Q: Surely there is something we can do?
>
> A: From a technological point of view, we continue to strive with
> balancing the effectiveness of access controls, expenditures, manpower,
> and maximizing curriculum value. As it has always been, supervision
> of students and consequences for actions will remain the most effective
> deterrent.
>
>
> _______________________________________________
> MACEP mailing list
> MACEP at macep.net
> Archive: http://macep.net/pipermail/macep/
> http://macep.net/mailman/listinfo/macep
>
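The filtering decision discussed in this thread, as an added example (not Blue Coat's code and not part of the original messages): a filter that sees only the tunnel endpoint versus one that reads the decrypted request, the default-deny "white listing" variant, and pinning safe search on image queries. The category table, host names and function names are constructed for illustration, and `safe=active` is assumed as the search-engine parameter that enforces safe search.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed category table and policy; not taken from any real filter product.
CATEGORIES = {
    "myspace.com": "social-networking",
    "google.com": "search-engines",
    "wikipedia.org": "reference",
}
BLOCKED = {"social-networking"}

def category(host):
    """Look up the host, then each parent domain, in the category table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = CATEGORIES.get(".".join(labels[i:]))
        if hit:
            return hit
    return "uncategorized"

def final_destination(tunnel_host, inner_request_line=None):
    """Without interception only the CONNECT target (tunnel_host) is visible.
    With interception the decrypted request line is readable, and a
    proxy-style request names the real site in an absolute URL."""
    parts = (inner_request_line or "").split()
    if len(parts) == 3:
        url = urlsplit(parts[1])
        if url.scheme in ("http", "https") and url.hostname:
            return url.hostname
    return tunnel_host

def decide(tunnel_host, inner_request_line=None, default_deny=False):
    """Return (action, host the policy was applied to, category)."""
    host = final_destination(tunnel_host, inner_request_line)
    cat = category(host)
    blocked = cat in BLOCKED or (default_deny and cat == "uncategorized")
    return ("block" if blocked else "allow", host, cat)

def force_safe_search(url):
    """Pin safe=active on Google search URLs, dropping any client value."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host != "google.com" and not host.endswith(".google.com"):
        return url
    query = [(k, v) for k, v in parse_qsl(u.query, keep_blank_values=True)
             if k != "safe"]
    return urlunsplit(u._replace(query=urlencode(query + [("safe", "active")])))
```

Calling `decide` with only the tunnel host models a filter that cannot open SSL; passing the decrypted request line models interception, and `default_deny=True` models the white-listing configuration.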