[MACEP] Kids bypassing district filters via proxys

Greg Collver greg.collver at threerivers.k12.or.us
Tue Jun 13 14:16:43 PDT 2006 

http://blogs.isaserver.org/shinder/2006/02/27/response-assertions-made-by-bl
ue-coat-about-the-isa-firewall/

 

 

 

Greg Collver

IT Manager / Programmer

Three Rivers School District

PO Box 160, Murphy OR 97533

541-862-3111

 

 

-----Original Message-----
From: macep-bounces at macep.net [mailto:macep-bounces at macep.net] On Behalf Of
Greg Collver
Sent: Tuesday, June 13, 2006 2:04 PM
To: macep at macep.net
Subject: RE: [MACEP] Kids bypassing district filters via proxys

 

Sorry, something happened in the transmission, the original message had a

correct link, you will probably need to copy the entire link and paste it in

your browser.

 

http://blogs.isaserver.org/shinder/2006/02/27/response-assertions-made-by-bl

ue-coat-about-the-isa-firewall/

 

 

Greg Collver

IT Manager / Programmer

Three Rivers School District

PO Box 160, Murphy OR 97533

541-862-3111

 

 

-----Original Message-----

From: macep-bounces at macep.net [mailto:macep-bounces at macep.net] On Behalf Of

Richardson, Jim

Sent: Tuesday, June 13, 2006 1:58 PM

To: macep at macep.net

Subject: RE: [MACEP] Kids bypassing district filters via proxys

 

Link does not reach a readable page

 

-----Original Message-----

From: macep-bounces at macep.net [mailto:macep-bounces at macep.net] On Behalf

Of Greg Collver

Sent: Tuesday, June 13, 2006 1:57 PM

To: macep at macep.net

Subject: RE: [MACEP] Kids bypassing district filters via proxys

 

 

http://blogs.isaserver.org/shinder/2006/02/27/response-assertions-made-b

y-bl

ue-coat-about-the-isa-firewall/

 

 

Greg Collver

IT Manager / Programmer

Three Rivers School District

PO Box 160, Murphy OR 97533

541-862-3111

 

 

-----Original Message-----

From: macep-bounces at macep.net [mailto:macep-bounces at macep.net] On Behalf

Of Greg Buchan

Sent: Tuesday, June 13, 2006 10:05 AM

To: macep at macep.net

Subject: Re: [MACEP] Kids bypassing district filters via proxys

 

Hey all,

Can I add my biased 2 cents here. There is one

technologies that I work with daily that can open the

SSL/HTTPS traffic and control this traffic by applying

policy from a Content filter like Websense. 

 

So, if a student sets up a home/open proxy with SSL

and then they connect to it from inside your network-

which my not matter because the Blue Coat box opens

the encrypted traffic to prevent going to forbidden

web site as assigned in the content filter categories.

The Blue Coat System opens the SSL traffic and looks

at the final destination of all SSL traffic. If it is

not prohibited, it allows the traffic through. If the

traffic is going to a category that is not allowed, it

blocks it. Also, you can add a AV scanner to all web

content to prevent malware from being installed on the

network.

The technology is called a ProxySG,(Secure

gateway)with SSL interception turned on.

http://www.bluecoat.com/solutions/security/ssl.html

 

This technology is running in many school districts

across the world and it does many other cool tricks-

like force all web image searches to "safe search".

This means that if you search images in google and

turn off "safe search", students can look at anything

they want in image form. Try it sometime. The ProxySG

can force this to make all image searches "rated G"

and block bad content.

 

This is not a cheap solution but the alternative is

not cheap either - letting students pull down viruses,

spyware, and garbage off the internet onto your

environment.

 

Here is my full disclosure: I am currently the systems

engineer for Blue Coat Systems and help schools deal

with these issues daily. I was a teacher for more then

10 years and still monitor this list because you all

find great solutions for common issues.

 

Greg Buchan

 

 

--- Eric Harrison <eharrison at mail.mesd.k12.or.us>

wrote:

 

> Jamie McParland wrote:

> > I'm sure we're all dealing with this by now, but

> we have kids bypassing

> > our district filters by using proxy servers on the

> net.

> > 

> > I see a combination of http and https servers out

> there and our current

> > blacklist, DG, ipcop isn't doing the trick. Does

> any one have any ideas

> > on how to combat this problem other than trying to

> blacklist each and

> > every proxy that pops up?

> > 

> > Thanks,

> > Jamie

> > Newberg Public Schools

> 

> 

> You could always go to a "white listing"

> configuration, where you block

> everything by default and permit only specific ports

> on specific IP

> addresses. Even that is tricky in that the more

> enterprising students

> may still find a way to tunnel IP - do a search for

> "ip over DNS" or "ip

> over ICMP" or "ip over <insert just about anything

> here>". Oh, and we

> see more and more kids bringing their own networks

> to school... (ip via

> cell phones).

> 

> Appended is an email we found useful for explaining

> to people why adding

> "myspace.com" to the web filters did not magically

> 100% stop the kids

> from getting there...

> 

> -Eric

> 

> 

> 

> 

> 

> Over the last month, 600 "proxy" web sites have been

> added to the web

> filter. This is significant in that "proxy" sites

> are designed

> specifically to evade web filters. Our logs indicate

> that the desire to

> reach the recently blocked myspace.com is the

> driving force behind this

> illicit filter evasion behavior.

> 

> Many are surprised to learn that students are able

> to reach myspace.com

> even though it is blocked by the web filters. This

> has raised many

> questions.

> 

> 

> Q: How is it possible that students can get to

> blocked web sites?

> 

> A: There are many ways to evade web filters. "Proxy"

> web sites are

> only one of many ways to evade a web filter.

> 

> 

> Q: Surely there is a way to stop this!?

> A: Proper supervision is the most effective

> additional means.

> 

> 

> Q: Is there a way to use technology to make

> absolutely sure that

> students do not evade the web filters?

> 

> A: No, the way Internet technology works it is

> impossible to 100%

> control how it is used.

> 

> 

> Q: Can we at least make it more difficult to evade

> the filters?

> 

> A: Yes, but there are three factors that must be

> considered:

> 

>     1. The stricter the access controls, the greater

> the conflict with

> the Internet's educational value. Language

> translation tools, such as

> Babelfish, are a valuable educational tool that may

> also be abused to

> evade web filters. The educational value of such

> tools are weighed

> against their risk for abuse.

> 

>     2. The stricter the access controls, the more

> difficult it can be to

> detect and prove intent to evade. Raising the bar

> beyond a certain point

> provides no additional deterrent while decreasing

> the effectiveness of

> supervision.

> 

>     3. The stricter the access controls, the more

> expensive and labor

> intensive they tend to be. Beyond a point, increased supervision 

> offers a better return on investment.

> 

> 

> Q: Can we just "turn off" the Internet? Won't that

> stop students from

> accessing inappropriate web sites?

> 

> A: In the past, perhaps. Quickly the answer is

> becoming "no". Many

> students are using their own computing devices and

> their own Internet

> access at school. Some new cell phones provide

> excellent web browsing

> capability that operates completely outside of the

> school's Internet

> infrastructure. Soon such devices and wireless

> Internet access will be

> ubiquitous.

> 

> 

> Q: Surely there is something we can do?

> 

> A: From a technological point of view, we continue

> to strive with

> balancing the effectiveness of access controls,

> expenditures, man power,

> and maximizing curriculum value. As it has always

> been, supervision

> of students and consequences for actions will remain

> the most effective

> deterrent.

> 

> 

> _______________________________________________

> MACEP mailing list

> MACEP at macep.net

> Archive: http://macep.net/pipermail/macep/

> http://macep.net/mailman/listinfo/macep

> 

 

 

__________________________________________________

Do You Yahoo!?

Tired of spam?  Yahoo! Mail has the best spam protection around 

http://mail.yahoo.com 

_______________________________________________

MACEP mailing list 

MACEP at macep.net

Archive: http://macep.net/pipermail/macep/

http://macep.net/mailman/listinfo/macep

 

_______________________________________________

MACEP mailing list 

MACEP at macep.net

Archive: http://macep.net/pipermail/macep/

http://macep.net/mailman/listinfo/macep

 

_______________________________________________

MACEP mailing list 

MACEP at macep.net

Archive: http://macep.net/pipermail/macep/

http://macep.net/mailman/listinfo/macep

 

_______________________________________________

MACEP mailing list 

MACEP at macep.net

Archive: http://macep.net/pipermail/macep/

http://macep.net/mailman/listinfo/macep

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mesd.k12.or.us/pipermail/macep/attachments/20060613/d38b0b33/attachment-0001.html

More information about the MACEP mailing list