[MACEP] Kids bypassing district filters via proxys
Greg Buchan
gbuchan at yahoo.com
Wed Jun 14 14:17:46 PDT 2006
Greg,

the blog string is interesting but I feel that both Blue Coat and
Microsoft are being misrepresented or oversimplified, it seems like
they are comparing apples (not Macs) to oranges in the discussion. It
seems overly Marketingized.

I am assuming you want some feedback on this blog. I can only give my
own honest experience since I have worked on squid, IPcop, ISA servers
and Blue Coat products.

First confusion: Blue Coat is not a Firewall and not intended to be
one. What Blue Coat ProxySG provides is Web acceleration and control
using a proxy. What I think Blue Coat was trying to take aim at in the
ISA environment is the ISA Proxying Services running on an
overstressed Firewall configuration.

Every device has its advantages and detractors. For many small
organizations, squid/IPcop/ISA works fine and will get them by.
However, in many larger organizations, they need high performance
boxes they don't need to continually reconfigure or reboot every night
to keep running. These issues are what I hear daily from ISA users who
want a ProxySG, Blue Coat's solution. Personally, I have run ISA
without issue but it was always in a small organization of 20-30
users. I did have to tweak it often and set it to reboot several times
a week, overall it worked fine.

So there are school districts that have 30,000+ users and would need
20-30 ISA boxes to manage the traffic that 4-5 ProxySGs can do. The
SGs are not plug and play, but once configured, they run with few to
no issues. What many organizations see, as Web traffic increases, is
that their firewalls cannot keep up with all the activity when they
are also proxying, caching, content filtering, applying policy, etc.
They often want to get the Proxy off the firewall and they want a
hardened firewall that will perform well.

Now regarding SSL, ISA does SSL services in a reverse proxy
configuration. What we have been talking about is a forward Proxy
architecture. Meaning, a user going out to the internet and needing to
see and apply policy to these connections.

The issue where a student sets up a proxy server at home and logs into
it with SSL (encrypted) and then goes anywhere they want on the web.
The ProxySG can open this traffic and allow or stop the traffic
depending on the policy/authentication of the user.

If anyone is interested, I can show this technology in a webex.

Greg

--- Greg Collver <greg.collver at threerivers.k12.or.us> wrote:

> http://blogs.isaserver.org/shinder/2006/02/27/response-assertions-made-by-blue-coat-about-the-isa-firewall/
>
> Greg Collver
> IT Manager / Programmer
> Three Rivers School District
> PO Box 160, Murphy OR 97533
> 541-862-3111
>
> -----Original Message-----
> From: macep-bounces at macep.net [mailto:macep-bounces at macep.net] On Behalf Of Greg Collver
> Sent: Tuesday, June 13, 2006 2:04 PM
> To: macep at macep.net
> Subject: RE: [MACEP] Kids bypassing district filters via proxys
>
> Sorry, something happened in the transmission, the original message had a
> correct link, you will probably need to copy the entire link and paste it in
> your browser.
>
> http://blogs.isaserver.org/shinder/2006/02/27/response-assertions-made-by-blue-coat-about-the-isa-firewall/
>
> Greg Collver
> IT Manager / Programmer
> Three Rivers School District
> PO Box 160, Murphy OR 97533
> 541-862-3111
>
> -----Original Message-----
> From: macep-bounces at macep.net [mailto:macep-bounces at macep.net] On Behalf Of Richardson, Jim
> Sent: Tuesday, June 13, 2006 1:58 PM
> To: macep at macep.net
> Subject: RE: [MACEP] Kids bypassing district filters via proxys
>
> Link does not reach a readable page
>
> -----Original Message-----
> From: macep-bounces at macep.net [mailto:macep-bounces at macep.net] On Behalf Of Greg Collver
> Sent: Tuesday, June 13, 2006 1:57 PM
> To: macep at macep.net
> Subject: RE: [MACEP] Kids bypassing district filters via proxys
>
> http://blogs.isaserver.org/shinder/2006/02/27/response-assertions-made-by-blue-coat-about-the-isa-firewall/
>
> Greg Collver
> IT Manager / Programmer
> Three Rivers School District
> PO Box 160, Murphy OR 97533
> 541-862-3111
>
> -----Original Message-----
> From: macep-bounces at macep.net [mailto:macep-bounces at macep.net] On Behalf Of Greg Buchan
> Sent: Tuesday, June 13, 2006 10:05 AM
> To: macep at macep.net
> Subject: Re: [MACEP] Kids bypassing district filters via proxys
>
> Hey all,
>
> Can I add my biased 2 cents here. There is one technology that I work
> with daily that can open the SSL/HTTPS traffic and control this traffic
> by applying policy from a Content filter like Websense.
>
> So, if a student sets up a home/open proxy with SSL and then they
> connect to it from inside your network - which may not matter because
> the Blue Coat box opens the encrypted traffic to prevent going to
> forbidden web sites as assigned in the content filter categories.
>
> The Blue Coat System opens the SSL traffic and looks at the final
> destination of all SSL traffic. If it is not prohibited, it allows the
> traffic through. If the traffic is going to a category that is not
> allowed, it blocks it. Also, you can add an AV scanner to all web
> content to prevent malware from being installed on the network.
>
> The technology is called a ProxySG (Secure Gateway) with SSL
> interception turned on.
>
> http://www.bluecoat.com/solutions/security/ssl.html
>
> This technology is running in many school districts across the world
> and it does many other cool tricks - like force all web image searches
> to "safe search". This means that if you search images in Google and
> turn off "safe search", students can look at anything they want in
> image form. Try it sometime. The ProxySG can force this to make all
> image searches "rated G" and block bad content.
>
> This is not a cheap solution but the alternative is not cheap either -
> letting students pull down viruses, spyware, and garbage off the
> internet onto your environment.
>
> Here is my full disclosure: I am currently the systems engineer for
> Blue Coat Systems and help schools deal with these issues daily. I was
> a teacher for more than 10 years and still monitor this list because
> you all find great solutions for common issues.
>
> Greg Buchan
>
> --- Eric Harrison <eharrison at mail.mesd.k12.or.us> wrote:
>
> > Jamie McParland wrote:
> > > I'm sure we're all dealing with this by now, but we have kids
> > > bypassing our district filters by using proxy servers on the net.
> > >
> > > I see a combination of http and https servers out there and our
> > > current blacklist, DG, ipcop isn't doing the trick. Does anyone
> > > have any ideas on how to combat this problem other than trying to
> > > blacklist each and every proxy that pops up?
> > >
> > > Thanks,
> > > Jamie
> > > Newberg Public Schools
> >
> > You could always go to a "white listing" configuration, where you
> > block everything by default and permit only specific ports on
> > specific IP addresses. Even that is tricky in that the more
> > enterprising students may still find a way to tunnel IP - do a search
> > for "ip over DNS" or "ip over ICMP" or "ip over <insert just about
> > anything here>". Oh, and we see more and more kids bringing their own
> > networks to school... (ip via cell phones).
> >
> > Appended is an email we found useful for explaining to people why
> > adding "myspace.com" to the web filters did not magically 100% stop
> > the kids from getting there...
> >
> > -Eric
> >
> >
> > Over the last month, 600 "proxy" web sites have been added to the web
> > filter. This is significant in that "proxy" sites are designed
> > specifically to evade web filters. Our logs indicate that the desire
> > to reach the recently blocked myspace.com is the driving force behind
> > this illicit filter evasion behavior.
> >
> > Many are surprised to learn that students are able to reach
> > myspace.com even though it is blocked by the web filters. This has
> > raised many questions.
> >
> > Q: How is it possible that students can get to blocked web sites?
> >
> > A: There are many ways to evade web filters. "Proxy" web sites are
> > only one of many ways to evade a web filter.
> >
> > Q: Surely there is a way to stop this!?
> >
> > A: Proper supervision is the most effective additional means.
> >
> > Q: Is there a way to use technology to make absolutely sure that
> > students do not evade the web filters?
> >
> > A: No, the way Internet technology works it is impossible to 100%
> > control how it is used.
> >
> > Q: Can we at least make it more difficult to evade the filters?
> >
> > A: Yes, but there are three factors that must be considered:
> >
> > 1. The stricter the access controls, the greater the conflict with
> > the Internet's educational value. Language translation tools, such as
> > Babelfish, are a valuable educational tool that may also be abused to
> > evade web filters. The educational value of such tools is weighed
> > against their risk for abuse.
> >
> > 2. The stricter the access controls, the more difficult it can be to
> > detect and prove intent to evade. Raising the bar beyond a certain
> > point provides no additional deterrent while decreasing the
> > effectiveness of supervision.
> >
> > 3. The stricter the access controls, the more expensive and labor
> > intensive they tend to be. Beyond a point, increased supervision
> > offers a better return on investment.
> >
> > Q: Can we just "turn off" the Internet? Won't that stop students from
> > accessing inappropriate web sites?
> >
> > A: In the past, perhaps. Quickly the answer is becoming "no". Many
> > students are using their own computing devices and their own Internet
> > access at school. Some new cell phones provide excellent web browsing
> > capability that operates completely outside of the school's Internet
> > infrastructure. Soon such devices and wireless Internet access will
> > be ubiquitous.
> >
> > Q: Surely there is something we can do?
> >
> > A: From a technological point of view, we continue to strive with
> > balancing the effectiveness of access controls, expenditures,
> > manpower, and maximizing curriculum value. As it has always been,
> > supervision of students and consequences for actions will remain the
> > most effective deterrent.
> >
> > _______________________________________________
> > MACEP mailing list
> > MACEP at macep.net
> > Archive: http://macep.net/pipermail/macep/
> > http://macep.net/mailman/listinfo/macep