Kids bypassing firewall with proxy sites


jbraly

I posted this in the comp.security.firewalls group, but got smart @$$
answers from people too proud to say "I don't know"... so I will post
here...


I work for a K-12 school.

In my opinion, we have some very fair rules and regulations regarding
internet and computer use.


We use a Sonicwall firewall, 3060, I subscribe to content filtering,
which I love. It keeps out all the horrible junk that kids may
accidentally come across (or purposely) and it covers our rear.


Due to recent events, and some within the school, I have been ordered
to block myspace.com.


I have several other sites faculty and staff have asked me to block
within the content filtering section of my sonicwall admin page.


However, some students got smart, and searched google for proxy and
anonymous. Thousands of results come up, allowing them to type in any
website they like (including myspace) and surf around on it, bypassing
my firewall.


There is an option in sonicwall that says "Restrict Web Features::" and
I checked "Access to HTTP Proxy Servers", but I am still able to get to
sites via these proxy sites that should be blocked...


Any advice?


Thanks in advance!
 
Microsoft Shared Computer Toolkit for Windows XP
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

 
Consider locking down the computers themselves more..

Microsoft Shared Computer Toolkit
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

And an interesting review on it..
http://testing.onlytherightanswers.com/modules.php?name=News&file=article&sid=38
 
got smart @$$ answers [...] to block myspace.com [...] some students got
smart, and searched google for proxy and anonymous [...] I checked "Access
to HTTP Proxy Servers"
But I am still able to get to sites via these proxy sites that should
be blocked...

It's a different kind of proxy. Preventing students who know enough to
do that search from getting to specific websites is, I think, going to
mean setting up a DMZ and whitelisting, not blacklisting. You'll have
to do it at the DMZ'd proxy not the clients, unless you also want to
whitelist programs on every student-accessible client that can connect
to your net.

That'll give you no more than CYA defense against the hysteria if some
uneducated and unwary and bold and unlucky child learns the hard way.
At least the child's mistake won't have happened using your equipment.

Jim
 
Well, the problem is that you really can't block access to these
proxies, because most of them run on port 80. Basically they're just
using a website to access another website. However, I believe that it
should be possible to block myspace by blocking URLs that contain the
word "myspace".

I don't know if this article applies to your sonicwall, but it might
give you some insight into something you could try:
http://www.cisco.com/univercd/cc/td...000/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/filter.htm

Also, I would block all outbound ports except 80 (http) for student
machines. They shouldn't need anything else. If they do, they can be
opened on a per-case basis. Consider blocking access to the Internet
Options control panel as well.
 
I posted this reply in the firewall group, you didn't reply, and I don't
think there was anything smart a$$ about my reply:

We do the same thing with companies, not with EDU's (yet) and have done
it via several means - first rule, block ALL internet access, no open
access at all (at least for the kids). If you want an adult to have
additional access, then set up a means for the adult to be under a
different set of rules (we authenticate with the firewall and then
permit the group the user is defined in to have X access for HTTP,
other groups have Y access....).

Now, for the "public" (default internet access), you can employ a white
list and a request feature - where certain domains are approved at your
own default choices, where sites that are blocked redirect the user to a
request form that is submitted to your firewall admin for approval (or
rejection).

If you implement the above, they won't be able to get to rogue proxy
sites as they won't be in your approved list by default.
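
The default-deny design described in the reply above, next to the default-allow blacklist from the original post, as an added example (not code from the thread and not SonicWall configuration). Every hostname, group name and the request-form URL is constructed for illustration.

```python
from urllib.parse import quote, urlsplit

# Constructed values: none of these hosts, groups or URLs come from the thread.
REQUEST_FORM = "http://filter.school.example/request"
BLACKLIST = {"myspace.com"}          # default-allow list, as in the original post
ALLOWLIST = {                        # default-deny lists, one per firewall group
    "students": {"school.example", "encyclopedia.example"},
    "staff": {"school.example", "encyclopedia.example", "news.example"},
}


def host_matches(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def blacklist_decision(url):
    """Default-allow: only the request's own hostname is checked."""
    host = urlsplit(url).hostname or ""
    return "BLOCK" if host_matches(host, BLACKLIST) else "ALLOW"


def allowlist_decision(url, group):
    """Default-deny: unlisted hosts and unknown groups go to the request form."""
    host = urlsplit(url).hostname or ""
    if host and host_matches(host, ALLOWLIST.get(group, set())):
        return ("ALLOW", url)
    return ("REDIRECT", REQUEST_FORM + "?host=" + quote(host))


# Constructed requests. The second is a web proxy site: the firewall sees
# only the proxy's hostname, which is why the blacklist lets it through.
SAMPLES = [
    ("students", "http://www.myspace.com/"),
    ("students", "http://webproxy.example/browse?u=http://www.myspace.com/"),
    ("students", "http://encyclopedia.example/wiki/Firewall"),
    ("students", "http://news.example/today"),
    ("staff", "http://news.example/today"),
]


def compare(samples=SAMPLES):
    """Return (group, url, blacklist verdict, allowlist verdict) per request."""
    return [(g, u, blacklist_decision(u), allowlist_decision(u, g)[0])
            for g, u in samples]


if __name__ == "__main__":
    for row in compare():
        print("%-8s %-58s blacklist=%-5s allowlist=%s" % row)
```
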
 
I would contact Sonicwall support to ask them if they can help. Microsoft
ISA 2004 can be a lot more flexible in managing user access to websites and
has some very powerful capabilities for http filtering and access levels
based on group membership though more than likely that would not be an
option since you already have invested in a firewall. You also could try
adding IP addresses of unauthorized websites to your firewall blocked list
to see if that would help. You can use nslookup [see example below] to help
find the IP addresses though you may need to try it a couple times as some
websites have several IP addresses. --- Steve

D:\Documents and Settings\Steve>nslookup
Default Server: ns6.attbi.com
Address: 63.240.76.4
myspace.com
Server: ns6.attbi.com
Address: 63.240.76.4

Non-authoritative answer:
Name: myspace.com
Addresses: 63.208.226.41, 63.208.226.40, 63.208.226.43, 63.208.226.42
myspace.com
Server: ns6.attbi.com
Address: 63.240.76.4

Non-authoritative answer:
Name: myspace.com
Addresses: 63.208.226.43, 63.208.226.42, 63.208.226.41, 63.208.226.40
myspace.com
Server: ns6.attbi.com
Address: 63.240.76.4

Non-authoritative answer:
Name: myspace.com
Addresses: 63.208.226.42, 63.208.226.41, 63.208.226.40, 63.208.226.43
 
One other thing would be to check the install permissions; the standard user
SHOULD NOT have any installation rights. As long as you leave this hole open,
the kids (and possibly staffers) will use it to circumvent security. Check
group policy and domain policy to make sure that this is closed. Also make
sure that only the ports that you need are open on your firewall and
routers; close all others to all traffic. This will stop them using
nonstandard ports for access with the anon surfing tools and other things.

Jon
Steven L Umbach said:
I would contact Sonicwall support to ask them if they can help. Microsoft
ISA 2004 can be a lot more flexible in managing user access to websites and
has some very powerful capabilities for http filtering and access levels
based on group membership though more than likely that would not be an
option since you already have invested in a firewall. You also could try
adding IP addresses of unauthorized websites to your firewall blocked list
to see if that would help. You can use nslookup [see example below] to help
find the IP addresses though you may need to try it a couple times as some
websites have several IP addresses. --- Steve

D:\Documents and Settings\Steve>nslookup
Default Server: ns6.attbi.com
Address: 63.240.76.4
myspace.com
Server: ns6.attbi.com
Address: 63.240.76.4

Non-authoritative answer:
Name: myspace.com
Addresses: 63.208.226.41, 63.208.226.40, 63.208.226.43, 63.208.226.42
myspace.com
Server: ns6.attbi.com
Address: 63.240.76.4

Non-authoritative answer:
Name: myspace.com
Addresses: 63.208.226.43, 63.208.226.42, 63.208.226.41, 63.208.226.40
myspace.com
Server: ns6.attbi.com
Address: 63.240.76.4

Non-authoritative answer:
Name: myspace.com
Addresses: 63.208.226.42, 63.208.226.41, 63.208.226.40, 63.208.226.43



 
no, your reply was awesome... the guy who answered me with "Forget it"
was kind of smart @$$
 
VB's like that - always telling people how nothing they do to protect
their networks is really going to work and that you have to "educate"
and trust users and that everyone is entitled to complete/open/free
access to the internet from work/school.
 
I am all about privacy, but I work for a private school... these are
OUR computers and OUR T1 line... I tell the kids do whatEVER you want
at home, but not here.
 
And if you combine that with very limited access to the internet you
will have a lot less in the way of support calls and security threat
exposures.
 