JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From:
Ray Soucy <[log in to unmask]>
Reply To:
Joebox User <[log in to unmask]>
Date:
Mon, 11 Apr 2011 12:22:09 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (316 lines)
This is not totally correct...

1. We can't filter data service on Cell phones (or iPads) brought into
your facility, they connect off our (and your) network and we have no
control over that.

2. We can filter WiFi connections that are on your network behind the
Joebox... To some extent.

HTTP filtering is transparent, and will always happen if enabled,
regardless of the device.

HTTPS is a different story.  It will depend on the ability of the
mobile device to discover and make use of an HTTPS proxy server, or be
manually configured to use a proxy server (e.g. 192.0.0.1 port 8616).

If you use "Force MECguard SSL" it will always block non-proxy HTTPS
requests (on the standard port, 443) since this block is a transparent
redirect like the HTTP filter.

On Mon, Apr 11, 2011 at 12:07 PM, Networkmaine <[log in to unmask]> wrote:
> Hi Seth,
>     It doesn't matter if you're trying to reach an HTTPS site from a computer,
> a phone, or a rock. As long as you're connecting through the Joebox and SSL
> is enabled, the traffic will be filtered.
> Anthony
> Networkmaine Support Center
> University of Maine System
> Maine School and Library Network
>    Communications and Network Services
> (207) 561-3587
> [log in to unmask]
>
>
> On Mon, Apr 11, 2011 at 11:51 AM, Seth Thompson <[log in to unmask]> wrote:
>>
>> Ray,
>> Do you know if MECGuard SSL will work with cell phones, iPads, etc?
>> Thanks,
>> Seth
>>
>> On Fri, Apr 8, 2011 at 12:49 PM, Ray Soucy <[log in to unmask]> wrote:
>>>
>>> No, "Force MECguard SSL" will block _all_ HTTPS traffic (the idea is
>>> that you check this box after you have your browsers setup to use
>>> MECguard for HTTPS as a proxy server to enforce it).
>>>
>>> On Fri, Apr 8, 2011 at 12:36 PM, Jaimie Moores <[log in to unmask]> wrote:
>>> > Does "Force MECGuard SSL" have to be checked in order for the closed
>>> > port rules to work?
>>> >
>>> > Jaimie Moores
>>> > Technology Coordinator
>>> > PowerSchool Administrator
>>> > Machias Memorial High School
>>> >
>>> >
>>> > On Fri, Apr 8, 2011 at 11:34 AM, Ray Soucy <[log in to unmask]> wrote:
>>> >>
>>> >> Facebook currently has 2 IP networks:
>>> >> 1. 66.220.144.0/20
>>> >> 2. 69.63.176.0/20
>>> >>
>>> >> Steps for a Firewall block of Facebook (as opposed to MECguard):
>>> >>
>>> >> Step 1: Create two "Closed Port" rules with the following settings:
>>> >>
>>> >> Rule 1:
>>> >>
>>> >> Description: Facebook
>>> >> Rule Chain: FORWARD
>>> >> Source Type: Firewall Group
>>> >> Source Group: LAN (or whatever group you want blocked)
>>> >> Destination Type: IP/Hostname
>>> >> Destination IP/Hostname: 66.220.144.0/20
>>> >> Protocol: TCP
>>> >> Closed Ports: 80,443
>>> >>
>>> >> Rule 2:
>>> >>
>>> >> Description: Facebook
>>> >> Rule Chain: FORWARD
>>> >> Source Type: Firewall Group
>>> >> Source Group: LAN (or whatever group you want blocked)
>>> >> Destination Type: IP/Hostname
>>> >> Destination IP/Hostname: 69.63.176.0/20
>>> >> Protocol: TCP
>>> >> Closed Ports: 80,443
>>> >>
>>> >> On Fri, Apr 8, 2011 at 11:14 AM, Eric R. Warren <[log in to unmask]> wrote:
>>> >> > That's a useful trick!  Would you mind sharing those Facebook-blocking
>>> >> > settings with us?
>>> >> >
>>> >> > Eric
>>> >> > MSAD 45
>>> >> >
>>> >> > -----Original Message-----
>>> >> > From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray Soucy
>>> >> > Sent: Friday, April 08, 2011 11:08 AM
>>> >> > To: [log in to unmask]
>>> >> > Subject: Re: Joebox Updates
>>> >> >
>>> >> > Linda,
>>> >> >
>>> >> > If you were using the old "MECguard SSL" it would no longer be active
>>> >> > after the upgrade (to my knowledge only a handful of people were
>>> >> > trying to use it because of all the browser errors it would generate).
>>> >> >
>>> >> > The "Force MECguard SSL" option will block SSL requests unless made
>>> >> > using a proxy server, but requires that browsers know about the proxy
>>> >> > server (as described in the MECguard notes I posted a few days ago).
>>> >> >
>>> >> > Other than that, it shouldn't have changed.
>>> >> >
>>> >> > I've created two "Closed Port" rules in your Firewall that will block
>>> >> > web access to the Facebook IP networks, but left them disabled.  You
>>> >> > can enable these rules and restart your firewall if you want to start
>>> >> > blocking access to Facebook over HTTPS.
>>> >> >
>>> >> > I've noticed that you only have one Group for MECguard.  If you block
>>> >> > Facebook using the Firewall you might want to create a "Teachers"
>>> >> > group with the IP addresses of teacher PCs so you can create a rule to
>>> >> > not block Facebook for those users.
>>> >> >
>>> >> > Because you're running a "LOW" Firewall policy, you'll need to apply
>>> >> > the 12.1 software update before Open Port rules to do this will work;
>>> >> > the Software Update can be run at any time.
>>> >> >
>>> >> > Feel free to give support a call if you'd like us to do any of this
>>> >> > for you: 1-888-367-6756
>>> >> >
>>> >> > Sorry about any disruption... The upgrade was a major change and
>>> >> > required a manual process to apply.  Future updates will be provided
>>> >> > through the Software Update tool and be left up to you to apply.
>>> >> >
>>> >> > On Fri, Apr 8, 2011 at 9:38 AM, Linda Chaisson <[log in to unmask]> wrote:
>>> >> >> Ray:
>>> >> >> Previously our students couldn't get to facebook by adding the s to
>>> >> >> http and now they can. Was anything changed?
>>> >> >> Thanks,
>>> >> >> Linda
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> On 4/6/11 1:24 PM, "Ray Soucy" <[log in to unmask]> wrote:
>>> >> >>
>>> >> >> We realize that for many of you it seems like you just upgraded, but
>>> >> >> some of you have been running the code for over a month and have found
>>> >> >> a bug or two.  We have a minor update available.
>>> >> >>
>>> >> >> Feel free to apply this update using the "Software Update" tool on the
>>> >> >> Joebox at your convenience.  This is a non-critical update and can be
>>> >> >> applied at any time.
>>> >> >>
>>> >> >> As always, if you need help running the Software Update utility, or
>>> >> >> encounter any problems, please give us a call: 1-888-367-6756
>>> >> >>
>>> >> >> New packages are labeled 12.1.
>>> >> >>
>>> >> >> Change Log:
>>> >> >>
>>> >> >> 1. A "Reinitialize Firewall" button has been added to the Firewall
>>> >> >> options page.  This button does a forced restart of the Firewall
>>> >> >> service (all rules are flushed and re-added) to recover from the
>>> >> >> Firewall Engine becoming out of sync.  If you run into a situation
>>> >> >> where using this button is the only way to "fix" your Joebox please
>>> >> >> contact us so we can take a look at your configuration and track down
>>> >> >> the invalid rule that is causing problems.
>>> >> >>
>>> >> >> 2. Port Forward rules with protocol "IP" weren't ignoring port fields
>>> >> >> (causing invalid rules).  This is now fixed.
>>> >> >>
>>> >> >> 3. Open Port rules were not being applied when a Firewall policy level
>>> >> >> of LOW was in use.  They should now be applied correctly.
>>> >> >>
>>> >> >> 4. In isolated circumstances, some traffic making use of TCP window
>>> >> >> scaling was being marked as INVALID by connection state tracking and
>>> >> >> being dropped by the Firewall.  This was found to be affecting less
>>> >> >> than 1% of traffic.  This should now be fixed, as TCP window size is
>>> >> >> no longer used to determine packet validity.
>>> >> >>
>>> >> >> 5. Minor update to SNMP to facilitate changes in Joebox monitoring by
>>> >> >> Networkmaine.
>>> >> >>
>>> >> >> 6. Minor UI update to fix changing of static route to be applied
>>> >> >> without reboot.
>>> >> >>
>>> >> >> 7. Minor UI update to allow DHCP service to be disabled if in a failed
>>> >> >> status (e.g. enabled without a valid configuration), mostly to get rid
>>> >> >> of the "red" status indicator for sites not using DHCP on the Joebox.
>>> >> >>
>>> >> >> Linda Chaisson
>>> >> >> Technology Coordinator
>>> >> >> Regional School Unit 16
>>> >> >> C/O PRHS - 1457 Maine Street
>>> >> >> Poland, ME 04274
>>> >> >> 207-998-5400 Ext 103
>>> >> >> [log in to unmask]
>>> >> >>
>>> >> >>
>>> >
>> --
>> Seth H. Thompson
>> Technology Director
>> Regional School Unit No. 5
>> 207-865-4706 x232

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
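The two "Closed Port" rules from the quoted thread, plus the "Teachers" exemption Ray suggests, modelled as an added example (not Joebox code) so the rule ordering can be checked before anything is enabled. It assumes the FORWARD chain is evaluated first-match with a default ACCEPT, that an Open Port rule means ACCEPT, and that the LAN and Teachers address ranges are constructed sample values.

```python
"""First-match model of the Joebox "Closed Port" rules quoted in this thread.
Added example, not Joebox code.  Assumed: FORWARD is evaluated first-match with
a default ACCEPT, an Open Port rule means ACCEPT, and the LAN/Teachers ranges
are constructed sample addresses (Teachers is a subset of LAN)."""
import ipaddress
from dataclasses import dataclass

GROUPS = {  # Firewall groups (constructed sample ranges)
    "LAN": [ipaddress.ip_network("10.10.0.0/16")],
    "Teachers": [ipaddress.ip_network("10.10.5.0/24")],
}
# The two Facebook networks listed in Ray's message.
FACEBOOK_NETS = ["66.220.144.0/20", "69.63.176.0/20"]


@dataclass
class Rule:
    description: str
    action: str        # "closed" (Closed Port rule) or "open" (Open Port rule)
    source_group: str  # Source Type: Firewall Group
    destination: str   # Destination IP/Hostname, given as CIDR here
    protocol: str
    ports: tuple


def matches(rule, src, dst, proto, dport):
    src_ok = any(ipaddress.ip_address(src) in n for n in GROUPS[rule.source_group])
    dst_ok = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination)
    return src_ok and dst_ok and proto == rule.protocol and dport in rule.ports


def forward_decision(rules, src, dst, proto, dport):
    """FORWARD verdict for one packet: first matching rule wins."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return "DROP" if rule.action == "closed" else "ACCEPT"
    return "ACCEPT"  # no match: only TCP 80/443 to those /20s is closed


def facebook_rules(exempt_group=None):
    """Rule 1 and Rule 2 from the thread, optionally preceded by an exemption.
    The exemption has to sit before the block, or first-match drops teacher
    traffic before the Open Port rule is ever reached."""
    rules = []
    if exempt_group:
        for net in FACEBOOK_NETS:
            rules.append(Rule("Facebook allow", "open", exempt_group, net, "TCP", (80, 443)))
    for net in FACEBOOK_NETS:
        rules.append(Rule("Facebook", "closed", "LAN", net, "TCP", (80, 443)))
    return rules
```

Note that this blocks by destination address only, which is why the thread pairs it with the proxy-based MECguard filter: HTTPS to an address outside those two /20s is not touched by these rules.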
