JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Wed, 24 Nov 2010 15:36:43 -0500
Hi All,

I wanted to drop a note to everyone on the work being done to improve
MECguard, the website filter used by the Joebox.

It's a fairly long email so here are some highlights:

* New Joebox NE software should be ready for production testing next week.

* This update includes a new version of MECguard and production-quality
MECguard SSL.

* MECguard SSL moves from a transparent to a proxy server model.
Requires browser configuration.

* Browser configuration simplified when possible using Web Proxy
Auto-Discovery (WPAD) and Proxy Auto-Configuration (PAC).

* Proxy-based HTTPS filtering is done by web server hostname (e.g.
"www.facebook.com") not full URL filtering (which is not possible
without breaking SSL encryption).

* Option to block HTTPS traffic for groups unless they use the HTTPS
proxy server.


The Joebox software release Networkmaine Edition 12.x will provide a
new version of MECguard.  This long-awaited upgrade provides stronger
group-based filtering (group ordering is now respected, a host will
now always get filtered in the first group that it matches; groups
will always be in the same order that they appear on the web
interface), more stable configuration updates (active connections are
no longer reset when MECguard is restarted), fixes for outstanding
bugs, and improved performance.

This release also introduces a production-quality SSL filter, MECguard
SSL.  The current Joebox SSL filter was a beta feature in an attempt
to see if transparent SSL filtering was possible.  The user experience
for this proved to be unacceptable for production use, and further
work on this method has been abandoned in favor of a proxy-based
solution.

The Joebox now provides the ability to act as an HTTPS proxy server,
and will make filtering determinations on the hostname of the website
requested.  The hostname is the only information provided to the proxy
server from the browser, so more specific URL filtering, or content
filtering for HTTPS is not possible with MECguard SSL (note that it
isn’t possible with any filter without breaking encryption).

Note that only HTTPS filtering makes use of the proxy server model.
Normal HTTP filtering is still transparent and requires no browser
configuration.

Filtering using this method means that MECguard SSL can take advantage
of its existing category lists and apply them to HTTPS requests.  It
also makes it possible to allow or block HTTPS websites using the same
global or group-level block and allow lists by specifying the hostname
you wish blocked.

For example, if you wanted to block access to Facebook for a group,
you could add "facebook.com" to the group-level block list.  This
would block Facebook for both HTTP and HTTPS requests made using
MECguard SSL.
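The two behaviours described above (ordered group matching, and a hostname block-list entry such as "facebook.com" applying to both HTTP and HTTPS), as an added illustration that is not MECguard's own code. Group membership by client IPv4 prefix, and the group, list and host values, are assumptions constructed for the example.

```javascript
// Constructed groups in web-interface order: the first group whose prefix
// matches the client wins, even when a later, broader group also matches.
var GROUPS = [
  { name: "staff",    prefix: "10.1.5.0/24", block: [] },
  { name: "students", prefix: "10.1.0.0/16", block: ["facebook.com"] }
];
var GLOBAL_BLOCK = ["blocked.example"]; // constructed global block list

// True when clientIp falls inside an IPv4 prefix written as "a.b.c.d/bits".
function ipInPrefix(ip, prefix) {
  var parts = prefix.split("/");
  var bits = parseInt(parts[1], 10);
  var toInt = function (s) {
    return s.split(".").reduce(function (n, o) { return n * 256 + (+o); }, 0);
  };
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(parts[0]) & mask) >>> 0);
}

// A list entry matches the host itself and any subdomain of it, so
// "facebook.com" covers "www.facebook.com" but not "notfacebook.com".
function hostMatchesEntry(host, entry) {
  host = host.toLowerCase(); entry = entry.toLowerCase();
  return host === entry || host.slice(-(entry.length + 1)) === "." + entry;
}

function groupFor(clientIp) {
  for (var i = 0; i < GROUPS.length; i++) {
    if (ipInPrefix(clientIp, GROUPS[i].prefix)) return GROUPS[i];
  }
  return null;
}

// request = { clientIp, scheme: "http" | "https", host }. For HTTPS the only
// signal is the hostname from the proxy CONNECT request, so the path is
// never consulted; HTTP is filtered on the same hostname lists here.
function decide(request) {
  var g = groupFor(request.clientIp);
  var lists = GLOBAL_BLOCK.concat(g ? g.block : []);
  for (var i = 0; i < lists.length; i++) {
    if (hostMatchesEntry(request.host, lists[i])) {
      return { action: "block", group: g ? g.name : "none", entry: lists[i] };
    }
  }
  return { action: "allow", group: g ? g.name : "none", entry: null };
}
```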

Without a proxy-based solution HTTPS filtering can only be
accomplished by IP address (which is the method used by Bess).  We do
not have access to a database of inappropriate secure website IP
addresses to block, so this method would have proven to be inadequate
for the majority of our users.

The upside is that you can easily block HTTPS by hostname instead of
keeping track of IP addresses.  The downside is that the browsers
require proxy configuration.

In order to make this easier, the Joebox provides automatic proxy
server configuration through WPAD (Web Proxy Auto-Discovery protocol).
This will allow for most browsers to automatically detect and
configure proxy server information provided by the Joebox (with the
correct exceptions) and has been tested with current versions of
popular browsers.

The only requirement for WPAD to work for your network is that a DNS
record exist under the same domain that your host computers are
configured with.  For example, if the domain name provided to your PC
by DHCP is "something.k12.me.us", you simply need to create a DNS
record for "wpad.something.k12.me.us" to point to "192.0.0.1" (a
special reserved address used by the Joebox).

Some browsers may be set to detect and use proxy servers through WPAD
by default.  For others, you will need to enable the option in the
connection settings (generally the first checkbox or two).  We are
preparing more detailed instructions.

As a last resort, manual configuration can be made using the IP
address of 192.0.0.1 and port 8616 for "Secure" connections only in
your browser.  You will need to add appropriate exceptions to the
exception list so that local services over HTTPS do not get proxied,
including the 192.0.0.1 address which is used by MECguard for the
override login page.
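A Proxy Auto-Configuration (PAC) script that expresses the manual settings above (HTTPS only through 192.0.0.1:8616, everything else direct, with exceptions for 192.0.0.1 and local services), as an added example that is not the Joebox's own WPAD script. The local domain "something.k12.me.us" and the RFC 1918 private ranges used as exceptions are assumptions; the script avoids PAC-only helpers so it also runs under Node for testing.

```javascript
var MECGUARD_SSL_PROXY = "PROXY 192.0.0.1:8616";

// Assumed exceptions: the override login address itself and the site's own
// DNS domain, so local HTTPS services are never sent through the proxy.
var NO_PROXY_HOSTS = ["192.0.0.1"];
var NO_PROXY_DOMAINS = ["something.k12.me.us"];

function hostInDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// RFC 1918 ranges (assumed local): 10/8, 172.16/12, 192.168/16.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  // Only HTTPS uses the proxy model; plain HTTP filtering stays transparent.
  if (url.substring(0, 6).toLowerCase() !== "https:") return "DIRECT";

  var h = host.toLowerCase();
  // Bare hostnames (no dot) are intranet names and stay local.
  if (h.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < NO_PROXY_HOSTS.length; i++) {
    if (h === NO_PROXY_HOSTS[i]) return "DIRECT";
  }
  for (var j = 0; j < NO_PROXY_DOMAINS.length; j++) {
    if (hostInDomain(h, NO_PROXY_DOMAINS[j])) return "DIRECT";
  }
  if (isPrivateIPv4(h)) return "DIRECT";

  // No "; DIRECT" fallback: with "Force MECguard SSL" enabled, HTTPS that
  // bypasses the proxy is blocked anyway, so failing closed is clearer.
  return MECGUARD_SSL_PROXY;
}
```

Served as http://wpad.<your-domain>/wpad.dat, this is what WPAD-enabled browsers would fetch; a browser with the "auto-detect" option off can be pointed at the same URL manually.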

The "Enable MECguard SSL" group-level checkbox has been replaced with
a "Force MECguard SSL" checkbox which will block HTTPS requests unless
they are made using the MECguard SSL proxy.


This is the only way we are able to deliver a reliable and effective HTTPS
filter on the Joebox that can easily be configured and is not
disruptive for normal, allowed, traffic.  Given that it takes time to
verify browsers are set correctly we have offered the option to use
Bess for HTTPS filtering until the end of February break as mentioned
in a recent announcement.

Testing is looking very good so far and we are close to being able to
release this upgrade.  MECguard specifically is looking much, much
better.


-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
