JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Mon, 31 Jan 2011 17:09:45 -0500
Content-Type: text/plain

Quick Instructions:

1. Create (or update) a test group in MECguard that has the IP
addresses of the hosts you want to test.
2. Check the "Force MECguard SSL" box for the group.
3. Set up your browser to point to the proxy configuration script on the Joebox.

In Windows:
Internet Explorer -> Tools -> Internet Options -> Connections -> LAN Settings
Check "Automatically detect settings"
Check "Use automatic configuration script"
Enter "http://192.0.0.1/wpad.dat" into the Address field (there is a
way to avoid typing this in for a larger deployment).

Most browsers will use the system default proxy settings unless
configured otherwise, so this change should apply to Firefox, Chrome,
etc.

On a Mac, pretty much the same thing.  Under System Preferences ->
Network -> Advanced -> Proxies
Check "Auto Proxy Discovery"
Check "Automatic Proxy Configuration"
Enter "http://192.0.0.1/wpad.dat" as the proxy configuration URL.

Once you want to try it on more hosts, you can create a DNS record
that will be discovered by the PC automatically instead of having to
type in the URL.

Create an "A" address record that points to 192.0.0.1 for the hostname
"wpad" and the same domain as your PCs are configured with.  For
example, if they're configured with a domain name of "otsd.lan" create
the DNS record of "wpad.otsd.lan", so that
"http://wpad.otsd.lan/wpad.dat" is reachable.

You'll still have to check the boxes, likely.  But you might be able
to push that out to clients with a script if you have them set up on a
domain.

Give us a call if you have any trouble.

Note that once a PC is set up to use the proxy server it will use it
regardless of whether the Force SSL box is checked or not.  The "Force SSL"
box only blocks the non-proxy traffic.

Enter "facebook.com" in the Block list for the group, sit back, and
watch as your not-so-responsible students get bent out of shape. ;-)

On Mon, Jan 31, 2011 at 4:32 PM, Jef H. HamLin <[log in to unmask]> wrote:
> I'm in.  What would you like me to do?  Would love to cut off https:\\facebook
>
> H
>
> -----Original Message-----
> From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray Soucy
> Sent: Monday, January 31, 2011 4:17 PM
> To: [log in to unmask]
> Subject: MECguard SSL testing
>
> The next Joebox software update seems to be running stable for most testers save a few minor bugs that are being fixed.
>
> One outstanding item that needs testing is the SSL filter.
>
> I am looking for a school that is willing to test this.  This can be tested a few hosts at a time (using MECguard groups).
>
> If interested please contact Networkmaine by phone at 1-888-367-6756 (toll free) or 207-561-3587, or by email at [log in to unmask]
>
>
>
>
> About the SSL filter:
>
> 1. A "Force MECguard SSL" checkbox is provided.  Checking this box will redirect all HTTPS requests (TCP port 443) to a block page unless they are made using the Joebox as a proxy server.
>
> 2. Browsers that are configured to use the Joebox as a proxy server for HTTPS provide the Joebox with the hostname of the requested site (not the full URL).  The Joebox makes a determination based on the hostname (e.g. facebook.com) and either allows the request or re-directs the user to a block page.
>
> 3. The Joebox provides a browser configuration script to properly configure proxy settings on client browsers using WPAD.  The auto-discovery for this is hinted by DNS, and requires that you create a "wpad" host record for the domain you're providing hosts through DHCP.  Some browser configuration is still required, but it's a matter of checking a box, rather than typing settings in, with the use of WPAD.
>
>
>
>
> Management:
>
> The SSL filter uses the same URL lists configured on the Joebox for normal HTTP.  Only entries that are hostname only will be matched.
> For example: "facebook.com" will match, while "facebook.com/" will not.  The pre-defined category lists are already formatted such that hostnames are used for the majority of entries.
>
> SSL makes use of the same override system as HTTP, and is managed in the same way.
>
> The hostname accessed (e.g. facebook.com) will be logged as an SSL request in the MECguard log.
>
>
>
>
> Background:
>
> When a user attempts to access an SSL website, the computer connects to the IP address of the remote server, negotiates an encrypted session, then sends the request, including the requested URL, as an encrypted message.
>
> Because the request is encrypted, there is no way to reliably determine the hostname of the destination website before the certificate is exchanged.
>
> Attempts to intercept the traffic transparently (as we do with normal HTTP traffic) thus result in the browser rejecting the SSL certificate and producing endless SSL error messages.  This isn't usable in a production environment.
>
> The only work-around for this involves installing a custom "root"
> certificate telling every browser to trust the Joebox without question.  This has the unfortunate consequence of introducing a significant attack vector as well as raising some ethical questions about viewing encrypted data (such as credit card numbers or personal records).  This is not within the scope of the Joebox.
>
> Instead, we opted to move to a proxy-based SSL filter.  When a web browser is configured to use an SSL proxy server it provides the proxy server with the hostname of the website requested (not the full URL).
> The proxy server can then make an ALLOW or DENY decision based on the hostname, and choose to either permit the request or re-direct to a block page.  The proxy server in this model does not see unencrypted data, maintaining user privacy.
>
> Like the SSL certificate method, this method also requires some client configuration.
>
> There are other solutions for SSL available.  OpenDNS is a solution that re-writes domain names to point known sites that you wish blocked to a block server.
>
> The old Bess system maintained a database of "bad" IP addresses for SSL websites to block.  This database is proprietary and could not be used for the Joebox.  Bess has the limitation of only being able to block SSL by IP address but the advantage of being a transparent solution.  Unfortunately, Bess is not cost effective to scale to the levels of bandwidth now enjoyed by MSLN participants and is being retired this year.
>
> The MECguard SSL filter in the upcoming release is the official and recommended SSL filter for this year.
>
>
>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
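The quick instructions above point browsers at http://192.0.0.1/wpad.dat (typed in, or discovered through a "wpad" A record in the site's domain). What that file contains is not shown in the message; the following is an added example of a proxy auto-config (PAC) script of the shape the Joebox could serve, written by the editor and not taken from the Joebox. PAC files are JavaScript and normally rely on helper functions the browser supplies, so minimal versions of those helpers are included here and the whole thing runs offline under Node. The proxy port (3128) and the site domain ("otsd.lan") are assumptions for illustration.

```javascript
// Added example, not the Joebox's own wpad.dat: a PAC script that sends only
// HTTPS through the Joebox proxy and leaves everything else DIRECT, plus a
// subset of the standard PAC helper functions reimplemented so it can be
// exercised outside a browser. Proxy port and site domain are assumptions.

var PROXY = "PROXY 192.0.0.1:3128";   // assumed Joebox proxy listener
var LOCAL_DOMAIN = ".otsd.lan";        // assumed site domain handed out by DHCP

// --- standard PAC helpers (subset), reimplemented for stand-alone runs ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;             // "intranet", not "intranet.otsd.lan"
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}
function ipToInt(ip) {                          // dotted quad -> unsigned 32-bit, else null
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}
// Real PAC isInNet() resolves hostnames; this version only accepts IP
// literals (a hostname yields false), which is enough for the RFC 1918 checks.
function isInNet(ip, net, mask) {
  var a = ipToInt(ip), nw = ipToInt(net), m = ipToInt(mask);
  if (a === null || nw === null || m === null) return false;
  return ((a & m) >>> 0) === ((nw & m) >>> 0);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Only HTTPS goes through the proxy: that is what lets the Joebox see the
  // requested hostname (via CONNECT) without breaking the TLS session.
  // Plain HTTP is already filtered transparently, so it stays DIRECT.
  if (url.substring(0, 6).toLowerCase() !== "https:") return "DIRECT";
  // Local names, the site's own domain and private addresses never leave
  // the LAN, so they are not sent through the proxy either.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else must go via the Joebox. No "; DIRECT" fallback: with
  // "Force MECguard SSL" on, a direct port-443 connection only reaches the
  // block page, and with it off the fallback would silently bypass the filter.
  return PROXY;
}
```

Two things to check when deploying something like this: the file must be served with the URL exactly as the browser expects it (http://wpad.<domain>/wpad.dat once the DNS record exists), and "Automatically detect settings" means clients will trust whatever answers for the name "wpad" in their search domain, so that record should exist and be under your control rather than left for someone else on the network to answer.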

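The quoted announcement explains why the SSL filter works as a proxy: a browser configured with an HTTPS proxy tells the proxy the hostname (not the URL) before any encryption starts, the proxy allows or denies on that hostname alone, and only hostname-only entries from the URL lists can apply ("facebook.com" matches, "facebook.com/" does not). The following is an added example of that decision, written by the editor and not Joebox code. The concrete exchange is the browser's CONNECT request; the matching rules (suffix match so "facebook.com" also covers "www.facebook.com", an allow override beating a block entry) and the block-page URL are assumptions, since the message does not spell them out.

```javascript
// Added example, not Joebox code: the ALLOW/DENY decision a hostname-only
// HTTPS proxy filter can make from the browser's CONNECT request. A browser
// with an HTTPS proxy configured opens a plain TCP connection to the proxy
// and sends "CONNECT host:443 HTTP/1.1" before starting TLS, so the proxy
// learns the hostname and nothing else; after answering 200 it relays the
// encrypted bytes blindly. Matching rules and BLOCK_PAGE are assumptions.

const BLOCK_PAGE = "http://192.0.0.1/blocked";   // assumed block page URL

// Parse the CONNECT request line; null for anything that is not a
// well-formed "CONNECT host:port HTTP/1.x".
function parseConnect(requestText) {
  const line = requestText.split("\r\n")[0];
  const m = /^CONNECT\s+([^\s:\/]+):(\d{1,5})\s+HTTP\/1\.[01]$/i.exec(line);
  if (!m) return null;
  const port = Number(m[2]);
  if (port < 1 || port > 65535) return null;
  // Normalise: lowercase, drop a trailing dot so "facebook.com." matches too.
  return { host: m[1].toLowerCase().replace(/\.$/, ""), port };
}

// The SSL filter can only use bare hostnames from the HTTP URL lists:
// "facebook.com" is usable; "facebook.com/" or "http://facebook.com/x" is not.
function hostnameEntries(list) {
  return list
    .map((e) => e.trim().toLowerCase())
    .filter((e) => e.length > 0 && !e.includes("/") && !e.includes(":"));
}

// Exact or subdomain match; "notfacebook.com" must not match "facebook.com".
function hostMatches(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

function decide(host, blockList, allowOverrides) {
  const allowed = hostnameEntries(allowOverrides).some((e) => hostMatches(host, e));
  if (allowed) return "ALLOW";                    // override wins, as for HTTP
  const blocked = hostnameEntries(blockList).some((e) => hostMatches(host, e));
  return blocked ? "DENY" : "ALLOW";
}

// Decide and build the response the proxy writes back to the browser. On
// ALLOW the proxy would now connect to host:port and relay bytes; on DENY it
// answers the CONNECT itself, so no tunnel (and no TLS session) ever exists.
function handleConnect(requestText, blockList, allowOverrides) {
  const req = parseConnect(requestText);
  if (!req) {
    return { decision: "DENY", status: 400, log: "SSL malformed CONNECT",
             response: "HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n" };
  }
  if (req.port !== 443) {                         // only HTTPS tunnels are offered
    return { decision: "DENY", status: 403,
             log: "SSL " + req.host + ":" + req.port + " port not permitted",
             response: "HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n" };
  }
  const decision = decide(req.host, blockList, allowOverrides);
  if (decision === "DENY") {
    return { decision, status: 302, log: "SSL " + req.host + " DENY",
             response: "HTTP/1.1 302 Found\r\nLocation: " + BLOCK_PAGE +
                       "\r\nConnection: close\r\n\r\n" };
  }
  return { decision, status: 200, log: "SSL " + req.host + " ALLOW",
           response: "HTTP/1.1 200 Connection established\r\n\r\n" };
}
```

Two caveats worth knowing. Because the proxy only ever sees "host:443", a list entry with a path can never apply to HTTPS, which is exactly the hostname-only rule in the announcement; and a redirect sent in reply to a CONNECT is not something current browsers follow or render (they treat any non-200 answer to CONNECT as a failed tunnel), so on today's browsers the user sees a connection error rather than the block page, while the DENY decision and its log line are unaffected.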