JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject: Re: proxy list setting for mecguard
From: "Eric R. Warren" <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Thu, 30 Jun 2011 16:28:31 -0400
Content-Type: text/plain
It's sites like http://www.air-proxy.com that are causing issues for the
schools that I work at; sites that don't require browser configuration of
any kind.  If you block one, the kids will find another one.  It's just a
Google search away.

Kyle's idea is excellent, and has been implemented in the content filtering
module built into Sonicwall firewalls.  Just check off "Proxy/Avoidance
Websites" and the device loads a big list of known proxies and starts
blocking them.  If you want to allow one, just whitelist it.

Eric

-----Original Message-----
From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray Soucy
Sent: Thursday, June 30, 2011 4:09 PM
To: [log in to unmask]
Subject: Re: proxy list setting for mecguard

Are HTTP proxies (e.g. ones that require browser configuration) a
common problem for you?  Have you verified that they're using port 80
and that MecGuard doesn't break them already?  If it's not on port 80,
then you might need to look at blocking traffic using Firewall rules.

Secondly, you reference a proxy allow list; can you provide an example
of a legitimate proxy? I can't think of one off the top of my head in
a K12 context.

L7 filtering has proven to not be accurate enough for production use
and our recommendation is to disable it on the Joebox.  It makes use
of the "L7-Filter" kernel module for Linux which does regex pattern
matching on packet payload, but lacks intelligence to determine packet
progression and thus can quickly lead to a lot of false positives (one
example is that many of the L7 filters on the Joebox will block time
updates to time.apple.com).

The focus, for now at least, is to make sure that MecGuard is
providing a reasonable level of filtering in comparison to other
solutions.  Feedback from some would seem to indicate that MecGuard is
currently falling short; and that is something I'm very interested in
and want to have resolved before school starts up again.

On Thu, Jun 30, 2011 at 3:47 PM, Kyle Green <[log in to unmask]> wrote:
> Not everything everything--I'm looking for whitelist/blacklist filtering
> for /proxies alone/ to be added.
> In this scenario, every time JoeBox processes an outbound HTTP request (as
> determined by L7 filtering), it looks to see if the request is to a
> whitelisted proxy.  If it is, it's allowed to proceed to the destination.
> If not, the JoeBox checks to see if it's to a previously auto-blacklisted
> open proxy.  If it is, the connection attempt is blocked.
> If it's not, it's allowed to continue to the final test, which is the
> JoeBox checks to see if the connection attempt is to an open proxy (which
> it can do by trying to use it as one).  If it is an open proxy, the
> connection attempt is blocked and the host:port is written to the
> auto-blacklisted open proxy list (with an expiration date of 1d or so).
> If it's not an open proxy, the connection attempt proceeds to its
> destination.  It's kinda convoluted written out, but I can probably scare
> up a flowchart or something if it still doesn't make sense.
> This wouldn't solve all of them (e.g., the sites that just work as web
> apps so kids can look at Facebook as you said), but it would probably cut
> down on P2P-over-HTTP-proxy traffic in a way that I don't think L7
> filtering alone will do.
>
> On Thursday, June 30, 2011 at 3:15 PM, Ray Soucy wrote:
>
> I'm not exactly clear on what you're asking.
>
> Are you suggesting that we block everything by default and only use
> allow lists to permit access?
>
> You can effectively do this by placing a "." on a line by itself in
> your global block list, then creating entries for the sites you want
> to allow in your allow list.
>
> But coming up with a list of allowed sites would be a pretty big
> challenge unless you want to be really restrictive.
>
> Any usable commercial list for this sort of thing would likely be too
> big to produce reasonable performance as well, which is likely why I'm
> not aware of any that exist.
>
> Most proxy sites used today are just web applications; each being
> different; there isn't really a way to determine if it's an open proxy
> or a proxy site without some AI that doesn't exist yet.
>
> On a side note, the ".xxx" adult content domain has been approved. As
> a result, you might want to stick ".xxx" in your global block list.
>
> On Thu, Jun 30, 2011 at 2:00 PM, Kyle Green <[log in to unmask]> wrote:
>
> It'd be nice if the JoeBox could be configured such that we can whitelist
> acceptable proxies (for legitimate uses of squid or dansguardian or
> whatever), and then it checks every further HTTP request to see if
> it's an open proxy (and caches the result for a day or so).
>
> Can that get put on the feature wish list? It just seems to me that
> relying on set blacklists for this is going to result in us
> perpetually being three steps behind.
>
> Thanks.
>
> On Jun 30, 2011, at 1:49 PM, Ray Soucy <[log in to unmask]> wrote:
>
> Seth,
>
> I contacted MecNet to see if they could look at additional sources for
> their URL lists, and they have made an update.  I've applied the
> update on your Joebox (the rest of users will get the update
> overnight).
>
> Do you notice any change?  Or is it still letting most through?
>
> On Thu, Jun 30, 2011 at 7:47 AM, Seth Thompson <[log in to unmask]> wrote:
>
> I have this enabled and the majority of proxies are still available.
> Seth
>
> On Mon, Jun 27, 2011 at 2:14 PM, Ray Soucy <[log in to unmask]> wrote:
>
> "Sites with proxies to bypass filters" would be the MECguard category.
>  Have you tried enabling this for your group filter lists?  I'm not
> sure how comprehensive the list is...
>
> On Mon, Jun 27, 2011 at 1:48 PM, Ed Bourdeau
> <[log in to unmask]> wrote:
>
> Overall I am very happy with the JoeBox/MecGuard setup.  My number 1
> input for future change is that you add a Proxy settings option to
> MecGuard.  By this I mean a more automated method to block proxies.  If
> you could check a box, and have your choice of black lists that you could
> subscribe to this would make the filtering much more manageable.  Right
> now this is my #1 hole.
>
> Thanks, Ed
>
>
>
> Ed Bourdeau
>
> Director of Technology
>
> Erskine Academy
>
> Tel. 1-207-445-2962-ext 125
>
>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
>
>
>
> --
> Seth H. Thompson
> Technology Director
> Regional School Unit No. 5
> 207-865-4706 x232
>


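The whitelist / auto-blacklist / live-probe flow that Kyle lays out above, written out as an added example (this is illustration code, not anything shipped in JoeBox or MecGuard). The host names, the canary URL and the marker string are assumptions: the live probe sends the candidate a proxy-style request for a page you control and only treats it as an open proxy if the response carries that page's marker, which keeps an ordinary web server that answers any request with its own home page from being flagged. The demo drives the same gate with a fake probe and a fake clock so it runs offline.

```python
"""Proxy-gating flow from the thread: whitelist -> auto-blacklist -> live open-proxy probe."""
import http.client
import time
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

HostPort = Tuple[str, int]
ProbeFn = Callable[[HostPort], bool]  # True if host:port relays a request to a third-party URL

AUTO_BLOCK_TTL = 24 * 60 * 60  # seconds; the thread's "expiration date of 1d or so"


def http_proxy_probe(dest: HostPort, canary_url: str = "http://canary.example.net/",
                     marker: bytes = b"OPEN-PROXY-CANARY", timeout: float = 3.0) -> bool:
    """Live check: send dest a proxy-style request (absolute URL in the request line) and
    see whether it hands back the body of a page we control.  Requiring the marker, not
    just a 2xx, avoids flagging a web server that serves its own page for any request.
    canary_url and marker are assumed values; point them at a host you control."""
    host, port = dest
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", canary_url,
                     headers={"Host": urllib.parse.urlsplit(canary_url).netloc})
        resp = conn.getresponse()
        if not 200 <= resp.status < 300:
            return False
        return marker in resp.read(4096)
    except (OSError, http.client.HTTPException):
        return False  # refused, timed out or garbage: not usable as a proxy
    finally:
        conn.close()


@dataclass
class ProxyGate:
    probe: ProbeFn
    allow: Set[HostPort] = field(default_factory=set)             # whitelisted proxies
    auto_block: Dict[HostPort, float] = field(default_factory=dict)  # host:port -> expiry
    ttl: float = AUTO_BLOCK_TTL
    clock: Callable[[], float] = time.time

    def decide(self, dest: HostPort) -> str:
        """Return 'allow' or 'block' for one outbound HTTP request to dest."""
        if dest in self.allow:
            return "allow"                    # step 1: whitelisted proxy, no further tests
        expiry = self.auto_block.get(dest)
        if expiry is not None:
            if expiry > self.clock():
                return "block"                # step 2: cached open-proxy verdict still valid
            del self.auto_block[dest]         # expired: re-test instead of blocking forever
        if self.probe(dest):                  # step 3: try to use it as a proxy
            self.auto_block[dest] = self.clock() + self.ttl
            return "block"
        return "allow"


def demo() -> Dict[str, object]:
    """Exercise the flow with constructed hosts, a fake probe and a fake clock (no network)."""
    now = [1_700_000_000.0]
    known_open = {("open-proxy.example", 8080)}   # constructed: the one host the fake probe relays through
    probed: List[HostPort] = []

    def fake_probe(d: HostPort) -> bool:
        probed.append(d)
        return d in known_open

    gate = ProxyGate(probe=fake_probe,
                     allow={("squid.school.example", 3128)},
                     clock=lambda: now[0])
    out: Dict[str, object] = {}
    out["whitelisted"] = gate.decide(("squid.school.example", 3128))  # allow, never probed
    out["open_first"] = gate.decide(("open-proxy.example", 8080))     # probed -> block, cached
    out["open_cached"] = gate.decide(("open-proxy.example", 8080))    # block from cache, no probe
    out["plain_site"] = gate.decide(("www.example", 80))              # probed -> allow
    now[0] += AUTO_BLOCK_TTL + 1                                      # a day passes
    out["open_expired"] = gate.decide(("open-proxy.example", 8080))   # cache expired: probed again
    out["probe_count"] = len(probed)                                  # two for the proxy, one for the site
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats the thread itself raises still apply: the probe costs the filter one outbound request per new host:port it sees, so in practice it belongs in a rate-limited background queue keyed on host:port rather than inline on the first connection, and it only recognises hosts that behave as HTTP proxies; the web-application style "proxy" sites Eric names never see a proxy-style request and will pass through this check unchanged.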