JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Thu, 30 Jun 2011 16:35:10 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (236 lines)

"air-proxy.com" is one of the sites included in the proxy URL list
(even before the update).  Are you making use of it?

I'd need to look into the Sonicwall thing; but from what I understand
Sonicwall does 100% of its web filtering using databases, such as URL
lists; though I believe that Sonicwall recently moved to a model where
the database is hosted by them instead of on the Firewall to reduce
load on the appliance.

On Thu, Jun 30, 2011 at 4:28 PM, Eric R. Warren <[log in to unmask]> wrote:
> It's sites like http://www.air-proxy.com that are causing issues for the
> schools that I work at; sites that don't require browser configuration of
> any kind.  If you block one, the kids will find another one.  It's just a
> Google search away.
>
> Kyle's idea is excellent, and has been implemented in the content filtering
> module built into Sonicwall firewalls.  Just check off "Proxy/Avoidance
> Websites" and the device loads a big list of known proxies and starts
> blocking them.  If you want to allow one, just whitelist it.
>
> Eric
>
> -----Original Message-----
> From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray Soucy
> Sent: Thursday, June 30, 2011 4:09 PM
> To: [log in to unmask]
> Subject: Re: proxy list setting for mecguard
>
> Are HTTP proxies (e.g. ones that require browser configuration) a
> common problem for you?  Have you verified that they're using port 80
> and that MecGuard doesn't break them already?  If it's not on port 80,
> then you might need to look at blocking traffic using Firewall rules.
>
> Secondly, you reference a proxy allow list; can you provide an example
> of a legitimate proxy? I can't think of one off the top of my head in
> a K12 context.
>
> L7 filtering has proven to not be accurate enough for production use
> and our recommendation is to disable it on the Joebox.  It makes use
> the the "L7-Filter" kernel module for Linux which does regex pattern
> matching on packet payload, but lacks intelligence to determine packet
> progression and thus can quickly lead to a lot of false positives (one
> example is that many of the L7 filters on the Joebox will block time
> updates to time.apple.com).
>
> The focus, for now at least, is to make sure that MecGuard is
> providing a reasonable level of filtering in comparison to other
> solutions.  Feedback from some would seem to indicate that MecGuard is
> currently falling short; and that is something I'm very interested in
> and want to have resolved before school starts up again.
>
> On Thu, Jun 30, 2011 at 3:47 PM, Kyle Green <[log in to unmask]> wrote:
>> Not everything everything--I'm looking for whitelist/blacklist filtering for
>> /proxies alone/ to be added.
>> In this scenario, every time JoeBox processes an outbound HTTP request (as
>> determined by L7 filtering), it looks to see if the request is to a
>> whitelisted proxy.  If it is, it's allowed to proceed to the destination.
>> If not, the JoeBox checks to see if it's to a previously auto-blacklisted
>> open proxy.  If it is, the connection attempt is blocked.
>> If it's not, it's allowed to continue to the final test, which is the
>> JoeBox checks to see if the connection attempt is to an open proxy (which it
>> can do by trying to use it as one).  If it is an open proxy, the connection
>> attempt is blocked and the host:port is written to the auto-blacklisted open
>> proxy list (with an expiration date of 1d or so).
>> If it's not an open proxy, the connection attempt proceeds to its
>> destination.  It's kinda convoluted written out, but I can probably scare up
>> a flowchart or something if it still doesn't make sense.
>> This wouldn't solve all of them (e.g., the sites that just work as web apps
>> so kids can look at Facebook as you said), but it would probably cut down on
>> P2P-over-HTTP-proxy traffic in a way that I don't think L7 filtering alone
>> will do.
>>
>> On Thursday, June 30, 2011 at 3:15 PM, Ray Soucy wrote:
>>
>> I'm not exactly clear on what you're asking.
>>
>> Are you suggesting that we block everything by default and only use
>> allow lists to permit access?
>>
>> You can effectively do this by placing a "." on a line by itself in
>> your global block list, then creating entries for the sites you want
>> to allow in your allow list.
>>
>> But coming up with a list of allowed sites would be a pretty big
>> challenge unless you want to be really restrictive.
>>
>> Any usable commercial list for this sort of thing would likely be too
>> big to produce reasonable performance as well, which is likely why I'm
>> not aware of any that exist.
>>
>> Most proxy sites used today are just web applications; each being
>> different; there isn't really a way to determine if it's an open proxy
>> or a proxy site without some AI that doesn't exist yet.
>>
>> On a side note, the ".xxx" adult content domain has been approved. As
>> a result, you might want to stick ".xxx" in your global block list.
>>
>> On Thu, Jun 30, 2011 at 2:00 PM, Kyle Green <[log in to unmask]> wrote:
>>
>> It'd be nice if the JoeBox to be configured such that we can whitelist
>> acceptable proxies (for legitimate uses of squid or dansguardian or
>> whatever), and then it checks every further HTTP request to see if
>> it's an open proxy (and caches the result for a day or so).
>>
>> Can that get put on the feature wish list? It just seems to me that
>> relying on set blacklists for this is going to result in us
>> perpetually being three steps behind.
>>
>> Thanks.
>>
>> On Jun 30, 2011, at 1:49 PM, Ray Soucy <[log in to unmask]> wrote:
>>
>> Seth,
>>
>> I contacted MecNet to see if they could look at additional sources for
>> their URL lists, and they have made an update.  I've applied the
>> update on your Joebox (the rest of users will get the update
>> overnight).
>>
>> Do you notice any change?  Or is it still letting most through?
>>
>> On Thu, Jun 30, 2011 at 7:47 AM, Seth Thompson <[log in to unmask]> wrote:
>>
>> I have this enabled and the majority of proxies are still available.
>> Seth
>>
>> On Mon, Jun 27, 2011 at 2:14 PM, Ray Soucy <[log in to unmask]> wrote:
>>
>> "Sites with proxies to bypass filters" would be the MECguard category.
>>  Have you tried enabling this for your group filter lists?  I'm not
>> sure how comprehensive the list is...
>>
>> On Mon, Jun 27, 2011 at 1:48 PM, Ed Bourdeau
>> <[log in to unmask]> wrote:
>>
>> Overall I am very happy with the JoeBox/MecGuard setup.  My number 1 input
>> for future change is that you add a Proxy settings option to MecGuard.  By
>> this I mean a more automated method to block proxies.  If you could check a
>> box, and have your choice of black lists that you could subscribe to, this
>> would make the filtering much more manageable.  Right now this is my #1
>> hole.
>>
>> Thanks, Ed
>>
>>
>>
>> Ed Bourdeau
>>
>> Director of Technology
>>
>> Erskine Academy
>>
>> Tel. 1-207-445-2962-ext 125
>>
>>
>>
>> --
>> Ray Soucy
>>
>> Epic Communications Specialist
>>
>> Phone: +1 (207) 561-3526
>>
>> Networkmaine, a Unit of the University of Maine System
>> http://www.networkmaine.net/
>>
>>
>>
>> --
>> Seth H. Thompson
>> Technology Director
>> Regional School Unit No. 5
>> 207-865-4706 x232
>>
>
>



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
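The decision flow Kyle Green proposes above (allow list first, then the cached auto-blacklist with a one-day expiry, then an open-proxy test whose result is cached) together with Ray Soucy's note that a "." entry in a list matches every site, as an added illustration that is not code from this thread or from JoeBox/MecGuard. The open-proxy probe is a hypothetical caller-supplied callback, and every hostname is constructed.

```python
import time
from typing import Callable, Dict, Iterable, Tuple

# Hypothetical probe: returns True when host:port behaves as an open proxy.
# How the probe is implemented is the caller's concern; the policy only caches its verdict.
Probe = Callable[[str, int], bool]


def domain_matches(host: str, entry: str) -> bool:
    """List-entry matching as described in the thread: "." matches every host,
    ".xxx" matches any host under that suffix, a bare name matches itself and
    its subdomains."""
    host = host.lower().rstrip(".")
    entry = entry.lower().strip()
    if entry == ".":
        return True
    entry = entry.lstrip(".")
    return host == entry or host.endswith("." + entry)


class ProxyAvoidancePolicy:
    def __init__(self, allow_list: Iterable[str], probe: Probe,
                 ttl_seconds: int = 86400, clock: Callable[[], float] = time.time):
        self.allow = [e for e in allow_list if e.strip()]
        self.probe = probe
        self.ttl = ttl_seconds            # auto-blacklist entries expire after ~1 day
        self.clock = clock                # injectable for testing expiry without waiting
        self.auto_blacklist: Dict[Tuple[str, int], float] = {}  # (host, port) -> expiry

    def _purge_expired(self, now: float) -> None:
        for key in [k for k, exp in self.auto_blacklist.items() if exp <= now]:
            del self.auto_blacklist[key]

    def decide(self, host: str, port: int = 80) -> str:
        """Return the verdict for one outbound HTTP request, in the order proposed."""
        now = self.clock()
        self._purge_expired(now)
        key = (host.lower(), port)
        if any(domain_matches(host, e) for e in self.allow):   # 1. whitelisted proxy
            return "allow:whitelisted"
        if key in self.auto_blacklist:                          # 2. previously auto-blacklisted
            return "block:auto-blacklisted"
        if self.probe(host, port):                              # 3. test it as an open proxy
            self.auto_blacklist[key] = now + self.ttl
            return "block:open-proxy"
        return "allow"
```

The blacklist is held in memory here; on a real appliance it would need to be persisted so the cached verdicts survive a restart.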
