"air-proxy.com" is one of the sites included in the proxy URL list (even before the update). Are you making use of it? I'd need to look into the Sonicwall thing; but from what I understand Sonicwall does 100% of its web filtering using databases, such as URL lists; though I believe that Sonicwall recently moved to a model where the database is hosted by them instead of on the Firewall to reduce load on the appliance.

On Thu, Jun 30, 2011 at 4:28 PM, Eric R. Warren wrote:
> It's sites like http://www.air-proxy.com that are causing issues for the schools that I work at; sites that don't require browser configuration of any kind. If you block one, the kids will find another one. It's just a Google search away.
>
> Kyle's idea is excellent, and has been implemented in the content filtering module built into Sonicwall firewalls. Just check off "Proxy/Avoidance Websites" and the device loads a big list of known proxies and starts blocking them. If you want to allow one, just whitelist it.
>
> Eric
>
> -----Original Message-----
> From: Joebox User On Behalf Of Ray Soucy
> Sent: Thursday, June 30, 2011 4:09 PM
> Subject: Re: proxy list setting for mecguard
>
> Are HTTP proxies (e.g. ones that require browser configuration) a common problem for you? Have you verified that they're using port 80 and that MecGuard doesn't break them already? If it's not on port 80, then you might need to look at blocking traffic using Firewall rules.
>
> Secondly, you reference a proxy allow list; can you provide an example of a legitimate proxy? I can't think of one off the top of my head in a K12 context.
>
> L7 filtering has proven to not be accurate enough for production use and our recommendation is to disable it on the Joebox. It makes use of the "L7-Filter" kernel module for Linux which does regex pattern matching on packet payload, but lacks intelligence to determine packet progression and thus can quickly lead to a lot of false positives (one example is that many of the L7 filters on the Joebox will block time updates to time.apple.com).
>
> The focus, for now at least, is to make sure that MecGuard is providing a reasonable level of filtering in comparison to other solutions. Feedback from some would seem to indicate that MecGuard is currently falling short; and that is something I'm very interested in and want to have resolved before school starts up again.
>
> On Thu, Jun 30, 2011 at 3:47 PM, Kyle Green wrote:
>> Not everything--I'm looking for whitelist/blacklist filtering for /proxies alone/ to be added.
>>
>> In this scenario, every time JoeBox processes an outbound HTTP request (as determined by L7 filtering), it looks to see if the request is to a whitelisted proxy. If it is, it's allowed to proceed to the destination. If not, the JoeBox checks to see if it's to a previously auto-blacklisted open proxy. If it is, the connection attempt is blocked. If it's not, it's allowed to continue to the final test, which is the JoeBox checks to see if the connection attempt is to an open proxy (which it can do by trying to use it as one). If it is an open proxy, the connection attempt is blocked and the host:port is written to the auto-blacklisted open proxy list (with an expiration date of 1d or so). If it's not an open proxy, the connection attempt proceeds to its destination. It's kinda convoluted written out, but I can probably scare up a flowchart or something if it still doesn't make sense.
>>
>> This wouldn't solve all of them (e.g., the sites that just work as web apps so kids can look at Facebook as you said), but it would probably cut down on P2P-over-HTTP-proxy traffic in a way that I don't think L7 filtering alone will do.
>>
>> On Thursday, June 30, 2011 at 3:15 PM, Ray Soucy wrote:
>>
>> I'm not exactly clear on what you're asking.
>>
>> Are you suggesting that we block everything by default and only use allow lists to permit access?
>>
>> You can effectively do this by placing a "." on a line by itself in your global block list, then creating entries for the sites you want to allow in your allow list.
>>
>> But coming up with a list of allowed sites would be a pretty big challenge unless you want to be really restrictive.
>>
>> Any usable commercial list for this sort of thing would likely be too big to produce reasonable performance as well, which is likely why I'm not aware of any that exist.
>>
>> Most proxy sites used today are just web applications; each being different; there isn't really a way to determine if it's an open proxy or a proxy site without some AI that doesn't exist yet.
>>
>> On a side note, the ".xxx" adult content domain has been approved. As a result, you might want to stick ".xxx" in your global block list.
>>
>> On Thu, Jun 30, 2011 at 2:00 PM, Kyle Green wrote:
>>
>> It'd be nice if the JoeBox could be configured such that we can whitelist acceptable proxies (for legitimate uses of squid or dansguardian or whatever), and then it checks every further HTTP request to see if it's an open proxy (and caches the result for a day or so).
>>
>> Can that get put on the feature wish list? It just seems to me that relying on set blacklists for this is going to result in us perpetually being three steps behind.
>>
>> Thanks.
>>
>> On Jun 30, 2011, at 1:49 PM, Ray Soucy wrote:
>>
>> Seth,
>>
>> I contacted MecNet to see if they could look at additional sources for their URL lists, and they have made an update. I've applied the update on your Joebox (the rest of users will get the update overnight).
>>
>> Do you notice any change? Or is it still letting most through?
>>
>> On Thu, Jun 30, 2011 at 7:47 AM, Seth Thompson wrote:
>>
>> I have this enabled and the majority of proxies are still available.
>> Seth
>>
>> On Mon, Jun 27, 2011 at 2:14 PM, Ray Soucy wrote:
>>
>> "Sites with proxies to bypass filters" would be the MECguard category. Have you tried enabling this for your group filter lists? I'm not sure how comprehensive the list is...
>>
>> On Mon, Jun 27, 2011 at 1:48 PM, Ed Bourdeau wrote:
>>
>> Overall I am very happy with the JoeBox/MecGuard setup. My number 1 input for future change is that you add a Proxy settings option to MecGuard. By this I mean a more automated method to block proxies. If you could check a box, and have your choice of black lists that you could subscribe to, this would make the filtering much more manageable. Right now this is my #1 hole.
>>
>> Thanks, Ed
>>
>> Ed Bourdeau
>> Director of Technology
>> Erskine Academy
>> Tel. 1-207-445-2962-ext 125
>>
>> --
>> Ray Soucy
>> Epic Communications Specialist
>> Phone: +1 (207) 561-3526
>> Networkmaine, a Unit of the University of Maine System
>> http://www.networkmaine.net/
>>
>> --
>> Seth H. Thompson
>> Technology Director
>> Regional School Unit No. 5
>> 207-865-4706 x232
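The whitelist, then auto-blacklist, then live-probe cascade that Kyle proposes in the thread, with the one-day expiry, as an added example; this is not JoeBox or MecGuard code. The probe that would actually test whether a host relays requests is injected as a callable (a constructed stub below), so the decision logic itself runs offline.

```python
"""Proxy-check cascade: whitelist -> auto-blacklist cache -> probe (added example)."""
import time
from typing import Callable, Dict, List, Set, Tuple

AUTO_BLACKLIST_TTL = 24 * 60 * 60  # "expiration date of 1d or so"


class ProxyPolicy:
    def __init__(self, whitelist: Set[str], probe: Callable[[str], bool],
                 ttl: int = AUTO_BLACKLIST_TTL,
                 clock: Callable[[], float] = time.time):
        self.whitelist = whitelist            # admin-approved "host:port" entries
        self.probe = probe                    # returns True if host:port behaves as an open proxy
        self.ttl = ttl
        self.clock = clock
        self.auto_blacklist: Dict[str, float] = {}   # "host:port" -> expiry timestamp

    def _expire(self) -> None:
        """Drop auto-blacklist entries whose expiry time has passed."""
        now = self.clock()
        for key in [k for k, exp in self.auto_blacklist.items() if exp <= now]:
            del self.auto_blacklist[key]

    def decide(self, host: str, port: int = 80) -> Tuple[str, str]:
        key = f"{host}:{port}"
        if key in self.whitelist:               # step 1: whitelisted proxy, never probed
            return "allow", "whitelisted proxy"
        self._expire()
        if key in self.auto_blacklist:          # step 2: previously detected, no re-probe
            return "block", "auto-blacklisted open proxy"
        if self.probe(key):                     # step 3: live test, cache a positive result
            self.auto_blacklist[key] = self.clock() + self.ttl
            return "block", "open proxy detected; auto-blacklisted"
        return "allow", "not an open proxy"


def demo() -> Tuple[List[str], int]:
    """Constructed walk-through with a fake clock and a fake probe; returns
    the decision trace and how many probes the policy actually issued."""
    now = [0.0]
    calls: List[str] = []

    def probe(key: str) -> bool:
        calls.append(key)                               # count each probe we would have made
        return key.startswith("open-proxy.example")     # constructed: only this host relays

    policy = ProxyPolicy({"cache.example.test:3128"}, probe, clock=lambda: now[0])
    trace = [policy.decide("cache.example.test", 3128)[0],   # allow: whitelisted, no probe
             policy.decide("open-proxy.example")[0],         # block: probed and cached
             policy.decide("open-proxy.example")[0]]         # block: served from cache
    now[0] += AUTO_BLACKLIST_TTL + 1                          # let the 1-day entry expire
    trace.append(policy.decide("open-proxy.example")[0])     # block: expired, probed again
    trace.append(policy.decide("www.example.org")[0])        # allow: probe says not a proxy
    return trace, len(calls)
```

The probe count of 3 for 5 decisions is the point: the whitelist short-circuits the test entirely, and the cache avoids re-probing a known open proxy until its entry expires.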