On Thursday, June 30, 2011 at 4:08 PM, Ray Soucy wrote:
Are HTTP proxies (e.g. ones that require browser configuration) a
common problem for you? Have you verified that they're using port 80
and that MecGuard doesn't break them already? If it's not on port 80,
then you might need to look at blocking traffic using Firewall rules.

Secondly, you reference a proxy allow list; can you provide an example
of a legitimate proxy? I can't think of one off the top of my head in
a K12 context.

L7 filtering has proven to not be accurate enough for production use
and our recommendation is to disable it on the Joebox. It makes use
of the "L7-Filter" kernel module for Linux which does regex pattern
matching on packet payload, but lacks intelligence to determine packet
progression and thus can quickly lead to a lot of false positives (one
example is that many of the L7 filters on the Joebox will block time
updates to time.apple.com).

The focus, for now at least, is to make sure that MecGuard is
providing a reasonable level of filtering in comparison to other
solutions. Feedback from some would seem to indicate that MecGuard is
currently falling short; and that is something I'm very interested in
and want to have resolved before school starts up again.
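
The false-positive behaviour described in the message above, as an added example that is not part of the original message: a payload regex applied to any packet flags an NTP time request whose timestamp bytes happen to look like the signature, while a check that also considers transport and position in the flow does not. The signature, the "P2P" protocol, the port numbers and both flows are constructed for illustration and are not real L7-Filter patterns.

```python
import re
import struct

# Hypothetical signature (assumption, not a real L7-Filter pattern):
# byte 0xe3, any four bytes, then an opcode byte 0x01 or 0x4c.
SIG = re.compile(rb"\xe3.{4}[\x01\x4c]", re.DOTALL)


def ntp_request(tx_seconds, tx_fraction):
    """Build a 48-byte NTP client request (LI=0, VN=4, mode=3)."""
    # 4 header bytes, then 11 32-bit words; the last two words are the
    # transmit timestamp, which is effectively arbitrary binary data.
    return struct.pack("!BBBb11I", 0x23, 0, 0, 0,
                       *([0] * 9), tx_seconds, tx_fraction)


# Constructed sample flows.
NTP_FLOW = {
    "proto": "udp", "dport": 123,
    # Timestamp bytes e3 a1 b2 c3 d4 4c collide with the signature.
    "packets": [ntp_request(0xE3A1B2C3, 0xD44C0000)],
}
P2P_FLOW = {
    "proto": "tcp", "dport": 40000,
    "packets": [b"\xe3\x10\x00\x00\x00\x01hello", b"more data"],
}


def classify_stateless(flow):
    """Regex over every payload, with no notion of where the bytes sit."""
    return any(SIG.search(p) for p in flow["packets"])


def classify_flow_aware(flow):
    """Same signature, but only at offset 0 of the first TCP payload.

    Assumption: the hypothetical protocol runs over TCP and sends its
    0xe3 header as the first bytes of the connection.
    """
    if flow["proto"] != "tcp" or not flow["packets"]:
        return False
    return SIG.match(flow["packets"][0]) is not None


if __name__ == "__main__":
    for name, flow in (("ntp", NTP_FLOW), ("p2p", P2P_FLOW)):
        print(name, classify_stateless(flow), classify_flow_aware(flow))
```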