I would also like to point out that since I finally have the JoeBox filtering working perfectly, both encrypted and non-encrypted, I would be very disgruntled if I had to switch to a different method. :)

Sent from my iPhone

On Jan 26, 2012, at 4:08 PM, David Consalvi wrote:

I am at Shead High School and have pretty good luck with the SSL filtering. I have to individually touch each computer running the MLTI image in order to auto detect proxies for Safari; however, users can set it themselves with Firefox.

A request that I believe is fairly simple, but which would make things very handy, is the inclusion of a sorting feature at the top of pages with lists, for example the DHCP Static IP page. I use static IPs to limit the connectivity of non-authorized devices. In essence, users must register their device with the tech department to receive a valid IP. This has been a simple but effective method for us, since we have such small numbers of systems. It is, however, a nuisance to find a system or IP, since the lists do not sort in any order other than last in - last out.

Thank you
David Consalvi

On Jan 26, 2012, at 1:57 PM, Ray Soucy wrote:

Hi All,

I apologize in advance for the length.

This isn't urgent so please take some time to read it and provide feedback over the next few weeks.

As we work with MECnet on the next release of the Joebox (targeted to be ready for the fall), one of the things we're focusing on is SSL filtering for MECguard. We haven't seen much adoption of the proxy-based method for SSL filtering, so we're looking into the problems with that and how to make it better.

MECnet has provided us with a (rough) proof-of-concept transparent SSL filter.

With this model, the Joebox generates a custom root certificate authority, which it then uses to sign generated SSL certificates on demand for SSL requests. This allows the Joebox to make the SSL request, decrypt the page, check the requested URL (which is normally encrypted), scan the content, and make a filtering determination the same way MECguard does for non-SSL requests today.

This means that filtering of specific URLs, not just domains, as well as page content becomes possible.

Upside:

  • MECguard configuration is normalized between HTTP and HTTPS; blocking something like "www.facebook.com/login.php" will successfully block both types of requests.
  • Log would show full URL for HTTPS requests (e.g. "https://www.facebook.com/login.php?id=banana" rather than "facebook.com" or an IP address).
  • MECguard would be able to scan page content, not just the URL, allowing RTF (keyword content scanning) to work.
  • Antivirus (if included, still in testing) would be able to check SSL content.
  • Doesn't affect browsing for laptops when off network (as having proxy servers configured can sometimes do).

Downside:
  • For users not to get certificate errors in their browser, they would need to install the root CA generated by the Joebox.  Otherwise every request will generate an error.
  • Privacy concerns with the Joebox busting open encryption for SSL requests; would need to notify users that it is happening somehow (note that this process is contained in a single process which decrypts, scans, and encrypts; there is no way for a system administrator to actually see or log the unencrypted content).

Question:

Is the requirement of having to install a custom root CA a show-stopper? If so, for what reasons (too much work to deploy; privacy or ethical concerns; etc.)?

If you don't think you could deploy custom root CAs in your environment, would using OpenDNS instead of MECguard be an acceptable alternative?

The current thinking is that for those who need higher visibility and control than OpenDNS provides, the requirement of installing a custom root CA in the browser is worthwhile. Note that the SSL filtering will work without installing the root CA; it will just generate an SSL error for each website (but only for the first request; the same behavior as websites that use self-signed certificates).

Based on feedback over this year, SSL filtering, an improved log viewer, and firewall stability are currently at the top of our list for changes to the Joebox for the fall.  Your feedback on these topics is very helpful to us.

--
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/