Re: Kids bypassing firewall via web proxy sites




"Jazz" <jbraly@xxxxxxxxx> wrote in message
news:1142265920.030488.151160@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I work for a K - 12 school.

In my opinion, we have some very fair rules and regulations regarding
internet and computer use.

We use a Sonicwall firewall, 3060, I subscribe to content filtering,
which I love. It keeps out all the horrible junk that kids may
accidentally come across (Or purposely) and it covers our rear.

Due to recent events, and some within the school, I have been ordered
to block myspace.com.

I have several other sites faculty and staff have asked me to block
within the content filtering section of my sonicwall admin page.

However, some students got smart, and searched google for proxy and
anonymous. Thousands of results come up, allowing them to type in any
website they like (including myspace) and surf around on it, bypassing
my firewall.

There is an option in sonicwall that says "Restrict Web Features::" and
I checked "Access to HTTP Proxy Servers" But I am still able to get to
sites via these proxy sites that should be blocked...

Any advice?

Thanks in advance!

Jazz,

THROW OUT your hardware appliance and go with
a software-based solution. Your problem is PROOF
that hardware firewalls are not as good as the type
of setup I use. You will need to put another PC
as your network server, running either Windows
98, ME, SE, NT, XP, 2003, or Vista. Next,
you will need a connection sharing
type program, I recommend AllegroSurf, because
it is a LOT more secure than the solution built
into Microsoft networks. Also, because of the way
it works, there is no POSSIBLE way to bypass
any proxy solution.

Next, you will need to install a software firewall on
your gateway machine, Kerio or Tiny are my
preferred solution for this.

Next, I would recommend getting a program like
CyBlock, which does network proxy and filtering
in one. CyBlock is mostly used in business but
it will run on any gateway machine running any
version of Windows, 2000 or later. This is
another reason you will need to have a software
firewall, such as Tiny, to use with CyBlock, because
of the security hole it has, that can only be closed
with a solution, such as Tiny, that can block by
application on the gateway machine. I find that
I have to tell Tiny or Kerio to restrict incoming
access to my network, and restrict outgoing
access to ports 80 and 443. CyBlock is good,
but a hardware appliance cannot close the
security hole that Wavecrest has not fixed yet,
or use another proxy solution to act as a front-
end. If you can still find it, the old freeware
version of WebWasher will do nicely, plus
you can add your own list of sites you want
to block, in addition to what CyBlock does.
On my network I currently run

AllegroSurf - Acts as network router
Tiny Personal Firewall - Network firewall
CyBlock - Internet filtering
WebWasher - acts as a front end to the CyBlock proxy

If you should require authorized staff to bypass
the filter, you will need a program like ProxyPro,
with authentication, as an unfiltered proxy. I have
two proxies on my network, the filtered proxy,
and the unfiltered ProxyPro proxy, requiring
authentication.

In fact, with CyBlock, MySpace
is already in the filter list. Once you install
CyBlock, just select the category "Society And
Culture", and Myspace.com will be blocked.

Another problem is port 80. They are probably
using proxies on port 80, which are difficult to
block, without blocking all Web access.



Jerry
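
Added example, not part of either post: a log check for the bypass described in the original question, where a request to an allowed web-proxy site carries the blocked destination inside its own URL. The log format, client addresses and proxy host names are constructed, and the base64 handling assumes the proxy script encodes the target that way.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

BLOCKED = {"myspace.com"}  # site named in the thread; extend from your filter list
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Constructed sample lines; assumed format: time client method url status
SAMPLE_LOG = """\
2006-03-13T09:01:12 10.1.4.22 GET http://www.example.edu/library/index.html 200
2006-03-13T09:02:40 10.1.4.57 GET http://webproxy.example/browse.php?u=http%3A%2F%2Fwww.myspace.com%2Fhome 200
2006-03-13T09:03:05 10.1.4.57 GET http://anon.example/index.php?q=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8= 200
2006-03-13T09:04:31 10.1.4.80 GET http://www.myspace.com/ 403
"""

def is_blocked(host, blocked=BLOCKED):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def candidate_strings(url):
    """Yield decoded path/query strings that may hide the real destination."""
    parts = urlsplit(url)
    values = [unquote(parts.path)] + [v for _, v in parse_qsl(parts.query)]
    for v in values:
        yield v
        try:  # assumption: some proxy scripts base64-encode the target URL
            padded = v + "=" * (-len(v) % 4)
            yield base64.b64decode(padded, validate=True).decode("utf-8")
        except ValueError:  # not base64, or not text once decoded
            pass

def flag_proxy_requests(log_text, blocked=BLOCKED):
    """Return (client, outer_host, hidden_host) for proxied blocked destinations."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        outer = urlsplit(url).hostname or ""
        if is_blocked(outer, blocked):
            continue  # direct request, already handled by the content filter
        for text in candidate_strings(url):
            hits += [(client, outer, h.lower())
                     for h in HOST_RE.findall(text) if is_blocked(h, blocked)]
    return hits

if __name__ == "__main__":
    print(*flag_proxy_requests(SAMPLE_LOG), sep="\n")
```

This covers only plain, percent-encoded and base64 forms of the target; a proxy that obfuscates the destination some other way, or runs over HTTPS without inspection, will not show up in URL logs like these.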


