Help In-line Proxy

`mongoose

One of Freddy's beloved
Joined
Jan 9, 2004
Messages
957
Hi Guys

Has anyone had any experience using Squid to block/filter in-line proxy usage?

I'm currently running Websense here, which was very successful in blocking unsuitable sites until every fecker started including an in-line proxy on their sites, meaning I've got to block things like iGoogle or watch students just brute-force right through Websense and surf what they like, where they like.

I don't really want to throw more money at this as the cheapest websense solution starts at over £10k + vat and I personally don't think it's worth it if there's good solid open source solutions to hand.

M
 

`mongoose

One of Freddy's beloved
Joined
Jan 9, 2004
Messages
957
Not really.

I have no issue with blocking sites or stuff like that. Websense handles all of our blocking requests and does a great job doing it.

The problem is this....

If I were to, say, visit iGoogle and click the proxy gadget, I would then be able to visit any website that I choose under the HTTPS protocol. HTTPS will pass more or less straight through Websense as it lacks the ability to decrypt the packet and will "see" the connection as being to, say, google.com, which is very difficult for me to block.

We've managed to hide these holes for a while (since discovering them) but now it's pretty common knowledge and students are just using anonymising sites or legitimate sites with proxy/translation tools to just encrypt their traffic right through the filter.

I've heard that some people block the proxying with Squid but have no idea how they're doing this. Websense of course have in their full suite of products an application that will help us do it, but as I said, in these conditions I'm not sure I should be blowing £10-20k to block these sites even if there isn't a way of doing it with Squid or a.n.other cheaper alternative to Websense.

M
 

Scouse

Giant Thundercunt
FH Subscriber
Joined
Dec 22, 2003
Messages
36,691
School students or Uni stoodents? :)
 

Chilly

Balls of steel
Joined
Dec 22, 2003
Messages
9,047
Find the IPs of the proxies and blackhole them. Obviously once they've got an HTTPS tunnel up you're totally powerless unless you want to start playing MITM with SSL, which is probably illegal.
 
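One way to "find the proxies" from what Squid already records, added here as an example and not part of this thread or of Squid's own tooling: the script below runs awk over Squid "native" access.log lines and reports how much of the logged byte count went through CONNECT tunnels, ranks each CONNECT destination by bytes and distinct client IPs, and lists the candidates to blackhole, i.e. destinations that are raw IP literals (how hand-configured proxies usually appear) or that exceed a byte threshold. The embedded log is a constructed sample, not real traffic; the function names, the threshold and the temp-file path are assumptions.

```shell
#!/bin/sh
# Ranks CONNECT (HTTPS tunnel) destinations in a Squid "native" access.log so the
# proxies students tunnel through can be found and blackholed. Assumed names; the
# log below is a constructed sample, not real traffic.
# Native log fields: time elapsed client result/status bytes method url ident hierarchy type

SAMPLE_LOG="${TMPDIR:-/tmp}/squid_sample_access.log"
cat >"$SAMPLE_LOG" <<'EOF'
1199890000.101   120 10.1.2.3 TCP_MISS/200 4000 GET http://www.example.edu/index.html - DIRECT/192.0.2.10 text/html
1199890001.202   950 10.1.2.3 TCP_MISS/200 50000 CONNECT mail.example.com:443 - DIRECT/192.0.2.20 -
1199890002.303    80 10.1.2.4 TCP_HIT/200 2000 GET http://www.example.org/ - NONE/- text/html
1199890003.404 61000 10.1.2.4 TCP_MISS/200 800000 CONNECT 203.0.113.77:443 - DIRECT/203.0.113.77 -
1199890004.505 58000 10.1.2.5 TCP_MISS/200 520000 CONNECT 203.0.113.77:443 - DIRECT/203.0.113.77 -
1199890005.606   700 10.1.2.5 TCP_MISS/200 30000 CONNECT mail.example.com:443 - DIRECT/192.0.2.20 -
1199890006.707   400 10.1.2.5 TCP_MISS/200 10000 GET http://www.example.net/page.html - DIRECT/192.0.2.30 text/html
1199890007.808  9000 10.1.2.3 TCP_MISS/200 584000 GET http://www.example.edu/notes.pdf - DIRECT/192.0.2.10 application/pdf
EOF

# Integer percentage of logged bytes that went through CONNECT tunnels.
https_share() {
  awk '$6 == "CONNECT" { c += $5 } { t += $5 }
       END { printf "%d\n", (t == 0) ? 0 : (c * 100) / t }' "$1"
}

# One line per CONNECT destination: bytes, distinct client IPs, host:port; biggest first.
tunnel_destinations() {
  awk '$6 == "CONNECT" { bytes[$7] += $5; seen[$7 SUBSEP $3] = 1 }
       END { for (k in seen) { split(k, p, SUBSEP); clients[p[1]]++ }
             for (h in bytes) printf "%d %d %s\n", bytes[h], clients[h], h }' "$1" | sort -rn
}

# Destinations worth blackholing: raw-IP tunnels (hand-configured proxies) or anything
# above the byte threshold in $2. Named sites that show up still need a human look.
proxy_candidates() {
  tunnel_destinations "$1" | awk -v min="$2" '
    { split($3, hp, ":")
      if ($1 + 0 >= min + 0 || hp[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $3 }'
}

echo "HTTPS share of bytes: $(https_share "$SAMPLE_LOG")%"
tunnel_destinations "$SAMPLE_LOG"
echo "candidates:"
proxy_candidates "$SAMPLE_LOG" 1000000
```

Run it against the real log (`proxy_candidates /var/log/squid/access.log 1000000`) and feed the IP-literal hits to whatever blackholes them; the named hosts on the list are the igoogle-style cases that need a decision rather than an automatic block.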

`mongoose

One of Freddy's beloved
Joined
Jan 9, 2004
Messages
957
One of the things I'm toying with is just blocking HTTPS on student computers... that would prevent them logging into anything HTTPS related ..

clumsy but effective

M
 

Bob007

Prince Among Men
Joined
Dec 22, 2003
Messages
585
Hehe, I was about to start this with "short of blanket blocking HTTPS...". Sadly it's a losing battle short of implementing a full SSL content filter.

Have you had a look at (or do you use) ufdbGuard for Squid? It's an SSL certificate filtering method. It's probably not the best solution, but if you can use it on students only and warn them it's in use (covering any legal issues and stuff) it might be an option.

http://www.urlfilterdb.com/files/downloads/ReferenceManual.pdf

Interesting read, that. Might be what you're after.

Good Luck, you might need it :)
 

`mongoose

One of Freddy's beloved
Joined
Jan 9, 2004
Messages
957
Oh Christ, if I have to go anywhere near Linux I'll need a lot more than luck! :)

Thanks for that - I'll download the manual and have a read.

Cheers

M
 

Chilly

Balls of steel
Joined
Dec 22, 2003
Messages
9,047
One of the things I'm toying with is just blocking HTTPS on student computers... that would prevent them logging into anything HTTPS related ..

clumsy but effective

M


Not cool imo. You're discouraging people from browsing securely; they won't be able to access online banking or pretty much any other useful personal online service. Even logon pages are often HTTPS (Google's certainly are).
 

`mongoose

One of Freddy's beloved
Joined
Jan 9, 2004
Messages
957
Not cool imo. You're discouraging people from browsing securely; they won't be able to access online banking or pretty much any other useful personal online service. Even logon pages are often HTTPS (Google's certainly are).

It most certainly isn't cool, but then they're not coming here to surf the internet all day. They're also currently (ab)using the rights that they get that allow them to do all this good stuff to waste their time in Facebook or HTTPS tunnelling stuff so they can download illegal content.

Personally I find the idea of web filtering abhorrent but we have a duty of care to students here even if it means protecting them from themselves. We also have to protect ourselves from the consequences of people using our networks to obtain items illegally.

This is a massive issue for any college/school because it's common knowledge now for people who wish to surf completely unfettered. Over 60% of our internet traffic is HTTPS. We're not talking "oh, it's only a few scallywags"; there are a lot of students and possibly staff doing this and the majority of them are not doing it for academic purposes.

M
 

GReaper

Part of the furniture
Joined
Dec 22, 2003
Messages
1,984
Over 60% of our internet traffic is HTTPS.

My one immediate thought from a non-filtering point of view would be to immediately traffic-shape this back down to something which you'd consider a reasonable amount. Chances are the average user who isn't evading your filters is going to have a relatively low amount of traffic going over HTTPS. This could be a quick win in making persistent SSL usage painful if you can implement it properly.
 

Chilly

Balls of steel
Joined
Dec 22, 2003
Messages
9,047
Yeah, rate limiting HTTPS to 20k/sec would be alright: fine for HTTPS websites but piss-poor for crypto filesharing.
 

phlash

Fledgling Freddie
Joined
Dec 24, 2003
Messages
195
I'd agree with the rate limiting approach too - you have a perfectly good argument regarding fair use for everyone. Anything else is either going to be bypassed pretty quickly (TOR anyone?) or overly limiting on valid usage.
 
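Putting the thread's two Squid-side suggestions together (denying the in-line proxy sites and raw-IP CONNECTs that the original question is about, applied to students only as Bob007 suggests, plus the per-client HTTPS rate limit of roughly 20k/sec discussed above), here is an added example that generates a squid.conf fragment. It is not code from this thread or from the Squid project; the file names, the student source range, the blocklist contents and the 20000 bytes/sec figure are assumptions. The fragment repeats the `CONNECT` and `SSL_ports` ACLs that a stock squid.conf already defines so that it is self-contained, and it relies on the stock `all` ACL; it has to be included before the existing `http_access allow ...` lines, and the delay pool part needs a Squid built with delay pools (`--enable-delay-pools` on Squid 2.x).

```shell
#!/bin/sh
# Generates a squid.conf fragment (assumed file names and ranges; not a real site's config):
#  - denies student CONNECT to anything but port 443 and to raw-IP destinations,
#  - denies a list of known in-line proxy/anonymiser domains for students,
#  - rate-limits each student client's CONNECT (HTTPS) bytes via a class-2 delay pool.
# Include the fragment before the existing "http_access allow ..." lines.

write_squid_rules() {
  blocklist=$1   # one domain per line, '#' comments and blank lines allowed
  out=$2         # fragment to write
  students=$3    # source range the rules apply to, e.g. 10.1.0.0/16
  rate=$4        # per-client CONNECT limit in bytes/sec (bucket size set equal)
  {
    printf '%s\n' "# generated in-line proxy rules for $students"
    printf '%s\n' "acl students src $students"
    printf '%s\n' 'acl SSL_ports port 443'
    printf '%s\n' 'acl CONNECT method CONNECT'
    # Leading dot: dstdomain then matches the domain and every subdomain of it.
    awk '{ sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
         /^$/ || /^#/ { next }
         { d = tolower($0); sub(/^\.+/, "", d); print "acl proxy_sites dstdomain ." d }' "$blocklist"
    # CONNECT to a bare IP is what most hand-configured proxy clients use.
    printf '%s\n' 'acl ip_tunnel dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
    printf '%s\n' 'http_access deny students CONNECT !SSL_ports'
    printf '%s\n' 'http_access deny students proxy_sites'
    printf '%s\n' 'http_access deny students CONNECT ip_tunnel'
    # Class 2 pool: aggregate unlimited (-1/-1), each client IP capped at rate/rate.
    printf '%s\n' 'delay_pools 1'
    printf '%s\n' 'delay_class 1 2'
    printf '%s\n' "delay_parameters 1 -1/-1 $rate/$rate"
    printf '%s\n' 'delay_access 1 allow students CONNECT'
    printf '%s\n' 'delay_access 1 deny all'
  } >"$out"
  # Report how many proxy domains were emitted so the caller can sanity-check the list.
  grep -c '^acl proxy_sites dstdomain ' "$out"
}

# Constructed demo inputs (not a real blocklist).
DEMO_LIST="${TMPDIR:-/tmp}/proxy_sites.txt"
DEMO_CONF="${TMPDIR:-/tmp}/squid_proxy_rules.conf"
cat >"$DEMO_LIST" <<'EOF'
# known in-line proxy / anonymiser hosts (constructed examples)
Anonymiser.example
.proxy-gadget.example
EOF
write_squid_rules "$DEMO_LIST" "$DEMO_CONF" 10.1.0.0/16 20000 >/dev/null
cat "$DEMO_CONF"
```

The deny rules only see the host:port in the CONNECT request, so, as the thread already notes, a gadget that tunnels via google.com itself is not caught by the domain list; that case is what the delay pool is for, since 20000 bytes/sec is enough for a login page and useless for filesharing through a tunnel. Check the result with `squid -k parse` before reloading.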
