MarcHelfand
asked on
website blocking issue - for my high school lab
hi, it's magic marc here.
got a situation about blocking websites:
we have a sonicwall 170 model firewall, with the content filter enabled.
the students are using 'proxy servers' to get to websites we've blocked on the sonicwall, i.e. myspace.com
and I'm on top of blocking them as well, however one of them is as follows and I cannot seem to block it.
https://hidebehind.net/
I've tried to enter the actual word hidebehind.net in the 'keyword blocking' section of the sonicwall, and that doesn't work properly.
also, I've attempted to block ('deny') the https services from being allowed outbound, but then the teachers and staff could not log into their email accounts online for the school email systems (not hotmail, gmail, etc.) as they use https protocol services...?
ideas?
how can I use the hosts or lmhosts file to simply send the browser to a blank page or something?
thanks
marc
so, my questions
just deny all outbound traffic to these two IP addresses: 64.72.123.156, 64.72.125.239
You could also modify the HOSTS file. Point the URL to a bogus address such as 127.0.0.1 (Home).
You could also modify IE locally to block the offending web site or others.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q267930
David
ASKER
hi, thanks for the IP addresses, however the systems still go to the website. I entered both the IP address and the https://IP address in the forbidden domains list.
if I type the IP address into the address bar, the browser won't go to it. but when we type https://hidebehind.net
then it still goes there.
thanks
marc
Want my suggestion...
Get some old, somewhat decent pII 1.2 GHz or better machine, install IPCop + DansGuardian, and once you block a site that way, there isn't a lot they can do to get around it. It's easy, it works and it's slick as snot.. Just put it behind your SonicWall; it will work great!
I let my 5-year-old surf the web UNattended most of the time because it works THAT well.
Joshua
Just for the record, I meant to type piii not pii.
Petelong is correct.
however, I think you misunderstood him. He didn't mean to block the IP address as a keyword or domain....he means add a deny RULE to either the firewall or outermost router.
You could use the HOSTS file, but they might figure that one out.
I really don't understand why just adding www.hidebehind.net didn't work for you though...I would think that should work, just adding that as a banned domain....unless you didn't put the www.* in the blocking rule.
I could be wrong, but couldn't you put an entry into the DNS server pointing to a different IP?
ASKER
hi, thanks all.
I'll try a few of these tomorrow morning, or actually Monday morning.
I'll add the IP to the deny list.
when you add to the restricted domains, it adds the http, but not the https: for some reason it doesn't work.
I'd like to try that DansGuardian, what is that?
I'll update on Tuesday or so.
magically
marc
The sonicwall is only capturing port 80/http traffic...
What we do is the following:
If you are providing an internal DNS (likely on your Windows 2003 Domain Controller), create a new zone called hidebehind.net. Do NOT create any sub records.
Any normal PC using your network will fail to connect to servers in hidebehind.net. You can also use Active Directory to lock down the PCs so the students can't use their own DNS servers to avoid your block.
You can also enter the IP numbers for hidebehind.net in your sonicwall as a "blocked" host... but remember that the IP numbers change... so what is blocked today will become unblocked tomorrow.
Good luck!
-aj
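An added example (not code from the thread or from any product named in it) for the caveat above that the proxy site's addresses change: resolve the blocked names on a schedule, compare with yesterday's list and report which per-address deny rules to add and which have gone stale. The iptables syntax is an assumption for a Linux filter box such as the IPCop machine suggested earlier; the resolver and the address 198.51.100.7 are constructed sample data.

```python
"""Keep a per-address deny list in step with a proxy site's changing DNS records."""
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

# A resolver maps a hostname to the set of IPv4 addresses it currently has.
Resolver = Callable[[str], Set[str]]


def resolve_all(hostname: str) -> Set[str]:
    """Every IPv4 address currently published for hostname; empty if it does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def current_addresses(hostnames: Iterable[str], resolve: Resolver = resolve_all) -> Dict[str, Set[str]]:
    """Resolve each blocked site in both its bare and www. form, keyed by the bare name."""
    found: Dict[str, Set[str]] = {}
    for name in hostnames:
        bare = name[4:] if name.startswith("www.") else name
        found[bare] = resolve(bare) | resolve("www." + bare)
    return found


def plan_rule_changes(previous: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Return (rules to add, rules now stale) so the deny list matches today's addresses.

    Rule syntax is iptables on a Linux filter box (an assumption); a SonicWall takes the
    same addresses through its deny rules instead. Stale rules are reported rather than
    silently dropped, since the old address may still answer. Note that blocking by
    address also blocks any other site hosted on the same address.
    """
    old_ips: Set[str] = set().union(*previous.values())
    new_ips: Set[str] = set().union(*current.values())
    add = [f"iptables -A FORWARD -d {ip} -j DROP" for ip in sorted(new_ips - old_ips)]
    stale = [f"iptables -D FORWARD -d {ip} -j DROP" for ip in sorted(old_ips - new_ips)]
    return add, stale


def constructed_resolver(hostname: str) -> Set[str]:
    """Constructed stand-in for DNS: one address from the thread kept, one new one appeared."""
    if hostname.endswith("hidebehind.net"):
        return {"64.72.123.156", "198.51.100.7"}  # 198.51.100.7 is a made-up documentation address
    return set()


if __name__ == "__main__":
    # Yesterday's list uses the two addresses quoted earlier in the thread.
    yesterday = {"hidebehind.net": {"64.72.123.156", "64.72.125.239"}}
    today = current_addresses(["www.hidebehind.net"], resolve=constructed_resolver)
    to_add, stale = plan_rule_changes(yesterday, today)
    print("\n".join(to_add + stale))
```

Run it from cron with the real resolver (drop the `resolve=` argument) and persist today's dictionary for the next comparison.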
as soon as you block this site they will find another.
the only two solutions that will work long term are either a white list, or policy backed up by butt kicking.
a white list:
make a list of sites you want to give access to. everything else is blocked.
rather than a block list that needs adding to every day.
be warned that allowing access to google can let them access google's cache of sites you block.
policy:
make it well known that some kinds of sites are not to be accessed from the network.
wait for a few days till you catch someone, make an example of them for the world to see.
to stop people getting to sites you don't want them getting to is a massive job. i have stepped around every black list i have ever seen. there are many tricks to bypass a filter. there are few ways to avoid a butt kicking admin :-)
remember that the only secure computer is one that is not connected to the Internet, that's why i use Telecom ADSL :-)
Use DansGuardian, I am telling you nothing I have found compares.
Also, why aren't your students segmented away from the teachers? Giving the students access to the same things as teachers isn't something I would do.
http://dansguardian.org/
http://ipcop.org/
Joshua
The problem with IPCOP and Dan's Guardian is that you still have to keep track of the IP addresses and sites you want to block. Twice the work. The admin will not only have to spend their day trying to track what web sites and content to block but also what proxy servers the students are using and add them to the Black List. Another thing: Dan's Guardian can't work if it can't see the content; proxy servers render Dan useless by encrypting traffic with SSL.
The simple solution is to block all ports except for port 80 on the student network. Then using the content filter already present in Sonicwall or implementing Dan's Guardian becomes more effective because the admin only has to track the content they want filtered since it will all be open text.
As a practice create a combination of URL and Keyword filters. The Keyword filters should be broad and don't worry about blocking legit sites, it's easier to add a legit site to a White List than it is to track unwanted sites. Also the implications of a student getting to an unwanted site on the school network are far more damaging.
***NOTE: While this solution is not foolproof it does make securing and managing security easier.
-Cloz
DansGuardian will block an SSL encrypted site if it's listed in the block list. However, if it's a new unblocked proxy of course it will allow that encrypted traffic through. However, I would segment the teachers from the students and block all websites EXCEPT those that I allow.. This way you simply do not have to worry about it.
Joshua
I just briefly went through the responses here and from what I can tell no one has suggested a product like Blue Coat, which categorises web sites dynamically; in this way you could block all access to sites that are anonymous proxies, SOCKS proxies and so on.
the policies that can be implemented using this product can restrict access based on a variety of factors and it can be run as an inline proxy in conjunction with the existing solution in place. the web filtering capabilities are very good and frequently updated, with a relatively low cost.
Hi, how many users are you speaking of?
Websense is a content filtering tool & service, with very easy deployment, and you can spend around 30 bucks a year. It's deployed in 2 or 3 hours, and is updated several times a day.
Policies are very easy to define and maintain.
www.websense.com
regards
GoofytoUy
Websense is very complicated, but very powerful. I would recommend it only if you have time to deploy it and maintain it. It is very good at managing traffic on all ports as opposed to just web traffic. You will need a dedicated PC for this solution. We use the enterprise version and it is extremely powerful.
See this at least...
http://www.websense.com/SupportPortal/SystemRequirements.aspx
Another good idea is to use some highly configurable proxy, let's say Apache in proxy mode. Set one before and one after your SonicWall or DansGuardian filter.
Then you simply forward all 80 and 443 traffic to your Apache proxy. The Apache proxy listening on the forwarded port for 443 rewrites the URL from https to http, and then it supplies a certificate (a wildcard root certificate). Then that proxy adds a header, something like xwasSSL=true, to the request.
The Apache proxy that listens on the forwarded port for 80 simply passes the traffic along, but adds xwasSSL=false.
The last Apache proxy that your DansGuardian, SonicWall or another proxy forwards to simply checks if xwasSSL was true or false. If it was true, rewrite the URL to https, else rewrite to http.
I have attached a code snippet.
This is Apache configuration, and let's say your DansGuardian is on the same machine (127.0.0.1) and listening on port 8181.
Your DansGuardian or the last proxy in the chain MUST have its parent proxy set to 127.0.0.1:8445 if it's running on the same machine, or <ip of apache server>:8445 if it's running on another machine.
The SSLCertificateFile should point to a certificate with a CN of *, signed by the private key for the certificate at SSLCertificateChainFile. The SSLCertificateKeyFile should point to the SSLCertificateFile's private key. Make it unencrypted. The SSLCertificateChainFile should point to a self-signed root certificate.
The cacert.crt needs to be installed into ALL clients, else they will get a nasty warning each time they visit an SSL site.
Here are the 2 firewall rules you need to add too (the interface negation is written in the current iptables form, "! -i eth3"):
/sbin/iptables -t nat -A PREROUTING ! -i eth3 -p tcp --dport 443 -j REDIRECT --to-port 8443
/sbin/iptables -t nat -A PREROUTING ! -i eth3 -p tcp --dport 80 -j REDIRECT --to-port 8444
eth3 should be the internet facing interface.
I'll attach a picture of how it looks when it blocks viral content on an SSL enabled site.
# 8443 receives the redirected HTTPS traffic, 8444 the redirected HTTP traffic,
# 8445 is the parent proxy that DansGuardian (127.0.0.1:8181) forwards to.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite and mod_headers.
Listen 8443
Listen 8444
Listen 8445

# Leg 1: terminate the client's TLS, mark the request xwasSSL=true and hand it
# to DansGuardian as plain HTTP so the filter can see the content.
<VirtualHost _default_:8443>
RewriteEngine on
KeepAlive On
<Directory />
Options ExecCGI
</Directory>
# Only GET and POST are passed; anything else is refused with 403.
RewriteCond %{REQUEST_METHOD} !^(GET|POST)
RewriteRule .* - [F]
DocumentRoot /arpmessages
ServerAdmin root@localhost
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:!eNULL:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
# Wildcard (CN=*) certificate, its unencrypted key, and the self-signed root
# that signed it; that root must be trusted by every client.
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLCertificateChainFile /etc/httpd/cacert.crt
SetEnv HOME /home/nobody
# Everything proxied from this host goes through DansGuardian.
ProxyRemote * http://127.0.0.1:8181
ProxyPreserveHost Off
# Never trust a client-supplied marker; set our own.
RequestHeader unset xwasSSL
RequestHeader set xwasSSL true
Header unset Via
Header unset X-Cache
Header unset Vary
# [P] is required: without it mod_rewrite sends the browser an external
# redirect to the http:// URL instead of proxying the request.
RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [P]
</VirtualHost>

# Leg 1 for plain HTTP: same as above, but marks the request xwasSSL=false.
<VirtualHost _default_:8444>
RewriteEngine on
<Directory />
Options ExecCGI
</Directory>
RewriteCond %{REQUEST_METHOD} !^(GET|POST)
RewriteRule .* - [F]
DocumentRoot /arpmessages
ServerAdmin root@localhost
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
KeepAlive On
ProxyRemote * http://127.0.0.1:8181
ProxyPreserveHost Off
RequestHeader unset xwasSSL
RequestHeader set xwasSSL false
Header unset Via
Header unset X-Cache
Header unset Vary
RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [P]
</VirtualHost>

# Leg 2: forward proxy that DansGuardian uses as its parent. It restores the
# original scheme from the xwasSSL marker and strips the marker and proxy
# headers before the request leaves for the internet.
<VirtualHost _default_:8445>
ProxyRequests on
KeepAlive On
SSLProxyEngine on
ProxyVia block
ProxyPreserveHost Off
DocumentRoot /home/httpd/html
ServerAdmin root@localhost
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
ProxyMaxForwards -1
# Decompress responses so the filter in front of this leg sees the content.
SetOutputFilter INFLATE
<Proxy *>
RequestHeader unset Via
RequestHeader unset X-Forwarded-For
RequestHeader unset xwasSSL
RewriteEngine On
# xwasSSL=true: the client originally spoke HTTPS, so go out over https://.
RewriteCond %{HTTP:xwasSSL} ^true$
RewriteRule ^proxy:http://(.*)$ proxy:https://$1
RewriteCond %{HTTP:xwasSSL} ^false$
RewriteRule ^proxy:http://(.*)$ proxy:http://$1
RewriteCond %{REQUEST_METHOD} !^(GET|POST)
RewriteRule .* - [F]
</Proxy>
</VirtualHost>