Kids bypassing firewall via web proxy sites

According to Google, which covers about 10% of the web, there are more then 1.1 billion websites out there. Even taking into account that interests and publicity are not equally distributed, how likely is it that your content filter will tell anything valuable about the website a client wants to visit? If you're doing blacklisting, you'll miss about everything. If you're doing whitelisting, you'll block way too much.

Or proxy-like behaviour:

Funny thing is that people are getting benefit from it, for it's intended purpose, even if people like you continuously claim they don't.

Recently I had one client filtering for "AdId=" (case insensitive) and wondering why why couldn't access some forums

. And that's still harmless in comparison to the one filtering for "https?:\\/\\/\\w*ad\\w*\\/".

A better point it that's is practically inefficient. Virus scanning isn't secure either, but it's pretty efficient if done correctly and gives a good host-based IDS.

Of course, virus scanning and detecting tunneling are comparable. Both cannot detect unknown technics, and both can detect known ways dependably.

But there is a key difference for both things: many viruses are spreading in the wild. Exactly those viruses are very likely to be detected, and it is very likely that they're added to virus databases soon.

With tunneling it is just like with viruses, which are not widespread - no-one has it in the database, so no-one will detect it usually.

Yours, VB.

Counterpoint: Many efficient tunneling techniques are known and most tunneling applications used by the clients have been found via Google. However, even knowing how the tunneling is done, for most methods you cannot differ the tunnel from normal operations.

Is

$somehexgarbage a simple website access or a constant data transfer?

Sunnyvale, CA. Steve Franzese, Vice President of Worldwide Marketing of Sonicwall, Inc. announced, that Sonicwall just hired complete India for reading and categorizing web-pages.

"We just had no other choice", Franzese told this newspaper in an exclusive interview last Tuesday. "To manage a complete categorization of billions of web-pages you need enough employees. And those web-pages are even changing daily!" he added. Being asked, how Sonicwall will react on the continuing growth of the Internet, he added: "Following the Homeland Security Act, of course the Internet growth violates Federal Law now. If the US Army cannot stop this in a conceivable time span, we will heighten and hire the Chinese, too."

SCNR, VB.

What detains me from hacking a simple tunneling just now myself?

Good point. If you don't know, you cannot prevent tunneling.

Yours, VB.

OKay, how is this...

I have 1200 students, and 300 computers, and ONE of me...

Ill use robots as much as I possibly can.

It's still simple to protect them - block everything, only allow access to sites they really need access to. Kids don't need access to myspace or cnn or other locations when at school, and they certainly don't need access to personal email or IM apps.

Triffid wrote: Security is hard work because, to be effective, you

You're right and that's where leadership skills come in to play. Dealing with pre-adults or children, however, takes a special kind of blend of skills and it's unlikely even with those skills you're going to get 100% participation in implementing the solution.

Hopefully not IT support.

You are right, and I do at least block all ports except needed ones... but I use DHCP, so theoretically, my computer's IP address change....

Incorrect.

Correct.

Correct.

Incorrect.

That's one of the reasons usenet survived against the lame web forums (other than exchanging binaries), the free support that you find from unselfish people that are willing to help and not expect anything in return.

Unlike you, there others out there willing to help.

You are the proof of that theory. You seem to be confused about what is usenet.

Before you give lectures to others of what is usenet, I suggest that you understand if first.

Which is true from a security point of view. Whether you use these filters or not is up to you, but since skillful/determined people will get around them they are not security measures.

Which is, of course, plain wrong.

[...]

To my understanding that's the point Volker is trying to make, though he tends to be a little too brief in his comments. Educate your users. Do not try to confine them with technical measures instead of educating them.

cu

59cobalt

You already lost. Give up and enjoy yourself.

cu

59cobalt

DHCP can be a threat to your network - at the very least you should have reservations for every node in the network so that there are no free leases available.

If you are in a management position, then setup a fixed IP for your node.

As for blocking all ports, that's great, but you don't allow exceptions by IP in a DHCP environment, you allow exceptions by authenticating with the firewall from any location and then creating a rule that allows that authenticated user/group the access specified.

Please explain how/why it's wrong?

And in the real world, in every country, that method fails in every case. People are people, they are not bots, they will do human things - hell, look at priests molesting kids, and you want to trust the employees will stop abusing services are work?

If you really believe that, then you have no future in the I.T. World.

His problem is easily resolved with technology, it's done all the time, and it works.