Kids bypassing firewall via web proxy sites

When pr0n sites are viewed, then this is in your system log. Read your log. And make individual accounts for the kids. Tell them, that you're able to check what everybody was viewing. Tell them, that usually you're not doing this. And tell them, that if such things happen too often, then you will have a look on the logs and find out, who does. Show them, how it is done.

And don't forget the adults who are the tutors. It will not work without them.

Yours, VB.

Hm... you have achieved a certain level of entertainment, I must say, Mr. "No Spam" ;-)

Yours, VB.

If you are using a combination of various categories of blacklists,whitelists and greylists, not to mention content (file type) downloading, ad blocking, content rating, forced safesearch settings, keyword filtering, string filtering and content scoring (just the techniques I can recall off the top of my head, there's others) You get very good results, with a high degree of flexibility. e.g. block all executeable downloads except from windowsupdate or an internal WUS server/antivirus etc. Allow kids in youth centre to read yahoo mail (requires greylisting some banner ad strings) but not to visit the banner ad sources (usually adware) or download any attachments. Just an example of what you can do with a customisable solution.

Add to that useage policy, individual proxy logins are possible (probably fun to manage with 1200 kidiots) log review, supervision and education you have most things covered.

src="

Which is what would show up in the logs and could be reviewed. Every product needs to be tinkered with to maintain useability.

When a content violation is found a the screen changes to a yellow/red with " violation detected. The date, time, Ip address and username have been logged. Contact you administrator if you feel this is incorrect"

There are some false positives e.g. Some 'celebrity has breast cancer' story would set off the titty words filter.

No solution is perfect, and definitely none are perfect out of the box. The attitude and argument of "it won't be 100% effective 100% of the time" is rather sad. What do you think of the statement "Water isn't always clean therefore never drink water"? or "don;t use antirus as they won;t stop everything immediately"? Sensible?

I'd place more weight on your point of view if you actually tried it rather than saying "it's impossible and may not stop X" Giving up before you start is not an impressive tactic.

Or even better, if you think that proxy tunneling is hard/impossible to detect and counter, why don't try and come up with a countermeasure and add that to the body of knowledge?

Cheers, E.

Thank you, it was painful enough now to read your postings.

He doesn't believe in content filtering _exactly because_ he knows how the real world is like.

An 8 year old child will not know the difference between a spyware ad and a non-spyware ad.

If you're ever down this way I can show how well integrated filtering is 'not working' on a number of sites.

I think you are confusing the issue. Leythos' employees have no business need to access NYtimes.com and is therefore blocked. Teachers could be given access. If access to news is required (media, marketing, policy response) this can be done with no web access at all. Use a media monitor service which sends through results. There are a number of businesses that perform this service. Google on media monitor or custom media feeds for examples. Relevant and timely news can be delivered to an organisation whose policies prevent browsing news sites. There's always an answer to a problem unless you say "It's impossible" and give up. IT *exists* to serve the needs of business. Cheers, E.

I doubt that "Leythos" has employees. As I already stated, I think that "Leythos" is a k00k.

I didn't mean only nytimes.com. This was only an example.

Yours, VB.

No. You'll just waste a lot of CPU cycles and money on creating big harassments for your client that, in terms of security, falls down sooner than you think.

And the complexity is exactly the reason!

IE doesn't care for file types.

Hey, what about tunneling? There are a lot of services which allow websites to be posted via eMail.

Hm... you never really worked out that MIME thing? What about UUENCODE or other inline encodings? What about Kenny Code?

You don't need to tell what I could do. I could also do MAC address whitelisting, but this doesn't make it any good idea.

I wonder how long it will take you to find out that only the latter stuff actually does about the entire work.

src="

Such a log entry still won't tell you anything valuable.

And this is exactly why most big companies dumbed their IDS after about two weeks. Too much effort for too low results.

It won't be effective enough to just defend thinking about it, not yet the actual costs of implementation.

Actually it is, when taking correct conclusions.

Because it is not feasible to implement.

When I was in the Navy we had strict rules against using illegal drugs. This was enforced by random urinalysis. On average you would be tested maybe once a year, but I once went as long as three years without being tested. Even then, it was known that only a fraction of the samples collected were actually tested.

This was very effective coupled with strong education and uniform punishment for those that were caught.

Don't make the perfect the enemy of the good.

You've got to be kidding, content filtering, session filtering, white/black lists, all combined with the fact that you only permit access to sites that are required, and you've got a great solution.

Well, at least we feel the same about each other - since you're completely off your rocker and don't have any clue how to protect a network.

We're talking about kids here, not about soldiers.

Yes.

Yours, VB.

When I was in the Navy, we were tested every couple months, and we even had a NARC in the Squadron that only a few of us knew about....

It was amazing at how many people actually did illegal drugs and then tried everything to hide their actions...

We had one chap on the boat busted with 400 hits of acid, and we had been at sea for 4 months already....

Rules/policy/testing mean nothing to many people, hard physical restrictions can keep many of them in line and others from crossing the line completely.

Wrong.

Good night Wolfgang

Read again.

cu

In a perfect world, sure, having enough adults to monitorthe children at all times would be great. However, all those adults cost money, and many school systems don't have the extra money sitting around to staff 3 or 4 teachers/tutors to each computer lab/library continuously.

I do not believe he is capable of creating a secure network based on his statements. Nothing he's said gives me reason to believe that he can create a secure network.

And when the school system gets sued by some angry parents who will claim that the school did not do enough to prevent little Johnny from viewing pornography at school? What happens then?

If you go the route of "Anyone caught looking at myspace.com on school property will be expelled" that is just as draconian as VB claims a whitelist is.

It won't happen - the parents/kids, at least the ones in our schools, all sign a document stating that they know the rules, what they can/can't do, and the punishment for it. The school is no liable for anything the kids do on the network.

A white list doesn't remove the kid from the school, doesn't impact his ability to learn, doesn't expose him to danger on school time.