Koozali.org: home of the SME Server

need to filter https...kids bypassing dansguardian! Help!

David Trask

Re: need to filter https...kids bypassing dansguardian! Hel
« Reply #15 on: November 26, 2003, 06:32:59 AM »
An even easier method is to put the DG server at the "choke" point and do transparent proxy....no web browser settings needed....they're forced through....virtually bypass proof.

D

Samer Pharaon

Re: need to filter https...kids bypassing dansguardian! Hel
« Reply #16 on: November 27, 2003, 09:44:14 AM »
Mike wrote:
>
> by removing the Connections TAB in the browser through W2000 Server their
> logon machine, just passing this on for anybody interested.

How did you do this?

Samer

wallyrp

Circumventor Program
« Reply #17 on: June 23, 2004, 09:46:11 PM »
Good Afternoon,

Has anyone come up with a solution to this? After reading this, this issue is serious. I used the url in the initial posting and was able to get right around Bess at our school. I considered Bess pretty airtight but acckkk, if they can install this program on their home computers then, it's a wide open door. Here's a link regarding this program and how to install it: http://www.peacefire.org/circumventor/simple-circumventor-instructions.html

Eventually, you would be blocking the whole internet to stop this in my opinion. Since it is on the secure layer, you wouldn't be able to block via a weighted phrase right? Isn't all the information over this layer encrypted? One suggestion my friend had was to block all https traffic during school hours when students are present. This would be a serious inconvenience to anyone attempting to use https in some administrative function.

Johnboy

DG access
« Reply #18 on: June 24, 2004, 01:03:13 AM »
You have to hand it to the kids - considering most of the people I work with are amazed when I "recover" files from their recycle bin our kids are *streets* ahead.

elSpike

dansguardian panel
« Reply #19 on: June 24, 2004, 01:07:13 PM »
Patrick Hickey wrote:
>
> I would love to see some pre-built templates for using the not-intuitive interfaces of DansGuardian, for example. It may seem to be a niche issue, but I would argue a huge potential base of users exists who are looking for cookie cutter ways to filter content. This applies not only for children and porn, but for downloading movies and non-business related material. Sorry, it isn't that easy to work out.
>
> Developers...think about the number of people who need this feature and who are not command line dwellers. The core functionality presumably is in place but the UI or some guidelines are not. Example templates would be awesome.

Try www.dungog.net

They have exactly what you are asking for. $49, cheap.

patrick

wallyrp

dungog's solution
« Reply #20 on: June 24, 2004, 06:23:01 PM »
Good Morning,

I looked again at the dungog.net site for solutions to this issue. I downloaded the help file and looked for https. The solution provided is to use certification authorities. You can do this through dungog's package or use the Root Certification Authority (RCA) stuff in IE. This would only apply to folks running M$ stuff granted. In my situation, I will apply a Group Policy and restrict access to ssl sites through the RCA method. There is only one hitch to all of this while using this method, aging certificates. I have heard that the RCA folks won't recognize some of the aging certs. This would present a problem with folks trying to get some valid sites with these aging certs.

I'm beginning to think that for a small school, business, or home setup you would just block the entire https layer. If users needed to access certain https sites, use the exception list and add the URLs that are needed. This would be a minor, in my humble opinion, maintenance hassle. For example, elementary students, K-6, wouldn't need to even look at an https site. High school students, 7-12, might need to access certain sites for contest information and/or other state educational resources.

Another solution would be just to install some type of network monitoring software and hammer the folks that have high traffic. After looking at the dansguardian log via SawMill, it shows the https request. Since I have users authenticating, I can apply filters and look for folks accessing these types of URLs.

I'm going to be relying heavily on SawMill for information. I know it costs money but for $80 for 5 configurations, that's cheap. It also puts things in nice pie charts that principals and other bureaucrats like to look at. My opinion, on a tangent here, the principals need to look at the information, disseminate it and discipline accordingly. I'm tired, as an IT person, of handing out discipline or being put in a position that makes it look like I'm the one hammering the student. Now, back to the real world.

Timwtaylor

need to filter https...kids bypassing dansguardian! Help!
« Reply #21 on: June 28, 2004, 02:56:02 PM »
I heard about this exploit and did find that it gets right past the SonicWall. I also tried an IPCop with DansGuardian. Again straight through.

As I was reading some on the site that is posted in the beginning of this thread I saw that this is not only a proxy that you can get to, it is a proxy you can install on your home computer and access it from anywhere. This being the case you either have to block https allowing administrators either a time window to access state board of education sites that require it or access codes to bypass your firewall. The alternative is block every IP address that a child has the ability to get to that could possibly have any of these proxy applications installed, i.e. every cable modem and DSL IP address. This would include Jack's IP address as he sounds like someone that would install this and allow others to use his internet connection to bypass filters.

In the SonicWall you cannot block https any way I have found yet as they use it to access the management port of the firewall. I have a call in to find out what can be done in that regard. I hope to have a solution before school starts back up in August.

Tim Taylor

wallyrp

Question about the URL portion of this issue
« Reply #22 on: July 01, 2004, 09:37:02 PM »
Good Afternoon,

After looking at this issue and reviewing my SawMill analysis I believe there may be a solution but I don't know where to begin.

SawMill doesn't report anything outside of the initial https://4.x./??? url. I did notice though after browsing around a bit that if there was a way to capture the full url that is in the address bar it could be filtered. I don't think this can be done because of the SSL.

Another way to attack this is to somehow import an RBL(?) type of list into DansGuardian. I notice that if I have a dyndns.org domain setup on my home server that AOL, and others, won't accept my email because my IP address is in some sort of list. It appears that someone out there has a list of the IP addresses that the broadband ISPs assign to their customers. This might be something to look at and that would hopefully provide a broom to wipe out the majority of folks that would use this method.

wallyrp

Possible Solution to https filter
« Reply #23 on: July 09, 2004, 08:30:15 PM »
Good Afternoon,

Here's something of interest that I got from https://listman.redhat.com/archives/k12osn/2004-June/msg00185.html:

Here's how. Transparently proxy TCP 80 and TCP 443; do this, and your firewall setup--firewalls include your proxy/ICF server, let's all remember--will always control the connection. This applies to any Web content filtering application that supports transparent proxying, be it DansGuardian, I-Gear (ick!), squidGuard, or whatever. That's how you can block outside servers running circumventor, because it is quite correct that the external circumventor server will need a consistent IP address, which will indeed show up in the logs (you do review your logs, right? :-) ). Also have an internal DNS server in a split-DNS configuration, and configure your firewall such that only the internal DNS server can forward and receive requests to and from the external DNS server. Do this, and you'll stop circumventor...cold.

--TP

End Post

I'm not exactly sure if I totally understand how to setup the last part with regards to the DNS setup though.
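Replies #20, #22 and #23 all come back to the same observation: the tunnelled traffic shows up in the proxy log only as an HTTPS request to a bare IP address, tied to an authenticated user. The following is an added example, not part of any post in this thread, of a log review that counts such requests per user and destination. It assumes Squid's native access.log field layout; the log lines, user names, addresses and exception list are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log layout (an assumption;
# adjust the field positions to match your own DansGuardian/Squid log format).
SAMPLE_LOG = """\
1088712000.101 512 10.0.0.21 TCP_MISS/200 4096 CONNECT 203.0.113.45:443 jsmith DIRECT/203.0.113.45 -
1088712031.220 498 10.0.0.21 TCP_MISS/200 8192 CONNECT 203.0.113.45:443 jsmith DIRECT/203.0.113.45 -
1088712050.007 120 10.0.0.30 TCP_MISS/200 2048 CONNECT www.example.org:443 mlee DIRECT/192.0.2.10 -
1088712090.000 80 10.0.0.44 TCP_MISS/200 900 GET http://www.example.com/ akhan DIRECT/192.0.2.20 text/html
1088712101.300 410 10.0.0.44 TCP_MISS/200 3000 CONNECT 198.51.100.7:443 akhan DIRECT/198.51.100.7 -
"""
APPROVED_IPS = {"198.51.100.7"}  # hypothetical exception list of allowed HTTPS hosts

def parse_connect(line):
    """Return (user, host, port) for a CONNECT log line, else None."""
    fields = line.split()
    if len(fields) < 8 or fields[5] != "CONNECT":
        return None
    host, _, port = fields[6].rpartition(":")
    if not host or not port.isdigit():
        return None
    return fields[7], host, int(port)

def is_ip_literal(host):
    """True when the CONNECT target is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def suspicious_tunnels(log_text, approved=APPROVED_IPS, min_hits=2):
    """Count HTTPS tunnels to unapproved bare IPs per (user, ip); keep repeats."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_connect(line)
        if parsed is None:
            continue
        user, host, port = parsed
        if port == 443 and is_ip_literal(host) and host not in approved:
            hits[(user, host)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for (user, ip), n in sorted(suspicious_tunnels(SAMPLE_LOG).items()):
        print(f"{user} -> {ip}:443  {n} tunnels")
```

Destinations that keep appearing in the result are candidates for the firewall block list the quoted message describes.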

One of Many Students

Thanks for the tips
« Reply #24 on: July 10, 2004, 03:44:51 PM »
Hello Guys,

I'm a high school student living in Canada, thank you for all the info on how to bypass DansGuardian.

Even though I agree with the fact that the internet should be safe for kids and teens, I also believe that young people with the right instruction will never be led to do anything bad.

Preventing kids from using the internet is just a way to impose adult rules. Remember, you can't make us blind!

I am one of the students that promotes the DansGuardian bypassing technique and I also have tons of free time to find out new ways to do it.

Sorry for being such a punk, but we get the page blocked even when we try using google and we type "Gilmore Girls".

I'm always around,
p0rt3r