Web Security Box Thing

[philbot500]

Hi all

Think I'm looking for a magic box that will make my admin life simple. I'm looking for a solution that will sit at the gateway and block use access to anonymous proxies and scan pages for any kind of malware. This is probablt two problems.

1. Is there a way using squid or something to look at pages and decide in real time whether it as an anonomous proxy or not? these things seem quite clever at disguisig themselves these days and you'd need an army and more to blacklist sites.

2. Is there anything out there to look at a site and see if it has an iframe or the like that points to a bad place and tries to download an exe or dmg? Is this sort of thing legal?

Whilst I love the whole Jericho Forum thing I still believe that there is a place for defence in depth. I don't want the hips on 30 PC'S to block something if I can block it once at the gateway or at least before it gets to the end user.

Here is the crux of the thing. I work with several schools and I see this as do you want your kids to be able to learn things and get good jobs because they can learn stuff or go and rob your grandmother's pension because their computers were down and they ended up stupid?

How can you tell these kids that if they do ssl to a proxy then go to Facebook that some bad guy probably has their password now?

One last thing. Would it be unethical to man in the middle any ssl connection that these users make to ensure nothing nasty is happening? It must be trivial to use someting like ssl strip to do this and just install the certificate fom my box on the end machines.

over and out,

Philbot500

[Sparda]

The only device I am aware of that does this is the astaro security gateway (heavily advertised on TWiT as I'm sure most of us are aware).

[barry99705]

The only device I am aware of that does this is the astaro security gateway (heavily advertised on TWiT as I'm sure most of us are aware).

Advertised where?

[Sparda]

Variuse Leo Lapote shows

[VaKo]

First thing to do is to consult with the people who run the schools, and possibly there lawyers. You need to have a written policy which discusses legitimate uses of the network, and illegitimate uses. This needs to be agreed to by the school, and made available for the students to review. If you opt to install IT polices unilaterally then there is a chance it will come back to you.

Secondly, unless these are tiny schools, your not going to be able to do anything yourself in real time, you will need to use block lists that are updated automatically. Your not going to be able to block everything, by accepting this you can be more productive.

As for what to use, I would suggest using SmoothWall's Network Guardian or more specifically School Guardian, as it is Becta ready. You don't want to be the person blocking anything yourself, you want to off-load that to someone else, because if its your block list, and somebody manages to download Harry Potter slash fiction then you get the blame, if its a 3rd party they are responsible.

http://download.smoothwall.net/pdf/brochur.../65034-S-A4.pdf

Its either a software appliance or a box you can buy and plug in to the network.

Lastly, don't wiretap the kids (unless its a monitor port connected to SNORT), it opens a whole kettle of fish you don't want to open. If they get there facebook password stolen after using some proxy with a .ru name, this isn't your problem. Having there password stolen will make them learn faster than any number of boring lectures from the IT guy about SSL and cryptography.