Jon’s Network


Schools Battle Proxies

May 28th, 2008 · 2 Comments

Stan Trevena, IT director for Modesto City Schools, penned The Internet Filtering Battlefield, which describes the constant struggle to keep student and faculty behavior in line with the acceptable use policy. This is important to keep students safe and to keep the district out of legal trouble.

It is a great article that explains exactly how users have been bypassing filters over the years. I wanted to disagree with the part about encrypted proxies, however:

“Encryption brings us to the frontline of today’s war on circumvention. Encrypted proxies have been a hard target to hit. Because encryption involves keys and algorithms, there’s nowhere near enough processing power in an Internet filtering server to decrypt secure communications between client and server on the fly. It’s also unreasonable to block all HTTPS traffic on a district’s network because many transactions that are part of the daily business of running a school are conducted through such secure sites.”

There is enough processing power to proxy SSL sessions. Blue Coat, Secure Computing and Palo Alto all do it. (Palo Alto does it fastest.) It can be a pain though. Some of the vendors make it easier to manage than others by maintaining your list of certificates for you and letting you control which types of sites you proxy for, e.g. you can ignore banking and shopping traffic but proxy other SSL traffic. If you deem the risk large enough to warrant the hassle of pushing your own cert to the browsers and pointing them to the proxy, then there is ample processing power to do this.

What I think is more effective than URL filtering is just straight monitoring of all internet use (not just the blocked sites) and reporting on activity by username to hold users accountable. Stan mentions this at the end of the article. Most filters offer the type of reporting that HR departments require. I also recommend Vericept to schools that want to augment their filter and increase their visibility into user behavior.
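
The per-username reporting described above, as an added example that is not from the original post or from any filter vendor: it summarises every request per user from a proxy log and separately lists allowed HTTPS tunnels to hosts the filter could not categorise. The log format, field names and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (assumed format, not a vendor's), one request per line:
# timestamp username method host category action
SAMPLE_LOG = """\
2008-05-28T09:01:12 asmith GET www.example-encyclopedia.test reference ALLOWED
2008-05-28T09:02:40 asmith GET games.example.test games BLOCKED
2008-05-28T09:03:05 asmith CONNECT tunnel.example.test:443 uncategorized ALLOWED
2008-05-28T09:03:09 asmith CONNECT tunnel.example.test:443 uncategorized ALLOWED
2008-05-28T09:05:31 bjones CONNECT bank.example.test:443 finance ALLOWED
2008-05-28T09:06:02 bjones GET www.example-encyclopedia.test reference ALLOWED
malformed line
"""

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    parts = line.split()
    if len(parts) != 6 or parts[5] not in ("ALLOWED", "BLOCKED"):
        return None
    keys = ("time", "user", "method", "host", "category", "action")
    return dict(zip(keys, parts))

def usage_report(log_text):
    """Summarise all activity per username, not only blocked requests."""
    report = defaultdict(lambda: {"requests": 0, "blocked": 0, "opaque_tunnels": set()})
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparsed lines so gaps in the report are visible
            continue
        row = report[rec["user"]]
        row["requests"] += 1
        if rec["action"] == "BLOCKED":
            row["blocked"] += 1
        # Allowed HTTPS tunnel to a host the filter could not categorise:
        # the filter saw nothing inside it, so surface it for review.
        elif rec["method"] == "CONNECT" and rec["category"] == "uncategorized":
            row["opaque_tunnels"].add(rec["host"])
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = usage_report(SAMPLE_LOG)
    for user, row in sorted(report.items()):
        print(user, row["requests"], row["blocked"], sorted(row["opaque_tunnels"]))
    print("unparsed lines:", skipped)
```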

Tags: 8e6 · Blue Coat · Secure Computing · Web Filtering · Web Proxy · Webwasher

2 responses so far ↓

  • 1 Christofer Hoff // May 28, 2008 at 10:11 pm

    Jon:

    I’m wondering about your last paragraph.

    What if you’re not just interested in “accountability” but also protecting against malicious drive-by client-side attacks?

    Monitoring is important, but how do you reconcile AUP violations against legitimate sites doing illegitimate things if compromised?

    Were you suggesting that monitoring can replace filtering?

    Also, how did you establish that Palo Alto does MITM/SSL proxy the fastest?

    Thanks,

    Hoff

  • 2 Jon Robinson // May 29, 2008 at 7:51 am

    Hi Chris, when I say I think monitoring works better than filtering, I’m talking about getting users to comply with the AUP and to start behaving well on the network. I don’t think anyone should ditch the filter. I just think they should be realistic about what it does. They all have holes in them and you can get a better picture of AUP violations with better monitoring.

    You bring up an excellent point with the malicious code subject. That is probably the main reason to filter right now. Look at all sites for dangerous code rather than just looking at the URL from an AUP point of view. The malicious code risk is way low on the radar of schools in my experience. Many of the filters they use are not equipped to deal effectively with that risk. What I said was mainly targeted at schools (my main customers) that rely on their filter to do something that monitoring can do better in my experience. It’s mainly psychological: a video camera that lets you know you are being watched vs a fence that needs to be jumped over.

    About the Palo Alto thing… that is totally based on hearsay from all three companies and totally qualitative based on my experience. I could be totally wrong. Fine, I’ll go do some homework and find out the right answer.
