Proxy sites now using 443

[steele_uk]

Not sure if this is a new thing or not - i did a search and couldn't see a mention of it. Students are now using proxy sites that bypass our ISA server and any of counties restrictions because they are being set to use port 443. It took me a couple of days to work out what was going on in the logs. We have massive amounts of sites with a :443 ending. They can't simply be blocked by domain name as the name seems to be virtually random. It doesnt seem to link anyway if you try and click it.

Here is an example of whats in our logs

c-24-17-137-27.hsd1.wa.comcast.net:443

Any idea's how to get round it?

Blocking port 443?

Cheers

[webman]

You could do, but blocking port 443 outbound would also block all secure HTTP connections (https://.......).

[Midget]

Block all 443 and then whitelist as required?

[Geoff]

I concure, that'd be the only way to do it. You can't filter on content on https. As it's encrypted.

[ICTNUT]

This is exactly how we do it in ISA 2004 Block all port 443 traffic and then get staff to request whitelist sites.

Student has no need for access to 443 really, the only ones that I found did need it was our sixth form and access to the UCAS site.

[steele_uk]

The blocking :443 and then whitelist by agreement seems like the way forward.

Do i prepare myself for a lot of abuse from staff that can access their bank details, or more importantly can't buy their DVD's from Play.com?
:x

[Midget]

yes. and then you tell them that it is a security thing and they should not be using the school computers for private affaires

[Geoff]

Infact, that really should be in your staff AUP anyway.

[mrforgetful]

You can set ISA to unpack all the HTTPS traffic to inspect it can't you? It can then either send it unencrypted through school or repack it up after inspection.

[tom_newton]

You can man-in-the-middle SSL traffic, yes, but I don't recommend it. It's actually illegal in some countries, and rightly so - it is a gross invasion of privacy, and a security risk.

The "HTTPS" whitelist appears to be the way forward for most users.

[mrforgetful]

On the Microsoft ISA Course it is pushed as a err how do you phrase it, Security Anti-Risk for the exact reasons it would be helpful here - that otherwise anyone could be wrapping anything up in SSL, virus's etc and you'd have no idea.

[steele_uk]

Infact, that really should be in your staff AUP anyway.

I know. Another Reason the ICT-Co-ordinator should not be responsible for the AUP (imho)

[andy]

I concure, that'd be the only way to do it. You can filter on content on https. As it's encrypted.

Not wanting to be a pedant (or a pendant as GD would say). I gather that is a typo and that you do indeed mean can't filter on content?

Cheers,



Andy

[Geoff]

indeed I did andy.

[mrforgetful]

The argument that was put to the Headmaster at this school was that if the Teachers were expected not to be able to do the odd personal thing online during their free periods or whatever, then they weren't going to do any work at home in their personal time either.