  1. #1
    atamakosi

    https filtering

    My school runs an ISA server for our gateway with a huge list of sites to filter that I've compiled and a second layer of filtering through a MoE approved content filter (tunnel our web traffic from our ISP to them). BUT because we allow https for students to check email, etc., they are able to use the secure option for accessing sites like facebook, twitter, blah blah blah. It's gotten so bad that I'm actually willing to part from my pittance of a budget to take care of this issue. I'd rather find a free solution if I can though.

    So the question is, what do you use and how effective is it at selectively blocking the non-approved content from the internet?

    For those that suggest just blocking the port for https, I've incorporated Google Apps accounts into our school learning environment and students receive updates regarding their online Moodle classes this way and communicate directly with teachers. So blocking that isn't in the cards.

    I've seen Smoothwall advertised here and checked out their site. However, I've not got all the details on that (like cost, difference between the Express and Corporate, and does it need its own box or VM?). Anyone have experience with that product in terms of our issues?

    cheers guys/gals

  2. #2

    FN-GM
    Could block all https traffic on the ISA but allow selected sites through? So it's a whitelist on https, not a total ban.

  3. #3
    atamakosi
    Didn't consider this approach. Will this work with ISA 2006? It seems to be fairly 'blind' when it comes to https traffic.

  4. #4

    twin--turbo
    I am a bit confused?

    Just block the URL for facebook, and any other sites you have trouble with. This is usually the most basic function of any web filtering package (squid(guard), Dans, smooth, etc.)

  5. #5

    If you're looking for a firewall I'd suggest looking at a member of the Internet Watch Foundation. I believe NEN guidelines say schools should use a filtering service that subscribes to this list.

    See Members | Internet Watch Foundation (IWF)

    Vendors you could use are Fortinet, Smoothwall, Sonicwall, Websense, Lightspeed, etc.

  6. #6

    FN-GM
    Originally Posted by atamakosi:
    Didn't consider this approach. Will this work with ISA 2006? It seems to be fairly 'blind' when it comes to https traffic.
    Yep can be done

  7. #7
    Galway
    If you need more budget ... fire up google images using https, turn off safe search and experiment a little while SMT browse their safeguarding policy.

  8. #8


    tom_newton
    You can do per-domain blocking in HTTPS if your clients are using a "traditional proxy", with most products. Smoothwall would add to that with support for transparent proxy (client caveat: no XP!) and full interception (block by URL, content) in either case.

    Smoothwall info...
    * Yes you can put it on VM (VMware please!), or your own box, or a smoothwall appliance
    * Yes you need the commercial edition, Express is firewall only, no filtering

  9. #9
    chazzy2501
    I'd like to know how to do this. I'm running ISA 2006 and I can only see a way of blocking all HTTPS or allowing it all. The HTTP filter says it'll handle only HTTP traffic.

  10. #10
    atamakosi
    I spent some time trying to configure a whitelist for students for https but it doesn't do it very cleanly. It seems to load only part of the approved https sites, ignoring things like the CSS and graphics. Basically just a bunch of text in div formats. Ugh.

    So looks like ISA is still not smart enough to handle https in anything but allowed or blocked format. Are there any other suggestions to try?

    cheers

  11. #11
    grant_girdwood
    Originally Posted by atamakosi:
    I spent some time trying to configure a whitelist for students for https but it doesn't do it very cleanly. It seems to load only part of the approved https sites, ignoring things like the CSS and graphics. Basically just a bunch of text in div formats. Ugh.

    So looks like ISA is still not smart enough to handle https in anything but allowed or blocked format. Are there any other suggestions to try?

    cheers
    If you are taking a whitelist approach to allowing HTTPS sites then you will need to allow all other domains that are used to build the content of the page. For example, youtube.com is really just a placeholder; all media content is served from ytimg.com. Using this example, if you wanted to allow https://www.youtube.com then you would need to whitelist youtube.com and ytimg.com on your ISA server... this will get messy and there are easier approaches to take.

    The best approach would be to invest in a web filter that is capable of filtering HTTPS traffic - you can still use the ISA server as an upstream proxy if you were to invest in a web filter.

    If you opt to stick to the ISA server running whitelists then you can use browser developer tools to find out the domains that are being used on HTTPS sites (you can access developer tools in IE by pressing F12).

    Cheers,
    Grant

  12. Thanks to grant_girdwood from:

    tom_newton (2nd August 2012)
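
The partial page loads described in posts #10 and #11, as an added example that is not part of the original thread: a proxy that does not intercept HTTPS sees only the host in each CONNECT request, so every extra host a page pulls CSS, scripts or images from needs its own allowlist decision. The request URLs are constructed sample data (in practice they would come from the browser developer tools network panel), and the function names and the last-two-labels grouping are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Constructed sample: URLs a browser might request while loading one
# allowlisted HTTPS page (illustrative hostnames, not captured traffic).
PAGE_REQUESTS = [
    "https://www.youtube.com/watch?v=EXAMPLE",
    "https://s.ytimg.com/css/site.css",
    "https://s.ytimg.com/js/player.js",
    "https://i1.ytimg.com/vi/EXAMPLE/default.jpg",
    "https://ads.tracker.example/pixel.gif",
]


def connect_target(url):
    """Host and port the proxy sees in 'CONNECT host:port'; the path is hidden."""
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.port or 443


def host_allowed(host, allowlist):
    """Match on whole DNS labels so 'notyoutube.com' never matches 'youtube.com'."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def audit(urls, allowlist):
    """Split the hosts behind one page load into allowed and blocked tunnels."""
    allowed, blocked = set(), set()
    for url in urls:
        host, _port = connect_target(url)
        (allowed if host_allowed(host, allowlist) else blocked).add(host)
    return sorted(allowed), sorted(blocked)


def base_domain(host):
    """Naive last-two-labels grouping (assumption: no 'co.uk'-style suffixes)."""
    return ".".join(host.split(".")[-2:])


def suggest_entries(urls, allowlist):
    """Base domains of blocked hosts, for an admin to review, not auto-approve."""
    _allowed, blocked = audit(urls, allowlist)
    return sorted({base_domain(h) for h in blocked})


if __name__ == "__main__":
    print(audit(PAGE_REQUESTS, {"youtube.com"}))
    print(suggest_entries(PAGE_REQUESTS, {"youtube.com"}))
    print(audit(PAGE_REQUESTS, {"youtube.com", "ytimg.com"}))
```

With only youtube.com allowlisted, the stylesheet, script and thumbnail hosts are all refused, which matches the "bunch of text" symptom; the suggested list still needs a human decision, since third-party hosts such as the tracker in the sample should stay blocked.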
