My school runs an ISA server for our gateway with a huge list of sites to filter that I've compiled and a second layer of filtering through a MoE approved content filter (tunnel our web traffic from our ISP to them). BUT because we allow https for students to check email, etc. they are able to use the secure option for accessing sites like facebook, twitter, blah blah blah. It's gotten so bad that I'm actually willing to part from my pittance of a budget to take care of this issue. I'd rather find a free solution if I can though.
So the question is, what do you use and how effective is it at selectively blocking the non-approved content from the internet?
For those that suggest just blocking the port for https, I've incorporated google apps accounts into our school learning environment and students receive updates regarding their online Moodle classes this way and communicate directly with teachers. So blocking that isn't in the cards.
I've seen smoothwall advertised here and checked out their site. However, I've not got all the details on that (like cost, difference between the Express and Corporate, and does it need its own box or VM?) anyone have experience with that product in terms of our issues?
Could block all https traffic on the ISA but allow selected sites through? So it's a whitelist on https, not a total ban.
Didn't consider this approach. Will this work with ISA 2006? It seems to be fairly 'blind' when it comes to https traffic.
I am a bit confused?
Just block the URL for facebook, and any other sites you have trouble with. This is usually the most basic function of any web filtering package (squid(guard), Dans, smooth, etc...)
If you're looking for a firewall I'd suggest looking at a member of the Internet Watch Foundation. I believe NEN guidelines says schools should use a filtering service that subscribes to this list.
See Members | Internet Watch Foundation (IWF)
Vendors you could use are Fortinet, Smoothwall, Sonicwall, websense, lightspeed etc
Yep can be done :)
Originally Posted by atamakosi
If you need more budget ... fire up google images using https, turn off safe search and experiment a little while SMT browse their safeguarding policy.
You can do per-domain blocking in HTTPS if your clients are using a "traditional proxy", with most products. Smoothwall would add to that with support for transparent proxy (client caveat: no XP!) and full interception (block by URL, content) in either case.
* Yes you can put it on VM (VMware please!), or your own box, or a smoothwall appliance
* Yes you need the commercial edition, Express is firewall only, no filtering
I'd like to know how to do this, I'm running ISA2006 and I can only see a way of blocking all HTTPS or allowing it all. The http filter says it'll handle only http traffic.
I spent some time trying to configure a whitelist for students for https but it doesn't do it very cleanly. It seems to load only part of the approved https sites, ignoring things like the CSS and graphics. Basically just a bunch of text in div formats. Ugh.
So looks like ISA is still not smart enough to handle https in anything but allowed or blocked format. Are there any other suggestions to try?
If you are taking a whitelist approach to allowing HTTPS sites then you will need to allow all other domains that are used to build the content of the page, for example youtube.com is really just a placeholder, all media content is served from ytimg.com - using this example if you wanted to allow https://www.youtube.com then you would need to whitelist youtube.com and ytimg.com on your ISA server...this will get messy and there are easier approaches to take.
Originally Posted by atamakosi
The best approach would be to invest in a web filter that is capable of filtering HTTPS traffic - you can still use the ISA server as an upstream proxy if you were to invest in a web filter.
If you opt to stick to the ISA server running whitelists then you can use browser developer tools to find out the domains that are being used on HTTPS sites (You can access developer tools in IE by pressing F12)
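As an added example (not code from any poster in this thread): the symptom described above, where a whitelisted HTTPS page loads without its CSS and graphics, can be diagnosed by exporting the F12 network capture and listing the HTTPS hosts the whitelist does not cover. It assumes the capture is saved in HAR (JSON) format; the sample capture, its subdomains and the function names are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture in HAR 1.2 layout (not taken from the thread).
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"request": {"url": "https://www.youtube.com/"},
   "response": {"content": {"mimeType": "text/html; charset=utf-8"}}},
  {"request": {"url": "https://s.ytimg.com/site.css"},
   "response": {"content": {"mimeType": "text/css"}}},
  {"request": {"url": "https://i.ytimg.com/thumb.jpg"},
   "response": {"content": {"mimeType": "image/jpeg"}}},
  {"request": {"url": "http://www.youtube.com/plain"},
   "response": {"content": {"mimeType": "text/html"}}}
]}}
""")


def covered(host, whitelist):
    """True if host equals a whitelist entry or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in whitelist)


def https_hosts(har):
    """Map each HTTPS hostname in the capture to the MIME types it served."""
    hosts = defaultdict(set)
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if url.scheme != "https" or not url.hostname:
            continue  # only HTTPS requests are subject to the HTTPS whitelist
        mime = entry.get("response", {}).get("content", {}).get("mimeType", "")
        hosts[url.hostname.lower()].add(mime.split(";")[0].strip() or "unknown")
    return hosts


def whitelist_gaps(har, whitelist):
    """Hosts the page needs over HTTPS that the whitelist does not cover."""
    wl = {d.lower().lstrip("*.") for d in whitelist}
    return {h: sorted(m) for h, m in sorted(https_hosts(har).items())
            if not covered(h, wl)}


if __name__ == "__main__":
    for host, mimes in whitelist_gaps(SAMPLE_HAR, ["youtube.com"]).items():
        print(f"{host}: {', '.join(mimes)}")
```

The MIME types next to each uncovered host show what would break if it stays off the list, which helps decide whether a domain is required content or a third-party extra that can remain blocked.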