  1. #1


    Help Plugging A Security Hole

    Hi, hopefully someone can help me here.

    I am quite a new (and inexperienced) techie, just taken on a new job in a private school.

    We have an ISA server installed, but direct internet access is still possible if the proxy settings aren't configured in a browser.

    Obviously the proxy settings are turned on through group policy, but if a student plugs their own laptop into the system they can access the internet directly, or if they use an alternative browser they can get around the ISA.

    How do I plug this security hole and stop direct internet access?

    Also I suspect that a couple of apps need direct access, such as we use online backup here from the main server, as well as SIMS might need it... Will this be a problem?

    Cheers for any help.

  2. #2
    andyrite's Avatar

    Re: Help Plugging A Security Hole

    Sounds like the clients are getting a default gateway with dhcp.
    Depending on your setup this might not be needed.

  3. #3
    StewartKnight's Avatar

    Re: Help Plugging A Security Hole

    How about setting up a VLAN, with only authenticated MAC addresses being allowed access to the system?

  4. #4

    localzuk's Avatar

    Re: Help Plugging A Security Hole

    I would say having your edge router block all traffic on internet ports except if it originates via your ISA server.

    Another way would be to stick a second network card in your ISA server, have one on your network and one plugged in to your edge router. This would mean that no route would be allowed by default to the outside world unless it was allowed by your ISA box.

  5. #5

    dhicks's Avatar

    Re: Help Plugging A Security Hole

    > I am quite a new (and inexperienced) techie, just taken on a new job
    > in a private school.

    Hey, snap!

    > How do I plug this security hole and stop direct internet access?

    Use a transparent proxy between your Internet connection and the rest of the school. Use a dedicated machine with two ethernet connections, forcing every packet to be filtered, then there's simply no physical way of getting network traffic to the Internet without passing through the proxy first.

    We have no money spare, so I had to configure a DansGuardian / Squid / SquidGuard machine myself. This was a bit fiddly, but okay when you get the hang of it (and dead cheap - a Dell SC440 is perfect for the job and costs under £500). The best just-plug-it-in-and-it-works solution I've seen is SmoothWall. I spoke to Tom Newton (regular on this site) at BETT last year and his level of technical knowledge is excellent - I get the impression that if you email or phone with a problem SmoothWall will actually be able to fix it, rather than simply passing you around a bunch of marketoids. It might be worth attending BETT this year to have a look at firewall products.

    --
    David Hicks

  6. #6


    tom_newton's Avatar

    Re: Help Plugging A Security Hole

    David,

    Thanks for the vote of confidence - if you're at BETT this year, do drop by for a smoothie. You're right though, we only have one marketroid, and she's tame!!

    Luke,
    A transparent proxy is a viable solution to this problem, although blocking all web traffic at the edge router, and then creating an "allow" rule for your proxy would definitely work. You might want to create a few other rules for unproxied systems such as servers - this course of action can (initially) have some side effects, so it's worth applying with caution!

    Tom
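
Before turning on the edge block suggested in posts #4 and #6, it helps to know which machines currently reach the web without going through the proxy, so that servers needing direct access get their own allow rule first. The script below is an added example, not part of any post in this thread; the key=value log format, the addresses and the port list are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the thread): addresses, ports and log format.
PROXY = ipaddress.ip_address("10.0.0.10")          # the ISA/proxy box
INTERNAL = ipaddress.ip_network("10.0.0.0/16")     # school LAN
WEB_PORTS = {80, 443}

# Constructed sample of edge-router connection logs (key=value format).
SAMPLE_LOG = """\
2008-01-07T09:00:01 action=allow src=10.0.0.10 dst=203.0.113.5 dport=80
2008-01-07T09:00:04 action=allow src=10.0.3.41 dst=198.51.100.7 dport=80
2008-01-07T09:00:09 action=allow src=10.0.0.20 dst=192.0.2.50 dport=443
2008-01-07T09:01:12 action=allow src=10.0.3.41 dst=198.51.100.9 dport=443
2008-01-07T09:01:30 action=allow src=10.0.0.20 dst=192.0.2.50 dport=443
2008-01-07T09:02:00 action=allow src=10.0.3.41 dst=10.0.0.10 dport=8080
2008-01-07T09:02:05 action=deny src=10.0.7.7 dst=198.51.100.7 dport=80
garbled line without fields
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    fields = dict(p.split("=", 1) for p in line.split()[1:] if "=" in p)
    try:
        return {"action": fields["action"],
                "src": ipaddress.ip_address(fields["src"]),
                "dst": ipaddress.ip_address(fields["dst"]),
                "dport": int(fields["dport"])}
    except (KeyError, ValueError):
        return None

def direct_web_sources(log_text):
    """Map each internal host (other than the proxy) that reached an external
    web port directly to the set of (dst, port) pairs it contacted."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if rec["dport"] not in WEB_PORTS or rec["src"] == PROXY:
            continue
        if rec["src"] in INTERNAL and rec["dst"] not in INTERNAL:
            found[str(rec["src"])].add((str(rec["dst"]), rec["dport"]))
    return dict(found)

if __name__ == "__main__":
    for src, dests in sorted(direct_web_sources(SAMPLE_LOG).items()):
        print(src, sorted(dests))
```

A host that shows up repeatedly against a single destination (10.0.0.20 in the sample) is a candidate for a server exception rule; a host with varied destinations is a client bypassing the proxy.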

  7. #7
    ArchersIT's Avatar

    Re: Help Plugging A Security Hole

    Quote Originally Posted by luketheduck
    > Hi, hopefully someone can help me here.
    >
    > I am quite a new (and inexperienced) techie, just taken on a new job in a private school.
    >
    > We have an ISA server installed, but direct internet access is still possible if the proxy settings aren't configured in a browser.
    >
    > <snip>
    >
    > Cheers for any help.

    Hi there,

    I had a similar problem here when I first came - we realised when a student was spotted using Firefox to get to a banned site.

    There was a setting in ISA that had been misconfigured (well kind of). It had been set to allow staff to pass through to the staff LEA proxy - but it allowed anyone to bypass it. This was under ISA 2000 - so your options may vary. For us it was in Extensions/Application Filters/HTTP Redirector Filter. This was set to send the requests out to the requested web server. Changing this back to Redirect to Local Web Proxy sorted it - but of course made the staff go through the ISA filter and onto the student proxy as well.

    Hope this helps

    Jonathan


