14th November 2007, 10:19 AM #1
Help Plugging A Security Hole
Hi, hopefully someone can help me here.
I am quite a new (and inexperienced) techie, just taken on a new job in a private school.
We have an ISA server installed, but direct internet access is still possible if the proxy settings aren't configured in a browser.
Obviously the proxy settings are turned on through group policy, but if a student plugs their own laptop into the system they can access the internet directly, or if they use an alternative browser they can get around the ISA.
How do I plug this security hole and stop direct internet access?
Also I suspect that a couple of apps need direct access, such as we use online backup here from the main server, as well as SIMS might need it... Will this be a problem?
Cheers for any help.
-
-
14th November 2007, 10:23 AM #2 Re: Help Plugging A Security Hole
Sounds like the clients are getting a default gateway with DHCP.
Depending on your setup this might not be needed.
-
-
14th November 2007, 10:27 AM #3 Re: Help Plugging A Security Hole
How about setting up a VLAN, with only authenticated MAC addresses being allowed access to the system?
-
-
14th November 2007, 10:35 AM #4 Re: Help Plugging A Security Hole
I would say having your edge router block all traffic on internet ports except if it originates via your ISA server.
Another way would be to stick a second network card in your ISA server, have one on your network and one plugged in to your edge router. This would mean that no route would be allowed by default to the outside world unless it was allowed by your ISA box.
-
-
14th November 2007, 10:39 AM #5 Re: Help Plugging A Security Hole
> I am quite a new (and inexperienced) techie, just taken on a new job
> in a private school.
Hey, snap!
> How do I plug this security hole and stop direct internet access?
Use a transparent proxy between your Internet connection and the rest of the school. Use a dedicated machine with two ethernet connections, forcing every packet to be filtered, then there's simply no physical way of getting network traffic to the Internet without passing through the proxy first.
We have no money spare, so I had to configure a DansGuardian / Squid / SquidGuard machine myself. This was a bit fiddly, but okay when you get the hang of it (and dead cheap - a Dell SC440 is perfect for the job and costs under £500). The best just-plug-it-in-and-it-works solution I've seen is SmoothWall. I spoke to Tom Newton (regular on this site) at BETT last year and his level of technical knowledge is excellent - I get the impression that if you email or phone with a problem SmoothWall will actually be able to fix it, rather than simply passing you around a bunch of marketoids. It might be worth attending BETT this year to have a look at firewall products.
--
David Hicks
-
-
14th November 2007, 01:29 PM #6 Re: Help Plugging A Security Hole
David,
Thanks for the vote of confidence - if you're at BETT this year, do drop by for a smoothie.
You're right though we only have one marketroid, and she's tame!!
Luke,
A transparent proxy is a viable solution to this problem, although blocking all web traffic at the edge router, and then creating an "allow" rule for your proxy would definitely work. You might want to create a few other rules for unproxied systems such as servers - this course of action can (initially) have some side effects, so it's worth applying with caution!
Tom
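Before switching on the edge-router block suggested in posts #4 and #6, one way to find the "unproxied systems such as servers" that would need their own allow rule is to audit the router's connection log for web traffic that did not come from the proxy. This is an added example, not part of the thread; the key=value log format, the addresses, the port set and the function names are assumptions made up for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed for illustration (not from the thread): LAN range, proxy address, web ports.
LAN = ipaddress.ip_network("10.0.0.0/16")
PROXY = ipaddress.ip_address("10.0.0.2")
WEB_PORTS = {80, 443}

# Constructed sample log in a made-up key=value format (not a real router's output).
SAMPLE_LOG = """\
2007-11-14T09:01:12 src=10.0.0.2 dst=203.0.113.10 dport=80 action=ALLOW
2007-11-14T09:01:15 src=10.0.5.23 dst=203.0.113.10 dport=80 action=ALLOW
2007-11-14T09:01:19 src=10.0.5.23 dst=203.0.113.10 dport=80 action=ALLOW
2007-11-14T09:02:00 src=10.0.0.10 dst=198.51.100.7 dport=443 action=ALLOW
2007-11-14T09:02:03 src=10.0.5.23 dst=10.0.0.2 dport=8080 action=ALLOW
2007-11-14T09:02:30 src=10.0.3.40 dst=198.51.100.99 dport=25 action=ALLOW
-- log rotated --
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def direct_web_clients(log_text, lan=LAN, proxy=PROXY, ports=WEB_PORTS):
    """Return {source_ip: {(dest_ip, port): count}} for web traffic that bypassed the proxy."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record
        try:
            src, dst = (ipaddress.ip_address(m[k]) for k in ("src", "dst"))
        except ValueError:
            continue  # malformed address field
        if src == proxy or int(m["dport"]) not in ports:
            continue  # traffic from the proxy itself and non-web ports are out of scope
        if src in lan and dst not in lan:
            hits[str(src)][(str(dst), int(m["dport"]))] += 1
    return {src: dict(dests) for src, dests in hits.items()}

def split_by_exception(hits, known_servers):
    """Separate known servers (allow-rule candidates) from other direct clients."""
    servers = {s: d for s, d in hits.items() if s in known_servers}
    others = {s: d for s, d in hits.items() if s not in known_servers}
    return servers, others

if __name__ == "__main__":
    servers, others = split_by_exception(direct_web_clients(SAMPLE_LOG), {"10.0.0.10"})
    print("need an allow rule before the block goes live:", servers)
    print("will lose direct access:", others)
```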
-
-
14th November 2007, 04:27 PM #7 Re: Help Plugging A Security Hole

Originally Posted by luketheduck:
> Hi, hopefully someone can help me here.
> I am quite a new (and inexperienced) techie, just taken on a new job in a private school.
> We have an ISA server installed, but direct internet access is still possible if the proxy settings aren't configured in a browser.
> <snip>
> Cheers for any help.
Hi there,
I had a similar problem here when I first came - we realised when a student was spotted using Firefox to get to a banned site.
There was a setting in ISA that had been misconfigured (well kind of). It had been set to allow staff to pass through to the staff LEA proxy - but it allowed anyone to bypass it. This was under ISA 2000 - so your options may vary. For us it was in Extensions/Application Filters/HTTP Redirector Filter. This was set to send the requests out to the requested web server. Changing this back to Redirect to Local Web Proxy sorted it - but of course made the staff go through the ISA filter and onto the student proxy as well.
Hope this helps
Jonathan