Wireless Networks Thread, Students own laptops in Technical
  1. #1


    Students own laptops

    We have let our students bring their own laptops into school and we have set them up to use the wireless network for Internet access (filtered) and access to their home folders.
    This has not been a problem till recently, when they found Ultrasurf, which we cannot block. I can stop it on our domain computers but not on their laptops. Just now wondering what you guys do about this issue?
    As we are a fee-paying school, just stopping them connecting is not a good idea. My only real thought is to capture the packets and ban the offenders; word will soon get around that we can find them. (Or my other plan is to cut off their fingers so they can't type.)


    Sensible suggestions now very welcome

  2. #2
    ICT_GUY's Avatar
    This software worked straight through RM's filtering here. Very scary.

  3. #3
    ICT_GUY's Avatar
    Looking at the technology behind it, blocking it might be a tall order. Have you contacted your ISP to see what they are doing about it?

  4. #4

    SYNACK's Avatar
    You might be able to chuck a transparent Linux box in between the local network and the LEA that filters out that app by its layer 4 characteristics:

    PF: Packet Filtering

    You may also be able to use your router if it is a higher-spec Cisco beast, as some of them can do higher-layer filtering.

    Your only other option would be to find some software that can perform TCP RST attacks on identified traffic, like Comcast does to BitTorrent.
    Last edited by SYNACK; 19th June 2008 at 12:01 PM.

  5. #5
    ahuxham's Avatar
    There's no real way to pre-empt this sort of behavior without spending masses of time finding a solution (ours being Network Access Control). You can only digest logs and then disable offending users' accounts.

    Yourfreedom and Ultrasurf are both anti-censorship, even if it harms children in schools.

  6. #6
    wesleyw's Avatar
    Think I'll have to look into finding a block for this.

    Wes
    Last edited by wesleyw; 19th June 2008 at 12:25 PM.

  7. #7


    Stop DHCP from passing the default gateway out to clients. Job's a good'un.


    The above method works with just about any proxy bypassing method; Tor, Firefox portable, etc
    Last edited by j17sparky; 19th June 2008 at 12:48 PM.

  8. #8

    RabbieBurns's Avatar
    block outgoing on port 9666?

  9. #9


    blocked

    Tried blocking it by port, by the URL it calls when connecting, http://ultra1/ultra.htm. But it's far cleverer than that and changes ports and URLs. It's a very clever bit of software made to get round the Chinese government restrictions, and the government haven't been able to stop it yet.

  10. #10

    FN-GM's Avatar
    I doubt you will be able to block it. Some students were using it on our WAN. Websense detected it uses over 15,000 IP addresses and it makes a tunnel using port 443. The only way would be to block port 443, but then they can't use HTTPS.

    Personally I would kick them off the WIFI; it seems the only viable option.

  11. #11


    tom_newton's Avatar
    It *is* possible to block ultrasurf.
    Currently, we have to enforce fairly draconian rules to do so with our filter platform, although new features being released next month will allow us to block ultrasurf with minimal impact on other services.

    Edit: sparky: your method is harsh, but makes for a very secure network. As long as all traffic is proxied you don't really need a gateway. Confuses the hell out of most malware.

  12. #12


    Quote Originally Posted by tom_newton View Post
    Edit: sparky: your method is harsh, but makes for a very secure network. As long as all traffic is proxied you don't really need a gateway. Confuses the hell out of most malware.
    Yep, and it's a PITA on occasion when you need to enter the default gateway in order to register some software, Sibelius for example. But if you are that bothered you could always make a logon/logoff script to add and remove it for admins.

    The above is a very small price to pay for the benefit of the kids not even trying to use software to bypass the proxy, or "hack" the network, as I have taken away their main reason to be "hacking".

  13. #13
    tomscaper's Avatar
    We had this problem with the gateway when students were using Firefox Portable. We removed the gateway from the DHCP scope. Teachers needed the gateway for some software, so we just created separate reservations for teacher laptops and added the gateway manually. Takes a bit more time but at least you know who can access what.

  14. #14


    dhcp

    Taking the gateway out stops the laptops connecting to any other VLAN, so they get no access to any other resource on other VLANs. So yes, it does stop Ultrasurf, but we might as well change the security key on the access point so only teachers can use wireless. Back to the drawing board.

  15. #15

    SYNACK's Avatar
    Quote Originally Posted by imiddleton25 View Post
    Taking the gateway out stops the laptops connecting to any other VLAN, so they get no access to any other resource on other VLANs. So yes, it does stop Ultrasurf, but we might as well change the security key on the access point so only teachers can use wireless. Back to the drawing board.
    You could still do this by removing the default gateway from your core router's routing table, the one that routes between your VLANs. This would still allow all of your internal traffic to be routed properly, but any address that was not internal to your network would be unreachable directly. To get access to these addresses you would need to go through the proxy server. The proxy should ideally be the only computer with direct access to the external link so that it can act as a gatekeeper.
    Last edited by SYNACK; 20th June 2008 at 09:58 AM.
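
An added example (not part of any post in the thread) that audits a core router's routing table for the design described in post #15: inter-VLAN routes stay, the default route goes, so external addresses are only reachable through the proxy. The VLAN prefixes, interface names, proxy address and next hop are constructed sample values, and the proxy is assumed to have its own separate path to the external link.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def audit(table, internal_hosts, external_hosts):
    """Return a list of findings; an empty list means the design holds."""
    findings = []
    for prefix, hop in table:
        # A /0 prefix matches every address, i.e. it is a default route.
        if ipaddress.ip_network(prefix).prefixlen == 0:
            findings.append(f"default route present via {hop}")
    for host in internal_hosts:
        # Internal traffic (home folders, proxy) must still route between VLANs.
        if lookup(table, host) is None:
            findings.append(f"internal host {host} is unroutable")
    for host in external_hosts:
        # External addresses must not be directly reachable from client VLANs.
        hop = lookup(table, host)
        if hop is not None:
            findings.append(f"external host {host} reachable via {hop}")
    return findings

# Constructed sample data: three VLANs routed by the core router.
VLAN_ROUTES = [
    ("10.10.0.0/16", "vlan10-students"),
    ("10.20.0.0/16", "vlan20-staff"),
    ("10.30.0.0/24", "vlan30-servers"),
]
BEFORE = VLAN_ROUTES + [("0.0.0.0/0", "192.0.2.1")]   # default route still present
AFTER = list(VLAN_ROUTES)                              # default route removed
INTERNAL = ["10.10.5.20", "10.20.1.7", "10.30.0.10"]   # 10.30.0.10 = proxy (assumed)
EXTERNAL = ["198.51.100.25", "203.0.113.80"]           # documentation-range stand-ins

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(table, INTERNAL, EXTERNAL) or "OK")
```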
