Students' own laptops
We have let our students bring their own laptops into school and we have set them up to use the wireless network for Internet access (filtered) and access to their home folders.
This has not been a problem till recently, when they found Ultrasurf, which we cannot block. I can stop it on our domain computers but not on their laptops. Just now wondering what you guys do about this issue?
As we are a fee-paying school, just stopping them connecting is not a good idea. My only real thought is to capture the packets and ban the offenders; word will soon get around that we can find them. (Or my other plan is to cut off their fingers so they can't type.)
Sensible suggestions now very welcome
This software worked straight through RM's filtering here. Very scary.
Looking at the technology behind it, blocking it might be a tall order. Have you contacted your ISP to see what they are doing about it?
You might be able to chuck a transparent Linux box in between the local network and the LEA that filters out that app by its layer 4 characteristics:
PF: Packet Filtering
You may also be able to use your router if it is a higher-spec Cisco beast, as some of them can do higher-layer filtering.
Your only other option would be to find some software that can perform TCP RST attacks on identified traffic, like Comcast does to BitTorrent.
There's no real way to pre-empt this sort of behaviour without spending masses of time finding a solution (ours being Network Access Control). You can only digest logs and then disable offending users' accounts.
Yourfreedom and Ultrasurf are both anti-censorship, even if it harms children in schools.
Think I'll have to look into finding a block for this.
Stop DHCP from passing the default gateway out to clients. Job's a good'un.
The above method works with just about any proxy-bypassing method: Tor, Firefox Portable, etc.
Block outgoing on port 9666?
Tried blocking it by port and by the URL it calls when connecting, http://ultra1/ultra.htm. But it's far cleverer than that and changes ports and URLs. It's a very clever bit of software made to get round the Chinese government restrictions, and the government haven't been able to stop it yet.
I doubt you will be able to block it. Some students were using it on our WAN; Websense detected it uses over 15,000 IP addresses and it makes a tunnel using port 443. The only way would be to block port 443, but then they can't use HTTPS.
Personally I would kick them off the Wi-Fi; it seems the only viable option.
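Two posts above describe the workable approach when the client itself can't be blocked: digest the proxy logs and disable offending accounts, and the observation that the tool tunnels over port 443 across a very large pool of IP addresses. As an added example (not from this thread or any poster), here is a Python script that turns that observation into a log check. It assumes Squid's native access.log format with authenticated usernames; the log lines, users and addresses are constructed for the demo.

```python
"""Pick out proxy users whose HTTPS CONNECT pattern looks like a tunnelling
client: many distinct bare-IP destinations on port 443 in a short window.
Added example (not from the thread); assumes Squid's native access.log
format with a username in the auth field.
"""
from collections import defaultdict
import ipaddress
import re

# Squid native format: ts elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$"
)

# Constructed sample: a teacher doing ordinary browsing and one student laptop
# hopping across 25 different IP literals on 443 inside half a minute.
SAMPLE_LOG = [
    "1700000000.000    120 10.20.0.15 TCP_TUNNEL/200 5120 CONNECT mail.example.org:443 teacher1 HIER_DIRECT/203.0.113.9 -",
    "1700000005.000     90 10.20.0.15 TCP_TUNNEL/200 2048 CONNECT 203.0.113.9:443 teacher1 HIER_DIRECT/203.0.113.9 -",
    "1700000010.000     40 10.20.0.15 TCP_MISS/200 1024 GET http://www.example.org/ teacher1 HIER_DIRECT/203.0.113.10 text/html",
] + [
    f"17000001{i:02d}.000     30 10.20.0.77 TCP_TUNNEL/200 600 CONNECT 198.51.100.{i}:443 student1 HIER_DIRECT/198.51.100.{i} -"
    for i in range(1, 26)
]


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, _, port = m.group("url").rpartition(":")
    return {
        "ts": float(m.group("ts")),
        "user": m.group("user"),
        "method": m.group("method"),
        "host": host.strip("[]"),  # drop IPv6 brackets
        "port": port,
    }


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_tunnel_users(lines, window_seconds=300, threshold=20):
    """Return {user: peak_distinct_ips} for users whose CONNECTs to bare-IP
    hosts on 443 touch at least `threshold` distinct IPs within any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT" or rec["port"] != "443":
            continue
        if not is_ip_literal(rec["host"]):
            continue  # CONNECT to a hostname: ordinary HTTPS browsing
        events[rec["user"]].append((rec["ts"], rec["host"]))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        counts = {}  # ip -> occurrences inside the current window
        start = 0
        peak = 0
        for ts, ip in evs:
            counts[ip] = counts.get(ip, 0) + 1
            # slide the window start forward past events older than window_seconds
            while evs[start][0] < ts - window_seconds:
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, n in flag_tunnel_users(SAMPLE_LOG).items():
        print(f"{user}: {n} distinct bare-IP CONNECT targets on 443 within 5 minutes")
```

The threshold and window are the knobs to tune against your own logs: a normal browser CONNECTs to hostnames, and the odd CDN or software updater that uses a bare IP stays well under twenty distinct addresses in five minutes, whereas a client hopping through thousands of relay IPs blows past it quickly. Treat a hit as a lead to review, which is the "digest logs, then disable the account" workflow above, not as an automatic ban.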
It *is* possible to block ultrasurf.
Currently, we have to enforce fairly draconian rules to do so with our filter platform, although new features being released next month will allow us to block ultrasurf with minimal impact on other services.
Edit: sparky: your method is harsh, but makes for a very secure network. As long as all traffic is proxied you don't really need a gateway. Confuses the hell out of most malware.
Yep, and it's a PITA on occasion when you need to enter the default gateway in order to register some software, Sibelius for example. But if you are that bothered you could always make a logon/logoff script to add and remove it for admins.
Originally Posted by tom_newton
The above is a very small price to pay for the benefit of the kids not even trying to use software to bypass the proxy, or "hack" the network, as I have taken away their main reason to be "hacking".
We had this problem with the gateway when students were using Firefox Portable. We removed the gateway from the DHCP scope; teachers needed the gateway for some software, so we just created separate reservations for teacher laptops and added the gateway manually. Takes a bit more time, but at least you know who can access what.
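The setup in the post above (no gateway in the student scope, reservations with a gateway for teacher laptops) is easy to get wrong later, for example when someone adds a global "option routers" that every scope then inherits. As an added example, not from this thread or any poster, here is a small Python audit that parses an ISC dhcpd.conf-style file and reports which subnet and host blocks hand out a default gateway. The config text, subnets and MAC addresses are constructed; the parser assumes flat (non-nested) blocks.

```python
"""Audit which DHCP scopes and reservations hand out a default gateway.
Added example; parses a constructed ISC dhcpd.conf-style text and assumes
blocks are not nested (no pool {} inside subnet {}).
"""
import re

# Constructed config in the layout the post describes: staff scope with a
# gateway, student scope without one, and a teacher reservation that gets it.
SAMPLE_DHCPD_CONF = """
option domain-name-servers 10.30.0.2;

subnet 10.10.0.0 netmask 255.255.255.0 {
  range 10.10.0.50 10.10.0.250;
  option routers 10.10.0.1;
}

subnet 10.20.0.0 netmask 255.255.255.0 {
  range 10.20.0.100 10.20.0.250;
  # deliberately no "option routers" here: student laptops get no gateway
}

host teacher-laptop-01 {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 10.20.0.10;
  option routers 10.20.0.1;
}

host student-laptop-99 {
  hardware ethernet 00:11:22:33:44:66;
  fixed-address 10.20.0.99;
}
"""

# header text up to "{", then a brace-free body
BLOCK_RE = re.compile(r"(?P<header>[^{};]+?)\s*\{(?P<body>[^{}]*)\}", re.S)


def strip_comments(text):
    return re.sub(r"#.*", "", text)


def parse_blocks(text):
    """Return [(normalised header, [statements])] for each top-level block."""
    blocks = []
    for m in BLOCK_RE.finditer(strip_comments(text)):
        header = " ".join(m.group("header").split())
        stmts = [" ".join(s.split()) for s in m.group("body").split(";") if s.strip()]
        blocks.append((header, stmts))
    return blocks


def global_statements(text):
    """Statements outside any block; options here are inherited by every scope."""
    rest = BLOCK_RE.sub("", strip_comments(text))
    return [" ".join(s.split()) for s in rest.split(";") if s.strip()]


def _routers(stmts):
    gw = None
    for s in stmts:
        if s.startswith("option routers "):
            gw = s[len("option routers "):]
    return gw


def gateway_audit(conf):
    """Map each subnet/host block to the gateway it would hand out (None = withheld)."""
    inherited = _routers(global_statements(conf))
    result = {}
    for header, stmts in parse_blocks(conf):
        if header.startswith(("subnet ", "host ")):
            gw = _routers(stmts)
            result[header] = gw if gw is not None else inherited
    return result


def scopes_without_gateway(conf):
    return sorted(h for h, gw in gateway_audit(conf).items()
                  if h.startswith("subnet ") and gw is None)


if __name__ == "__main__":
    for header, gw in gateway_audit(SAMPLE_DHCPD_CONF).items():
        print(f"{header}: {gw or 'no default gateway'}")
```

Run it over your real dhcpd.conf after every change to the scope: the student subnet should keep coming back as "no default gateway", and a global "option routers" line shows up immediately as a gateway silently reappearing on that scope.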
Taking the gateway out stops the laptops connecting to any other VLAN, so they get no access to any other resource on other VLANs. So yes, it does stop Ultrasurf, but you might as well change the security key on the access point so only teachers can use wireless. Back to the drawing board.
You could still do this by removing the default gateway from your core router's routing table, the one that routes between your VLANs. This would still allow all of your internal traffic to be routed properly, but any address that was not internal to your network would be unreachable directly. To get access to these addresses you would need to go through the proxy server. The proxy should ideally be the only computer with direct access to the external link so that it can act as a gatekeeper.
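To make the reasoning in the post above concrete: the core router keeps a route for every internal VLAN prefix but no 0.0.0.0/0, so inter-VLAN traffic is still routed while anything external has no matching route and is dropped; only the proxy host has a route out. Here is an added illustration in Python (not a vendor configuration and not from this thread) that models those two routing tables with longest-prefix matching. All prefixes, VLAN names and next hops are constructed.

```python
"""Model of the 'no default route on the core' design from the thread.
Added illustration; all prefixes, VLAN names and next hops are constructed.
"""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # list of (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match; None when no route covers dst."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, hop) for net, hop in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def has_default_route(self):
        return any(net.prefixlen == 0 for net, _ in self.routes)


# Constructed core router table: one route per VLAN, deliberately no 0.0.0.0/0.
CORE = RoutingTable()
CORE.add("10.10.0.0/24", "vlan10-staff")
CORE.add("10.20.0.0/24", "vlan20-student-laptops")
CORE.add("10.30.0.0/24", "vlan30-servers")

# Constructed proxy host table: it alone has a default route via the external
# firewall, plus the internal aggregate back through the core router.
PROXY = RoutingTable()
PROXY.add("10.0.0.0/8", "10.30.0.1")        # core router
PROXY.add("0.0.0.0/0", "firewall-external")  # the only way out


def classify(dst):
    """How a student laptop on vlan20 can reach dst under this design."""
    if CORE.lookup(dst) is not None:
        return "internal: routed by core"
    if PROXY.lookup(dst) == "firewall-external":
        return "external: only via proxy"
    return "unreachable"


if __name__ == "__main__":
    for dst in ("10.10.0.7", "10.30.0.5", "198.51.100.4"):
        print(dst, "->", classify(dst))
```

The check worth keeping from this is has_default_route(): an audit of the core's real table should come back False, and if it ever flips to True the "proxy as gatekeeper" property is gone even though nothing else looks different.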
Originally Posted by imiddleton25