Best way to block Proxy Avoidance sites

[ESCMitch]

I work for a County Office of Education and have a proxy server that is used for the entire county but we have a problem with individual districts in that kids in the class room are going to proxy circumventor sites or hosting their own and bypassing our proxy. Users are required to go through our proxy for web browsing to work so we can block these sites once we find out about them. I am looking to be preventative and not reactive.

My question is that at the school sites that we need to stop students from accessing proxy avoidance sites and want to restrict web browsing, what is the best way to do that? I want to try and avoid my techs that manage these sites from micromanaging and I don’t want to have conflicts with my existing proxy server. Any suggestions or ideas are welcome. Thanks.


Nick Mitchell
MCSE, MCSA, CCNA

 

[sleipnir214]

I am in exactly the same boat as you.

I am in the IT department for a parish [I'm in Louisiana...think "county"] public school system, and I have fought a long battle with the Little Darlings over proxy sites.

Our general solution was to install and maintain a content filter. The content filter vendor maintains a large database of content categories and updates those categories every day. Although we have to tweak blocked content daily, it doesn't take up all that much time.

The trick that really cracked down on proxy servers was to disallow all content that was not on the content filter database -- that's the quickest way to kill proxy servers the students set up at home.



Want the best answers? Ask the best questions! TANSTAAFL!

 

[Grenage]

If the proxy server is being bypassed, is it not possible to reject any outbound traffic at the gateway when the source is not the proxy server?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

 

[ESCMitch]

That is true...and that is how I have it set now.

The problem is that they are using our proxy filter to get to homemade circumventor sites so the IP is still our IP and our filtering program doesn’t have a category for these site because they are to no relevance to them.


Nick Mitchell
MCSE, MCSA, CCNA

 

[sleipnir214]

What is your content filter's default policy for unknown sites? If it's "pass", you'll never come close to closing all of them.

On my school system's network, it was only after setting the defaul policy to "fail" that I began to get traction against the anonymous relay sites. Relay sites appear on the internet like mushrooms.



Want the best answers? Ask the best questions! TANSTAAFL!

 

[Glenn9999]

Yeah I think there was actually an article about this on MSN somewhere recently...

They can just set up proxies on their home PCs...

About all you can do is block all traffic to servers in the same county/town/etc as you.

 

[anthonymeluso]

I work for a mid size school in NJ and use ISA Server 2004. I currently don't use content filtering software. Instead I just scan through the reports the server generates each day. The sites that get the most volume will appear on top. I just scan through this list every day. It takes about 10 min tops. If I find something inappropriate, it gets blocked.

However they too are now using proxy websites to get to blocked sites. What I'm currently doing right now is just searching for the word "proxy" in a 24 hour period and blocking those sites. Its tedious at first, but now I have around 500 of the most popular proxy sites blocked.

Some psychology plays into this too. One day the kid has access to the proxy site, the next day he doesn't. They get discouraged and know that Big Brother is always watching.