Preventing Proxy Abuse in Schools

Technology White Paper
Shadow Sur! ng - Preventing Proxy Abuse
in Schools
What are Anonymous Proxies? Circumventors, shadow sur! ng, anonymizers, proxy avoidance - call them what you will, anonymous proxies have been with us for about as long as we've been ! ltering the web.
What they provide is simple - online anonymity. This may be a lifeline for political dissidents in countries where censorship is a problem but it is also a major problem for educational establishments and organizations who need to safely control and monitor their users' web access.
In basic terms, anonymous proxies are simply proxy servers - they pass users' web requests onto other servers on the Internet. They help students to sidestep school security by allowing them to browse secretly through them - and view banned online content within them - without disclosing the URLs they visit to ! ltering products.
Why is Proxy Abuse a Problem? There are now millions of proxies in existence with miscreants changing URLs and developing new ones far faster than security vendors can hope to block them.
The proliferation of proxies is already well beyond the control of URL based ! ltering products and although keyword-based ! lters will catch sites with 'proxy' in the title, most have legitimate-sounding names like examstudies.com.
It only takes one proxy to put a gaping hole in your network security. Using a web ! ltering solution that doesn't block proxies is the equivalent of putting a big bolt on your front door but leaving the back door wide open.
How do students know/! nd out about As with most things, the ! rst port of call is the web. Try entering "unblock myspace" proxies? into Google - the results run to hundreds of thousands of sites, all o" ering the same thing - anonymous browsing. Technology White Paper
Preventing Proxy Abuse in Schools
'Backdoor' URLs are passed quickly from student to student with some proxy sites even o" ering to send daily updates on the newest and hottest proxy sites via email or text message.
There are also plenty of step by step videos on YouTube showing students how they can use proxy tools to bypass school ! lters. These are the very skills that we don't want our children to learn in school - digital lockpicking and worldwide web breaking and entering.
Di" erent types of proxy and how to Web-based Proxiesdefend against them: Web-based proxies work entirely through a web browser and use server-side soft-ware such as CGIProxy, Glype, PHProxy and other custom scripts. All students need do to use these sites to surf anonymously is enter the web addresses they wish to browse to in the box provided (usually on the home page).
URL or keyword-based ! lters may block some of these but the only way to reliably prevent access is to employ an intelligent ! lter that is capable of detecting - and accurately blocking the characteristic signatures or patterns of proxies, as SmoothWall's School Guardian web ! lter does (see below diagrams).
Open ProxiesThese are HTTP or SOCKS proxy servers that are open and accessible via the Internet. Most require users to recon! gure their browser settings to use them and so can be easily blocked with simple ! rewall rules. These rules can also prevent the use of Firefox or other browsers via USB sticks and other portable data storage devices.
Secure/SSL Proxies
SSL proxies use HTTPS connections which allow users to secretly view illicit material (including media ! les) within a secure tunnel where content is encrypted. URLs visited via SSL proxies don't appear on logs and so IT sta" are often unaware of the extent of their problems with the secure variety of these proxy pests.
URL and keyword based ! lters are an utterly futile defense against SSL proxies. Even some so-called 'third-generation' ! lters aren't intelligent enough to provide proper protection. Some o" er the option of blanket blocks on all HTTPS tra# c - but this is far from practical since secure transactions often need to be made in the daily business of running a school. A whitelist of authorized HTTPS sites is a better option but will still result in over-blocking complaints, due to the sheer number of sites now using SSL encryption. To accurately defend against SSL proxies, ! lters need to be capable of inspecting and validating SSL certi! cates (few proxies have valid ones) and... [download for more]