Educause Security Discussion mailing list archives

Re: Blocking Proxy/HTTP Tunneling servers


From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 7 Feb 2006 13:33:32 -0600

They'll try to work
around the OS by using Knoppix or TRB, so disable booting
from external and removable media. They'll try to enable
booting from their CD or iPod, so set a BIOS password and put
a lock on the case. Et cetera. Just don't underestimate their
abilities if you have really determined students.

Yup!

Don't forget blocking physical access to the Ethernet jacks
if they bring in their own handhelds.  And hopefully you don't
have unauthenticated wireless.

And re an earlier thread, they might install VMware Player
and set up a virtual machine that uses a different MAC, again
bypassing your controls.  Another place where locking down
the switch ports to a single MAC is worth considering.

802.1X is probably the way to go.

By the way, no one has mentioned yet that content filtering
on SSL web pages doesn't work and never will, unless you break
your security completely and have each client trust a private
certificate which is also used by the proxy.  The only fallback
you have there is IP blocking of known proxies.

I agree with an earlier sentiment that it's better to handle
this by only implementing cursory controls at the technology
level but strongly enforced controls at the policy level.  Does
need good detection to catch them though, so you still have
half of the same problems.

G
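
An added example, not part of the original message: one way to detect the virtual-machine case described above is to audit the switch's MAC table for access ports that show more than one MAC or a VMware-registered OUI. The table layout, port names and function names are assumptions, and the sample rows are constructed.

```python
import re
from collections import defaultdict

# OUI prefixes registered to VMware.
VMWARE_OUIS = {"000c29", "005056", "000569"}

# Constructed sample rows: VLAN, MAC, entry type, switch port (assumed layout).
SAMPLE_TABLE = """\
  10    0011.2233.4455    DYNAMIC    Gi1/0/1
  10    0011.2233.4466    DYNAMIC    Gi1/0/2
  10    000c.29ab.cdef    DYNAMIC    Gi1/0/2
  10    0011.2233.4477    DYNAMIC    Gi1/0/3
  10    0050.56c0.0008    DYNAMIC    Gi1/0/4
  20    0011.2233.4488    DYNAMIC    Gi1/0/24
  20    0011.2233.4499    DYNAMIC    Gi1/0/24
"""

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]{12,17})\s+(\w+)\s+(\S+)\s*$")

def macs_by_port(table_text):
    """Map each port to the set of normalized (separator-free, lowercase) MACs."""
    ports = defaultdict(set)
    for line in table_text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(4)].add(re.sub(r"[^0-9a-f]", "", m.group(2).lower()))
    return ports

def find_violations(table_text, uplinks=(), max_macs=1):
    """Return {port: [reasons]} for access ports breaking the one-MAC rule."""
    findings = {}
    for port, macs in macs_by_port(table_text).items():
        if port in uplinks:
            continue  # uplinks and trunks legitimately carry many MACs
        reasons = []
        if len(macs) > max_macs:
            reasons.append(f"{len(macs)} MACs seen (limit {max_macs})")
        vm = sorted(m for m in macs if m[:6] in VMWARE_OUIS)
        if vm:
            reasons.append("VMware OUI: " + ", ".join(vm))
        if reasons:
            findings[port] = reasons
    return findings

if __name__ == "__main__":
    for port, why in sorted(find_violations(SAMPLE_TABLE, {"Gi1/0/24"}).items()):
        print(port, "->", "; ".join(why))
```

The OUI match is only a hint, since a guest's MAC address can be set to any value; the per-port MAC count is the stronger signal.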
