Re: Blocking Proxy/HTTP Tunneliing servers

["David P. Allen" <allendp () PLU EDU>]

I can say that after deploying the N2H2 solution a couple of times in
the last few years it also works pretty well. I'm involved in a
triennial event involving a high school youth gathering with about
45,000 attendees split in two groups over 2 week long sessions. We
deploy upwards of 600+ systems in a major convention center used by a
variety of attendees for everything from general e-mail/web access to
event specific tasks. The N2H2 folks have been nice enough to "loan" us
the use of their solution for this that last two times (2003 & 2000).
While the kids didn't have a lot of time to try getting around it we
generally found the system handled this onslaught quite well.

We are preparing for our next event now and I'll be reviewing our
options with N2H2/Bess (now called SmartFilter) & others over the next
couple of months so this is helpful for me as well.

John Nunnally wrote:
> Hi Justin
> To do centralized filtering – which is really the only way to go - you are
> probably going to have to spend some money.  The commercial solution that
> really does a good job is Websense. (www.websense.com). We use it at
> Harding.
>
> There is an appliance sold by “8e6” (www.8e6.com), but I have no experience
> with it.
>
> Another product called N2H2 is sold by Secure Computing
> (www.securecomputing.com).  It has been used by the state of Arkansas to do
> some filtering for their k-12 clients and others.  They actually sell two
> products.  The K-12 version is called “Bess” and the more extensive product
> is called “Sentian”.  That’s about all I know.
>
> Cyberpatrol has a centralized solution as well but their database filtered
> only about 70% of the objectionable sites when we used it about 5 years
> back.  They may have improved.
>
> Software solutions like Websense require an interaction with a firewall to
> implement their filtering.  We use Cisco Pix with Websense.
>
> For K-12, there are also products out there that work the opposite of
> filters.  They provide a database of sites that have been researched and
> OK'ed for use and block everything else.  I don't have any experience with
> these products but it sounds like a good idea for some applications.
>
> John Nunnally
> Harding University
>
>
> ________________________________________
> From: Justin Dover [mailto:dover () HARPETHHALL ORG]
> Sent: Monday, February 06, 2006 11:57 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Blocking Proxy/HTTP Tunneliing servers
>
> The EDUCAUSE Security Discussion Group Listserv
> <SECURITY () LISTSERV EDUCAUSE EDU> on Monday, February 06, 2006 at 11:53 AM
> -0600 wrote:
> You know all the usual suspects - cybersitter,
> cyber patrol, surfwatch, netnanny etc...
>
> I think these are all clients that must be installed on each user's machine.
>  I am looking for a global solution that installs at the perimeter of the
> network.  A few ideas of course are proxy servers/content filtering services
> like Websense.  I do agree with maintaining my own list of "bad" ips is a
> losing battle.
>
> Justin Dover
> Harpeth Hall School
> 615-346-0082


--
David P. Allen
Asst. Dir., Network & Communication Systems
Pacific Lutheran University

{ (253) 535-7524          | "...one of the main causes of the fall of  }
{ allendp () PLU edu         |  Rome was that, lacking zero, they had no  }
{ www.plu.edu/~allendp    |  way to indicate successful termination of }
{                         |  their C programs."         --Robert Firth }