The enemy within: Stop students from bypassing your defenses

The threat of the web

The web has replaced email as the primary entry point for malware into a network, with a brand new infected webpage discovered approximately every 4.5 seconds [1]. The majority of these are legitimate sites – government agencies, Google, MySpace, Facebook, the Cambridge Dictionary, BusinessWeek, and many more have all fallen victim to hackers. Clicking on such pages poses a multitude of risks to networks, including the loss of confidential information, virus and spyware infection and botnet recruitment.

Schools in the front line

K-12 schools are particularly at risk from web-delivered malware – and it is often introduced by the very people they need to protect: students. Not only are many children extremely technically skilled, but they have ample opportunity to work unobserved in internet-connected computer labs and libraries, which are used by hundreds of different students every day.

Unlike corporate environments, where adult users have jobs, salaries and reputations to worry about, K-12 students often don’t know or don’t care about the consequences of their actions for the school network. Bypassing network controls to access restricted websites is usually just considered an entertaining challenge, or a way to burnish an anti-establishment image. However, in addition to ensuring their own network security, schools are held responsible by parents and by state and federal laws – such as the Children’s Internet Protection Act (CIPA) – for protecting young, impressionable minds from web predators and harmful content. One example of a student bypassing a school’s web filters involved an eighth grader in Texas who downloaded pornography during a study group [2].

Bypassing web filters

Students across North America are increasingly turning to anonymizing proxies to bypass their school’s web filters to view pornography or access banned social networking sites. Anonymizing proxies are widespread, with several hundred new proxies published daily. Easy to access and difficult for traditional security software to detect, anonymizing proxies are web sites that trick an organization’s web filter into thinking the user is browsing legitimate content. The user visits the anonymizing site first and enters their intended URL, and the proxy then opens a portal to the student’s desired destination. Traditional web filters only identify the anonymizing proxy URL, not the destination URL, and as such often allow the request. In some cases, the student simply configures his or her web browser to point automatically to the anonymizing proxy, ensuring that all web activity is hidden.

Aside from disguising banned content, anonymizing proxies change constantly, with scores of new ones appearing daily. K-12 school IT administrators spend hours each week tracking down and blocking anonymizing proxies, significantly affecting resources and overheads.

Many web sites also offer daily updated lists of anonymizing proxies. A quick Google search will produce hundreds of anonymizing proxy sites. There are even video instructions on YouTube that show students how to construct one. It is also not difficult for computer-savvy students to set up their own anonymizing proxies at home, using one of the many free utilities available online.

Defeating anonymizing proxies

There are a number of ways that schools can complement their existing web filtering technology to identify and block anonymizing proxies:

• Reputation detection services
• Real-time proxy detection
• User education

Reputation detection services

Reputation detection services constantly track publicly known anonymizing proxy sites and the forums [3] that exchange their details. They are then able to update a school’s web filters – ideally every 15 minutes or faster – to ensure that the web gateway security solution stays ahead of the student grapevine. Reducing the amount of time an anonymizing proxy is available to students makes it much less convenient for them to track and use such services.

Real-time proxy detection

Some anonymizing proxies are kept a closely guarded secret, or built at home for the exclusive use of one person. Because their details are not shared they are immune to reputation detection services and must be tracked in real time.

Real-time detection monitors and analyzes all web requests and responses for signs that traffic is being routed through an anonymizing proxy. If one is detected, the request can be blocked. Signs that a student is using an anonymizing proxy include URL strings hidden within other URLs, and partially encrypted URLs. Real-time detection relies on strong decryption capabilities, as many proxies use encryption to hide their actions.
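An added example, not from the original paper or any vendor's product: a minimal check for the "URL strings hidden within other URLs" sign described above, covering destinations carried in plain, percent-encoded and base64 form. The function names, the sample hosts and the choice of encodings are assumptions; same-host redirects are ignored, and the gateway is assumed to have already decrypted the request.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

HOST = r"((?:[a-z0-9-]+\.)+[a-z]{2,})"
# A destination is a scheme-prefixed host or a bare "www." host.
EMBEDDED = re.compile(r"(?:https?://|(?=www\.))" + HOST, re.I)
# URL-safe base64 runs long enough to carry "http://" plus a hostname.
B64_RUN = re.compile(r"[A-Za-z0-9_+-]{16,}")


def _b64_texts(text):
    """Yield ASCII decodings of base64-looking runs found in text."""
    for run in B64_RUN.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            yield base64.urlsafe_b64decode(padded).decode("ascii")
        except ValueError:  # bad padding or non-text bytes: not a URL
            continue


def hidden_destinations(url):
    """Return sorted (encoding, host) pairs for foreign hosts embedded in url."""
    parts = urlsplit(url)
    outer = (parts.hostname or "").lower()
    raw = parts.path + "?" + parts.query
    text = unquote(unquote(raw))  # undo single and double percent-encoding
    layers = [("plain", raw), ("percent", text)]
    layers += [("base64", t) for t in _b64_texts(text)]
    seen, found = set(), []
    for encoding, layer in layers:
        for host in EMBEDDED.findall(layer):
            host = host.lower()
            if host != outer and host not in seen:  # skip same-site redirects
                seen.add(host)
                found.append((encoding, host))
    return sorted(found)


# Constructed sample requests; every host is a placeholder.
TOKEN = base64.urlsafe_b64encode(b"http://video.example/watch").decode()
SAMPLES = {
    "plain": "http://proxy.example/browse.php?u=http://games.example/play",
    "percent": "http://proxy.example/go?u=http%3A%2F%2Fchat.example%2Froom",
    "base64": "http://proxy.example/index.php?q=" + TOKEN,
    "same_site": "https://school.example/login?next=https://school.example/home",
    "benign": "https://library.example/catalog/search?title=networks",
}
```

A hit is one signal to score alongside reputation data, since legitimate redirectors and archive services also carry a second URL in the request.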

User education

User education is always a central pillar of enforcing a web acceptable use policy (AUP), and many schools require students and their parents to formally sign their acceptance of such policies and ensure that they are aware of the consequences of violating them. AUPs should always contain a clause forbidding the use of anonymizing proxies, and state that controls are in place to monitor and detect their use. Formal AUPs do deter many students from trying to get around the rules, particularly if that information is part of a memo sent to parents.

Many schools also run internet safety classes as part of their computer curriculum, which can be utilized to explain more fully the dangers of anonymizing proxies and the thinking behind the AUP.

Summary

Anonymizing proxies allow students to bypass their school’s web filters to access inappropriate and blocked content. Their large and ever-changing numbers and ease-of-use make them difficult to block, and schools can find themselves legally liable if minors are accessing pornography and other sites from within the network. However, reputation and real-time detection will identify and block anonymizing proxies, and user education will ensure that students and parents are aware of the risks in bypassing web filters.