Small high school. Need help with students bypassing proxy server on Chromebooks

We are a small high school that just started using a proxy server to restrict websites. Previously, we used DNS, but Chromebooks make it way too easy to bypass the DNS settings given by DHCP. Now, we have SquidGuard running on an EdgeRouter Lite that is working flawlessly, minus the whole bypass part. The proxy settings are enforced administratively, so a user can’t just turn it off. Instead, the students have discovered that certain apps change the proxy settings, or they can get on proxy websites and access whatever they want. Is there a way, short of blocking every site we find and denying the install of every app and extension we find, that can filter the internet only for students and leave the staff open to whatever they want? (I think a VLAN setup may be what I’m looking for, but I don’t even know where to begin.)

Edit: OK, I’m really behind on thanking all of you for your help. Basically what we have are students on their own subnet (the same subnet also doubles as DHCP), and the teachers are on two different subnets (which are all static IPs). We want to leave the teachers unfiltered and with a direct connection to the internet. Students need to be filtered through a proxy server or OpenDNS or both. It looks like setting up VLANs is our best bet right now to accomplish what we need.

Thank you all for your help. I think that we’ll be able to get this all figured out, and if not, I’ll be back with even more questions. Thank you all again.

This reminds me of a situation years and years ago. Basically a manager of a customer-facing team was getting fed up with his employees screwing around when they should be helping customers. Said manager literally gave me a list of 200+ URLs to block. I went ahead and did it, because why not?

Fast forward 1 week later, said manager then provided me with 7 or 8 proxy sites that needed to be blocked. Blocking the URLs did not deter the behavior; the employees just found ways around it.

So what worked? I walked over to HR and told them about the situation. I got the OK to send a company-wide email saying “We can see who is logged into the computer, we can see what websites they go to, we can see what time they went to them and we know if they are finding ways around blocks. Any employee caught going to a proxy site will be immediately terminated. Any employee viewing porn will be immediately terminated. Going to personal websites when on shift will result in disciplinary action, up to and including termination.”

Guess what problem the manager no longer had?

Configure your proxy to run in transparent mode. This way it doesn’t matter whether the client has a proxy configured or not; as long as they use your network, the traffic will pass through your proxy and your ruleset will be enforced.

Next thing is to verify your ruleset. For example, allowing Google Translate will make it possible for the client to visit other sites through Google Translate (since the client speaks to the Google Translate servers and not the actual site being visited through Google Translate).

First off, if you’re going to filter by DNS you should block all client DNS traffic except to the DNS servers you want used. This will avoid the “bypass the DNS settings” problem because DNS won’t work if they change the server. I don’t recommend NATing DNS as others have suggested, since that will limit you to a single DNS server.

If you want to do proxy-based filtering then the same applies in terms of either creating a transparent proxy or locking down network access to only the proxy server. The problem with a transparent proxy server is HTTPS filtering, which is still a lot of work to do correctly and not something that your EdgeRouter will do at all. So if you have the option to force client configuration then I’d say stick with configuring a proxy server on the client. This will at least allow you to filter HTTPS by the requested hostname.

To be honest if you have more than a handful of clients I don’t recommend running the web proxy service on the EdgeRouter at all. The box is simply not designed for that and it will introduce major performance issues.

In terms of filtering teachers and students differently:

  1. You should have teachers and students using separate networks (VLANs). Managed switches are cheap now (especially now with the EdgeSwitch) so there’s no excuse to not have VLANs on your network.
  2. Alternatively you can create multiple proxy servers (one for students and one for teachers) if you don’t have a reliable way of controlling what IP students vs. teachers will get (yuck).

Your best bet would be to create a student VLAN and a teacher VLAN. NAT each network to a different IP address and point clients to OpenDNS. On OpenDNS you can set the filter by source IP so that the student NAT IP gets the strict policy and the teacher NAT IP is relatively open (but still filters malware etc.).

That said, today’s students aren’t dumb. They will find a way around almost anything you put in place in terms of filtering, usually trying these steps:

  1. DNS filtering? Use Google Public DNS
  2. DNS blocked or transparent proxy? Use a VPN service or a proxy website that isn’t blocked.
  3. VPN service ports blocked? Use a VPN that runs on TCP 443.

If you really want to lock stuff down then your best bet is to:

  1. Use a proxy server (e.g. Squid) that’s configured on the client (i.e. not transparent)
  2. Maintain an internal DNS server as well.
  3. Don’t NAT the private network / filter all traffic so the proxy is the only option for external connectivity.

This will restrict any application that isn’t HTTP, HTTPS, or FTP and using your proxy server. The proxy server will also break VPN applications that try to use the HTTPS port (TCP 443) hoping to sneak through.

For the best experience you should configure the proxy server on client systems, but to have something a little more automatic you can also use the proxy discovery and auto-configuration methods supported by most clients. This generally involves using WPAD by creating a wpad.domain.com DNS entry that points to a web server hosting a Proxy Auto-Configuration (PAC) script at the URL http://wpad.domain.com/wpad.dat. The domain.com you use should be the search domain handed out by your DHCP server, and the wpad.dat file should be a PAC script pointing to the proxy server. This works fairly well but does have the problem of sometimes being “sticky” once learned, even if a client changes network (sometimes requiring a reboot to clear). It would be nice if DHCP proxy configuration were more widely supported, but it’s not, so DNS discovery is your best bet.

Of course, going this route is pretty much full lock-down mode and also means you’ll be breaking any application that isn’t normal HTTP, HTTPS, or DNS. You’ll want to host an NTP server to point clients to so their time stays in sync. So if you have application requirements like Google Hangouts or Skype etc., then those would be broken, which would likely be a problem in a modern classroom.

I still say just go with DNS filtering and lock down TCP and UDP port 53 (DNS) to only valid servers.
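The WPAD/PAC setup described in the answer above, as an added example (not code from the thread): a minimal wpad.dat for a student VLAN. The proxy name proxy.school.lan:3128, the internal domain .school.lan and the 10.20.0.0/16 range are assumptions; the three helper functions are small stand-ins for the ones a browser supplies, defined here only so the script can be exercised outside a browser.

```javascript
// Stand-ins for the PAC helper functions a browser normally provides.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isInNet(ipLiteral, net, mask) {
  // Literal IPv4 only; a browser's isInNet would resolve a hostname first.
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ipLiteral)) return false;
  const toInt = s => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  return (toInt(ipLiteral) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Assumed values: filtering proxy and the school's internal LAN.
const PROXY = "PROXY proxy.school.lan:3128";
const INTERNAL_DOMAIN = ".school.lan";

function FindProxyForURL(url, host) {
  // Internal names and addresses never leave the building: go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  if (isInNet(host, "10.20.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes through the filtering proxy. Deliberately no
  // "; DIRECT" fallback: if the proxy is down the client fails closed
  // instead of silently bypassing the filter.
  return PROXY;
}
```

The fail-closed return matters only if the network also refuses direct egress from the student VLAN (the "don't NAT the private network" step above); otherwise a client that ignores the PAC still gets out.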

Separate VLANs for staff and students.

Student VLAN:

  • OpenDNS with DNAT to force all DNS through it, no matter what the client specifies. Configure policies online accordingly.
  • Squid as a transparent proxy for your web traffic. Configure allowed content accordingly.
  • Firewall rules! If you upgrade to the latest firmware, 1.8, you can use traffic analysis to disallow certain traffic types, e.g. maybe drop everything except web traffic to stop VPN, SSH tunneling etc.

Note that if they wrap stuff inside SSL you’re probably still screwed but you’ve locked down most common ways of bypassing.

You’ll get good advice over on the ubnt forums.

From my experience, it’s best to hard-force the traffic to your proxy via ACLs and VLANs. Simply put: a deny any any on the VLAN ACL and forcing the specific VLAN-tagged traffic through the proxy. That way you should be able to achieve your goal without going for DPI and other resource-intensive applications.

You may be able to get away with requiring authentication against the proxy, controlling who gets what filtered that way. This may help there: Proxy Authentication | Squid Web Cache wiki

If all traffic passes through the proxy to get to the outside world, you can filter all outbound traffic that doesn’t come from its source IP.

My experience is to get management involved like nospamkhanman said.

Want to block a protocol from getting to the internet? Then block it.
Only permit outbound HTTP / HTTPS from your proxy server’s IP.

Students tunneling HTTP over a different port? Block all outbound traffic except what is actually required.

Move SquidGuard to its own box and set a default route to the internet on the proxy box. Remove the default route from the network. The only way to get out is via the proxy.

or they can get on proxy websites and access whatever they want

You can come close to blocking 90% of these with a high-dollar content filter; however, you’ll never get all of them. The only way to get 100% is to move to whitelist only.

Immediately Terminated

God, I’m glad I don’t live in the US.

It doesn’t sound like OP has the budget for a full SSL inspection/application aware solution …

I wondered if that was possible, but wouldn’t that filter ALL devices including staff? That’s our biggest problem right now, I know there’s ways to enforce network wide, but we would like teachers to be able to get on whatever they want.

This will restrict any application that isn’t HTTP, HTTPS, or FTP and using your proxy server. The proxy server will also break VPN applications that try to use the HTTPS port (TCP 443) hoping to sneak through.

And then they discover iodine.

But yeah, in short, unless you are willing to invest time and money in an IPS or similar solution, motivated individuals will find a way to get through your blocks. OP should try to seek a non-technical solution to their problem.

I don’t recommend NATing DNS as others have suggested since that will limit you to a single DNS server.

EdgeRouter is trivially configured as a DNS forwarder, so for DNS DNATing you simply use OpenDNS as the upstream providers (plural) and then DNAT all DNS traffic not destined to the internal dnsmasq listen-address to that address. This fixes any issues due to having only a single DNS server and is what I do myself, as recommended over on the UBNT forums. The dnsmasq listen-address is obviously the one that is handed out via DHCP as standard. The use of ‘only DNAT traffic not already destined for dnsmasq’ allows you to get a feel for how much traffic is circumventing your DNS servers (intentionally or otherwise), as you can check the DNAT counters.

Also, the EdgeOS DPI is really quite accurate and all-encompassing with respect to DPI for traffic analysis and filtering. In the present firmware, 1.8.0, it can and will catch a lot of the more common circumvention techniques by using the out-of-the-box application category ‘Bypass Proxies and tunnels’ (which matches VPNs etc.) in a firewall rule. In a great number of cases it catches not just the protocol but also the provider, smart stuff in a device of its price. It is very easy to add additional items to a custom category should you find other resources you wish to block which aren’t in the standard categories as delivered.

I think that the little ERL can probably do a little more than one may credit it with if one can be bothered having a little play.

Much of your other advice is spot on, but I’m not sure how Chromebooks would use WPAD or a local proxy etc.

How will management help with students? This is actually an academic issue, not a management issue.

Because they (IT) will be held responsible by either the parents or the administration for students being able to get to places they shouldn’t online.

Why you hate our freedums?

At the point when both technical and management solutions to the problem have failed, and an employee continues to view porn at work, they need to go. That seems like the kind of thing that you should be fired for.