Web filtering just got harder
The school system I work for uses a web filter to block certain content because not everyone needs to “read the articles” at Playboy.com. The filter they use works very well but, like all web filters, it does block a legitamite site occasionally. The filter works by checking the URL against it’s database of approved/unapproved sites and then taking the appropriate action. If the URL is not listed, you automatically get denied access for a few minutes because the web filtering software is analyzing the site (checking content, links, etc.).
Lately, I’ve noticed several teachers and students installing Firefox on the school computers. I didn’t think that was a bad thing considering the security issues with IE and the network engineers/managers agreed. Unfortunately, this may be a problem. While looking for new Firefox extensions, I came across an extension that could give someone a shortcut to the chink in the web filtering armor. The extension is called vBrowseIt (located under Privacy & Security”).
This extension allows you to right-click a link and use TheVirtualBrowser.com to browse web sites. For those of you that may not know (like I didn’t), this site allows you to use a “virtual browser” inside your browser in order to anonymously browse web sites. All request for a web site are made on the host server and then displayed from the hosting server instead of the requested site. Like the extension description says:
Browse any page with the Virtualbrowser, a free online proxy created to get past school blockers and internet filters.
This site has a legitimate use, because it can protect your privacy, but with legitamite use comes illegitimate use. This site would allow the students and teachers to bypass our filters and connect to content they should not be viewing at school. The content being blocked is not just sexual content but that is the main reason. We don’t need kids trading porn pics on the school network. That makes for a very hostile work environment for the majority of women and others that are offended by this kind of content.
I’ll have to put in a request to have TheVirtualBrowser.com blocked so that this issue won’t cause any problems. I don’t think anyone at the schools have been using it but you never know. It’s not just a Firefox thing either. The site can be used through any browser. The vBrowseIt extension just allows FF users to right-click a link and browse to that site through TheVirtualBrowser.com. Anyone could create their own HTML files locally, fill them with links to blocked sites, open the HTML file in FF and then right-click the links in order to hit the sites the TheVirtualBrowser.
I never really looked into sites like that because
- I’ve never been in charge of web filtering &
- I’ve never really cared to try and get around a web filter
The kids these days find out about this stuff very quickly so it’s hard to stay ahead of the game sometimes. I know, some people will think I’m being a prude but that’s not the point. The point is that school computers are there so the kids can use them to further their education. If they want to look at pornography, they can do it at home (like the rest of us have to). If any of you know of other sites that allow this kind of web filter bypass, please let me know. It makes me look good to the bosses when I help them keep the network safe. 
19.Mar.05 
Technology
You can leave a response, or trackback from your own site.
6 Responses to “Web filtering just got harder”
Leave a Reply
- wyckedone.net
F/OSS
Free Antivirus
Free Firewall
Free Utilities
Links
Tech Articles
Tech Boards
This site runs on
You’re right about that – staying ahead of the game is tough. Our organisation gave up on it and just moved to good old personal responsibility. If you break the rules – you loose your job. Now that’s a system you can administer, no service packs, patches or upgrades.
The downside is if all you have is this kind of filtering anyone who knew they could would be able to specify any public proxy server in their internet settings and then they would be able to visit any blocked sites. This is the same method as Vbrowser except that vbrowser is a web-based proxy.
The only way yo tie down internet access and for little moolah ($) is to implement a proxy server based on Linux. That way the school would have complete control. Then you would restrict access to the web from only that server. The proxy would in addition speed up regularly accessed sites + it can give additional access controls at the cost of time to implement/learn how to configure it. Could be a nice little project if it floats your boat!
See http://www.squid-cache.org/ for more info.
The web filter is not based on a proxy server. It can’t be bypassed by putting a public proxy into the browser settings. The web filter is an actual appliance that sits between the school network and the Internet.
The Vbrowser was a concern because it served the pages instead of the requested web server. The Vbrowser site, in essence, cached the requested site and then served it and that would try to trick the web filter. Fortunately, the Vbrowser site is blocked by the web filter.
So how does the web filter know if you are using a proxy? Does it specifically check for that? Or is DNS controlled in some way?
All traffic (HTTP, HTTPS, FTP, IRC, etc) passes through the web filtering appliance. Even if you try to use a public proxy, your request is going to go through the web filter before it gets outside the network and onto the Internet. This makes it so that any and all web communications are checked.
The reason why I said the above about using public proxies is that I worked with a company that had a similar set-up as you describe. The filtering however was provided by a plugin to a watchguard firewall. The implementation meant you could specify a public proxy in the browser settings and the filtering would only see the IP address of the proxy server. That way you could get around any filtering performed by this particular filter. Also filtering purely by IP addresses rather than by domains was a massive limitation in this case.
To get round this the better way of doing it would have been to add a squid or ISA server to the network and only allow connections to the internet from this server as I mentioned above.
Cheers,
Stuart.