Anonymous Proxies, Spam and Email Archiving Simplified and Explained

These are my notes from the presentation “Anonymous Proxies, Spam and Email Archiving Simplified and Explained” by Anders Johnsson of CIPAFilter at the Oklahoma Technology Association (OTA) on 11 February 2009. MY REFLECTIONS AND COMMENTS ARE IN ALL CAPS. KEEP IN MIND CIPAFILTER IS A COMMERCIAL VENDOR, AND THIS IS THEIR SESSION. I AM RECORDING THIS SESSION WITH ANDERS’ PERMISSION AND MAY SHARE IT LATER AS A PODCAST HERE. [ADDENDUM: SINCE THIS WAS LARGELY A VENDOR ADVERTISEMENT SESSION, I AM NOT GOING TO PODCAST THIS. THERE WAS SOME GOOD CONTENT HERE, BUT THIS WAS REALLY NOT ABOUT CIPA, THIS IS ABOUT NETWORK MANAGEMENT.]

Our CIPAFilter product incorporates functionality which addresses the issues I am going to discuss in this presentation.

ANDERS IS NOW GIVING A COMMERCIAL FOR CIPAFILTER. I WONDER IF HE REALIZES THE PEOPLE SITTING IN THE AUDIENCE RIGHT NOW DID NOT COME TO HEAR A VENDOR AD / COMMERCIAL. WE ARE HERE TO LEARN ABOUT THE ISSUES, NOT BE A CAPTIVE AUDIENCE FOR AN ADVERTISEMENT. THAT IS A ROLE PROPERLY REGULATED TO THE VENDOR HALL, NOT A CONCURRENT SESSION LIKE THIS ONE. HOPEFULLY THE ADVERTISING WILL STOP SOON.

SOMEONE’S CELL PHONE IS PLAYING “CELEBRATION BY KOOL AND THE GANG.”

I WILL BE CUTTING OUT THIS ADVERTISEMENT PORTION OF THE RECORDING IF I END UP SHARING THIS AT ALL AS A PODCAST.

Our pornography filter uses a very small database
– sites that are image only are included
– other sites are filtered based on an alogrithm using the context of use (we allow through sites that use “breast” with other words like “chicken” and “cancer”)

DO I REALLY WANT TO BLOG THIS SESSION?

We can deep-inspect pages that other filters couldn’t block out
– we are running into problems with teachers who want to blog, but when you open up blogs you can link to one that is filth

Proxies are the big problem now
– school districts have filters they are paying big bucks for, and kids are using the next day’s proxies to get around them
– now kids are masking them
– there are a lot of money to be made from anonymous proxy servers
– they make lots of ad revenue
– they start to notice they are not getting the hits they used to, that

you will then see mathhomework1.com, mathhomework2.com – proxy server URLs changing

INTERESTING THAT THE PRESENTER IS NOT EVEN TALKING ABOUT CIPA. HE HAS JUMPED IMMEDIATELY FROM GIVING AN AD FOR HIS PRODUCT, TO TALKING ABOUT MICROMANGING FILTERING OF CONTENT

someone with CIPAfilter developed a fingerprint system to ID students who are circumventing filters to get to YouTube, MySpace, and Facebook
– our system then adds a page that matches our criteria to your blacklist
– then nobody can use those websites to anywhere, play games, do anything

At the end of the day we upload those lists from all the CIPAfilter customers we have
– a kid in South Carolina can find a proxy site, the CIPAfilter blocks it locally, then the next morning your CIPAfilter in your building is blocking that site
– we had some bugs in this initially
– we added about 15,000 anonymous proxy servers in the first week we started doing this [SHARING THESE BLOCKED SITES]

we discovered we had caught and discovered most of the major proxy sites
– we think students were just giving up, stopping looking for the proxies
– we add 40-50 anonymous proxy sites to our list each day
– when we have a https site, that doesn’t mean we don’t have sites without nonsecure versions
– to address this we take a new approach, instead of trying to break that encryption [FOR DEEP PACKET INSPECTION] we put students and teachers on different filtering
– you can do differentiated content filtering

we allow teachers to have https access
– can still block a good collection of https sites

rest of the sites, we just shut them down for students (for anonymous secure proxies)
– we have found in most schools, students just need 4 or 5 https websites when they are at school, to do online testing and things like that

we’ve also had kids bringing in their own thumbdrives with firefox, using
– we can lock that down as a firewall, so the kids can’t use another proxy besides CIPAfilter

audience question: does it also do transparent, so people don’t have to do logins
– yes it will

For us to be able to block secure proxy sites, we have to be setup as a proxy site
– you have to lock down each of your browsers to have locked proxy settings
– we have a client you can push out to do that

when someone makes a secure request to another site, that creates a tunnel which goes thorugh all your networking equipment
– so then your filter just sees jargon
– this is the reason we have to act as a proxy server
– that is the proper and best way to deal with secure websites

audience question about setting up DNS forwarding
– his answer: “I am not a tech”

SO THIS MEANS HE IS JUST A SALESMAN FOR CIPAFILTER. NICE.

the way CIPAfilter sets up categories
– we don’t haev 50 or 60 categories
– most of those are corporate categories
– most schools don’t use those, blocking sports sites, CNN, other news sites
– we have gotten rid of those categories, we market our product just to schools
– we have about 12 categories
– we don’t subcategorize sites much, so we just have “shopping” as a category

You can maintain your own global whitelists and blacklists

Some of your teachers are complaining because they are being treated as kids on the network
– with CIPAfilter you can do differentiated filtering

THE PRESENTER HAS SAID NOTHING ABOUT WHAT IS REQUIRED BY THE ACTUAL CIPA LAW. THE ACTUAL CIPA LAW REQUIRES THAT PORNOGRAPHIC IMAGES BE BLOCKED, BUT IT DOES NOT REQUIRE ANY OF WHAT HE IS TALKING ABOUT HERE, LIKE BLOCKING ALL SHOPPING SITES. THIS IS NOT EVEN BEING ADDRESSED IN THIS SESSION. THIS SESSION WAS VERY MISLEADING AND SHOULD HAVE BEEN TITLED, “COME SEE AN ADVERTISEMENT FOR CIPAFILTER.”

CIPAfilter can now also permit bandwidth control
– throttle traffic by protocol and IP address or subnet
– provide Quality of Service for important traffic
– manage upload and download
– advanced traffic shaping rules included

my question to him: do all your routers have to support QoS for this
– he said no

Complete Virus Protection
– blocks viruses at gateway as primary defense
– real-time software client for all workstations
– scans all traffic automatically
– extremely cost-effective

Our virus solution does not have a disinfect functionality
– our scanning works for Windows systems and Linux, not on Macs (Macs don’t have virus problems)

Anti-Spam System
– targets operating methods of spammers
– no management
– no over blocking (false positives)
– no spam

Greylisting
– idea that spammers operate in a different way from legitimate
– we designed a mail filter that uses greylisting concepts
– is compatible with any mail server

We look for SPF records, reverse MX records
– also record other things that make that message unique

mail is not instant-protocol
– it has to go through its processes to be delivered to the end user

so we delay the receiving of that message to make sure all 5 criteria in our database matches, and if not we bounce it out
– 90% of legitimate spam does not get through our system

there are legitimate and illegitimate spammers
– hacked accounts, hacked IP addresses, using software

E-mail archiving
– this is a big one
– lots of school districts are now deciding this is what we need to do
– archives all mail including attachments
– we did this because some school districts ran into problems and needed this
– easy, fast searches and custom queries included with support
– keep emails for years without worry expensive storage requirements

Some schools are archiving for 3 years, some for 5 years, 7 years
– I talked to the head of Iowa schools and he told all his folks they didn’t need to do it [ARCHIVE EMAIL]
– In Texas someone told schools they just need to do it for 1 year

APPARENTLY THE PRESENTER IS NOT FAMILIAR WITH THE RULES OF E-DISCOVERY
– someone in the audience said they had emailed Eric H and asked him, and he doesn’t know

CLEARLY WE NEED SOME CLEARER GUIDELINES FOR SCHOOLS ON THIS ISSUE. THIS SESSION WAS MARKETED AS A PRESENTATION WHICH WOULD CLARIFY ISSUES SPECIFIC TO EMAIL ARCHIVING REQUIREMENTS. THAT IS NOT BEING PROVIDED HERE, THIS IS BASICALLY JUST A VENDOR AD.

I hope you all didn’t come to this session looking for answers on this from me, I don’t know [IN REFERENCE TO EMAIL ARCHIVING]
– It appears that you need to have a policy and enforce it

CIPAfilter has two 250 GB hard drives
– we can back up to a server of your choice, then burn to DVD, or whatever you want

my question does this work with webmail like yahoo mail or gmail?
– his answer: this only works with your own hosted mailserver

Have a solution with third party for Novell email archiving
– all email servers except Novell support journaling
– so in those cases, you enable journaling to send a copy of the mail to an external source (CIPAfilter in this case)
– for Novell clients, this third party program stops all users from deleting mail from their deleted items folder until it has been backed up
– you just buy that from the third party client, it is $3.50 per mail account

We are an advanced router and firewall
– secure yet very easy to manage
– stateful firewall with NAT support and routing protocols
– block chat, P2P, audio/video, proxy servers

my question: will you address CIPA rules
– all CIPA requires is to block pornography
– it is really a broad spectrum of what you are required
– some schools have used built-in IE browser security settings to try and block objectionable content
– now you have to block MySpace

THAT IS NOT TRUE. THERE IS NO CIPA REQUIREMENT TO BLOCK MYSPACE OR OTHER SOCIAL NETWORKING SITES.

My question: can you generate website visit reports for individual users by userid, IP, or MAC address, and then integrate that report into your student information systems in a 1:1 environment so parents can see all the places their child’s laptop has gone?

Reporting system now can create a PDF file for individual
– can go to a user activity tab, search for their userid or IP, and then see everything
– has a TV guide view, and a spreadsheet view

I THINK SYSTEMS LIKE THIS ARE THE FUTURE, OR NEED TO BE THE FUTURE, FOR CONTENT FILTERING. THIS WOULD BE KEY FOR CREATING PERCEPTIONS OF ACCOUNTABILITY, IN ALL COMPUTING ENVIRONMENTS BUT ESPECIALLY IN 1:1 ENVIRONMENTS. I DO NOT THINK THERE ARE ANY PRODUCTS, VENDOR OR OPEN SOURCE, WHICH CAN DO THIS NOW. SCHOOLS NEED THAT KIND OF FUNCTIONALITY, SO PARENTS CAN LOG INTO POWERSCHOOL VIA THE WEB INTERFACE AND IN ADDITION TO VIEWING THEIR CHILD’S GRADES AND ATTENDANCE, SEE THEIR DIGITAL FOOTPRINTS ON THE SCHOOL NETWORK.

Technorati Tags:
cipa, network, filtering, block, filter, ota09, oklahoma, technology, school, proxy, proxies, cipafilter