Stopping SSL VPNs/tunneling

jroyster
Level 1

Hopefully easy question...

Is there any practical way to prevent students from using SSL tunneling/VPNs to bypass all security policies/firewalls?

Is there even a way to detect it?

Because I really can't come up with an idea save for maybe some kind of IDS that would flag a persistent SSL connection.

8 Replies

rating_is_vital
Level 1

Hi,

Would you be more specific? For example, are they using SSL for internet browsing or file sharing?

Well the whole "internal" network is of course using legitimate SSL sites via a web browser.

But there are those that are using SSL to tunnel back to another internet computer (generally the one they have at their parents' place). This tunnel then transports any protocol they wish. This effectively bypasses any security policy or firewalls we have put in place.

You could find the DNS black lists of dynamically assigned IP addresses, and block outbound TCP traffic to port 443 for them.

You probably should look at Websense or N2H2, as I believe they can help filter destination URLs, even for SSL sites.

The problem with your security policy is that it sounds like students have admin access on end user workstations.

Hi,

It all depends on the policy. Without purchasing a third-party web control application, you may simply set up a proxy and allow only port 80 traffic out from the firewall.

I've thought long and hard about proxying. It makes perfect sense for HTTP (80).

But I was under the impression that you cannot proxy HTTPS (SSL, port 443). So by blocking that port you effectively eliminate any legitimate secure site.

So I still don't see any way to prevent this.

As far as admin access on the machines, it's a university campus so they all bring their own machines.

Hi,

Perhaps you have no other choices but to purchase Websense.

I haven't used it, but Squid (open source proxy) claims SSL proxying support - it cannot see into the SSL connections, but does forward them. If you could cook up a way for Squid to deny SSL traffic to dynamically assigned IP addresses (there are DNS lists of these out there), that might work.

Thanks. That could work. At least it would stop the casual "I'll just set up an SSL or SSH tunnel to bypass the firewall" user.

I'll have to look into the ability to proxy HTTPS. I thought you couldn't because it breaks the validity of source/destination.

Thanks again. I know I'm not the only one who faces this challenge.
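The two ideas raised in this thread, flagging persistent SSL connections and denying CONNECT tunnels to dynamically assigned addresses, can be checked against Squid's access.log. The script below is an added example, not code from the thread or from Squid: it assumes Squid's native log format (timestamp, elapsed ms, client, action/status, bytes, method, URL, ident, hierarchy/peer, type), uses constructed log lines, and stands in a small documentation-range list for a real dynamic-IP DNSBL export.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Squid native access.log lines (not taken from the thread).
SAMPLE_LOG = """\
1700000000.101 312 10.20.0.5 TCP_TUNNEL/200 18422 CONNECT www.example.edu:443 - HIER_DIRECT/192.0.2.10 -
1700000000.202 7412033 10.20.0.9 TCP_TUNNEL/200 913400211 CONNECT 198.51.100.77:443 - HIER_DIRECT/198.51.100.77 -
1700000000.303 5120 10.20.0.7 TCP_MISS/200 2210 GET http://www.example.edu/ - HIER_DIRECT/192.0.2.10 text/html
1700000000.404 6010000 10.20.0.5 TCP_TUNNEL/200 12000000 CONNECT home.example.net:443 - HIER_DIRECT/192.0.2.55 -
"""

# Constructed stand-in for a dynamic/residential address list; a real DNSBL export is far longer.
DYNAMIC_RANGES = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Finding:
    client: str
    dest: str
    reasons: tuple


def parse_line(line):
    """Return a dict for CONNECT (tunnel) entries, None for anything else."""
    f = line.split()
    if len(f) < 9 or f[5] != "CONNECT":
        return None
    host, _, port = f[6].rpartition(":")
    return {"client": f[2], "host": host, "port": port, "elapsed_s": int(f[1]) / 1000,
            "bytes": int(f[4]), "peer": f[8].split("/", 1)[-1]}


def flag_tunnels(log_text, dynamic_ranges=DYNAMIC_RANGES, min_seconds=3600, min_bytes=100_000_000):
    """Flag tunnels to dynamic-IP peers, long-lived tunnels, and unusually large ones."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        try:
            peer = ipaddress.ip_address(rec["peer"])
        except ValueError:
            peer = None  # peer was a hostname or a parent cache, not an address
        if peer is not None and any(peer in net for net in dynamic_ranges):
            reasons.append("dynamic-ip destination")
        if rec["elapsed_s"] >= min_seconds:
            reasons.append("long-lived tunnel")
        if rec["bytes"] >= min_bytes:
            reasons.append("high volume")
        if reasons:
            findings.append(Finding(rec["client"], f'{rec["host"]}:{rec["port"]}', tuple(reasons)))
    return findings
```

Ordinary browsing sessions (short, small CONNECTs to hosted sites) produce no finding, while a tunnel that stays up for hours to a residential address does; the same range list could also feed a Squid dst ACL so the CONNECT is refused up front rather than only reported afterwards.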
