School Content Filtering - System Testing
In most schools, computers with Internet access should have a content filtering system installed from a center for analyzing Internet resources. I got myself a copy to test the system.
P.S. I want to move this to "Education 2.0", but I do not have enough karma. Thanks!
How does it work?
The system is arranged quite simply: when a page loads, the filter checks whether it is in the list of "bad" sites. If not, access is allowed. If the site is in the database, the user sees this:
Install
I installed the filter on a virtual machine running Windows XP SP3. There were no problems during installation: the installer itself picked up the license file lying next to it and offered to use it.
Customize
After installation, an icon with a funnel image appeared in the tray. I open the "Management Console":
Honestly, I expected much more; there are practically no settings.
At the same time, there are functions without settings. For example, there is a filter by "terms": words in the query that are not compatible with the educational process are replaced with hyphens. The list cannot be changed in any way, nor can this filter be disabled.
I was even more upset when, in the mode that blocks sites not in the database, even Google and Yandex were blocked. It turns out that I have no choice in how to filter sites. Usually I could choose between a whitelist, which needs constant additions but guarantees security, and a blacklist, which also needs additions but guarantees that good sites stay open.
I started the test, not really expecting a good result.
Check
The system shows fairly average results. Porn and sex dating are blocked almost completely. Of trackers and music sites, only TPB and zaycev.net are blocked. Satanists and proxies are blocked every other time.
Here I found a rather serious vulnerability: HTTPS is not filtered at all, and there is no port blocking. It seems that you cannot do without additional software.
Hack
It is unlikely that anyone denied access to Odnoklassniki ("Classmates") and VKontakte would not start trying to break the filter. I think the best defense is an attack :). I was offered several options for hacking the filter, from a regular proxy to cracking the administrator password.
Proxies
Idea: Route traffic through a proxy.
Effectiveness: Does not work, the filter continues to filter.
Opera turbo
Idea: Opera Turbo uses its own algorithm to compress pages. Maybe the filter will let it through?
Effectiveness: The filter doesn’t care. Moreover, installing Opera requires administrator rights.
Deny access to the service
Idea: Block the filter's access to the Internet.
Effectiveness: The filter has a checkbox that blocks sites if the filter servers are unavailable.
Password cracking
Idea: Change the administrator password, log in and disable the filter.
Effectiveness: Should work.
Protection: Since this requires booting from another medium, it is easy to protect against. Make the hard drive the first boot device, disable booting from floppy disks, flash drives and disks, and set a BIOS password.
Change the settings in the file
Idea: Find the settings file and change the settings so that the filter turns off.
Effectiveness: I could not find the settings. In the folder where the filter is installed, there is a DB folder. The files in it are saved in some tricky way, and you cannot rename it while the filter is running: it complains about lack of access.
Web proxy
Idea: Find a web proxy and browse the Internet through it.
Effectiveness: It works, but forms continue to be filtered. Google search results are no longer filtered.
Protection: Hope that the filter blocks all proxies. If a student sets up a proxy on his own hosting, there is nothing to be done except block the site after it has been used. With regular study of the logs, this lets you make the student go broke on hosting and domains.
I did not test the VPN, but such a system should not work either.
Protect
So, I found several security issues. All of them, except one (which, by the way, is caused by another), are simple enough to fix.
Problems with HTTPS are fixed by installing a firewall and preventing programs from connecting out on any port except 80 (HTTP) and 53 (DNS). Allow access only for the system, the filter, and the browser. Be sure to prevent the user from changing the settings.
Problems with resetting the password are solved by the BIOS settings: boot only from the hard drive, and do not let the user into the settings.
The problem with web proxies, unfortunately, cannot be fixed by simple means.
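The regular log review mentioned under "Web proxy" can be partly automated. The following is an added example, not part of the original article or of the filter product: it assumes a hypothetical log format of time, client IP and requested URL (the filter's real log format is not shown here) and flags hosts whose requests carry other sites' URLs in their parameters, in plain, percent-encoded or base64 form.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

def _b64(url):
    return base64.urlsafe_b64encode(url.encode()).decode()

# Constructed sample lines: "<time> <client IP> <requested URL>" (assumed format).
SAMPLE_LOG = "\n".join([
    "09:01:12 10.0.0.21 http://school.example.test/timetable?class=7b",
    "09:02:40 10.0.0.21 http://wp.example.test/browse.php?u=http%3A%2F%2Fvideos.example.test%2F&b=4",
    "09:02:55 10.0.0.21 http://wp.example.test/browse.php?u=" + _b64("http://social.example.test/"),
    "09:03:10 10.0.0.34 http://wp.example.test/browse.php?u=http%3A%2F%2Fsocial.example.test%2Ffeed",
    "09:05:00 10.0.0.34 http://news.example.test/share?url=http%3A%2F%2Fnews.example.test%2Fa1",
])

def embedded_host(value):
    """Return the host of a URL carried inside a parameter value, or None."""
    candidates = [unquote(value)]  # also undoes double percent-encoding
    try:
        padded = value + "=" * (-len(value) % 4)
        candidates.append(base64.urlsafe_b64decode(padded).decode("utf-8", "ignore"))
    except ValueError:  # not base64 (binascii.Error is a ValueError)
        pass
    for text in candidates:
        if re.match(r"https?://", text, re.I):
            return urlsplit(text).hostname
    return None

def find_proxy_hosts(log_text, min_targets=2):
    """Hosts that relayed requests to at least min_targets other sites."""
    targets = defaultdict(set)  # requested host -> embedded destination hosts
    clients = defaultdict(set)  # requested host -> client IPs that used it
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, url = parts
        req = urlsplit(url)
        for _, value in parse_qsl(req.query):
            dest = embedded_host(value)
            if dest and dest != req.hostname:  # ignore links to the same site
                targets[req.hostname].add(dest)
                clients[req.hostname].add(client)
    return {host: {"destinations": sorted(d), "clients": sorted(clients[host])}
            for host, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, info in find_proxy_hosts(SAMPLE_LOG).items():
        print(host, info)
```

Hosts reported this way are candidates for the block list; the `min_targets` threshold keeps ordinary share or redirect links that point to a single other site from being flagged.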
Summarize
A fairly average system that can be made to filter sites quite well with the help of a firewall. Without a firewall, it is better not to use it. With a different policy for evaluating sites (put all sites in the system) and HTTPS filtering, it would be even better.