© The Association of Independent Schools of NSW

To block or not to block

5 IT Managers share their experiences

Knox Grammar School

Mike Israel – IT Manager

Network Topology

Internal Network

Cisco Switches and Access Points

Using VLANs

Originally no wireless security

Wireless: WPA-TKIP with PEAP authentication. When a machine is joined to the domain, it is issued with a certificate to join the network

Bandwidth Control

Packeteer

Provides bandwidth control

Can monitor and control how bandwidth is being used, e.g. iTunes downloads: max total 5 Mbps, any one connection < 256 kbps

Can designate slices of bandwidth to particular ports and protocols

Can block programs and protocols, e.g. encrypted tunnelling over port 80

ACLs on core router to block student access to servers

Using ACLs

Access Control Lists control the access of certain VLANs to specified servers/addresses/ports/services
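
As an added illustration (not part of the original slides), the Python sketch below models how a first-match ACL on the core router evaluates student-VLAN traffic toward servers, including the implicit deny and the effect of rule ordering. The subnets, ports and the names `STUDENT_ACL`, `evaluate` and `shadowed` are assumptions made for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", or "ip" (any protocol)
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    port: Optional[int]   # destination port; None means any

# Constructed addressing (an assumption, not from the slides):
# student VLAN 10.20.0.0/16, server subnet 10.10.0.0/24.
STUDENT_ACL = [
    Rule("permit", "udp", "10.20.0.0/16", "10.10.0.10/32", 53),   # DNS
    Rule("permit", "tcp", "10.20.0.0/16", "10.10.0.20/32", 443),  # intranet web
    Rule("deny",   "ip",  "10.20.0.0/16", "10.10.0.0/24",  None), # other servers
    Rule("permit", "ip",  "10.20.0.0/16", "0.0.0.0/0",     None), # everything else
]

def evaluate(acl, proto, src, dst, port):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(acl):
        if (r.proto in ("ip", proto) and r.port in (None, port)
                and s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)):
            return r.action, i
    return "deny", None

def shadowed(acl):
    """Indexes of entries that can never match because an earlier entry covers them."""
    hidden = []
    for i, r in enumerate(acl):
        rs, rd = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        for e in acl[:i]:
            if (e.proto in ("ip", r.proto) and e.port in (None, r.port)
                    and rs.subnet_of(ipaddress.ip_network(e.src))
                    and rd.subnet_of(ipaddress.ip_network(e.dst))):
                hidden.append(i)
                break
    return hidden

if __name__ == "__main__":
    print(evaluate(STUDENT_ACL, "tcp", "10.20.5.7", "10.10.0.30", 445))  # file share on a server
    # Moving the broad permit to the top silently disables every entry after it.
    misordered = [STUDENT_ACL[3]] + STUDENT_ACL[:3]
    print(evaluate(misordered, "tcp", "10.20.5.7", "10.10.0.30", 445), shadowed(misordered))
```

Running `shadowed` over an ACL before deploying it is a quick review check: any index it returns is an entry that an earlier, broader line has made unreachable.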

Spam and Anti-virus

Spam is detected, marked as spam and delivered to Junk mail folder via Exchange.

ClamAV does initial filtering of malware.

Trend Micro performs second pass on incoming mail.

Symantec Client used on client machines

Spam Assassin, ClamAV (free)

Symantec Client Updates

Trend Micro

Filtering - ContentKeeper

Can block all unmanaged sites for students, which takes care of proxy bypass. Also blocks keyword searches on popular search engines and blocks protocols (backup to Packeteer)

Firewall prevents access to certain IP address ranges on certain ports

ContentKeeper Filtering Groups

Users default to general profile with filtering based on student needs

Staff are identified through their login (LDAP) and given more open filtering

Pages can be blocked/coached/time of day. All unmanaged sites blocked for students

Web Access Policy

Technology Usage Policy is published in the school diary and is a condition of login. Year 7 students also sign it when they take delivery of their school laptop

MySpace and YouTube blocked, Facebook OK

Streaming media is limited so as not to clog Internet access

Mike Israel Knox Grammar School

7 Woodville Ave Wahroonga

Phone (02) 9473 9773 Fax (02) 9473 9759

Email [email protected]

Contact Details

Danebank Anglican School for Girls

John Tuffs – IT Director

Network History

< 2005: Microsoft ISA Firewall + DHCP/DNS, with no e-mail filtering

2005 – 2008: ISONet HTTP & SMTP filtering; ISA Firewall + DHCP/DNS

2008: Cisco ASA Firewall + SONAR filtering; Windows server for DHCP/DNS

Danebank Network Layout

Internal Network

HP Procurve Switches

1 Management VLAN for Procurve Manager

1 VLAN for the rest

Wireless Access Points using only WEP & MAC security (i.e. no security)

Antivirus / SPAM / Web Filtering

Symantec System Centre and local clients for AV

SPAM handled by Sonar Appliance – not using challenge option

Filtering handled by Sonar Appliance

(Initial install and support provided by Accucom)

Sonar Filtering Groups

IT Staff

General Staff / Teachers

Senior School (7-12)

Junior School (K-6)

Lunch Filter (7-12)

Custom Block Message

Web Access Policy

Internet Acceptable Use policy signed by students

All social networking is blocked

YouTube is blocked to students – teachers can show videos

Streaming media is blocked due to bandwidth constraints

John Tuffs

IT Director

80-98 Park Rd Hurstville NSW 2220

Phone (02) 9580 1415 Fax (02) 9579 3450

Email [email protected]

Contact Details

Security Workshop

SCEGGS Darlinghurst

Topology Overview

ISOnet topology

SCEGGS’ Topology

ISOnet: Intrusion Detection

Two layers of Intrusion Prevention using McAfee IntruShield and TippingPoint.

Both are set to blocking mode for all medium to high threats.

There have been 13,777,987 Exploits blocked…This week!

There have been 1,830,537 policy Violations blocked…This week!

ISOnet: Denial of Service

Peakflow DDoS technology from Arbor Networks.

There have been 1,830,537 policy Violations blocked…This week!

Up to 60% of traffic bound for schools is blocked by ISONet as it is unsolicited. Schools only pay for what they use.

ISOnet: Spam/Av

ISOnet uses a cluster of McAfee and IronPort AV/Spam/Content filter appliances.

Filters based on policies set by individual school

Actions taken by the filter are specified as part of the policy determined by the school

For staff – messages sent to spam@sceggs. This mailbox is searchable by staff through a proxy arrangement.

For students, spam messages are dropped

ISONet Policies

Real-time blackhole list (RBL) checking – Identifies whether the IP address is an open relay or spam organisation.

IP Reputation checking – Identifies whether an IP address has been known to send exploits, worms, trojans or sites known to be hacked.

Anti-spoofing verifications – Determines if sender is attempting to forge as an internal address.

All scanning modules listed in the attached document (AV checks, spam checks, content-filtering checks, anti-phishing checks, file filtering, etc.)

Integrity Analysis – Examine header, layout and organisation of the message.

Spam scoring - Positive and negative scoring of emails based on known spam traits.

Bayesian Learning - Custom created spam signatures based on feedback system – false-positive and false-negative verification.

Blacklists and whitelists – customer based trusted and untrusted email senders.

From Outside: SCEGGS Policy

| Email Setting | Status | Severity | Configuration Detail (Action) |
| Anti-spam | Enabled | Medium | When spam identified: Refuse original data and return a rejection code; Forward the original email to [email protected] |
| Anti-virus | Enabled | High | When identified: Attempt to clean; If cleaning fails replace content with an HTML alert and quarantine the original email |
| Anti-Phishing | Enabled | | When identified: Forward the original email to [email protected] |
| Compliancy | Disabled | - | |
| Corrupt Content | Enabled | | When corrupt content detected: Replace the content with an HTML alert |
| Encrypted Content | Enabled | | When encrypted content detected: Allow through |
| File Filtering | Disabled | - | |
| HTML Settings | Disabled | - | |
| Mail Settings | Disabled | - | |
| Mail Size Filtering | Disabled | - | When the message is larger than 10240 kilobytes: Refuse the original data and return a rejection code; Deliver a notification email to the sender |
| Protected Content | Enabled | - | When protected content is detected: Allow through |
| | Enabled | - | When a denial of service protection limit is exceeded: Replace the content with an HTML alert |
| | Enabled | - | When signed content is detected: Allow changes to break signed email |
| | Enabled | - | When content identified: Allow through |
| | Enabled | - | When content identified: Allow through |
| | Enabled | - | When content identified: Allow through |
| | Enabled | - | When content identified: Allow through |
| | Enabled | - | When content identified: Allow through |
| | Enabled | - | When content identified: Allow through |
| | Enabled | - | When content identified: Allow through |
| | Enabled | - | When content identified: Allow through |
| | Enabled | - | When content identified: Allow through |

Ian Ralph

IT Manager – SCEGGS Darlinghurst

215 Forbes St Darlinghurst NSW 2010

Phone (02) 99332 1133 Fax (02) 9332 1858

Web sceggs.nsw.edu.au

Email [email protected]

Contact Details

Arndell Anglican College Network Security Overview

VLANs

Low Level VLAN Map

What’s Great About VLANs

Allows use of ACLs

Segments Broadcast Traffic

More Devices

How Does it Translate Into a Physical Layout?

Content Filtering at Arndell

Blacklists - Various Categories Updated Regularly

Regular scanning of logs

Students summoned to explain actions

Culture has changed now that students know they will be caught if they do the wrong thing

Internet traffic is forced through the content filter depending on VLAN assignment

Spam and Anti-Virus

Sophos Anti-Virus used across the network

Sophos plug-in for mail server

Spam filtered using Spam Assassin

Blacklist lookups like SORBS

Rohan Smith

Coordinator IT Services

Arndell Anglican College

118 Wolseley Road Oakville NSW 2765

Phone: +61 2 4572 3633 Fax: +61 2 4573 3849

Website: http://www.arndell.nsw.edu.au

Email: [email protected]

Contact Details

The King’s School

Michael Eggenhuizen

The School

The King’s School – Some Statistics:

Anglican Church School

Established in 1832 (176 years)

300 acres in North Parramatta

K-12 Boys School with 1450 Students

400 Boarders

Multiple Residences on Property

Internet Bandwidth

Internet Connection Bandwidth:

2005 – 2.5Mb ADSL/ISDN

2006 – 10Mb Ethernet

2007 – 20Mb Ethernet

2008 – 50Mb Ethernet

2009 – 100Mb Ethernet

ISP – The Somerville Group

Internet Access

All Staff and Students have Access to:

YouTube, MySpace, FaceBook, ...

Hotmail, Yahoo Mail, Gmail, ...

MSN Messenger, ...

Most if not all Web 2.0 Technologies

Changes to filtering (led by ICT Services) provide staff and students with a real and relatively unrestricted learning experience

Internet & Email Filtering

Network Box

Weekly Email Activity (Incoming Average)

Spam (95.5%) - 485,647

Virus (1.5%) - 7,608

Delivered (3%) - 15,615

Total (100%) - 508,870

Network Box

Weekly Internet Activity (Average)

URLs Visited - 13,254,949

URLs Blocked due to Virus Activity - 71

URLs Blocked due to Policy Rules - 3,326

Threat Signature Updates - 843

Internet Download (GB) – 398

Monthly Internet Download (TB) – 1.6

Michael Eggenhuizen

Director ICT

PO Box 1 Parramatta NSW 2124

Phone (02) 9683 8650 Fax (02) 9683 8565

www.kings.edu.au

[email protected]

Contact Details