Has anyone got this running on Hyper-V in their system? Thoughts, insights?
--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Captive portal is the thing.
Wireless systems often do offer a captive portal; N4L’s user integration will do that too, as will Linewize, or pfSense.
Historically pfSense hasn’t played well with Hyper-V, but was fine under VMware – the older versions were based on a FreeBSD that wasn’t very good with Hyper-V. I believe that the current versions (post-2.2) are using a more recent FreeBSD that behaves much better.
J,
Note:
If you are not the intended recipient of this email, please contact the sender immediately by return email or by telephone on +64 3 4718232. In this case please do not act in reliance on this email or any attachments, and destroy all copies of them. The views expressed in this email are those of the sender and not necessarily of Decision1 IT Solutions Ltd.
Please consider the environment before printing this e-mail
A captive portal is the usual answer to this.
Sitting at the gateway it requires users to sign into a web page in order to allow their device (essentially their IP) access to external resources. pfSense does this admirably (I believe it will even offer you different captive portals for different interfaces/VLANs now).
Transparent proxies are an entirely different can of worms with a whole new range of pitfalls.
Both N4L and Linewize have solutions that will do this for you, based on integration with some directory or other (both support AD) and allow things like site exceptions from authentication. They allow different categorisation based on source (user, or user-is-member-of-group, or IP) along with (presumably) logging where people have gone.
I’m not entirely sure how far along the release path N4Ls per-user captive-portal-esque system is, but there are sites using it fairly effectively.
Linewize is available fairly immediately, though there is a cost involved.
pfSense is available immediately, is free, but does take some setting up. If you’re leading into the term break it might be an opportune time to deploy it with some scope for experimentation – or I’m sure there are people here who can help (including me :-))
J,
Essentially the system for wireless devices would be
- open wireless connection or one with a very simple password
A more secure system would be 802.1x.
- transparent proxy (pfSense) for the web browser
I wonder how much savings you make or performance improvements there will be using a proxy. We had our firewall, NAT and proxy on pfsense and it was struggling so now it only does firewall and NAT. Still only averaging 200Mbps during class time. Slower connections may benefit from a proxy if it doesn't slow down your pfsense too much.
- authenticating behind the proxy with a logon screen that authenticates them against their user account for Windows (using some system)
Linewize works great for this but will not prompt if your first site is SSL (as any reasonable non-man-in-the-middle attack server should). Perhaps N4L (actually Spark/Cisco) is using some dodgy mechanism to get around this and that is what is tripping iOS8 up? But maybe I'm wrong about that.
That does seem to be an integral part of their filtering-ssl system. Not really clear how practical that is in the world of BYOD.
I’m aware of at least one school that has said yes…
From: techies-f...@googlegroups.com [mailto:techies-f...@googlegroups.com]
On Behalf Of Mike Etheridge
Sent: Thursday, 2 April 2015 12:27 p.m.
To: techies-f...@googlegroups.com
Subject: Re: [techies-for-schools] pfSense
When our N4L router was put in, they wanted to stick a certificate on it which our hosts would trust - essentially allowing them to carry out man-in-the-middle attacks. We said no. Maybe others said yes?
What were you running pfSense on? Fundamentally pfSense’s proxy tends to be squid running on FreeBSD which isn’t inherently terrible. The squid process can be a complex one, though, as it processes cache-item-availability and the likes, and it can be quite IO heavy so is a bit more sensitive to specs than some other loads…
J,
From: techies-f...@googlegroups.com [mailto:techies-f...@googlegroups.com]
On Behalf Of Andrew Godfrey
Sent: Thursday, 2 April 2015 12:20 p.m.
To: techies-f...@googlegroups.com
Subject: Re: [techies-for-schools] pfSense
On 2 April 2015 at 11:11, Patrick Dunford <kahuk...@gmail.com> wrote:
I’ll argue that. “Man in the middle” is a description of a technique, not an exploit title.
Putting something ‘in the middle’ that’s examining the traffic is an example of the “Man in the Middle” technique. That’s exactly what the Cisco system does. Secret or not.
J,
From: techies-f...@googlegroups.com [mailto:techies-f...@googlegroups.com]
On Behalf Of Tim Harper
Sent: Thursday, 2 April 2015 12:52 p.m.
To: techies-f...@googlegroups.com
Subject: Re: [techies-for-schools] pfSense
N4L and authentication: I'm trialling this with Cisco and it works really well.
On 2/04/2015, at 12:48 pm, Andrew Godfrey <godf...@burnside.school.nz> wrote:
On 2 April 2015 at 12:31, Julian Davison <Jul...@decision1.co.nz> wrote:
It's a fairly old ML110 with more memory than it first arrived with and several NICs added in as well. Squid is still running as some of our workstations haven't had their proxy settings removed but I've turned squidGuard off as Linewize has taken that job over. It's doing its job well at the moment so we'll leave it there for a little while longer.
Andrew Godfrey | Network Manager | Burnside High School | Christchurch | New Zealand
Just a quick note that Google no longer mine student GAFE account and usage data for advertising, which was a valid concern for some when using their services at schools.
Pete
Saturday, 4 April 2015 1:44 pm +1300 from Patrick Dunford <kahuk...@gmail.com>:
Hi Tim,
Do you also filter staff access this way?
Why not trust N4L? Because we don't know anything about their staff or their hiring policies. Our staff have to be police vetted. No disrespect intended, just a fact.
Actually, Tim, I am serious. The Google mail example doesn't stack up. I can ( and do, off my phone) encrypt my mail because I actually don't trust Google. As a netadmin, I don't choose to subvert the intention of end to end secure connection that SSL is supposed to deliver. I won't train my users to agree to give away that security to a man in the middle.
This whole thing comes down to trust, but not between users and middle men (basic instruction: do not trust them) but between members of the school community. In a low trust model, there is no trust between staff and students (and management and lower levels), and low trust organizations are characterised by rigid hierarchies, centralized decision making, predetermined outcomes and high handed unilateral violation of privacy. High trust models are associated with needs and interest based networking, devolved decision making, flexibility, respect for the individual, innovation and fun. I know what kind of organization I prefer to belong to, and I will always promote the associated values.
Mike
I think you missed the point there. I'm talking about trusting our students and working SSL how it is intended. Not pretending to trust them (giving access to secure ports) then snooping anyway. That's worse than open distrust. Distrusting your ISP (and everyone else in the middle) on the other hand should be SOP.
Getting into trouble here for work emailing on holiday....
Identified user 'nameremovedbyTimforprivacyreasons' from IP address 210.54.147.17 as part of company 'N4L_533_mtaspiringcollege'
User belongs to groups [mtaspiringcollege-standard, WinNT://master\Social-Media-OK, WinNT://master\MacSenior]
User belongs to static groups [mtaspiringcollege-standard, WinNT://master\Social-Media-OK, WinNT://master\MacSenior, Statics, ISR Router]
Site categorized as 'Social Networking'
Evaluating 21 rules after reading request headers
Evaluating rule 'School - Enforced Allow' Rule 'School - Enforced Allow' doesn't match
Evaluating rule 'Direct_Out_Permitted_No_Auth' Rule 'Direct_Out_Permitted_No_Auth' doesn't match
Evaluating rule 'MAC_Authenticate'
Evaluating rule 'Students_Banned' Rule 'Students_Banned' doesn't match
Evaluating rule 'No_Student_Access_HTTPS' Rule 'No_Student_Access_HTTPS' doesn't match
Evaluating rule 'Unauthenticated YouTube' Rule 'Unauthenticated YouTube' doesn't match
Evaluating rule 'Standard_Allow' Rule 'Standard_Allow' doesn't match
Evaluating rule 'Authenticated Staff' Rule 'Authenticated Staff' doesn't match
Evaluating rule 'Authenticated Block' Rule 'Authenticated Block' doesn't match
Evaluating rule 'Social_Media_OK_1_2' Rule 'Social_Media_OK_1_2' doesn't match
Evaluating rule 'Social_Media_OK_3_4' Taking allow action because of category 'Social Networking'
Evaluating 0 rules at stage reqmod
Evaluating 1 HTTPS rules HTTPS rule 'MAC_SSL' matches, using certificate 'N4L' to decrypt
Identified user 'nameremovedbyTimforprivacyreasons' from IP address 210.54.147.17 as part of company 'N4L_533_mtaspiringcollege'
User belongs to groups [mtaspiringcollege-standard, WinNT://master\Social-Media-OK, WinNT://master\MacSenior]
User belongs to static groups [mtaspiringcollege-standard, WinNT://master\Social-Media-OK, WinNT://master\MacSenior, Statics, ISR Router]
Site categorized as 'Finance'
Evaluating 21 rules after reading request headers
Evaluating rule 'School - Enforced Allow' Rule 'School - Enforced Allow' doesn't match
Evaluating rule 'Direct_Out_Permitted_No_Auth' Rule 'Direct_Out_Permitted_No_Auth' doesn't match
Evaluating rule 'MAC_Authenticate'
Evaluating rule 'Students_Banned' Rule 'Students_Banned' doesn't match
Evaluating rule 'No_Student_Access_HTTPS' Rule 'No_Student_Access_HTTPS' doesn't match
Evaluating rule 'Unauthenticated YouTube' Rule 'Unauthenticated YouTube' doesn't match
Evaluating rule 'Standard_Allow' Rule 'Standard_Allow' doesn't match
Evaluating rule 'Authenticated Staff' Rule 'Authenticated Staff' doesn't match
Evaluating rule 'Authenticated Block' Rule 'Authenticated Block' doesn't match
Evaluating rule 'Social_Media_OK_1_2' Rule 'Social_Media_OK_1_2' doesn't match
Evaluating rule 'Social_Media_OK_3_4' Rule 'Social_Media_OK_3_4' doesn't match
Evaluating rule 'Social_Media_OK_6' Rule 'Social_Media_OK_6' doesn't match
Evaluating rule 'Student_Social_Block_1_2_HTTPS' Rule 'Student_Social_Block_1_2_HTTPS' doesn't match
Evaluating rule 'Student_Social_Block_3_4_HTTPS' Rule 'Student_Social_Block_3_4_HTTPS' doesn't match
Evaluating rule 'Student_Social_Block_6_HTTPS' Rule 'Student_Social_Block_6_HTTPS' doesn't match
Evaluating rule 'Hostel_Prep_HTTPS' Rule 'Hostel_Prep_HTTPS' doesn't match
Evaluating rule 'Authenticated_Allow_Explicit_Words' Rule 'Authenticated_Allow_Explicit_Words' doesn't match
Evaluating rule 'Standard_Block' Rule 'Standard_Block' doesn't match
Evaluating rule 'School - Enforced BLOCK' Rule 'School - Enforced BLOCK' doesn't match
Evaluating rule 'Explict_keyword_master' Rule 'Explict_keyword_master' doesn't match
Evaluating default rule at stage reqmod
Taking allow action because of adv-rule-match 'No exception exists to allow this web page'
Evaluating 0 rules at stage reqmod
Evaluating 1 HTTPS rules HTTPS rule 'MAC_SSL' doesnt match
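The two traces above show the filter walking its rule list in order and then, separately, deciding whether to decrypt the HTTPS session. The following added example (mine, not code from the thread or from N4L/Cisco) parses traces in that format into a structured record and lists which requests were intercepted; the traces it embeds are constructed stand-ins with placeholder user, IP, company and rule names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Two constructed traces in the format of the N4L/Cisco rule-evaluation log quoted
# in the thread; user, IP, company and rule names are placeholders, not real data.
TRACE_SOCIAL = (
    "Identified user 'student01' from IP address 192.0.2.10 as part of company 'EXAMPLE_SCHOOL' "
    "Site categorized as 'Social Networking' "
    "Evaluating 3 rules after reading request headers "
    "Evaluating rule 'MAC_Authenticate' "
    "Evaluating rule 'Students_Banned' Rule 'Students_Banned' doesn't match "
    "Evaluating rule 'Social_Media_OK_3_4' Taking allow action because of category 'Social Networking' "
    "Evaluating 1 HTTPS rules HTTPS rule 'MAC_SSL' matches, using certificate 'N4L' to decrypt"
)
TRACE_FINANCE = (
    "Identified user 'student01' from IP address 192.0.2.10 as part of company 'EXAMPLE_SCHOOL' "
    "Site categorized as 'Finance' "
    "Evaluating 2 rules after reading request headers "
    "Evaluating rule 'Students_Banned' Rule 'Students_Banned' doesn't match "
    "Evaluating rule 'Standard_Block' Rule 'Standard_Block' doesn't match "
    "Evaluating default rule at stage reqmod "
    "Taking allow action because of adv-rule-match 'No exception exists to allow this web page' "
    "Evaluating 1 HTTPS rules HTTPS rule 'MAC_SSL' doesnt match"
)

@dataclass
class Decision:
    user: str
    ip: str
    category: str
    evaluated: list              # rules tried, in order
    matched: Optional[str]       # rule that produced the action; None when the default rule fired
    action: str                  # 'allow' or 'block'
    reason: str
    decrypt_cert: Optional[str]  # certificate used to intercept TLS, or None if left encrypted

def parse_trace(text: str) -> Decision:
    """Turn one rule-evaluation trace into a structured decision record."""
    flat = " ".join(text.split())  # accept line-broken or run-together traces alike
    ident = re.search(r"Identified user '([^']*)' from IP address (\S+)", flat)
    category = re.search(r"Site categorized as '([^']*)'", flat)
    evaluated = re.findall(r"Evaluating rule '([^']*)'", flat)
    failed = set(re.findall(r"Rule '([^']*)' doesn't match", flat))
    action = re.search(r"Taking (\w+) action because of (.*?)(?= Evaluating|$)", flat)
    decrypt = re.search(r"HTTPS rule '[^']*' matches, using certificate '([^']*)' to decrypt", flat)
    # A rule that was evaluated but never reported as failing is the one that acted;
    # the engine only falls through to its default rule when every listed rule failed.
    hits = [r for r in evaluated if r not in failed]
    matched = None if "Evaluating default rule" in flat or not hits else hits[-1]
    return Decision(ident.group(1), ident.group(2), category.group(1), evaluated, matched,
                    action.group(1), action.group(2), decrypt.group(1) if decrypt else None)

def intercepted(traces):
    """List (user, category, certificate) for every request the filter decrypted."""
    return [(d.user, d.category, d.decrypt_cert)
            for d in map(parse_trace, traces) if d.decrypt_cert]
```

Running `intercepted` over an export of such traces gives an audit list of exactly which users' sessions were decrypted under which certificate, which is the question the rest of the thread argues about.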
The trick with the ‘knowingly allowed’ test is that it’s either never true (You “know” that your filtering is failsafe) or always true (You recognise that any filtering system is flawed and can be bypassed). A technical solution to a social problem can only ever be ‘best effort’ and/or ‘reasonable effort’. As soon as you introduce customised filtering (different users/devices have different access) the can of worms becomes larger as you have to include the users in the equation – have they taken suitable precautions? Have you taken suitable steps to make them aware of suitable precautions? Legal issues are best left with the lawyer that’s going to have to defend the position they advise :-)
The ‘man in the middle’ approach is nothing more than a technique for snooping on content that’s intended to be unsnoopable. The two points of debate are whether or not deliberately putting a man in the middle lowers overall security and whether or not you should be snooping on the traffic in any case.
They are similar and related, but also separate arguments (and end-game, security is really about what you *can* do, not what you *actually* do – you *can* snoop on arbitrary SSL sites without notifying the user is the concern).
I like N4L overall. There are aspects which could potentially be improved, and alternatives that can be used to augment the N4L offering. It’s still a good path to go down, and seems to be getting better…
J,
In an ideal world, that would be both true and adhered to by all users. In the schools I’ve dealt with it tends to be a little less black and white in reality.
From: techies-f...@googlegroups.com [mailto:techies-f...@googlegroups.com]
On Behalf Of Patrick Dunford
Sent: Tuesday, 7 April 2015 1:21 p.m.
To: techies-f...@googlegroups.com
Subject: Re: [techies-for-schools] pfSense
To me it’s simple, the network is for school use only, there should be no issue for school purposes as compared to personal purposes.