pfSense


Patrick Dunford

Mar 30, 2015, 3:55:27 AM
to techies-f...@googlegroups.com
Has anyone got this running on Hyper-V in their system? Thoughts, insights?

trevor storr

Mar 30, 2015, 4:00:11 AM
to techies-f...@googlegroups.com
No, but on VMware.  What are you using it for?


--
cheers

Trevor

Trevor Storr
Director of eLearning, CantaNET http://educo.vln.school.nz
Waimate High School
Waimate
New Zealand

J B

Mar 30, 2015, 4:22:01 AM
to techies-f...@googlegroups.com
Had it kind of going a while back but the new version is apparently a lot better under hyper-v.  I know that before it only worked with legacy adaptors which are 100mbit and inefficient CPU wise but I think it now works with the synthetic optimized 1gb virtual nics.  I read a post that on some older versions you needed to add in an init script or just manually drop and lift each interface after a boot in the shell to make it work.  Also it can glitch and lock when trying to shutdown, you need to just stop the VM.

I have just put pfSense on a VMware box (just for it, everything else is Hyper-V) as I could not get it going on any of the three lots of actual hardware I tried it on and would have needed another dedicated NIC in the Hyper-V server to do it safely, it either would not recognize the NICs, went into a reboot loop or could not install to the hard drive.  Had issues with the config too when assigning interfaces, in the end giving it the exact hardware it expected via VMware so the defaults worked got it going. Seems to be alright now if a bit unstable when trying to change the config interface from http to https.

Good luck, I think it should work well when it is going but BSD is just a nightmare compatibility wise.

Jeffrey.


Patrick Dunford

Mar 30, 2015, 6:44:20 AM
to techies-f...@googlegroups.com
Just looking at this prebuilt for Hyper-V
 
 
iOS 8 will not work with our current authenticating proxy, we have to come up with a solution fast for our BYOD.

Pete Eaton

Mar 30, 2015, 6:52:55 AM
to techies-f...@googlegroups.com
What is the purpose of authenticating to the proxy?

As an idea, could you change it so you had a transparent proxy but used RADIUS for wireless logins so you could authenticate the users at the point of wireless logon?
You would have control over connecting to the internet (i.e. by managing access to wireless) and have traceability as you can log the MAC (and subsequently the IP) of the device the user uses to log on to the wireless.

This suggestion may not be of any use to you, but sometimes it helps to approach a problem from a slightly different angle...

:)

Pete

Patrick Dunford

Mar 30, 2015, 6:59:14 AM
to techies-f...@googlegroups.com
Something like that is what we are looking at. It needs to be transparent at the front end to the devices and then authenticate behind the scenes instead.
 
The logon needs to be a web page rather than invoking the web browser’s proxy settings because we have run into a lot of problems with integrated browser proxy authentication. Chromebooks won’t pop up a dialog box most of the time, for example.

Pete Eaton

Mar 30, 2015, 7:19:36 AM
to techies-f...@googlegroups.com
Most WiFi systems have a captive-portal sort of thing: it is much easier to do this sort of stuff before the user gets on WiFi, rather than wait until they try to access the internet IMHO.   Since most traffic is going offsite, users will equate wireless as being the internet anyway.

Of course, IT Nerds know what the internet really is:


Pete

Julian Davison

Mar 30, 2015, 4:10:10 PM
to techies-f...@googlegroups.com

Captive portal is the thing.
Wireless systems often do offer a captive portal; N4L’s user integration will do that too, as will Linewize, or pfSense.

 

Historically pfSense hasn’t played well with Hyper-V, but was fine under VMWare – the older versions were based on a FreeBSD that wasn’t very good with Hyper-V. I believe that the current versions (post-2.2) are using a more recent FreeBSD that behaves much better.

 

J,



Patrick Dunford

Apr 1, 2015, 6:11:30 PM
to techies-f...@googlegroups.com
We currently have an authenticating proxy which gets credentials from the browser popup or these being manually configured on a device. When the schools got Chromebooks these wouldn’t work and there are other issues like they need to be provisioned over wireless in a way that doesn’t require them to authenticate when connecting to the Google sites that provision them.
 
I could possibly make provisioning work through the authenticating proxy by exempting the provisioning sites from requiring authentication.
 
However there is still a problem in that the Chrome browser in the Chromebooks doesn’t seem to be able to pop up the username and password dialog box in any case but tries to redirect it to a URL which doesn’t seem to work either.
 
To add to this, Apple in iOS8 has introduced some features that won’t work with our proxy server so we have this problem that none of the iPads in the school will currently work with the proxy server, whereas they all did work on iOS7.
 
It looks to me that the schools will have to give up on being able to track the usage or sites of individual students and instead rely on monitoring their activities with Hapara. Hapara doesn’t work on desktops where Chrome is not being used but they can use the existing authenticating proxy for that. But with iPads they can’t track anything, just filter.
 
Essentially the system for wireless devices would be
- open wireless connection or one with a very simple password
- transparent proxy (pfSense) for the web browser
- authenticating behind the proxy with a logon screen that authenticates them against their user account for Windows (using some system)
- they will be mass filtered using N4L
- Can we get separate staff and student filtering profiles in N4L?

Julian Davison

Apr 1, 2015, 6:26:36 PM
to techies-f...@googlegroups.com

A captive portal is the usual answer to this.

 

Sitting at the gateway it requires users to sign into a web page in order to allow their device (essentially their IP) access to external resources. pfSense does this admirably (I believe it will even offer you different captive portals for different interfaces/VLANs now).

Transparent proxies are an entirely different can of worms with a whole new range of pitfalls.

 

Both N4L and Linewize have solutions that will do this for you, based on integration with some directory or other (both support AD) and allow things like site exceptions from authentication. They allow different categorisation based on source (user, or user-is-member-of-group, or IP) along with (presumably) logging where people have gone.

I’m not entirely sure how far along the release path N4L’s per-user captive-portal-esque system is, but there are sites using it fairly effectively.

Linewize is available fairly immediately, though there is a cost involved.

pfSense is available immediately, is free, but does take some setting up. If you’re leading into the term break it might be an opportune time to deploy it with some scope for experimentation – or I’m sure there are people here who can help (including me :))

 

J,
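
The gateway behaviour described in the post above (sign in on a web page, then the device's IP is allowed out), modelled as an added example that is not part of the thread and is not pfSense, N4L or Linewize code. Host names, addresses, the session length and the credential check are constructed assumptions; the HTTPS branch shows why a portal cannot prompt when the first request is HTTPS, as noted elsewhere in the thread.

```python
"""Captive-portal gateway decisions (illustrative model, not pfSense code)."""
import hmac
from dataclasses import dataclass, field
from typing import Callable

PORTAL_HOST = "portal.school.example"        # hypothetical portal address
PORTAL_URL = f"http://{PORTAL_HOST}/login"


def host_matches(host, patterns):
    """Exact or subdomain match; 'notexample.org' must not match 'example.org'."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in patterns)


@dataclass
class CaptivePortal:
    check_credentials: Callable[[str, str], bool]  # stand-in for the directory lookup
    exempt_hosts: frozenset = frozenset()          # reachable without signing in
    session_seconds: int = 8 * 3600                # assumed session length
    sessions: dict = field(default_factory=dict)   # client IP -> (user, expires_at)
    audit_log: list = field(default_factory=list)  # (time, IP, user, event)

    def login(self, client_ip, username, password, now):
        """Called by the portal web page; on success the IP is allowed out."""
        ok = self.check_credentials(username, password)
        self.audit_log.append((now, client_ip, username, "login-ok" if ok else "login-failed"))
        if ok:
            # The session is bound to the IP: whoever holds the IP holds the session,
            # which is why the audit log keeps the IP-to-user mapping with a timestamp.
            self.sessions[client_ip] = (username, now + self.session_seconds)
        return ok

    def user_for(self, client_ip, now):
        session = self.sessions.get(client_ip)
        if session is None:
            return None
        username, expires_at = session
        if now >= expires_at:                      # expired: force a fresh sign-in
            del self.sessions[client_ip]
            return None
        return username

    def decide(self, client_ip, scheme, host, now):
        """Return (action, redirect_url) for one outbound web request."""
        if self.user_for(client_ip, now) is not None:
            return ("ALLOW", None)
        if host_matches(host, self.exempt_hosts | {PORTAL_HOST}):
            return ("ALLOW", None)                 # e.g. device provisioning sites
        if scheme == "http":
            return ("REDIRECT", PORTAL_URL)        # plain HTTP can be answered with a 302
        # HTTPS: answering would mean presenting a certificate for a host the gateway
        # does not own, so an honest portal can only refuse the connection.
        return ("BLOCK", None)


def demo():
    """Walk one constructed client through the portal; returns the decisions."""
    directory = {"jsmith": "constructed-password"}          # constructed sample account

    def check(user, password):
        return user in directory and hmac.compare_digest(directory[user], password)

    portal = CaptivePortal(check, exempt_hosts=frozenset({"provisioning.example"}))
    ip, t0 = "10.1.20.37", 1000
    out = {
        "http_before": portal.decide(ip, "http", "news.example", t0),
        "https_before": portal.decide(ip, "https", "mail.example", t0),
        "exempt": portal.decide(ip, "https", "api.provisioning.example", t0),
        "lookalike": portal.decide(ip, "https", "notprovisioning.example", t0),
        "bad_login": portal.login(ip, "jsmith", "wrong", t0),
        "good_login": portal.login(ip, "jsmith", "constructed-password", t0),
    }
    out["https_after"] = portal.decide(ip, "https", "mail.example", t0 + 60)
    out["other_ip"] = portal.decide("10.1.20.38", "http", "news.example", t0 + 60)
    out["expired"] = portal.decide(ip, "https", "mail.example", t0 + 8 * 3600)
    out["log_events"] = [entry[3] for entry in portal.audit_log]
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:13} {result}")
```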

Tim Harper

Apr 1, 2015, 7:00:56 PM
to techies-f...@googlegroups.com
Apple:  it has been fascinating or more accurately frustrating and I am seeing issues pop up everywhere.

Apple seem to have rewritten software in response to the recent iCloud hack.  Their new software now looks to see if there is any traffic inspection happening that could lead to credentials being stolen.  If the software detects inspection then it will not pass credentials and it will not work.  I will let others make statements about the validity of this approach.  I have two machines here running OSX 10.8 and 10.10 - 10.10 has issues and 10.8 works every time.  My iPad 1 with iOS 5.1.1 is fine.  Later versions can struggle.  The amount of pain can vary day by day - I think this is to do with how Apple randomly assign IP addresses as a part of their security measures.

Additionally Apple have also put some other tests on wifi connections (not on cabled connections!) and they like their wifi devices to randomly connect to these sites:


Thus these have been added to whitelists on eg N4L so no authentication is required.  Now the wifi connected OSX devices work without continually popping up annoying web access requests.  I rang Apple and they had no knowledge of this on their help desks.  It is officially CNA - Captive Network Assistance - but I found it anything but helpful.

Filtering etc - see my post to your other N4L query.  pfSense is about to be retired here in the holidays - it has served its purpose and we will use N4L only for all firewall and filtering going forwards.  It will let us do what we need.  And one less box to manage here.


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 443 1236
Fax 03 443 0491

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

Andrew Godfrey

Apr 1, 2015, 7:20:27 PM
to techies-f...@googlegroups.com

On 2 April 2015 at 11:11, Patrick Dunford <kahuk...@gmail.com> wrote:
Essentially the system for wireless devices would be 
- open wireless connection or one with a very simple password

A more secure system would be 802.1x.
 
- transparent proxy (pfSense) for the web browser

I wonder how much savings you make or performance improvements there will be using a proxy. We had our firewall, NAT and proxy on pfsense and it was struggling so now it only does firewall and NAT. Still only averaging 200Mbps during class time. Slower connections may benefit from a proxy if it doesn't slow down your pfsense too much.
 
- authenticating behind the proxy with a logon screen that authenticates them against their user account for Windows (using some system)

Linewize works great for this but will not prompt if your first site is SSL (as any reasonable non-man-in-the-middle attack server should). Perhaps N4L (actually Spark/CISCO) is using some dodgy mechanism to get around this and that is what is tripping iOS8 up? But maybe I'm wrong about that.


_______________________________________
 
Andrew Godfrey  |  Network Manager  |  Burnside High School  |  Christchurch | New Zealand


Mike Etheridge

Apr 1, 2015, 7:27:12 PM
to techies-f...@googlegroups.com
When our N4L router was put in, they wanted to stick a certificate on it which our hosts would trust - essentially allowing them to carry out man-in-the-middle attacks. We said no. Maybe others said yes?

Mike


Julian Davison

Apr 1, 2015, 7:28:53 PM
to techies-f...@googlegroups.com

That does seem to be an integral part of their filtering-ssl system. Not really clear how practical that is in the world of BYOD.

I’m aware of at least one school that has said yes…

 


Julian Davison

Apr 1, 2015, 7:31:51 PM
to techies-f...@googlegroups.com

What were you running pfSense on? Fundamentally pfSense’s proxy tends to be squid running on FreeBSD which isn’t inherently terrible. The squid process can be a complex one, though, as it processes cache-item-availability and the likes, and it can be quite IO heavy so is a bit more sensitive to specs than some other loads…

 

J,

 


Andrew Godfrey

Apr 1, 2015, 7:48:57 PM
to techies-f...@googlegroups.com

On 2 April 2015 at 12:31, Julian Davison <Jul...@decision1.co.nz> wrote:

What were you running pfSense on? Fundamentally pfSense’s proxy tends to be squid running on FreeBSD which isn’t inherently terrible. The squid process can be a complex one, though, as it processes cache-item-availability and the likes, and it can be quite IO heavy so is a bit more sensitive to specs than some other loads…


It's a fairly old ML110 with more memory than it first arrived with and several NICs added in as well. Squid is still running as some of our workstations haven't had their proxy settings removed but I've turned squidguard off as linewize has taken that job over. It's doing its job well at the moment so we'll leave it there for a little while longer.


Tim Harper

Apr 1, 2015, 7:52:02 PM
to techies-f...@googlegroups.com
N4L and authentication:  I'm trialling this with Cisco and it works really well.

Yes we use SSL certificates.  This is not "man in the middle".  People might want to argue the point but essentially a MitM is a secret attack.  There is nothing secret about the N4L certificate as users specifically have to opt to install it.  The certificate allows Cisco to inspect the traffic.  We only use it with the Social Networking and Streaming Video categories.  Installing the certificates was easy and students can manage it themselves mostly on their own devices.  Domain machines can have it pushed via a policy.  Students were incented to do it because once it was done they could access Facebook at approved times (eg lunch or after school etc.)

We can define quite closely what is inspected and even if authentication is needed to access a site.  It has worked well here.

SSO is another feature of the system using an IdP but I've not gone there yet.


regards,

Tim Harper



Julian Davison

Apr 1, 2015, 7:54:21 PM
to techies-f...@googlegroups.com

I’ll argue that. “Man in the middle” is a description of a technique, not an exploit title.

Putting something ‘in the middle’ that’s examining the traffic is an example of the “Man in the Middle” technique. That’s exactly what the Cisco system does. Secret or not.

 

J,

 


Mike Etheridge

Apr 1, 2015, 8:24:16 PM
to techies-f...@googlegroups.com
I agree. There is no way a responsible netadmin can allow this.

Mike

Mike Etheridge

Apr 1, 2015, 8:26:39 PM
to techies-f...@googlegroups.com
The NICs you are running are vital here. You don’t want units that generate CPU interrupts, e.g. the Realtek units that are ubiquitous. A server grade NIC won’t generate interrupts and bog the CPU.

Mike

 

Patrick Dunford

Apr 3, 2015, 6:39:55 PM
to techies-f...@googlegroups.com
Part of iOS8 is it doesn’t accept servers with self signed certificates as proxies (or perhaps routers).

Patrick Dunford

Apr 3, 2015, 6:40:46 PM
to techies-f...@googlegroups.com
The problem is a third party proxy (Trustwave), not N4L.
 
 

Patrick Dunford

Apr 3, 2015, 6:46:43 PM
to techies-f...@googlegroups.com
Before that there was ISA server doing exactly the same thing.
 
These are all different from the likes of Superfish (intercepting secure traffic to inject advertisements). A lot different.
 

Patrick Dunford

Apr 3, 2015, 6:52:15 PM
to techies-f...@googlegroups.com
Really?
 
We are responsible for everything those students do on our network. The school discipline demands it and parents demand it.
 
It might surprise you to learn that a number of schools we work with are keeping records of kids’ logons to Google Apps so they can ensure they can access their accounts if something untoward happens.
 
I don’t hold at all with the viewpoint we should just let the students have completely unmonitored and free rein on our networks just because they can do everything they want with cellular data connection.

Tim Harper

Apr 3, 2015, 8:26:05 PM
to techies-f...@googlegroups.com
Hi Mike,

I see no issues with this approach to filtering.  If people are expecting their SSL traffic to be secure and you want filtering then the approach works well.  We tell people that we monitor certain categories only via SSL.  Thus we are being honest and up front about it - we are not hiding what we do.  If people don't like that approach then of course they are free to do something else - and that includes users who have the choice then not to install the SSL certificate. The alternative is to use some other system and then not tell people what you are doing - which to me seems wrong.  There is a practical need to filter https sites and this solution works.

I never really liked the SchoolZone system for SSL filtering as it was a true MitM with the proxy masquerading as the source/destination to the other party.  This way there is no masquerading - we simply read the traffic as it passes.

Hi Patrick,

this system permits us to record and log what happens so if there is an issue we have data for a year on any student who accesses blocked sites.  45 days of records are kept for all other activity.  If we want to we can export reports of all browsing behaviour and keep it for ever if we want to.

Like you we keep records of kids' logins to Google Apps too.  The main purpose is so we can tell them if they forget their login credentials but a secondary consideration is for the reason you state.  I'd be thinking lots of schools do this.

I'm a fan of permitting wide access to sites.  Clearly we block the obvious but after that I'd prefer to see students taking the responsibility.  This is one of the key competencies in the NZC - "Managing Self"  .  Self-responsibility is a core element of what we expect of students at Mt Aspiring College.  So long as we have the reporting tools to back it all up then we are happy.  I'd personally like to see the reporting tools go further and actively look for and report on behaviour that is counter-productive to learning - eg consistently browsing sites in class time that have no immediate direct relevance to class work.

Just because technology can do some things it does not follow that it can do everything.  There is still a role for teachers to ensure that what they are doing in class is sufficiently interesting to keep students engaged or have some sort of device hand in policy.  There are lots of things that can be done to manage behaviour and I think kids should see people in charge of that rather than technology.  That said I've often shown kids how we know what is happening.  That acts as a pretty swift brake on aberrant activity.

But, like you, we don't need to have the kids having free rein either.  We do have some restrictions.  Eg at 11pm access for students to everything on the internet except the core sites (eg Google for email or docs for assignments etc) is blocked and we re-instate it at 6am.  We want our hostel to sleep.


regards,

Tim Harper



Patrick Dunford

Apr 3, 2015, 8:44:11 PM
to techies-f...@googlegroups.com
When the schools I was working with started doing this I was uncomfortable with it – and to some extent I still am, because they have access to personal email conversations.
 
However the fact is that students are not being compelled to use Google Apps except for school work – and no one is suggesting we have access to their own private email addresses.
 
There have, necessarily, been questions raised by some schools about very private personal information (e.g. counselling) going onto Gmail addresses when everyone knows Google uses keyword-based advertising and could be profiling people based on the information – lots of discussions been had here about the terms of service etc and “Big Data”.
 
Ultimately I would prefer that admins had access to students’ drive storage the same way as on our servers, without knowing students’ login details, but that doesn’t seem to be offered by Google – or is it just that they don’t provide a client for it?

eaton...@gmail.com

Apr 3, 2015, 9:01:01 PM
to techies-f...@googlegroups.com
Just a quick note that Google no longer mine student GAFE account and usage data for advertising, which was a valid concern for some when using their services at schools.


Pete



Tim Harper

Apr 3, 2015, 9:01:56 PM
to techies-f...@googlegroups.com
Hi Patrick,

I understand that all advertising is turned off for GAFE.  I do not know if this means they do not profile as well.  I wonder what Google are making of this conversation - seeing as we are using a Google group and we are both using Google accounts to communicate with the group!

I know that a super admin, as part of the account deletion process, can move all drive data to another user.  Super admins can also restore data too if it was removed.  I'm not sure that a super admin could more directly look at another user's drive data short of knowing/changing the password and logging in as that user.   Thus there are ways but if it was necessary to do it some effort would be needed and then some sort of audit trail is hopefully left behind to show who did what when.



regards,

Tim Harper



Mike Etheridge

Apr 3, 2015, 9:18:15 PM
to techies-f...@googlegroups.com
You may well see no issues. Most netadmins on the planet would disagree with you, I think.

Mike

Tim Harper

Apr 3, 2015, 9:23:04 PM
to techies-f...@googlegroups.com
Hi Mike,

I've stated why I think it is ok.  Can you assist the conversation and put the case as to why you think differently?


regards,

Tim Harper



Andrew Godfrey

Apr 3, 2015, 11:36:09 PM
to techies-f...@googlegroups.com

Hi Tim,

Do you also filter staff access this way?

Tim Harper

Apr 4, 2015, 12:27:16 AM
to techies-f...@googlegroups.com
Hi Andrew,

yes we do.  By virtue of the AD group that staff are in a specific set of filtering rules is applied.    All the filtering rules have three elements - what, who and when.  For staff the "What" is very broad, the "who" is the AD security group that all staff are in and the "When" is anytime.

Staff also must use SSL certs.  As their laptops or desktops are all on the domain the certificate is pushed via group policies.  For their personal devices (eg phones) they must install the certificate manually.  But they only have to install the certificate if they want to access sites in the "Social Networking" or "Streaming Video" categories.  As we do not inspect sites in any other category the certificate is not needed.  We have the certificate on our website and various other places to make it as easily accessible as possible.

I'll be at Google South at Burnside next week - happy to spend some time "off task" showing you how it works in practice if you want.


regards,

Tim Harper



J B

Apr 4, 2015, 7:12:31 PM
to techies-f...@googlegroups.com
Have the staff been trained to check the certificate in use manually each time for sensitive stuff like banking?  I know that at the moment you say that you currently only inspect social sites with SSL.  What if there is a malfunction or misconfiguration at some point in the future? Not only would that be bad but depending on the wording of contracts with banks or whatever other third party they may well be in breach of their agreement and have given up all protections by knowingly using a compromised system.

If the N4L cert ever gets compromised, a softer target and possibly more lucrative than a single bank certificate there are going to be a large amount of devices and users open to exploitation.

I'll have to read more into the granular filtering somehow tied to LDAP as that could be useful but would be more than hesitant about using a third party global wildcard cert on devices for the same reasons I still throw up a firewall between N4L and hosts, the transparency of operation still is not there.  What we get is 'yea, sure it's fine and secure, trust us', it may well be secure but without any real idea as to what is going on with the edge devices and no real consequences for n4l if they hash it everyone should take pause.

As with all of this stuff, no one is worried about the best case scenario but rather the worst case or that terrifying middle ground that MoE projects always seem to find. Where they demand to rip out half your network as an 'upgrade' or propone byod at all costs no matter if it is practical at all, in schools where kids don't get breakfast or lunch if the school does not provide it.



J B

Apr 4, 2015, 7:20:01 PM
to techies-f...@googlegroups.com
You can't take that line, there has to be some user responsibility as well, the government is not responsible for every road death in the country because they own the roads.  They impose rules which are punishable, it is a behavior problem not necessarily a technological problem.  If you take the role of being responsible for everything you need to break open and monitor everything causing more harm than good in general.  Don't let everyone else's behavior be pinned on IT, you are letting them offload personal responsibility onto you and/or your team.



Tim Harper

Apr 4, 2015, 7:52:58 PM
to techies-f...@googlegroups.com
Hi Jeffrey (I'm assuming this is you?),

What do you mean by check the certificate - and which staff are you referring to?  If you are referring to the actual inspection done in N4L filtering then that is rock-solid and I cannot see how it would go wrong. There is an audit process in Cisco that defines any changes made so if someone did change SSL inspection rules that would be stored and be visible - I looked now and it is saying that I made an https filter update on 23 March @ 7:52am.

Schools can generate their own certificates inside the platform.  There is no requirement for all schools to use the same certificate.  The TTL for the certificate can be set for as long as seven years.  There are positives and negatives about different approaches.  Eg at the relaxed end of the security spectrum if all schools adopted the same certificate with a lengthy TTL then as teachers move between schools there would be no need to install a new certificate and it will likely last for the life time of the device.    But at the other cautious end of the security spectrum there could be just the sort of issues that you outline too so deciding on the point that you are happy to live at will be a decision for schools to make and those who want to minimise a potential security risk would use their own certificate with a short TTL.

In the end we have to trust someone.  Why not trust N4L?  Lots of people trust Apple and they never discuss their security systems with anyone.  And iCloud still got hacked.

Why spend money on another firewall that you trust when that money could provide other services? This is a real issue that schools are grappling with now and actively seeking advice about.  (I know some of you have views about this around services but I am saying this in the context of trust as that was the context it was raised in.)


regards,

Tim Harper



Mike Etheridge

Apr 4, 2015, 8:24:53 PM
to techies-f...@googlegroups.com

Why not trust N4L? Because we don't know anything about their staff or their hiring policies. Our staff have to be police vetted. No disrespect intended, just a fact.

J B

Apr 4, 2015, 8:28:54 PM
to techies-f...@googlegroups.com
Yes, it is me :)

Individual certs are better. I don't know about the platform's generation facility so there may still be holes, but there always will be. There is a lot I don't know about it as the training never happened for it. Kind of like the Raspberry Pi that was supposedly something to do with it.

As to Apple I would not trust them as far as I could throw them and make decisions that include their competence and transparency as weighting factors.

N4L has a tough job of being trustable as it is an MoE project and there is a long line of burns and redirects in the past.

I never said that they could not be trusted but there is a saying, "trust but verify", and with N4L you can't verify as the device directly backing onto your network is a black box. Sure you can probe ports from the internet but that does not preclude a misconfig in the access lists letting some random internal N4L address have full access to internal hosts. There probably is not, but you can't know, and how can you honestly say to the school that you have protected their network (as best you can) when they are a config change away from an open network without anyone on site being any the wiser?

We now use the filtering which is good if a little annoying with its amateur hour green ticks and pop overs injected into searches. Still have and will for the foreseeable future have a firewall there though until the transparency is resolved. An old box with free VMware and pfSense is virtually free and will easily cope with the speeds I can manage through N4L even if it does limit filtering to one rule for all unless you static 1:1 NAT the whole set of ranges, which is something I'm considering.

Jeffrey.


Sent from my Windows Phone

From: Tim Harper
Sent: ‎5/‎04/‎2015 11:52 a.m.

Tim Harper

unread,
Apr 4, 2015, 8:38:26 PM4/4/15
to techies-f...@googlegroups.com
Hi Mike,

you can't be serious??!!

Is Google police vetted?  No.  But you still use their services for email.  I could go on.  

What I will say is that the Code of Conduct for State Sector employees prevails and you can search that out with all its implications.

Jeffrey - hopefully the same SSC things can give you some reassurances too.  Also those green ticks can be disabled if you want - do you have access to the platform?  It is in Web Filtering - Management - Global Settings.


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 443 1236
Fax 03 443 0491

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

J B

unread,
Apr 4, 2015, 9:39:31 PM4/4/15
to techies-f...@googlegroups.com
Partially but I was already taking that into account in its trustability.   Misconfiguration can happen in all sorts of ways, people are fallible and I know how easy it is to make an almost invisible hole in an acl by messing up the order when you don't mean to.  It is still prudent to have a testable layer of protection in place.

Oh realized I did not explain the cert bit, what I mean is check the cert in the browser title bar padlock bit to make sure it is not the inspection one when banking. If that cert ever got compromised any device with it on could be vulnerable on whatever network. If using those certs the user should check beforehand that the cert is the right one in case for some reason the inspection is on for it or it's being spoofed. You can't do this in stuff like phone apps. The main point is though that a trusted universal wildcard cert on a device opens it up to new threats and these should also be considered.

Thanks, I can get access to that area so may well switch that off as several of the staff were rightly concerned that their computers had been compromised by malware thanks to the pop overs and different behavior between home and work.


Sent from my Windows Phone

From: Tim Harper
Sent: ‎5/‎04/‎2015 12:38 p.m.
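Added example (not part of the thread): the padlock check described in the post above, done programmatically so it also covers clients that show no padlock. It assumes the inspection CA can be recognised by the string "N4L" in the issuer field, which is the certificate name shown in a policy trace elsewhere in this thread; the host names and certificate dictionaries are constructed sample data in the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

# Assumption: substrings that identify the filter's re-signing CA in the issuer.
# Replace with the exact issuer of the root actually installed on your devices.
INSPECTION_MARKERS = ("n4l",)

# Constructed sample data, shaped like SSLSocket.getpeercert() output.
SAMPLE_CERTS = {
    "bank.example": {
        "subject": ((("commonName", "bank.example"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Public CA"),),
                   (("commonName", "Example Public CA G2"),)),
    },
    "social.example": {
        "subject": ((("commonName", "social.example"),),),
        "issuer": ((("countryName", "NZ"),),
                   (("organizationName", "N4L"),),
                   (("commonName", "N4L inspection root (constructed)"),)),
    },
}


def issuer_fields(cert):
    """Flatten the nested 'issuer' tuple from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert, markers=INSPECTION_MARKERS):
    """Return 'inspected' if the issuer looks like the inspection CA, else 'direct'."""
    fields = issuer_fields(cert)
    text = " ".join(
        fields.get(k, "") for k in ("organizationName", "commonName")
    ).lower()
    return "inspected" if any(marker in text for marker in markers) else "direct"


def check_host(host, port=443, timeout=5.0):
    """Live check: validate against the device trust store, then classify."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        # The issuer is not trusted by this device at all.
        return "untrusted"


def sweep(certs_by_host, must_be_direct):
    """Hosts that should never be inspected but carry an inspection-CA issuer."""
    return sorted(
        host for host in must_be_direct
        if classify(certs_by_host[host]) == "inspected"
    )


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, classify(cert), issuer_fields(cert).get("commonName"))
```

`check_host` uses the trust store that Python's `ssl` module loads on the device, which can differ from the browser's store.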

Mike Etheridge

unread,
Apr 4, 2015, 10:08:23 PM4/4/15
to techies-f...@googlegroups.com

Actually, Tim, I am serious. The Google mail example doesn't stack up. I can (and do, off my phone) encrypt my mail because I actually don't trust Google. As a netadmin, I don't choose to subvert the intention of end to end secure connection that SSL is supposed to deliver. I won't train my users to agree to give away that security to a man in the middle.

This whole thing comes down to trust, but not between users and middle men (basic instruction: do not trust them) but between members of the school community. In a low trust model, there is no trust between staff and students (and management and lower levels), and low trust organizations are characterised by rigid hierarchies, centralized decision making, predetermined outcomes and high handed unilateral violation of privacy. High trust models are associated with needs and interest based networking, devolved decision making, flexibility, respect for the individual, innovation and fun. I know what kind of organization I prefer to belong to, and I will always promote the associated values.

Mike

Tim Harper

unread,
Apr 4, 2015, 10:08:43 PM4/4/15
to techies-f...@googlegroups.com
We don't specifically tell staff to look at the padlock. Most would get confused. We would be telling people PDQ if there was an issue and actually pulling the certificate from filtering first.

Even Google shows issues with its own site! I get the orange triangle - possibly because of some of the extensions I have loaded.

Inline images 2


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 443 1236
Fax 03 443 0491

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

Tim Harper

unread,
Apr 4, 2015, 10:17:12 PM4/4/15
to techies-f...@googlegroups.com
Hi Mike,

I'm happy with your description. I feel that we are in a high trust model already with regard to N4L. What do you think are the shortcomings of the trust relationship between yourself, your school and N4L that would place e.g. N4L in anything other than a high trust model? I would have thought that the State Services Commission Code of Conduct would give you that trust?


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 443 1236
Fax 03 443 0491

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

Patrick Dunford

unread,
Apr 4, 2015, 10:25:55 PM4/4/15
to techies-f...@googlegroups.com
Does the N4L system involve posing as a Root Certificate Authority and reissuing certificates from secure websites?
 
e.g. a certificate from an online banking site, issued by (say) Verisign, is replaced by one issued by N4L or Cisco.
 
For example read this (a recent real world example)
 
image.png

Mike Etheridge

unread,
Apr 4, 2015, 10:44:39 PM4/4/15
to techies-f...@googlegroups.com

I think you missed the point there. I'm talking about trusting our students and working SSL how it is intended. Not pretending to trust them (giving access to secure ports) then snooping anyway. That's worse than open distrust. Distrusting your ISP (and everyone else in the middle) on the other hand should be SOP.

Getting into trouble here for work emailing on holiday....

Patrick Dunford

unread,
Apr 4, 2015, 10:49:49 PM4/4/15
to techies-f...@googlegroups.com
Not speaking for Mike of course but people will ask questions about the government’s intent, there are already enough questions over the fact Google can read all your email without the question that the NZ government would like to as well it appears.

Tim Harper

unread,
Apr 4, 2015, 11:04:26 PM4/4/15
to techies-f...@googlegroups.com
Hi Mike,

Hmm - I thought this was part of the "fun"!!!  Having fun is what we do on holiday.

I'm totally missing your point.  I thought you were talking about not trusting N4L.

You are trusting your students in what way here?  Are you saying that you do not use any SSL inspection/filtering of any sort?  Thus meaning that the students could eg browse to https://www.facebook.com?  Which means that you are trusting students not to use https sites that they should not be on?  What happens when they breach that trust relationship?  And how do you know if they do?

Hi Patrick,

The GCSB is totally different to N4L in terms of a government agency. N4L is not actually supplying data - that is purchased from commercial suppliers who have to operate in accordance with whatever the law says and if that means the GCSB can request that specific monitoring take place then we have to live with that. One example of monitoring that does happen is the child exploitation filter run by DIA. Not all NZ ISPs have signed up to use it but I'm pleased that N4L's supplier does.


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 443 1236
Fax 03 443 0491

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

Tim Harper

unread,
Apr 5, 2015, 12:43:08 AM4/5/15
to techies-f...@googlegroups.com
Hi Patrick,

sorry - I missed this one in the myriad of others.

I've asked upstream on this - I do not know the actual answer.  It is a good question.  I will post back once I find out more but expect it to take a few days.


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 443 1236
Fax 03 443 0491

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

Ict Technician

unread,
Apr 5, 2015, 7:57:38 PM4/5/15
to techies-f...@googlegroups.com
I've recently been talking to a lawyer over just these issues. This lawyer was involved in serious criminal cases around IT. It was his opinion that if I knowingly allowed students (minors) to access objectionable material, then I would be liable. He also told me that pretty much all objectionable material that comes into the country is monitored for the purpose of building criminal cases.

It was my opinion, and he reinforced it, that I was responsible for ensuring that the minors using the school network were not able to access objectionable material, or engage in illegal activity, with the proviso that if they deliberately work around reasonable restrictions then I'm not liable unless I know about it and fail to act.

The 'man in the middle' approach that N4L is taking to allow SSL traffic analysis is a good thing. Many big time network security appliances provide exactly such a service, with the responsibility for the security of their certificates (and the liability) being that of the service provider. It may make us feel powerless, but we are no more or less powerless than when any other certificate is used, beyond the scope of the potential breach.

We are not using N4L yet but plan to move on it as other workloads decrease. Having read everyone's concerns, the only thing I'd ask for was that I could exempt certain sites from packet interception. Namely banking sites (just in case), but potentially any that staff asked for. Rather than throw around statements claiming that using the system will break banking T&C, I'd contact the banks and ask them.

I'd also ask N4L for a statement on liability. If they are not willing to wear it, then I wouldn't use the service.

Having SSL inspection is far more useful than dangerous, imo. Forced Google safe search on https (a DNS fix requiring external DNS request blocking and breaking things like Google voice search) is by-passable with simple IP based search request, or by using alternative search engines. I trust N4L more than I trust a 12 year old.

just my 2c

Tim Harper

unread,
Apr 5, 2015, 8:43:37 PM4/5/15
to techies-f...@googlegroups.com
Hi Flow,

we only inspect for "Social Networking" and "Streaming Video" categories.  All other categories are not inspected. We do not inspect specific domains but we could.  Exempting sites from inspection is easy - you can either simply not include the category that the site is in for inspection or you can explicitly exclude the domain from inspection.

Cisco has a great tool for evaluating what category a site is in - from inside the network use http://policytrace.scansafe.net and it will tell you the category and why the site is allowed or disallowed.  The example below shows what happens when a student browses to https://www.facebook.com:

Identified user 'nameremovedbyTimforprivacyreasons' from IP address 210.54.147.17 as part of company 'N4L_533_mtaspiringcollege'
User belongs to groups [mtaspiringcollege-standard, WinNT://master\Social-Media-OK, WinNT://master\MacSenior]
User belongs to static groups [mtaspiringcollege-standard, WinNT://master\Social-Media-OK, WinNT://master\MacSenior, Statics, ISR Router]
Site categorized as 'Social Networking'
Evaluating 21 rules after reading request headers
Evaluating rule 'School - Enforced Allow'
Rule 'School - Enforced Allow' doesn't match
Evaluating rule 'Direct_Out_Permitted_No_Auth'
Rule 'Direct_Out_Permitted_No_Auth' doesn't match
Evaluating rule 'MAC_Authenticate'
Evaluating rule 'Students_Banned'
Rule 'Students_Banned' doesn't match
Evaluating rule 'No_Student_Access_HTTPS'
Rule 'No_Student_Access_HTTPS' doesn't match
Evaluating rule 'Unauthenticated YouTube'
Rule 'Unauthenticated YouTube' doesn't match
Evaluating rule 'Standard_Allow'
Rule 'Standard_Allow' doesn't match
Evaluating rule 'Authenticated Staff'
Rule 'Authenticated Staff' doesn't match
Evaluating rule 'Authenticated Block'
Rule 'Authenticated Block' doesn't match
Evaluating rule 'Social_Media_OK_1_2'
Rule 'Social_Media_OK_1_2' doesn't match
Evaluating rule 'Social_Media_OK_3_4'
Taking allow action because of category 'Social Networking'
Evaluating 0 rules at stage reqmod
Evaluating 1 HTTPS rules
HTTPS rule 'MAC_SSL' matches, using certificate 'N4L' to decrypt

In this case the student is allowed to use Facebook as they are in a local AD security group set up for that purpose.

The same user browsing to https://www.bnz.co.nz is not inspected and is permitted:

Identified user 'nameremovedbyTimforprivacyreasons' from IP address 210.54.147.17 as part of company 'N4L_533_mtaspiringcollege'
User belongs to groups [mtaspiringcollege-standard, WinNT://master\Social-Media-OK, WinNT://master\MacSenior]
User belongs to static groups [mtaspiringcollege-standard, WinNT://master\Social-Media-OK, WinNT://master\MacSenior, Statics, ISR Router]
Site categorized as 'Finance'
Evaluating 21 rules after reading request headers
Evaluating rule 'School - Enforced Allow'
Rule 'School - Enforced Allow' doesn't match
Evaluating rule 'Direct_Out_Permitted_No_Auth'
Rule 'Direct_Out_Permitted_No_Auth' doesn't match
Evaluating rule 'MAC_Authenticate'
Evaluating rule 'Students_Banned'
Rule 'Students_Banned' doesn't match
Evaluating rule 'No_Student_Access_HTTPS'
Rule 'No_Student_Access_HTTPS' doesn't match
Evaluating rule 'Unauthenticated YouTube'
Rule 'Unauthenticated YouTube' doesn't match
Evaluating rule 'Standard_Allow'
Rule 'Standard_Allow' doesn't match
Evaluating rule 'Authenticated Staff'
Rule 'Authenticated Staff' doesn't match
Evaluating rule 'Authenticated Block'
Rule 'Authenticated Block' doesn't match
Evaluating rule 'Social_Media_OK_1_2'
Rule 'Social_Media_OK_1_2' doesn't match
Evaluating rule 'Social_Media_OK_3_4'
Rule 'Social_Media_OK_3_4' doesn't match
Evaluating rule 'Social_Media_OK_6'
Rule 'Social_Media_OK_6' doesn't match
Evaluating rule 'Student_Social_Block_1_2_HTTPS'
Rule 'Student_Social_Block_1_2_HTTPS' doesn't match
Evaluating rule 'Student_Social_Block_3_4_HTTPS'
Rule 'Student_Social_Block_3_4_HTTPS' doesn't match
Evaluating rule 'Student_Social_Block_6_HTTPS'
Rule 'Student_Social_Block_6_HTTPS' doesn't match
Evaluating rule 'Hostel_Prep_HTTPS'
Rule 'Hostel_Prep_HTTPS' doesn't match
Evaluating rule 'Authenticated_Allow_Explicit_Words'
Rule 'Authenticated_Allow_Explicit_Words' doesn't match
Evaluating rule 'Standard_Block'
Rule 'Standard_Block' doesn't match
Evaluating rule 'School - Enforced BLOCK'
Rule 'School - Enforced BLOCK' doesn't match
Evaluating rule 'Explict_keyword_master'
Rule 'Explict_keyword_master' doesn't match
Evaluating default rule at stage reqmod
Taking allow action because of adv-rule-match 'No exception exists to allow this web page'
Evaluating 0 rules at stage reqmod
Evaluating 1 HTTPS rules
HTTPS rule 'MAC_SSL' doesnt match


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 443 1236
Fax 03 443 0491

t...@mtaspiring.school.nz
www.mtaspiring.school.nz
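Added example (not part of the thread): a parser for the policy trace output quoted in the post above, used to verify that categories meant to be exempt from SSL inspection are never decrypted. The sample traces are constructed by abbreviating the two quoted traces, with the user, IP address and company replaced by placeholders; the `never_decrypt` list and the misconfigured third trace are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, abbreviated from the traces in the post.
TRACE_FACEBOOK = """\
Identified user 'student1' from IP address 192.0.2.17 as part of company 'EXAMPLE_school'
Site categorized as 'Social Networking'
Evaluating rule 'School - Enforced Allow'
Rule 'School - Enforced Allow' doesn't match
Evaluating rule 'MAC_Authenticate'
Evaluating rule 'Students_Banned'
Rule 'Students_Banned' doesn't match
Evaluating rule 'Social_Media_OK_3_4'
Taking allow action because of category 'Social Networking'
Evaluating 1 HTTPS rules
HTTPS rule 'MAC_SSL' matches, using certificate 'N4L' to decrypt
"""

# Second trace with its line breaks lost, as happens when output is pasted.
TRACE_BANK = """\
Identified user 'student1' from IP address 192.0.2.17 as part of company 'EXAMPLE_school'
Site categorized as 'Finance'
Evaluating rule 'Standard_Block'
Rule 'Standard_Block' doesn't match
Evaluating default rule at stage reqmod
Taking allow action because of adv-rule-match 'No exception exists to allow this web page'
Evaluating 1 HTTPS rules
HTTPS rule 'MAC_SSL' doesnt match
""".replace("\n", " ")

# Constructed misconfiguration: the Finance site is decrypted after all.
TRACE_BANK_MISCONFIG = TRACE_BANK.replace(
    "HTTPS rule 'MAC_SSL' doesnt match",
    "HTTPS rule 'MAC_SSL' matches, using certificate 'N4L' to decrypt",
)

EVENT = re.compile(
    r"Evaluating rule '(?P<eval>[^']*)'"
    r"|Rule '(?P<miss>[^']*)' doesn't match"
    r"|(?P<default>Evaluating default rule)"
    r"|Taking (?P<action>\w+) action because of (?P<kind>[\w-]+) '(?P<reason>[^']*)'"
)
HTTPS = re.compile(
    r"HTTPS rule '(?P<rule>[^']*)' "
    r"(?:matches, using certificate '(?P<cert>[^']*)' to decrypt|doesn'?t match)"
)


@dataclass
class Verdict:
    user: str = ""
    category: str = ""
    action: str = ""
    deciding_rule: str = ""
    skipped_rules: list = field(default_factory=list)
    decrypted: bool = False
    certificate: str = ""


def parse_trace(text):
    """Parse one trace; works on line-per-event or flattened text."""
    v = Verdict()
    m = re.search(r"Identified user '([^']*)'", text)
    v.user = m.group(1) if m else ""
    m = re.search(r"Site categorized as '([^']*)'", text)
    v.category = m.group(1) if m else ""
    last = ""  # most recent rule evaluated without a "doesn't match"
    for ev in EVENT.finditer(text):
        if ev["eval"] is not None:
            last = ev["eval"]
        elif ev["miss"] is not None:
            v.skipped_rules.append(ev["miss"])
            last = "" if ev["miss"] == last else last
        elif ev["default"]:
            last = "(default rule)"
        else:  # first "Taking ... action" line decides the request
            v.action, v.deciding_rule = ev["action"], last
            break
    for h in HTTPS.finditer(text):
        if h["cert"] is not None:
            v.decrypted, v.certificate = True, h["cert"]
    return v


def audit(traces, never_decrypt=("Finance",)):
    """Return (user, category, certificate) for decrypted exempt categories."""
    verdicts = [parse_trace(t) for t in traces]
    return [(v.user, v.category, v.certificate) for v in verdicts
            if v.decrypted and v.category in never_decrypt]
```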


trevor storr

unread,
Apr 6, 2015, 3:15:08 AM4/6/15
to techies-f...@googlegroups.com
Hi,

We too use SSL inspection set up in a similar way to MAS. SSL is inspected and policies enforced for social media and streaming media. The N4L certificate is deployed via policies on school owned devices and to others that request them. Additionally we use user auth with our eDirectory instance (using LDAP hooks). By having an outward facing squid proxy and pushing this proxy out to our chromebooks we can enforce the N4L filtering on to the chromebooks when they are taken home. This is great for our school community, though we do ensure that they understand that it is a best effort service and that filtering may be turned off (actually it's the proxy/CB policy that we'd adjust for maintenance etc.). We use split horizon DNS so that when the CB's are in school they don't route through the proxy and just go directly out. All users, even those that are banned from the internet, can get to GAFE. By building policies around user agents, all students can get to GAFE on their own phones using gmail & gdocs apps etc without having to authenticate against N4L.

From a BOT perspective I'd anticipate that liability is of equal importance to safety. N4L's policy is one of limited liability (I wouldn't expect them to be legally liable for school activity) and the privacy policy is fairly standard stuff. I do know (and it would be reasonable to expect) that legal advice was obtained before making the SSL interception product available to schools. So how does using a limited legal liability N4L service improve liability for BOT's? I think the fact that N4L are willing to work with schools to provide advice and guidance around filtering provides BOT's with some confidence that the possibility of mistakes happening is reduced. Additionally because the filter is provided under contract to N4L it means that BOT's (but usually ICT staff TIC's) can worry about things other than filtering infrastructure. I for one am very grateful that other IT professionals are able to look over the filtering policies and ask the hard questions about what does what and why. It provides my employer and I with a degree of reassurance that we are operating openly and professionally. If things did go wrong (ie a filter was incorrectly applied) then at least I'd have the help of N4L staff in getting it put right.


--
cheers

Trevor

Trevor Storr
Director of eLearning, CantaNET http://educo.vln.school.nz
Waimate High School
Waimate
New Zealand

Julian Davison

unread,
Apr 6, 2015, 5:34:00 PM4/6/15
to techies-f...@googlegroups.com

The trick with the ‘knowingly allowed’ test is that it’s either never true (You “know” that your filtering is failsafe) or always true (You recognise that any filtering system is flawed and can be bypassed). A technical solution to a social problem can only ever be ‘best effort’ and/or ‘reasonable effort’. As soon as you introduce customised filtering (different users/devices have different access) the can of worms becomes larger as you have to include the users in the equation – have they taken suitable precautions? Have you taken suitable steps to make them aware of suitable precautions? Legal issues are best left with the lawyer that’s going to have to defend the position they advise :)

 

The ‘man in the middle’ approach is nothing more than a technique for snooping on content that’s intended to be unsnoopable. The two points of debate are whether or not deliberately putting a man in the middle lowers overall security and whether or not you should be snooping on the traffic in any case.

They are similar and related, but also separate arguments (and end-game, security is really about what you *can* do, not what you *actually* do – you *can* snoop on arbitrary SSL sites without notifying the user is the concern).

 

I like N4L overall. There are aspects which could potentially be improved, and alternatives that can be used to augment the N4L offering. It’s still a good path to go down, and seems to be getting better…

 

J,


Patrick Dunford

unread,
Apr 6, 2015, 9:21:06 PM4/6/15
to techies-f...@googlegroups.com
To me it’s simple, the network is for school use only, there should be no issue for school purposes as compared to personal purposes.

Julian Davison

unread,
Apr 6, 2015, 10:04:05 PM4/6/15
to techies-f...@googlegroups.com

In an ideal world, that would be both true and adhered to by all users. In the schools I’ve dealt with it tends to be a little less black and white in reality.

 

