There are plenty of devices that can inspect the traffic without impairing performance.
*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Sun, Feb 12, 2012 at 10:58 PM, Steve Kradel <[email protected]> wrote:

> They do have to traverse your network in a manageable way, anyway... up until the point that some wiseacre fires up a VPN or a tunnel/proxy, it's not so hard to grab port 53 traffic on its way out and quietly redirect it.
>
> However, the problem itself is extremely difficult to solve thoroughly. How can one possibly stay on top of the IPs that SSL is or isn't "safe" to, given that you cannot do any other meaningful inspection of the data (not even the hostname in the HTTPS request)? I know there are products that attempt to solve it without seriously impairing the network, but I can't imagine they're robust against a clever | determined kiddo.
>
> --Steve
>
> On Sun, Feb 12, 2012 at 10:22 PM, James Hill <[email protected]> wrote:
>
> > This assumes that the students have to use your DNS as well.
> >
> > From: Kennedy, Jim [mailto:[email protected]]
> > Sent: Saturday, 11 February 2012 1:45 AM
> > To: NT System Admin Issues
> > Subject: DNS Partial zone CNAMEs?
> >
> > Long story made somewhat short: We enforce safe search on google images with our filter. If a clever student hits https://www.google.com and searches for Excalibur Films images the safe search enforcement fails and they are going to get more than they should. And since I now know this, I will go to jail and my wife will be sad.
> >
> > So I need to do the below from Google:
> >
> > To utilize this solution, your school’s network administrator would modify your DNS (Domain Name System) configuration to make Google domains, e.g. www.google.com to be an alias or CNAME (canonical name) of nossl.google.com. When we see search requests arriving over the nossl end point we will redirect these to a non-SSL search session. HTTP traffic and other services will not be affected.
> >
> > I am a bit puzzled on how to do this. If I toss up a zone for google.com and put up a www.google.com CNAME nossl.google.com What happens when someone tries to hit mail.google.com? My zone lookup will fail…will my DNS server then hit my forwarders for mail.google.com
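The question in the original post (what happens to mail.google.com once a local google.com zone exists) modelled as an added example that is not part of the thread: a DNS server answers authoritatively for every name under a zone it hosts and consults its forwarders only for names outside its zones. The zone contents and the 203.0.113.x addresses are constructed, and the narrow www.google.com zone is an assumption shown for contrast.

```python
# Simplified model of a DNS server with locally hosted zones plus forwarders.
# All records and addresses are constructed sample data (203.0.113.0/24 is a
# documentation range), not real Google addresses.

FORWARDER = {  # what the upstream forwarders would answer
    "www.google.com": "A 203.0.113.10",
    "mail.google.com": "A 203.0.113.20",
    "nossl.google.com": "A 203.0.113.30",
}

# Broad override: a whole google.com zone holding only the CNAME from the post.
BROAD = {"google.com": {"www.google.com": "CNAME nossl.google.com"}}

# Narrow override (assumption): a zone named www.google.com. A zone apex cannot
# be a CNAME (it must carry SOA/NS), so the apex holds an A record copied from
# nossl.google.com and has to be kept in sync by hand.
NARROW = {"www.google.com": {"www.google.com": "A 203.0.113.30"}}


def closest_zone(name, zones):
    """Return the most specific hosted zone containing `name`, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, zones, depth=0):
    """Answer from a hosted zone when one covers the name, else forward."""
    name = name.lower().rstrip(".")
    zone = closest_zone(name, zones)
    if zone is None:
        return ("forwarded", FORWARDER.get(name, "NXDOMAIN"))
    # Authoritative for this name: forwarders are never consulted.
    record = zones[zone].get(name, "NXDOMAIN")
    if record.startswith("CNAME ") and depth < 8:
        target = record.split()[1]
        return ("authoritative", f"{record} -> {resolve(target, zones, depth + 1)[1]}")
    return ("authoritative", record)


if __name__ == "__main__":
    for label, zones in (("broad", BROAD), ("narrow", NARROW)):
        for host in ("www.google.com", "mail.google.com"):
            print(label, host, resolve(host, zones))
```

In the broad case the CNAME target nossl.google.com also falls inside the hosted google.com zone, so it fails to resolve unless that name is added to the zone as well.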
