Firewall Bypass Prevention
Use application layer firewalls - Application-layer inspection ensures that filtering is possible on types of content, types of program function, and repurposing of protocols is prevented.
Use very restrictive rule bases - This may seem obvious, but it always bears repeating. Allow only the absolute minimum traffic of the fewest types, from only the locations needed. The rule base will be more detailed and complex, but bypassing becomes vastly more difficult.
Force proxy use for access - Some firewalls include a proxy server or proxy interface. If all traffic for proxy-capable protocols must pass through via the proxy, possibilities for circumventing the firewall are greatly reduced.
Limit access by IP address - Ensure that systems students have access to and use are limited access by IP address. If a rogue system is put on the network or someone manages to change its address, no access at all is possible.
Require authentication for access - Along with the other restrictions in place, require authentication and authorization for use of even allowed protocols. If they don't have a valid user id and password, and aren't in an authorized group, they're blocked.
Don't allow users to install programs or change configurations - It's rare that students would need to change IP addresses, proxy settings, or install software on computers. Don't allow everyday users this level of privilege.