written by: Lee Clemmer•edited by: Bill Bunter•updated: 5/5/2010
School firewalls are in unique positions. Every year or semester, a new batch of young, curious Internet explorers appears to probe and search for new surreptitious means to circumvent firewalls and their access rules. How do students bypass a school firewall when they try?
slide 1 of 3
"How to bypass a school firewall" is one of the most popular searches on Google. This article isn't going to explain how to bypass a school firewall; rather it will explain how school IT admins can ensure that their firewall isn't bypassed using the information that students find during their Google search. There are several methods consistently used by students to bypass, or try to bypass firewalls. Some of these persist and are still effective due to the firewall technology in place. Even installing the latest and greatest firewall tech is no assurance of security. The firewall is only as good as the configuration and rules in place. Let's take a look at the basics to prevent firewall bypass by students.
slide 2 of 3
Firewall Bypass Prevention
Use application layer firewalls - Application-layer inspection ensures that filtering is possible on types of content, types of program function, and repurposing of protocols is prevented.
Use very restrictive rule bases - This may seem obvious, but it always bears repeating. Allow only the absolute minimum traffic of the fewest types, from only the locations needed. The rule base will be more detailed and complex, but bypassing becomes vastly more difficult.
Force proxy use for access - Some firewalls include a proxy server or proxy interface. If all traffic for proxy-capable protocols must pass through via the proxy, possibilities for circumventing the firewall are greatly reduced.
Limit access by IP address - Ensure that systems students have access to and use are limited access by IP address. If a rogue system is put on the network or someone manages to change its address, no access at all is possible.
Require authentication for access - Along with the other restrictions in place, require authentication and authorization for use of even allowed protocols. If they don't have a valid user id and password, and aren't in an authorized group, they're blocked.
Don't allow users to install programs or change configurations - It's rare that students would need to change IP addresses, proxy settings, or install software on computers. Don't allow everyday users this level of privilege.
slide 3 of 3
These are the beginnings of a secure perimeter firewall and network configuration. Advanced techniques for tunneling protocols, piggybacking on other traffic, and repurposing protocols exist. Usually a modern, strong application-layer firewall can greatly reduce the efficacy of these methods of bypassing the firewall. Encryption (and more generally, tunneling of any sort) is much harder to prevent as a means of bypass. Consider denying the use of encrypted protocols by students or denying them without authentication at the firewall first, and have only a trusted user group that can utilize them.