New York School District Stops Students from  Accessing Tunnel Web Sites with Burstek Software

View in PDF

FORT MYERS, FL - March 7, 2008 – Burstek and client Jordan-Elbridge Central School District want to let parents and school administrators everywhere know about a new twist in the growing problem of student access to inappropriate Web content from school networks: Anonymous proxy sites.

Jordan-Elbridge Central School District is located in a rural community between Syracuse and Auburn, New York and includes 3 campuses with over 1,600 k-12 students. Clark Smith, Director of Operations at Jordan-Elbridge cautions anyone who thinks the installation of basic Web site blocking software will protect children from the dangers of the Internet to take heed: “The kids have found a way to circumvent some of those tools with “Tunnel” sites.”

Tunnel Web sites are anonymous proxy sites designed to help Internet surfers get around filtering tools and access whatever they want on the Web anonymously, from social networking sites like MySpace to pornography, and new tunnel sites are rapidly increasing. “Tunnel sites present a particularly serious problem for education because of their popularity among Internet savvy young people, who are constantly motivated by the age-old challenge of ‘getting around the system’,” says Smith.

When Smith’s IT team discovered high school students bypassing their former filtering solution through tunneling sites, their first challenge was determining exactly how many and who. Like many other schools, computer workstations at Jordan-Elbridge are shared; further, their filter not only wasn’t blocking tunnel sites, it couldn’t provide the detailed reporting required to identify the extent of the problem.

Finding an advanced Internet security solution at minimal cost is part of the challenge for a school district on a budget. Most budget tools filter by IP addresses, and therefore cannot identify actual users and the sites they are going to.

Smith found Burstek’s bt-LogAnalyzer software to be the ideal solution for their ISA server environment. “The software integrates seamlessly into Active Directory, so we were able to generate reports on Internet activity by actual user name or group membership” He adds.

The school was able to take disciplinary action with the students and reinforce the school’s Acceptable Use Policy with the entire student body. However, reporting on the problem was only part of the solution, and Smith quickly added Burstek’s bt-WebFilter to block access to Anonymizers and proxy sites and all other inappropriate Web content.

“At the heart of our software is a dynamic, robust control list with over 50 categories, including Anonymizers”, says Michael Faisst, Director of Product Development Burstek. The list is continuously updated with new sites and content. “We also offer customers the opportunity to contribute to the control list in a program called Web Extras, as Jordan-Elbridge does,” Faisst added. “They regularly run reports on sites that students are trying to access and send them to our control list technicians for integration.”

Of course, not all inappropriate access is intentional, which is why a vital learning tool like the Web can also be a dangerous place for children. Faisst says that in addition to curious minds, a miss-key or click can quickly lead to the wrong places if unfiltered. “Burstek prevents the infection of malicious code and spyware obtained through inadvertent activity as well, which protects organizations from security threats before they enter the network,” he added.

Delivering CIPA compliance as well as confidence in student protection for parents and school administrators are vital parts of the mission, says Smith. “Keeping the kids safe is what it’s’ all about. Burstek enables us to monitor and protect them from both accidental and intentional access, and allows us to deliver safe Internet access for learning.”

Burstek has been providing affordable, sophisticated Internet security solutions to global organizations since 1997. Flagship software tools, bt-WebFilter and bt-LogAnalyzer enable thousands of businesses, schools and non-profit organizations to turn the Internet into a powerful, safe tool for all of their users.

To learn more about anonymous proxy and tunneling sites or Internet security solutions, visit our website at www.burstek.com.

All product and company names herein may be trademarks of their respective owners.

For many ISA Firewall admins, they find that after installing Windows Server 2003 SP2 that their ISA Firewalls no longer work as they used to. Not only do ISA Firewalls get horked, but many other negative side effects take place. For example, consider this list:

• When you try to connect to the server by using a VPN connection, you receive the following error message: Error 800: Unable to establish connection.
• You cannot create a Remote Desktop Protocol (RDP) connection to the server.
• You cannot connect to shares on the server from a computer on the local area network.
• You cannot join a client computer to the domain.
• You cannot connect to the Exchange server from a computer that is running Microsoft Outlook.
• Inactive Outlook connections to the Exchange server may not be cleaned up.
• You experience slow network performance.
• You may experience slow network performance when you communicate with a Windows Vista-based computer.
• You cannot create an outgoing FTP connection from the server.
• The Dynamic Host Configuration Protocol (DHCP) server service crashes.
• You experience slow performance when you log on to the domain.
• Network Address Translation (NAT) clients that are located behind Windows Small Business Server 2003 or Internet Security and Acceleration (ISA) Server experience intermittent connection failures.
• You experience intermittent RPC communications failures.
• The server stops responding.
• The server runs low on nonpaged pool memory

These negative side effects where due to the Windows Server 2003 SP2 team deciding to enable Receive Side Scaling and TCP/IP Offloading by default. Technical problems introduced with enabling these features include:

• RSS is incompatible with NAT or with Network Load Balancing (NLB).
• TCP/IP Offload has a problem with the Window Scaling feature. This problem typically occurs when you communicate with a Windows Vista-based computer. Windows Vista uses the Window Scaling feature.
• Some TCP/IP Offload-enabled network adapters do not send TCP keep-alive messages. However, Exchange servers use TCP keep-alive messages to clean up inactive client sessions.
• The TCP/IP Offload-enabled network adapter may consume lots of nonpaged pool memory. This may cause other problems in the operating system.
• In some cases, the TCP/IP Offload-enabled network adapter may request large blocks of contiguous memory. This makes the computer stop responding when it tries to free the memory

In the past you had to make some Registry changes to fix the problem. But Microsoft has done us all a great favor by providing a downloadable fix. You can get it at:

http://support.microsoft.com/kb/948496

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)