
White Paper

7 Ways Students Are Bypassing Your Content Filter and Putting Your K-12 Network at Risk

Executive Summary
Today’s students are more technologically advanced than any other generation
to ever step foot inside a classroom. Thanks to the advent of innovative
educational applications, BYOD programs and adaptive learning environments,
students are now perpetually connected and depend on the use of technology
to learn, collaborate and solve problems in new and exciting ways. On the
flip side, today’s savvy students are also smart enough to creatively use
technology to work around any roadblocks they may come across when trying
to access or share content on the school district’s network.

As a K-12 IT professional, your top priority is ensuring all the students in your
school or district have safe and secure access to the educational content and
courseware they need, and that critical learning applications perform optimally
whenever students and teachers need them. The majority of school districts
have implemented firewalls and content filters to aid in enforcing appropriate
use of the network and to prevent students from accessing prohibited content,
but this is no longer enough. Advances in technology and the rising popularity
of BYOD and 1:1 programs have given your students the tools they need to
get around traditional content filters. And given how smart today’s connected
generation is, it’s likely that some students in your district are actively
bypassing your web filter today to access restricted materials without your
knowledge.

Additionally, there are legal implications that make providing a safe learning
environment for your students by restricting access to harmful content even
more critical. Regulations like the Children’s Internet Protection Act clearly
state that your IT department is responsible for the online safety of your
students, and funding such as E-Rate is often tied to your team’s ability to
prove you are maintaining compliance and blocking access to content outside
of your district’s Acceptable Use Policy.

This white paper will outline seven ways K-12 students are currently using
technology to circumvent your web filter, access content and applications
outside of your Acceptable Use Policy, and put your funding at risk.

Controlling The 7 Types Of Bypass Traffic Crossing Your District’s Network

No matter how secure you think your K-12 network is today, there will
always be a select group of rogue students that will be able to find a
way to evade your filtering tools to access unauthorized content. In fact,
there’s a good chance that the firewall and web filter you currently have in
place are not catching all the traffic traversing your network. You may be
surprised, but some, if not all, of the traffic types outlined below
are being used on your network every day to bypass your content filter.

Bypass Method #1: Virtual Private Networks (VPN)


Virtual Private Networks are used for unrestricted browsing, and given
that there is a plethora of easy-to-use, free or inexpensive VPNs available
today, many students are actively using them to circumvent school
web filters. Even if you have blocked VPN access on your district’s
network, determined students can easily get around your filter by
enabling a VPN connection on their cellular network and then switching
over to district WiFi once the connection has been established.

Solution
Use a real-time network monitoring tool to analyze and inspect all
application traffic crossing your network at layer 7. The tool you select
should be sophisticated enough to allow you to not only see and identify
VPN traffic, but allow you to drill down to associate specific users
with these traffic flows. From there, you can discern if the VPN user
in question is faculty and using VPN for legitimate purposes, or if the
user is a student using VPN to bypass your web filter. If you detect that
VPN is being misused by students, you can quickly create a policy to
limit the user or user group’s ability to access VPN on your network.

Bypass Method #2: Tor Network


The Tor network and Tor browser have reached mainstream popularity
in recent years. No longer just used by hacktivists to access the deep
web, Tor is now being used by your typical middle and high school
students to anonymously access websites and applications that you’ve
designated as outside of your district’s Acceptable Use Policy.
To use Tor at school, all a student has to do is download the Tor
browser to their computer or device, connect to the Tor network, and
start browsing. It’s that easy to use, but much more difficult to block.

Solution
As Tor traffic can easily slip past your web filter, investing in an additional
tool with deep packet inspection that can complement your filter is
key if you want to ensure you have complete coverage across your
network and keep students from accessing inappropriate material.
Because Tor runs on web service ports, only a comprehensive DPI tool
can detect, inspect and classify this traffic with the level of granularity
needed. Once Tor traffic has been identified, setting a policy to discard
those packets will effectively prevent students from using it.

Bypass Method #3: Anonymous Proxies


Anonymous Proxies are another popular choice with students looking
to bypass their school’s web filter. Anonymous proxies enable users
to access blocked websites and browse anonymously by tunneling
this traffic over a regular or encrypted HTTP session. What’s most
challenging about Anonymous Proxies is that even if you are able
to catch one and restrict access to it, Anonymous Proxies are
constantly changing and new ones are popping up all the time.

Solution
Your network monitoring tool’s classification engine should be able to
easily identify and expose this bypass traffic in real time. From there,
you should be able to apply QoS policies to traffic using Anonymous
Proxies to either block it completely or limit the amount of bandwidth
it can use. To make your life easier, your solution should also be
receiving daily auto-updates containing new Anonymous Proxy sites
as they go live. This allows you to be proactive in protecting your
students from accessing harmful content and saves you the headache
of constantly adding new URLs to your blacklisted database.

Bypass Method #4: HTTPS Access


Secured and encrypted browsing traffic also poses a huge risk for
school districts. As secured connections are encrypted, it can be
incredibly difficult to determine if the traffic is critical and related
to learning and administrative activities, or if a student is actually
misusing network resources to access something they shouldn’t be.

Solution
Make sure that your solution is able to provide full visibility and control
over all applications and secured browsing traffic crossing your network
to stop students from bypassing your filter through encrypted sessions.
However, you don’t want to cut off access to HTTPS traffic altogether, as
students and teachers also connect securely to a myriad of e-learning
applications, as well as their learning management systems. To achieve
this, create policies as you normally would to prioritize HTTP and HTTPS
access to your critical learning applications, and set policies to limit HTTPS
access to URLs and applications outside of your Acceptable Use Policy.

Bypass Method #5: SSH Tunnels


Some students will even go as far as creating an SSH tunnel to
access whatever content you have worked hard to block in order
to keep them safe and stay compliant with CIPA regulations.
Once a student has established an SSH connection, they are then able
to tunnel their traffic at school through to an external SSH server to
connect to their home computer remotely in order to access inappropriate
content and circumvent your school’s firewall and web filter.

Solution
Your network management solution should also be fully integrated
with Microsoft Active Directory, to easily allow or limit access to
specific URLs or applications at the user or group level. If you have
particular users or groups in your district that have a legitimate
need to access an SSH tunnel, you can create a policy that only
allows those specific users or groups access, and restricts
access to the rest of the students and faculty in your district.

Bypass Method #6: Remote Desktop Clients


Remote desktop applications like GoToMyPC and Microsoft Remote Desktop
make it easy to access your PC from anywhere – which can be convenient
if you’re a teacher or administrative staff and need to access a remote file
or application quickly. But if students use a remote desktop client to access
their home network, they can evade your filter and potentially put you at risk.

Solution
Eliminating remote desktop application usage from your K-12 network
can be done in a matter of clicks. Using a robust bandwidth management
solution with built-in traffic shaping capabilities, it’s easy to create policies
that either completely block access to these applications, or only allow
access to certain user groups, such as faculty or administrative staff.

Bypass Method #7: Purpose-built Programs


Desktop Proxy programs like Ultrasurf and Your Freedom were designed
to allow users to bypass content filters, evade censorship, and protect
their online privacy. Purpose-built to encrypt traffic to bypass filters by
transforming the local device into a web proxy to connect directly to hosted
proxies, these applications are challenging to block as they can tunnel
through firewalls, web proxies, FTP proxies, DNS servers and more. Students
can easily install these applications using a flash drive, and there are plenty
of video tutorials available online that walk through the set-up process.

Solution
The network monitoring solution you select should come equipped with
a robust layer 7 signature database that is able to classify these types of
purpose-built programs. Tools with integrated bandwidth management
capabilities allow your IT staff to throttle or discard the traffic completely
to control how bandwidth should be allocated to these applications.
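
As an added illustration (not part of the original white paper and not any vendor's product code), the Python example below shows why classifying a flow by its first payload bytes catches what a port-based rule misses, and how a user-group policy like the one described under Bypass Methods #5 and #6 can then be applied. The flows, user names, group names and policy table are constructed for the example; the signatures are the standard opening bytes of SSH, TLS, RDP and HTTP.

```python
# Added example: classify a flow by its first client bytes, not its port,
# then apply a per-group policy. Flows, users and policy are constructed.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")

def classify(payload: bytes) -> str:
    """Return the application protocol implied by the opening bytes."""
    if payload.startswith(b"SSH-"):            # SSH identification string
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"                           # TLS handshake record header
    # RDP opens with a TPKT header (03 00 len len) carrying an X.224
    # Connection Request, whose type byte 0xE0 sits at offset 5.
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

# Assumed policy (hypothetical group names): who may use each protocol.
EVERYONE = {"students", "faculty", "it-staff"}
ALLOWED_GROUPS = {"ssh": {"it-staff"}, "rdp": {"faculty", "it-staff"},
                  "tls": EVERYONE, "http": EVERYONE}

def decide(flow: dict) -> tuple:
    """Classify one flow and return (protocol, action)."""
    proto = classify(flow["payload"])
    if proto == "unknown":
        return proto, "review"                 # unclassified: send to an analyst
    allowed = flow["group"] in ALLOWED_GROUPS[proto]
    return proto, "allow" if allowed else "block"

SAMPLE_FLOWS = [  # constructed sample data
    {"user": "student01", "group": "students", "dst_port": 443,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},   # SSH on a web port
    {"user": "teacher07", "group": "faculty", "dst_port": 3389,
     "payload": bytes.fromhex("030000130ee000000000000100080003000000")},
    {"user": "student02", "group": "students", "dst_port": 443,
     "payload": bytes.fromhex("1603010200010001fc0303")},
    {"user": "admin01", "group": "it-staff", "dst_port": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
]

def report(flows):
    """Return (user, dst_port, protocol, action) for each flow."""
    return [(f["user"], f["dst_port"], *decide(f)) for f in flows]

if __name__ == "__main__":
    for row in report(SAMPLE_FLOWS):
        print(row)
```

The first sample flow is the case a port rule gets wrong: it targets port 443 but opens with an SSH identification string, so it is classified as SSH and blocked for the student group.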

Conclusion

Today’s perpetually connected students are used to anywhere, anytime
access to the applications they love and if you currently have a firewall
or web filter in place to restrict access to content that violates your
district’s Acceptable Use Policy, you can bet that some of your students
are either trying to bypass your content filter or they already have.
Not only does this put you at risk of losing funding, this resource-
taxing traffic is also taking away bandwidth from critical learning
and administrative applications and negatively impacting their
ability to perform when they’re needed most in the classroom.
To maintain regulatory compliance and safeguard your funding, your
school district’s IT department must augment its existing content
filtering strategy to provide broader coverage. When it comes to today’s
connected generation, only a solution that combines network monitoring,
application control and bandwidth management can effectively detect
and block the creative bypass techniques of savvy students.

Next Steps
Do you suspect that students in your district are bypassing your firewall
or web filter to access inappropriate content? Contact an Exinda Solutions
Expert today to arrange a quick demo and see how we can help.
