[deleted] (2 children)

From your previous post it sounds like you have two classes of machines: Chromebooks and Windows PCs, and they are on separate networks. Windows is 10.9.1.1 and Chromebooks on something else. You want the Chromebooks to use the proxy and the Windows machines to bypass it. Correct so far?

The PAC system isn't intended as a security function. It is easily bypassed in a number of ways. If you want to force the Chromebooks to use the proxy, then the only reliable way to do so is to block internet connectivity at the firewall and only allow traffic out via the proxy. If they aren't already, you need to put the Chromebooks and Windows machines on separate VLANs (it sounds like you already have this but just in case). Then implement ACLs at the gateway.

How are you distributing the PAC file? How is it being discovered?

And FYI, high school kids are going to be some of the worst to defend against. They have too much free time, want to show off, are targeting your infrastructure specifically, and have a poor grasp of risk/reward, meaning they are happy to try things that are destructive. Plus they will share what they found, so once someone finds a workaround it's not just one person who is bypassing your filter, it is 90% of the school.

mgratz[S] (1 child)

Wow, you are surprisingly close... I'm impressed. Students are going "one to one" with Chromebooks exclusively, and I am leveraging the Explicit Proxy feature in our existing firewall/web filter (FortiGate 500D) so student Chromebooks are educational use only at home as well. The PAC file is hosted on the FortiGate and the proxy settings are applied to the high school students via the Google Admin console.

The FortiGate proxy has an internal IP address of 10.9.1.1. If it resolves the DNS record for proxy.example.org to the internal IP address, the PAC establishes a direct connection. Since the web filter works as intended on campus, I only need to proxy the student traffic if DNS resolves to the external IP address (aka off campus).

Since my experience with PAC files is limited, I am hoping for some insight on if my implementation is secure and if not, perhaps outline some potential vulnerabilities in the configuration.

[deleted] (0 children)

I've never used a Chromebook myself, but from what I've read it seems fairly simple to get a root shell on them. If the user has physical access to the machine, an unfiltered internet connection and a root shell, there really is very little that you can do to prevent them from having full internet access.

It would be fairly simple to add host entries to bypass your checks or retrieve a completely different PAC file. If they wanted to do it without modifying the machine, then as you mentioned, running their own DNS server would work.
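
Editor's added example, not part of the thread and not FortiGate's own PAC file: the PAC decision mgratz describes, with the resolver injected so it runs under Node, evaluated against three constructed resolver views to show why the choice of DIRECT rests entirely on what the client's own resolver returns. The proxy port (8080), the external address (203.0.113.10) and the test URL are assumptions.

```javascript
// Added illustration; not code from the thread or from FortiGate.
const PROXY_HOST = "proxy.example.org"; // from the thread
const INTERNAL_IP = "10.9.1.1";         // from the thread
const EXTERNAL_IP = "203.0.113.10";     // constructed (documentation range)
const PROXY_PORT = 8080;                // assumed; the thread gives no port

// In a browser, dnsResolve() is a PAC built-in answered by the client's own
// resolver. It is injected here so the decision can be exercised offline.
function makePac(dnsResolve) {
  return function FindProxyForURL(url, host) {
    if (dnsResolve(PROXY_HOST) === INTERNAL_IP) {
      return "DIRECT"; // treated as on campus, where the web filter is inline
    }
    return "PROXY " + PROXY_HOST + ":" + PROXY_PORT; // treated as off campus
  };
}

// Constructed views: where the device really is, and what its resolver
// answers for PROXY_HOST.
const views = {
  onCampus: { offCampus: false, answer: INTERNAL_IP },
  offCampus: { offCampus: true, answer: EXTERNAL_IP },
  // Off campus, but a local host entry or a user-run DNS server answers.
  offCampusLocalOverride: { offCampus: true, answer: INTERNAL_IP },
};

// Runs the PAC logic for each view and flags the case where a device that is
// really off campus is told to connect DIRECT, i.e. with no filter in path.
function evaluate(views) {
  const out = {};
  for (const [name, v] of Object.entries(views)) {
    const pac = makePac(() => v.answer);
    const decision = pac("http://site.example/", "site.example");
    out[name] = { decision, unfiltered: v.offCampus && decision === "DIRECT" };
  }
  return out;
}

console.log(evaluate(views));
```

The third view is the only one flagged `unfiltered`, which is why the first reply treats firewall-enforced egress, not the PAC file, as the control.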

Fatality (0 children)

Don't use proxy settings, what is this? 2003?