Lightspeed Knows Networks

(especially school networks and their administrators)

Getting a Grip on Internet Services for End Users with Lightspeed Systems

Many network administrators struggle daily to strike a working balance between available network bandwidth, the ever-shifting demands of their network users, and reasonable assurances of network integrity and security in accordance with AUP and CIPA guidelines.

Their mission is further complicated by having to handle the requests - and requirements - of end users seeking access to services and resources outside of the local network, such as personal email services, instant messaging services, and Internet search engines.

By proactively strategizing and mapping out an end-user path to specific sources of these Internet services, you can

  1. eliminate complaints of making Internet access and personal communications too restrictive,
  2. promote greater focus and productivity across your network, and
  3. minimize AUP and CIPA violations.

Restrict Outside/Personal Email Services

Background
Many school networks do not provide internal network email services for students, primarily to reduce both administrative and resource (storage and bandwidth) overhead for a fairly transient population. Along the same lines, school or district personnel are often discouraged or prohibited from using the internal email platform for personal email communications.

Undoubtedly, arguments will be made and supported that other email services - personal Internet email - should be accessible for both students and staff from the school or district network.

Strategy
You can restrict external email services by blocking the Forums.mail category in Content Filtering policies, but allow access to select email services, such as mail.yahoo.com, by moving the domain database entry into the Local-Allow category or another custom allowed category, such as Allowed Email.

Practice
By employing the above strategy and promoting the selected email service to your end users, you will find it easier to quantify the amount of traffic generated through these personal email services. That traffic is easily identified within the External IP Address report or the Traffic by Category report, even though no direct monitoring or journaling of the message content will be possible.

Therefore, school/district personnel should be encouraged to ONLY use such services for personal email, especially when email archiving is mandated for public or business (i.e. teacher/student/parent) communications.

NOTE: Most Internet email is processed as port 80/http traffic and cannot be readily decoded for journaling purposes. Experience has shown that traffic through Mail.Yahoo.com services is more easily reviewed, when necessary.

Consider Selective Use of Instant Messaging Services

Background
Though instant messaging is arguably of limited value in the immediate classroom setting, you can provide a "comfort zone" for students and administrators alike by allowing restricted access to selected IM services at specific times, for select users, or through specific workstations on your network. The appearance of "open paths" to social networking venues can reduce the desire and attempts to circumvent totalitarian filtering policies, while providing observable data for use by SROs and/or counseling personnel, as well as supporting manageable and justifiable communications as necessary.

Strategy
Restrict ALL instant messaging services by blocking the Forums.IM category in Content Filtering policies, but allow access to select instant messaging services, such as messenger.MSN.com, AIM.com or IM.yahoo.com - which are considered the most used - by moving the desired domain database entries into the Local-Allow category or another custom allowed category, such as Allowed IM.

Practice
Not all Instant Messaging services can be easily monitored for reporting or journaling purposes, due to the variety of IM protocols and message encryption techniques in use. Fortunately, the most popular and most used IM services, as noted above, rely less on subversion or stealth and operate mostly in the clear, which is the root of their simplicity and popularity. By allowing instant messaging only through select services, the majority of student-related IM traffic can be readily monitored and reviewed by SROs and other administrative personnel, as necessary, using the Traffic Classification Instant Messages report or the Users HR report.

NOTE: The IM services suggested above are fully compatible with the TTC Email Archiving function.

Be Exclusive with Search Engine Services

Background
Not all Internet search engine services are designed to be compliant with CIPA guidelines, and many produce indiscriminate returns that may also indirectly promote violations of AUP restrictions as well. By limiting the accessibility of the less cooperative or less "education friendly" search services, and exclusively guiding users to a common and highly regarded search engine, such as Google, all desired monitoring, reporting, and control options are available, without sacrificing research capability.

Strategy
All search engine services should be restricted by blocking the Search category and only allowing access to google.com by moving the domain database entries into the Local-Allow category or another custom allowed category such as Allowed Search.

Practice
The above strategy will support full search engine query monitoring and suspicious query reporting, as well as enforce the Safe Search and Thumbnail Image Blocking features of the TTC content filter.

Counter Proxy Circumvention Services

Background
Generally, proxy services inside the TTC network are unnecessary and ad hoc proxy sessions, launched by end users, should be considered suspicious, at best.

It is a common practice for many intrepid users to attempt circumvention of Internet filtering controls by accessing proxy services available on the Internet, proxies enabled on personal computers outside of the local network, or pseudo-proxies accessible through cached website pages within search engine services. Blocking access to these options completely stops any proxy exploit.

Strategy
Controlling proxy circumvention tactics requires more than a single approach.

  1. With Search Engine services limited to google.com (outlined above), disable Google webpage caching by restricting access to the Google webpage caching service.
  2. Block the Security.proxy category containing all known proxy services (identified by domain and IP Address) in all Content Filtering policies.
  3. Enable the Block non-http connections to blocked IP Addresses option within all Content Filter policies. It is not uncommon for users to attempt accessing proxy services using SSL (Secure Sockets Layer or HTTPS) connections. Since these SSL requests are encrypted traffic, the domain name and URL of the target proxy cannot be verified by the proxy category, and ultimately, an illicit connection could be made.

    NOTE: When this option is routinely enabled, an SMTP bypass policy should be created and assigned to the IP Address of the internal email server to ensure that outbound SMTP traffic is not blocked.
  4. Enable the Block Unknown URLs option in Content Filtering policies. A common ploy to circumvent Content Filtering is for users to create and enable personal proxy servers on external PCs, which they can address using unknown Internet domain names or IP addresses.

    Since it is likely that these temporary entries would not have been identified and categorized within the TTC Content Database (they are "Unknown"), any requests to connect to those 'unknown' addresses will be blocked by this option.

Practice
If a teacher has established an external personal proxy, its address can be easily added to the Local-Allow category, or any other custom category, such as Jane Doe Bypass. Again, legitimate proxy connections from inside the TTC network would be a rare request.
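To make the precedence between the blocked categories, the custom allowed categories and the two proxy-related options concrete, here is an added Python model of the decisions described in the Strategy sections above. It is a constructed illustration, not Lightspeed's own code; the database entries, IP addresses and any category names beyond those on this page are assumptions.

```python
"""Constructed model of the allow/block decisions this page describes (not Lightspeed code)."""

# Constructed sample of a categorised content database: host or IP -> category.
CONTENT_DB = {
    "mail.yahoo.com": "Forums.mail", "webmail.example.net": "Forums.mail",
    "im.yahoo.com": "Forums.IM", "messenger.msn.com": "Forums.IM",
    "www.google.com": "Search", "search.example.org": "Search",
    "proxy.example.com": "Security.proxy", "203.0.113.10": "Security.proxy",
    "198.51.100.25": "Forums.mail",  # constructed: address of an external mail host
}

# Admin overrides: entries moved into custom allowed categories, as the Strategy sections do.
LOCAL_ALLOW = {
    "mail.yahoo.com": "Allowed Email",
    "im.yahoo.com": "Allowed IM", "messenger.msn.com": "Allowed IM",
    "www.google.com": "Allowed Search",
}

POLICY = {
    "blocked_categories": {"Forums.mail", "Forums.IM", "Search", "Security.proxy"},
    "allowed_categories": {"Local-Allow", "Allowed Email", "Allowed IM", "Allowed Search"},
    "block_unknown_urls": True,
    "block_non_http_to_blocked_ips": True,
    "smtp_bypass_sources": {"10.0.0.25"},  # constructed: the internal mail server's IP
}

def categorize(dest):
    """An allowed-category override wins over the database category for the same entry."""
    return LOCAL_ALLOW.get(dest) or CONTENT_DB.get(dest)

def decide(scheme, dest, src_ip="10.0.1.50", policy=POLICY):
    """Return (verdict, reason). For http, dest is the requested hostname; for https
    and other non-http traffic the URL is opaque, so dest is the destination IP."""
    if scheme == "smtp" and src_ip in policy["smtp_bypass_sources"]:
        return ("allow", "SMTP bypass policy")
    cat = categorize(dest)
    if cat in policy["allowed_categories"]:
        return ("allow", cat)
    if cat is None:  # not in the content database: the Block Unknown URLs option decides
        return ("block" if policy["block_unknown_urls"] else "allow", "Unknown")
    if cat not in policy["blocked_categories"]:
        return ("allow", cat)
    if scheme == "http":
        return ("block", cat)
    # Encrypted or non-http: only the address can be checked against blocked categories.
    if policy["block_non_http_to_blocked_ips"]:
        return ("block", f"non-http connection to blocked address ({cat})")
    return ("allow", f"non-http, {cat} not verifiable")
```

Toggling block_unknown_urls or block_non_http_to_blocked_ips in POLICY shows which kinds of proxy attempts each option is responsible for stopping.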

Knowledge base articles to aid implementing these options are readily available at http://wiki.lightspeedsystems.com.