Geekzone: technology news, blogs, forums
  Reply # 1493381 16-Feb-2016 18:29
4 people support this post

Let's see: is a school a trusted certifying authority, or a bunch of IT amateurs trying to work within a very limited budget and having to deal with technology outside their range of experience, where in many cases the students can run rings around the staff?

School-provided CA on school-provided hardware? Sure, no problem.

School CA on BYOD? No.

  Reply # 1493383 16-Feb-2016 18:45
2 people support this post

You simply can't win - do nothing and the parents demand a meeting with the principal (one wanted to bring a lawyer along); implement HTTPS inspection using MITM techniques and the more technically literate complain, along with those who encounter any technical issues due to its implementation.



  Reply # 1493389 16-Feb-2016 19:03
2 people support this post

wsnz: You simply can't win - do nothing, implement HTTPS inspection

That's just all or nothing. Alternatively, how about the school determines the curriculum and a list of sites to support it, and allows those using DNS? Anything else is extra-curricular.

That can be done at the school WiFi network level, no CAs required.
  Reply # 1493400 16-Feb-2016 19:26
One person supports this post

ScottNoakes:

At Linewize we reckon there's a better way to approach these issues of student internet behaviour.

Blindly blocking stuff in schools just gives you a false sense of security that all is well, which is rarely the reality.

Instead Linewize provides complete transparency and visibility over student Internet use to allow teachers to educate digital citizenship through conversation.

An example of how this plays out is that in your BYOD or Student Internet Agreement form you add a clause that says 'While on the school network I will not use proxies or other anonymising software'.

Rather than blocking all VPNs/proxies we identify which students are using VPNs/proxies and highlight this behaviour to their immediate teacher or staff member responsible for character education.

Teachers can have an immediate and specific conversation with the student and outline their concerns and the reasons for them:

"Jonny you were just using IPVanish.com, as you know this contravenes the Internet agreement you signed. The reason we don't permit these tools is that if you were using them to torrent copyright material on the school network we could be liable for a $15,000 fine due to the 2013 Internet copyright laws. Please refrain from this behaviour or we will restrict your internet access to only education related sites."

Our experience is that this is a much more productive and constructive approach. For example at Mt Albert Grammar they were using N4L to block proxies and VPNs; when we installed Linewize we immediately recognised 20 different proxy services students were using that N4L did not block. Again a completely false sense of security. Transparency and visibility is what's needed here.

The other aspect of what we do is put control over internet access into the hands of the teacher through a simple dashboard. Teachers can limit applications and website use to just the content relevant to the lesson at hand (e.g. just Mathletics). Alternatively they could also relax the default policy if it's getting in the way of the lesson (e.g. we're studying social media so allow Facebook).

The same dashboard shows teachers what their students are doing and which ones are on-task, off-task or even offline. This gives teachers who are cautious to embrace eLearning the classroom tools needed to have a sense of confidence and competency around device use in the classroom.

Cheers Scott.

While I appreciate your giving an example, surely schools/education institutes etc. qualify as IPAPs (internet service providers); have you seen any examples of a school etc. going before the tribunal (none published as far as I can tell), or a ruling that they are liable for their students' actions?

  Reply # 1493432 16-Feb-2016 20:44
One person supports this post

The thing that I haven't heard of people doing is inspecting HTTPS handshakes for SNI hostnames, and blocking at a hostname level.  No cert needed.  I half started writing a filter once, but got distracted -- small kids don't allow for much spare-time programming.

  Reply # 1493434 16-Feb-2016 20:47
One person supports this post

I don't understand all the negative comments about N4L, from what I have seen their filtering has been way more reliable and accurate than historical solutions like Watchdog and Telecom (SchoolZone) provided up until recently.

roobarb:

Let's see: is a school a trusted certifying authority, or a bunch of IT amateurs trying to work within a very limited budget and having to deal with technology outside their range of experience, where in many cases the students can run rings around the staff?

School-provided CA on school-provided hardware? Sure, no problem.

School CA on BYOD? No.

Bit of a broad statement isn't it?

The fact is schools have to filter internet, which includes HTTPS traffic, on school and personally owned devices.

Schools cannot manage whitelists for hundreds of websites, especially when part of the curriculum for many subjects would be the ability to freely research and compile information...

HTTPS traffic can't just be blocked (almost everything uses it by default now); the only option they really have is to do things like this even if it's not ideal from a privacy standpoint.

  Reply # 1493483 16-Feb-2016 22:16
9 people support this post

It's their network, their rules apply. Accept the cert or don't use the net (on your BYO Device)

BYODs are the riskiest devices on any network, as the owner has full admin rights and could be bringing all sorts of dodgy stuff into the internal network. I once worked at a place where even USB ports were locked down entirely, so you couldn't bring (or take) anything into their (UK local council) network that hadn't passed through their firewall inspection.

Same idea, their network, their rules.

Do you give every visitor/cleaner/labourer full access to your home network?
Children are most at risk, AND most likely to put themselves in risky situations. Let their parents be the ones who have to educate them morally, why do we all expect the teachers to teach morals AND skills/content these days??

Full disclosure: I'm a primary school teacher AND the IT tech of our small private/not for profit school.

  Reply # 1493484 16-Feb-2016 22:16

Yes they have to filter, they don't have to inspect traffic though especially on BYOD devices. Using a good 'layer 7' firewall would allow them to be relatively flexible in restricting apps and content.

It is no problem to block content based on the hostname, I don't think SNI has anything to do with it? Open up Fiddler on an HTTP connection and you see the full hostname detail

  Reply # 1493523 16-Feb-2016 23:36
9 people support this post

Hi all,

I’ve been a very minor participant on Geekzone for a number of years - posting here in my work role, which is Training Lead at N4L.

I'm not aware of the specific details of the school mentioned in the original post from @asjohnstone - and so without knowing exactly what the school is proposing and trying to achieve with their N4L filtering, I can’t speak to the exact case.

However, here are a couple of points to consider, firstly with regards to the education sector environment and then some specifics about what N4L’s filtering and SSL decryption actually entails. Some of these details are what I’ve written in other edu mailing lists, so apologies if you’ve already read them.

1. The Boards of Trustees and school leaders are responsible for maintaining a safe online environment in their schools. There is specific legislation that governs this: http://www.education.govt.nz/ministry-of-education/legislation/nags/#NAG5. Secondary schools obviously have different needs and requirements from primary schools. N4L’s services, which are fully funded and available to any schools on the Managed Network, have to be tailored to meet, as best as possible, all of their needs.

2. For schools on N4L’s Managed Network, 60% of the traffic is delivered over HTTPS. Schools therefore have no visibility over, or ability to apply filters to, the encrypted traffic. N4L can block HTTPS traffic if requested, but this would mean preventing the use of Google, YouTube, Vimeo, Pinterest and other sites that have plenty of useful teaching and learning content, as well as inappropriate content.

Search engines like Google provide the “SafeSearch” security feature, which is enabled by default on N4L's network. This is sufficient for some schools; however it is not for many schools, particularly primary schools.

SSL decryption on search engines offers schools the ability to filter certain keywords from image or video searches.

3. Schools are able to choose and use whatever tools they wish to maintain the online environment for students. N4L's Web Filtering tools are available to any school on the Managed Network, but not mandated.

Schools can use combinations of N4L's tools and their own onsite tools.

Schools need to take ownership of who's responsible for said tools - and manage accordingly.

Scott has shared the options that his product provides, and there is a range of other firewall and filtering providers available to schools. Schools can choose to use these instead of N4L’s services, and/or in tandem with N4L’s services.

As said, there is no mandate to use N4L’s services, and we are happy to work with schools who are utilising other products.

Obviously the more complexity you add to the system, the more responsibility and maintenance cost you place upon the schools to manage and maintain those systems.

4. In implementing N4L’s Secure Website Inspection (our teacher-friendly phrase for HTTPS/SSL inspection) schools have full control over what sites are decrypted and then filtered.

N4L does not blanket decrypt all SSL traffic.

Certificates are issued and managed by schools.

Schools select and choose which categories, eg. social media/search engines, or which specific URLs are decrypted.

Any sites or categories of sites that are not specified for decryption, and are served via HTTPS, are untouched between user and site.

The SSL certificate generated by N4L is only used when on N4L’s Managed Network.

Inspection is also configurable by network and IP range, so you could exclude a teacher-only SSID, or a range of machines eg. servers, from ever having traffic (HTTP or HTTPS) inspected.

SSL inspection cannot be applied to directory groups - it is only via network or IP range.

Or schools can choose to not apply SSL inspection at all.

We recommend that schools are open and transparent about what they're aiming to achieve with their filtering, be specific about the online environment they are trying to create for their students, and communicate that with their communities.

That would include being open about the requirement to install certificates if students wish to use their device on the school's N4L connection - if that was what the school chose to do.

That would include stating what sites are being decrypted - and what sites are excluded from decryption.

That would include being open about what any filtering can achieve - specifically stating that N4L's filtering only applies to devices using the Managed Network connection - and pointing out that if students choose to use their 3G/4G connection, then N4L's filtering cannot apply.

As has been mentioned, there will always be ways to work around filtering, and no filtering is 100% guaranteed to prevent inappropriate use.

N4L’s approach is to support schools in their digital citizenship efforts and to allow teachers to get on with working with students. So education and conversations about appropriate and inappropriate use of the Internet, and engaging with students about how they are using the Internet, should always be the starting point.

Schools, as self-managing entities, are fully entitled to have a range of opinions and ways of achieving safe online environments - these opinions will be reflective of the communities within which they sit. N4L’s tools can be configured to work alongside those community needs.

Personally, I believe an open, secured internet is best - but I appreciate and respect those school leaders who want the options to apply more filtering to ensure the safety of students. In my role at N4L it's about helping them to understand the implications and the steps they are able to take to do so, if they choose to use N4L's tools.

Please feel free to contact the N4L Helpdesk on 0800 LEARNING (532 764) if you are working with a school on the Managed Network - or email me directly - tim.kong @ n4l.co.nz - if you have any more specific queries. If I’m not able to answer them myself, I’ll loop our engineers in.

Regards,
Tim
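The selective-decryption model Tim describes (decrypt only selected categories or specific hosts, never inspect chosen client ranges, leave everything else untouched between user and site) is easiest to reason about as a small policy evaluator. The Go program below is an added illustration of that precedence and is not N4L's code or configuration format: the rule order (exempt client range first, then listed hosts, then categories), the field names, the category table and the IP ranges are all my own assumptions, constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Verdict is what the inspecting proxy does with one HTTPS connection.
type Verdict string

const (
	Passthrough Verdict = "passthrough" // left untouched between user and site
	Decrypt     Verdict = "decrypt"     // terminated and re-signed with the filter's CA
)

// Category pairs a name with the domain suffixes it covers. A real product
// would consult a vendor database; this table is constructed for the example.
type Category struct {
	Name    string
	Domains []string
}

// Policy models the knobs the post above describes. Field names are my own.
type Policy struct {
	Exempt            []*net.IPNet // client ranges never inspected (teacher SSID, servers)
	Categories        []Category   // category database stand-in
	DecryptCategories []string     // categories selected for decryption
	DecryptHosts      []string     // specific hostnames selected for decryption
}

// hostMatches reports whether host equals pattern or is a subdomain of it.
// The "." prefix keeps notgoogle.com from matching google.com.
func hostMatches(host, pattern string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	return host == pattern || strings.HasSuffix(host, "."+pattern)
}

// CategoryOf returns the first category whose domain list covers host, or "".
func (p Policy) CategoryOf(host string) string {
	for _, cat := range p.Categories {
		for _, d := range cat.Domains {
			if hostMatches(host, d) {
				return cat.Name
			}
		}
	}
	return ""
}

// Decide applies the rules in the order I assume an inspecting proxy would:
// an exempt client range wins outright, then explicit hosts, then categories.
// Everything not positively selected is passed through untouched.
func (p Policy) Decide(client net.IP, host string) (Verdict, string) {
	for _, n := range p.Exempt {
		if n.Contains(client) {
			return Passthrough, "client in exempt range " + n.String()
		}
	}
	for _, h := range p.DecryptHosts {
		if hostMatches(host, h) {
			return Decrypt, "host selected: " + h
		}
	}
	if cat := p.CategoryOf(host); cat != "" {
		for _, dc := range p.DecryptCategories {
			if dc == cat {
				return Decrypt, "category selected: " + cat
			}
		}
		return Passthrough, "category not selected: " + cat
	}
	return Passthrough, "uncategorised, not selected"
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// DemoPolicy is a constructed configuration: student Wi-Fi on 10.20.0.0/16,
// a teacher SSID on 10.99.0.0/24 and servers on 10.1.1.0/24 exempt,
// search engines and social media decrypted, one extra host listed by name.
func DemoPolicy() Policy {
	return Policy{
		Exempt: []*net.IPNet{mustCIDR("10.99.0.0/24"), mustCIDR("10.1.1.0/24")},
		Categories: []Category{
			{"search-engines", []string{"google.com", "bing.com"}},
			{"social-media", []string{"facebook.com", "twitter.com"}},
			{"video", []string{"youtube.com", "vimeo.com"}},
			{"banking", []string{"bank.example"}},
		},
		DecryptCategories: []string{"search-engines", "social-media"},
		DecryptHosts:      []string{"images.search.example"},
	}
}

func main() {
	p := DemoPolicy()
	for _, c := range []struct{ ip, host string }{
		{"10.20.4.7", "www.google.com"},
		{"10.99.0.12", "www.google.com"},
		{"10.20.4.7", "www.youtube.com"},
		{"10.20.4.7", "online.bank.example"},
	} {
		v, why := p.Decide(net.ParseIP(c.ip), c.host)
		fmt.Printf("%-12s %-22s %-11s (%s)\n", c.ip, c.host, v, why)
	}
}
```

Two practical points fall out of the structure. The exemption is keyed on the client's IP range, so it is only as strong as the network separation behind those ranges: a BYOD that obtains an address in the teacher range is exempt too, which is why scoping by directory group would be the stronger control that the post says is not available. And a hostname matches exactly one category here, so the category database rather than the policy decides whether a site counts as "video" or "social media"; that is where a surprise decryption of an unexpected site would come from.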
  Reply # 1493542 17-Feb-2016 01:01

I quite like the Kerio solution.

Each URL that goes through the transparent proxy is checked against their shared database.

If a URL is uncategorised, the transparent proxy sends the URL to Kerio, who have people who manually categorise it, and then the students are allowed to access it - usually within an hour. Otherwise they can be allowed until it's categorised. The business or school can block or allow websites based on categories.

So they can very accurately tell the difference between the good sexual education sites for teenage boys that their mothers don't want them looking at, vs the boring sexual education sites that their mothers would prefer. This is where linguistic analysers fail - the ones that look for key words and instantly block a site which is actually very useful.

However an HTTPS site just gets categorised as a domain - an example is Facebook, which can contain all sorts of good and bad content. It's classed as simply "social media" and can be blocked or allowed based on that category.

And because Kerio has thousands of customers worldwide constantly sending in new URLs there is a very low chance that a website or URL has not been categorised already.

Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

  Reply # 1493543 17-Feb-2016 01:06
2 people support this post

AHitman: Bit of a broad statement isn't it?
All a 5 year old has to do is use 3G instead of wifi, I count that as running rings round the system.

  Reply # 1493546 17-Feb-2016 01:44

jnimmo:

Yes they have to filter, they don't have to inspect traffic though, especially on BYOD devices. Using a good 'layer 7' firewall would allow them to be relatively flexible in restricting apps and content.

It is no problem to block content based on the hostname, I don't think SNI has anything to do with it? Open up Fiddler on an HTTP connection and you see the full hostname detail

SNI is relevant where companies such as Google present a single certificate for all their HTTPS websites with one common name, but multiple Subject Alternative Names to cover all their different services. If you capture traffic to youtube.com you'll see that 'google.com' is the common name of the cert, and the common name is typically what filtering products would use to filter HTTPS traffic without certificates.

Obviously you wouldn't normally want to block google.com, so in the above case Google's support of SNI exposes the real hostname to the filtering product outside of the encrypted stream, so that e.g. YouTube traffic can be distinguished from Google search traffic.

I'm also of the personal opinion that if you're using someone's network you need to accept whatever policies they put in place, or don't use the network. Back when I was in school we had cell phones confiscated if they were simply seen, so to move from that position to full BYOD within 12 years is pretty cool!


  Reply # 1493557 17-Feb-2016 06:18
2 people support this post

In regards to the comments around using the SNI parameter to filter secure traffic, this is exactly what Linewize (and any other decent layer 7 firewall) does.

Using the SNI parameter allows you to filter by website down to the sub-domain level and filter HTTPS traffic at this granularity.

This approach does not allow filtering by keyword of website CONTENT. To inspect content on secure sites you must use certs to break the encryption and enable the man-in-the-middle attack.

There are however other approaches you can use. Linewize allows schools to enforce Google SafeSearch for both search and YouTube on a group basis. If you're a student SafeSearch is enforced; if you're a teacher SafeSearch is turned off. You can also choose to redirect from Google to a true safe search engine like kidrex.org which has built-in keyword filtering.

In regards to N4L/Cisco ScanSafe, the question that schools need to ask is "Do we need keyword-level filtering and if so are we willing to accept the ethical concerns and admin overhead of installing and maintaining certs on every device to achieve this?"

By N4L's own admission keyword filtering is a very blunt tool; searches for, say, 'breast cancer' would most likely be blocked.

From both an ethical and security perspective we believe that forcing users to install trusted root CAs is not educating good digital citizenship.

Normalising this behaviour and teaching kids it's ok to install trusted root CAs on public networks to me is not teaching cyber-smart behaviour.

I wouldn't want to teach my children to click past all the red warning boxes that browsers flag when trying to do this. The reason so many red flags are being raised is that allowing a third party unrestricted access to read all username and password details in plain text is a very_bad_thing.

Great to see so much robust discussion on this topic. :)
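Several posts in this thread (the suggestion of inspecting handshakes for SNI hostnames, the question of what Fiddler shows, jnimmo's explanation of Google's shared common name, and the Linewize description of sub-domain filtering) describe one mechanism: read the server_name extension out of the TLS ClientHello, which the client sends in the clear before any encryption starts, and apply a hostname rule to it with no certificate involved. The Go program below is an added worked example of that, not code from Linewize, N4L or any poster here. It builds a minimal ClientHello (a constructed packet: all-zero random, one cipher suite, no other extensions), parses the SNI back out with bounds checks, and matches it at the sub-domain level against a hypothetical block list; youtube.com and ipvanish.com are listed only because the thread mentions them.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// cursor walks a byte slice and records the first overrun instead of
// panicking, so a truncated or malformed ClientHello yields an error.
type cursor struct {
	b   []byte
	off int
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil {
		return nil
	}
	if n < 0 || c.off+n > len(c.b) {
		c.err = errors.New("malformed ClientHello: length runs past end of data")
		return nil
	}
	v := c.b[c.off : c.off+n]
	c.off += n
	return v
}

func (c *cursor) u8() int {
	v := c.take(1)
	if v == nil {
		return 0
	}
	return int(v[0])
}

func (c *cursor) u16() int {
	v := c.take(2)
	if v == nil {
		return 0
	}
	return int(binary.BigEndian.Uint16(v))
}

func (c *cursor) left() int { return len(c.b) - c.off }

// ExtractSNI returns the host_name from a TLS record holding a ClientHello.
// It returns "" with no error when the hello carries no server_name extension.
func ExtractSNI(rec []byte) (string, error) {
	if len(rec) < 5 || rec[0] != 0x16 { // content type 22 = handshake
		return "", errors.New("not a TLS handshake record")
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if len(rec) < 5+recLen {
		return "", errors.New("truncated record")
	}
	hs := rec[5 : 5+recLen]
	if len(hs) < 4 || hs[0] != 0x01 { // handshake type 1 = ClientHello
		return "", errors.New("not a ClientHello")
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+hsLen {
		return "", errors.New("truncated ClientHello")
	}
	c := &cursor{b: hs[4 : 4+hsLen]}
	c.take(2 + 32)  // legacy_version + random
	c.take(c.u8())  // session_id
	c.take(c.u16()) // cipher_suites
	c.take(c.u8())  // compression_methods
	if c.err != nil {
		return "", c.err
	}
	if c.left() == 0 {
		return "", nil // no extensions at all, hence no SNI
	}
	ext := &cursor{b: c.take(c.u16())}
	if c.err != nil {
		return "", c.err
	}
	for ext.left() > 0 && ext.err == nil {
		typ := ext.u16()
		data := ext.take(ext.u16())
		if typ != 0 { // 0 = server_name
			continue
		}
		sn := &cursor{b: data}
		sn.u16() // server_name_list length
		for sn.left() > 0 && sn.err == nil {
			nameType := sn.u8()
			name := sn.take(sn.u16())
			if nameType == 0 && sn.err == nil { // 0 = host_name
				return string(name), nil
			}
		}
		if sn.err != nil {
			return "", sn.err
		}
	}
	if ext.err != nil {
		return "", ext.err
	}
	return "", nil
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello constructs a minimal TLS record carrying a ClientHello.
// An empty host produces a hello with no extensions, i.e. no SNI.
func BuildClientHello(host string) []byte {
	var body []byte
	body = append(body, 3, 3)                // legacy_version TLS 1.2
	body = append(body, make([]byte, 32)...) // random: zeros, this is a constructed packet
	body = append(body, 0)                   // session_id length
	body = append(body, 0, 2, 0x13, 0x01)    // one suite: TLS_AES_128_GCM_SHA256
	body = append(body, 1, 0)                // compression_methods: null only
	if host != "" {
		name := []byte(host)
		entry := append(append([]byte{0}, be16(len(name))...), name...) // host_name entry
		extData := append(be16(len(entry)), entry...)                   // server_name_list
		ext := append(append([]byte{0, 0}, be16(len(extData))...), extData...)
		body = append(body, be16(len(ext))...)
		body = append(body, ext...)
	}
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(append([]byte{0x16, 3, 1}, be16(len(hs))...), hs...)
}

// Blocked reports whether host equals, or is a subdomain of, a listed name.
func Blocked(host string, blocklist []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, b := range blocklist {
		b = strings.ToLower(b)
		if host == b || strings.HasSuffix(host, "."+b) {
			return true
		}
	}
	return false
}

// Filter gives the verdict for one ClientHello: "block", "allow" or "no-sni".
func Filter(rec []byte, blocklist []string) (host, verdict string, err error) {
	host, err = ExtractSNI(rec)
	if err != nil {
		return "", "", err
	}
	if host == "" {
		return "", "no-sni", nil // caller decides fail-open or fail-closed
	}
	if Blocked(host, blocklist) {
		return host, "block", nil
	}
	return host, "allow", nil
}

func main() {
	block := []string{"youtube.com", "ipvanish.com"}
	for _, h := range []string{"www.youtube.com", "www.google.com", "app.ipvanish.com", ""} {
		host, verdict, err := Filter(BuildClientHello(h), block)
		fmt.Printf("SNI=%-18q -> %s (err=%v)\n", host, verdict, err)
	}
}
```

Three caveats a filter built this way has to settle. The name is asserted by the client, so it can be omitted or falsified; the `no-sni` verdict is where fail-open or fail-closed gets chosen, and the example deliberately leaves that to the caller. Matching must respect label boundaries, or `notyoutube.com` is blocked along with `youtube.com`. And since TLS 1.3 the server certificate is sent encrypted, so the common-name approach jnimmo describes no longer works at all, while the SNI stays in the clear unless Encrypted Client Hello is in use; the mechanism above keeps working, but nothing about the page content is ever visible to it, which is exactly the trade-off the Linewize post draws.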

  Reply # 1493597 17-Feb-2016 08:09

asjohnstone:

As an IT pro, my immediate reaction here is "you've got to be kidding me"

The trusted root certification authority store is the pinnacle of safety; having a certificate in here allows them to re-sign all other certs without raising a red flag. It allows them to man-in-the-middle absolutely everything. It's apparently required in order to authenticate against their proxy?

Are others seeing this? Am I being too enterprise paranoid?

I am dumb and illiterate in this department, can you explain why this is a bad thing to install? I have installed one such certificate for RDP to my company.

  Reply # 1493638 17-Feb-2016 08:43
One person supports this post

joker97: can you explain why this is a bad thing to install?

Browsers show a little padlock to show that a site is trusted and SSL is in use; this in turn allows you to trust doing any banking on the internet, because you know that it is truly the bank acting as the server and you have a secure connection preventing eavesdropping by a man in the middle.

Being a root CA means you trust it won't sign dodgy certificates for sites that are not who they claim to be - at the very least, that they own the domain name for which an SSL certificate has been signed.

SSL inspection by a man in the middle completely removes this trust, and your trust now has to transfer to the filter and whoever is managing the CA and signing these effectively bogus certificates.

So if you now go to your bank while on the school network you won't see a certificate signed by Verisign/Thawte etc, you will see it signed by the school, and all your communications with the bank that you thought were confidential are in the clear within the filter system.

So you could say, "That's okay, I won't do my banking at school" (will the teachers remember that?), but there are other scenarios regarding the CA getting compromised and agents other than the school signing certificates.

Sony and Lenovo were hauled over the coals for doing exactly this, and in some cases creating signed SSL certificates without even validating the original.

