WiscNet Internet Content Filtering Service New Customer ...

  • 602 views
Uploaded on

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
602
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
3
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. WiscNet Internet Content Filtering Service New Customer Manual WiscNet's Filtering Service Overview WiscNet operates a content filtering service of World Wide Web-sites, using a current, authoritative database of blocked sites and services that permits our members to comply with local community standards and certify compliance with applicable State and Federal law. We aid our members with interfacing the filtering service to their networks. We respond efficiently to our members' detection of inappropriate sites and services and educate our members about the challenges that content filtering entails. To this end, WiscNet has adopted a hybrid filtering solution that offers superior flexibility and performance. 8E6 Performance The WiscNet hybrid Internet content filtering system consists of two main components: 1) R2000 servers running 8e6 filtering software 2) Large web cache proxy servers A R2000 server is an Intel-based computer that inspects each request and compares the web-site address to its database and returns either a block page or forwards the request to the cache/proxy server. A cache/proxy server is a computer with tremendous disk space designed to store local copies of web-sites that are downloaded from the Internet. Once cached, these web-sites can be retrieved more quickly than if they were downloaded directly from the originating web-site, e.g., www.cnn.com in Atlanta. This hybrid system allows for highly-flexible filtering without a performance penalty. Activation and Configuration The member site must configure web browsers or local proxy servers to send web traffic to the WiscNet Internet content filter server. WiscNet will create a proxy DNS name for use at the member site.
  • 2. A simplified diagram of the filtering service in relation to the WiscNet backbone architecture follows: How It Works Here is how an attempt to view a web page though our filtering system works, step by step: 1) A request for web content originates with a browser on a filtered PC. 2) This request traverses the member's local area network to their firewall, if present. 3) The firewall passes it on through the WiscNet router. 4) From there it goes to the content-filtering proxy server, a R2000 computer, running the 8e6 filtering software, as directed by the member’s configuration. 5) On the R2000, the web-site address in the request is checked against the 8e6 database to see if it is blocked. 6) If the address is blocked, a denial page is sent back to the browser via the WiscNet router and the member's firewall and LAN. 7) If the address is not blocked, then the request is sent on to the cache/proxy servers. 8) If the requested content is found in the server, then it is sent back to the filtered PC, via the WiscNet router and the member's firewall and LAN. 9) If the requested content is not found on the server, then the request is passed on to the WiscNet Internet router and on to the actual web-site on the Internet, where the requested content is sent back to the browser via the servers (where it is cached for future viewing), the WiscNet router, the member's firewall and the LAN. WiscNet’s Filtering Service and the Children’s Internet Protection Act "Does WiscNet’s Filtering Service comply with the Children's Internet Protection Act (CIPA)?" There is no such thing as a “FCC-certified” “CIPA-compliant filter.” According to CIPA’s definition, WiscNet’s filtering service is a “technological protection measure.” The Federal Communications Commission (FCC) has ruled that CIPA does not require schools and libraries to certify the effectiveness of a technological protection
  • 3. measure. Per CIPA, WiscNet offers a filtering service that protects against the visual depictions outlawed by CIPA. A WiscNet member who installs the service is completing one of the requirements of CIPA and may certify to that effect on federal funding requests, such as the FCC Form 486. Such certification is one part of CIPA compliance and maintains eligibility for E-Rate funding. Filtering Content WiscNet's filtering service only filters access to web content using the HTTP protocol. It does not filter email, ftp, telnet or other TCP/IP services. WiscNet members will need to take their own precautions to safeguard students from inappropriate content accessed via any means other than the WWW. Sites are chosen for blocking depending on whether they fit in the categories used by the 8e6 and WiscNet blocking libraries. Libraries are categorical topic groupings of web-sites used by the 8e6 software to determine whether a given site should be blocked. More information about which libraries are and aren’t blocked is available at http://www.wiscnet.net/Managed/Filtering/Categories/ WiscNet members now have the ability to block and unblock sites locally for their entire site. Instructions on how to do this can be found here: http://www.wiscnet.net/Managed/Filtering/Quickstart/ For sites to be blocked that clearly belong in categories such as porn, email etc send an email to mudcrawler@8e6technologies.com Ask them to add these sites to the R2000 library. WiscNet Member Setup Procedure Summary When WiscNet members request information about the filtering service, they are directed to http://www.wiscnet.net/Managed/Filtering/Overview/ where they will find our rate information, filtering agreements and documentation. If they want the service, they must: 1) Sign and return the Filtering Agreement and the Filtering Activation Form. 2) Contact WiscNet to schedule a time for filtering implementation. Both the member configuration of web browsers and the WiscNet configuration of the member site’s router must be coordinated. Technical Setup WiscNet begins configuring a member site's filtering service by creating a new, unique hostname in the Domain Name System server's database pointing to the cache/proxy server designated for the member. The only path to the cache/proxy server is through one of the R2000 8e6 filters. The member site must direct all web traffic that it wants filtered to this unique DNS address and the service port 8760. For example, the DNS address for the school district of the fictional Wisconsin town of
  • 4. East Milwaukee would appear as “proxy.eastmilwaukee.k12.wi.us.” Appendix A, which deals with some special cases of proxy configuration, shows where to enter these settings in both Netscape Navigator and Microsoft Internet Explorer, which may be useful in this context as well. There are several basic network designs that a WiscNet member site may have. The work to implement the filtering falls into several cases and sub-cases: Case 1: Sites with no firewall or local proxy server Within this category, there are two cases to consider: o Sub-case 1: Sites with PC Desktop Control: Sites with a system for controlling software settings (Fortress, file server login scripts etc) o Sub-case 2: Sites without PC Desktop Control Sub-case One: Sites with PC Desktop Control A site that enforces control of software settings will most likely want to implement filtering by entering settings into each PC’s browser that force the browser to send traffic to the WiscNet filtering service. If the desktop is secure, this is all that is necessary to force filtering. Considerations with Subscription Services Sites with subscriptions to services such as Grolier’s, WorldBook, SIRS, etc. should take care to configure exceptions for those services at this time (see Appendix A for examples). These exceptions will make sure that requests to the services are not filtered. Exceptions should also be entered for any servers on the local network. Filtering local servers results in poor performance and unnecessary traffic. For example, the East Milwaukee School district has its own domain, “eastmilwauke.k12.wi.us”. This domain hosts web sites for several schools in the district. Filtering has been enabled at these schools, so the web browsers in use have all been set up to go through a standard WiscNet filtering proxy server, proxy.eastmilwaukee.k12.wi.us. However unless the domain “eastmilwaukee.k12.wi.us” is added to the browser’s exceptions list the browser will load these local sites from filtering proxy server, resulting in poor performance and unnecessary network traffic. Sites with PC desktop control may allow unfiltered access to the web on certain computers by simply omitting the proxy settings from the browsers. This may not meet
  • 5. CIPA requirements. Sub-case Two: Sites without PC Desktop Control A site that doesn’t enforce control of software settings will need to enter browser settings at each PC. Because users can alter the settings, some other action is necessary to prevent unfiltered web access. Because this case includes sites that do not have firewalls or means to enforce control of software settings, WiscNet will enter an Access Control List in the WiscNet site router that prevents normal web access on the web service port (80). Members requiring this service should contact WiscNet Technical Support or send email to filter@wiscnet.net. Considerations for subscription services: For member sites with subscriptions to services such as Grolier’s etc., there are two necessary actions. 1) WiscNet staff must enter exceptions in the WiscNet router’s Access Control List to allow direct access to those servers. 2) The WiscNet member site must also enter exceptions in its browser software. Please refer to Appendix A for examples of browser exception list configuration. For example, the East Milwaukee School district has its own domain, “eastmilwauke.k12.wi.us”. This domain hosts web sites for several schools in the district. Filtering has been enabled at these schools, so the web browsers in use have all been set up to go through a standard WiscNet filtering proxy server, proxy.eastmilwaukee.k12.wi.us. However unless the domain “eastmilwaukee.k12.wi.us” is added to the browser’s exceptions list the browser will load these local sites from filtering proxy server, resulting in poor performance and unnecessary network traffic. Sites without PC desktop control may allow unfiltered access to the web on certain computers by simply omitting the proxy settings from the browsers and requesting that WiscNet permit the IP addresses of the unfiltered PCs to pass through the Access Control List. This solution requires that the IP addresses of unfiltered PCs be permanently assigned; member sites relying on DHCP or other methods of automatically assigning dynamic IP addresses cannot use this method. Case 2: Sites with a Firewall or local Proxy Server A site with its own firewall or local proxy server has more options and therefore more responsibility in implementing filtering. Depending upon the manufacturer and the features available, there are two basic ways a
  • 6. site can implement filtering in conjunction with an internal firewall: o Sub-case 1: By the use of transparent proxy o Sub-case 2: By having the browser proxy settings pointing to the local firewall/proxy o Sub-case 3: Novell’s Border Manager or other proxy servers Sub-case 1: Transparent proxy One option that a firewall or proxy server may permit is to intercept all web traffic and to redirect it to an internal or external proxy address. When successful, this option saves visits to browser desktops and provides a single point of control. Many WiscNet members find it necessary to obtain outside help to configure this option, as firewalls can be time-consuming to learn and maintain. Some WiscNet members have found this option too difficult to maintain or too unreliable. Sub-case 2: Browser Settings Pointing to Local Firewall/Proxy Another option is to use browser settings together with a local firewall or proxy server. Enter your local proxy server’s IP address and port number into each PC’s browser proxy settings. Then set the local proxy server or firewall to forward all requests to the WiscNet filtering proxy service on port 8760, for example “proxy.eastmilwaukee.k12.wi.us:8760”. Considerations for subscription services: Exceptions for Grolier, member’s local web servers, etc., as well as unfiltered browsers can be configured: • Solely in the browser, or • Solely in the firewall/proxy configuration, or • In a combination of browser settings and firewall/proxy settings In the case of a combination of browser and firewall settings, the Access Control List function will be performed by the firewall/proxy instead of the WiscNet router. The advantage to this approach is that it prevents users from defeating filtering by merely changing the browser proxy server settings. In addition to a local firewall or proxy, a WiscNet member site could employ PC desktop control in order to prevent users from changing the browser’s settings. This solution might be more expensive but may be worth it if other requirements besides filtering are a factor. Sub-case 3: Novell’s BorderManager or other proxy servers: A Special Case The documentation for Novell's Border Manager states that using "transparent proxy" eliminates the need to configure each browser's proxy server settings. WiscNet members using Border Manager who are interested in using transparent proxy should look to Novell or their Border Manager consultant for details.
  • 7. Unfiltered Access WiscNet members may have users who need unfiltered access to web-sites. There are two options to accommodate them. Option 1: Override Account The Override account is a feature built into 8e6 filtering. To use it, a member logs in to the 8e6 server. Doing so launches a java applet that constantly transmits a signal to the 8e6 server. This signal instructs the 8e6 server to allow access to unfiltered content from the IP address where the applet is running. WiscNet doesn't recommend this approach. If you’d like details on why WiscNet discourages the use of Override accounts, please contact us at filter@wiscnet.net. Option 2: Permanent The recommended method of enabling unfiltered web-site access selectively at WiscNet member sites is to configure the site's router or firewall to allow specific exceptions based on IP address. A member site can then allow access to unfiltered content to a few specific IP addresses, e.g. to permanently leave unfiltered a designated set of networked computers available only to authorized users. If a member site relies on a WiscNet supplied router, they will need to contact WiscNet support to implement this solution. If they member site has a firewall, the exceptions must be added to the firewall configuration as well. Due to the complexities of router configuration, if a WiscNet member site has its own internal router, this solution should only be attempted if the site has access to personnel with a high degree of networking sophistication or has excellent router or firewall configuration consulting services available. Unfiltered web access may not comply with CIPA. Frequently Asked Questions and Troubleshooting • What's the cost? • How long does setup take? • What is blocked/unblocked? • Can WiscNet members choose which sites are or aren’t blocked? • Does the filtering service slow down network performance? • How do WiscNet members submit requests for blocking/unblocking a site? • What if web-sites that should be blocked are accessible from a supposedly filtered PC? • When and why should I add addresses to exceptions lists in browsers and my firewall. • Does WiscNet’s filtering service include reporting features, i.e. Can I see if web users are trying to view filtered web sites, either collectively or individually? • Can I use the filtering service to block Kazaa, Morpheus, Limewire or other peer to peer file sharing services?
  • 8. • Can I use the filtering software to block unsolicited email, pornographic or otherwise? What’s the Cost? The WiscNet filtering service price list can be found at http://www.wiscnet.net/Managed/Filtering/Overview/ How long does setup take? The steps necessary on WiscNet’s end of the connection to enable filtering for the WiscNet member site typically are done within 24 hours of our receipt of the completed filtering agreement. On the member’s end the time needed for the necessary steps, including but not limited to, configuration of the firewall and the browser proxy server settings on all filtered PCs, depend largely on the resources devoted to the project. What is blocked/unblocked? See the following links for categories of content that are blocked / not blocked: http://www.wiscnet.net/Managed/Filtering/Categories/ Can WiscNet members choose which sites are or aren’t blocked? Yes. Wiscnet members can block and unblock sites by themselves. Instructions are here: http://www.wiscnet.net/Managed/Filtering/Quickstart/ Does the filtering service slow down network performance? No. In fact, due to the cache/proxy servers in the hybrid filtering system, performance may even improve for some sites accessed. How do WiscNet members submit requests for blocking/unblocking a site? WiscNet members may request blocking of individual web-sites by sending email to filter@wiscnet.net. Be sure to include the web-site address of the site to be blocked. Technical Representatives at member institutions may request unblocking of individual sites by sending email to filter@wiscnet.net. Be sure to include the URL of the site to be unblocked. WiscNet staff will then evaluate these requests. What if web-sites that should be blocked are accessible from a supposedly filtered PC? • Confirm that the browser's proxy server settings are pointing to the content filtering proxy server address • Clear the web browser's cache: o For MS Explorer: Go to the Tools menu and select Options. On the General tab, in the Temporary Internet Files section, click "Delete Files" and when the Delete Files dialog box appears, check "delete all offline content" and click OK. o For Netscape Navigator: Go to the Edit menu and select Preferences. In the Category list, double check Advanced and Cache. Click the Clear Memory Cache and the Clear Disk Cache buttons. Click OK. • If you have a firewall and filtering doesn’t seem to be working, you can test the filter by configuring your browser’s proxy server settings to point directly to the WiscNet filtering proxy server’s host name. If filtering works then, try the following:
  • 9. o If your site has a Border Manager firewall or MS Proxy server, confirm that the caches on these machines are cleared. Does WiscNet’s filtering service include reporting features, i.e. Can I see if web users are trying to view filtered web sites, either collectively or individually? There is no reporting system available at this time. If one becomes available in the future, it would not provide information on a particular machine or IP address. This is because WiscNet member sites typically use NAT or some other virtual addressing scheme internally. Externally, all HTTP requests from member sites come only from the site router’s IP addresses. Those router IP addresses are the only ones that the filtering server detects. Can I use the filtering service to block Kazaa, Morpheus, Limewire or other peer to peer file sharing services? No. Peer to Peer file sharing services are not web based services and therefore can not be blocked by the filtering service. The filtering service can block the home pages of those companies that publish peer to peer software, to help keep students from downloading and installing this peer to peer file sharing clients. Can I use the filtering software to block unsolicited email, pornographic or otherwise? No. Internet e-mail is not a web based service and therefore can not be blocked by the filtering service. Warnings and Tips Tip: Don't filter your own local servers. You don’t want to pay extra bandwidth charges because traffic from your schools’ web servers takes a costly detour through the filtering server in Madison. Be sure to avoid this added expense by entering exceptions in your web browsers’ settings. For example, if the folks at East Milwaukee Public Schools have an internal web server, they would enter *.eastmilwaukee.k12.wi.us in their web browsers proxy exception settings. Doing so prevents that server’s traffic from going through the WiscNet backbone, to the filtering server and back again. This reduces billable bandwidth usage. Tip: Set your browser's exceptions first. If you need exceptions in your browser settings, enter them the first time you touch your machines. You need browser exceptions if you subscribe to third party services such as Grolier or Worldbook, or if you have any web servers on your LAN. Subscriptions services will not let traffic from the filter/proxy server IP addresses access their servers without a password. Exceptions for servers not on your LAN will require corresponding work on the WiscNet router or your firewall.
  • 10. Tip: Don't filter WiscNetMail If you subscribe to WiscNetMail as well as WiscNet’s Filtering service, you can speed up access to WiscNetMail by adding an entry to your web browsers’ exceptions list for wiscnetmail.wiscnet.net. If you have a firewall, make sure that traffic to the server’s IP address can get through any port 80 blocks. If you don’t have a firewall, contact support@wiscnet.net and we will check your router to make sure the server can be reached. Warning: Consider not using an override account for unfiltered access. If you decide to use the override account you will likely find out why we discourage its use – someone will use it and leave the pink window open and forget to close it, leaving your whole school unfiltered. Appendix A - Configuring Proxy Server Exceptions For Internet Explorer 1) Go to Tools and select Internet Options. 2) Click on the Connections tab, and on the LAN Settings button.
  • 11. 3) Click on the Advanced button. 4) Enter in the exceptions field the subscription services’ web server names, as well as those of any web servers on your school’s domain. 5) Click the OK button in the Proxy Settings dialog. 6) Click the OK button on the LAN settings dialog. 7) Click the OK on the Internet Options dialog and you’re done
  • 12. Appendix B - Related Links WiscNet Filtering Agreements The following links allow WiscNet members to download printable versions of the filtering service agreements. WiscNet Filtering Agreement for Schools: http://www.wiscnet.net/images/stories/school_filtering_agreement.pdf WiscNet Filtering Agreement for Libraries: http://www.wiscnet.net/images/stories/library_filtering_agreement.pdf WiscNet Filtering Agreement for City Governments: http://www.wiscnet.net/downloads/city_filtering_agreement.pdf WiscNet Filtering Agreement for County Governments: http://www.wiscnet.net/images/stories/county_filtering_agreement.pdf WiscNet Filtering Policy http://www.wiscnet.net/Managed/Filtering/Policy/