NCompass Live - July 26, 2023.
http://nlc.nebraska.gov/NCompassLive/
Special monthly episodes of NCompass Live! Join the NLC’s Technology Innovation Librarian, Amanda Sweet, as she guides us through the world of library-related Pretty Sweet Tech.
To take advantage of the E-rate funding to pay for your library’s Internet service, you are required to have CIPA (Children’s Internet Protection Act) compliant filtering in place. Filtering can also provide strong cybersecurity protection for library staff and customers. Guest Presenter Andrew "Sherm" Sherman, with the Nebraska Library Commission Computer Services team, will discuss how this filtering can be implemented, the cybersecurity benefits, and the various solutions that meet CIPA guidelines.
3. The Router
(It’s so busy!)
• The Modem & Gateway – connects the ISP’s (Internet Service Provider) network to the library’s LAN (Local Area Network)
• DHCP (Dynamic Host Configuration Protocol)
• When a device boots/powers up, the DHCP server provides all the network addressing info
• DNS (Domain Name Server, port 53)
• The Internet’s phone book
• URL (Uniform Resource Locator) to IP (Internet Protocol) Address
• Caching for speed boost but delays change propagation.
• NAT (Network Address Translation, port 5351)
• Leases a Private IP Address to a device
• Library’s Public IP Address from the ISP
• Static & Dynamic
• The dreaded CIN (Copyright Infringement Notice) letter from your ISP/RIAA/MPA.
• Block BitTorrent app!
• WiFi Server
• and the VPN (Virtual Private Network) Server?
Whew!
• Add an “edge” router and/or WAP (Wireless Access Point) to improve WiFi performance?
4. Device Level
• PCs will automatically use the DNS server DHCP tells them to by default
• The PCs can be set to use a different DNS server
• Change it in Windows
• Safe Search on the browser is not a CIPA compliant filter.
Cloud Based
• Free filters can be too restrictive with no ability to modify them (use OpenDNS Home, maybe NextDNS?)
• DNSFilter (Basic cybersecurity. NLC provided solution!)
• Cisco Umbrella (Strong cybersecurity. Expensive.)
• Pricing may be an issue since many cloud options are per user. Talk with your vendor about pricing for a library and education discounts.
• At a minimum, use Quad9 for free cybersecurity.
DNS Filtering Methods
Network Level
• Change it on the Router
• All devices using DHCP
• VLAN (Virtual Local Area Network)
• Requires a high-end router or firewall
• Leave the Public WiFi unfiltered?
Local Device Based
• Firewalls have it as a built-in feature. (Ubiquiti’s Dream Machine firewall uses free CleanBrowsing and it’s too restrictive.)
• App on the PCs. CyberSitter is a popular one.
• CyberSitter BLACK (New! $195)
• Raspberry Pi based on Pi-hole ad blocker distro
• Squidguard is another Raspberry Pi option
5. Modifying DNS Network Settings
• On a PC (Windows 11 Network Properties)
• On a Router (Netgear Orbi)
6. DNS Filtering (outbound)
• DNS
• Domain (google.com, wikipedia.org)
• Subdomain (www.google.com, en.wikipedia.org)
• Top Level Domain (Russia, *.ru)
• IPv4 Address (32-bit, 142.250.191.206)
• IPv6 Address (128-bit, 2607:f8b0:4009:81a::200e)
• Utilize the IPv4 address of your DNS filter vendor’s DNS server
• Whitelists (good places)
• Blacklists (bad places)
• Block Screen issues (HTTP vs HTTPS)
• Load DNS filter vendor’s certificate on PCs to fix
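The domain, subdomain, top-level-domain, whitelist and blacklist entries listed above, worked through as an added example (not part of the original slides and not DNSFilter's or any vendor's code): a minimal matcher that decides a DNS query against a constructed policy. The precedence rule (the most specific entry wins, and the whitelist beats the blacklist for the same name), the default-allow fallback and the `example` host names are assumptions.

```python
from dataclasses import dataclass, field

def normalize(name: str) -> str:
    """Lowercase, drop a trailing dot and a leading '*.', so '*.ru' and 'RU.' both become 'ru'."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def suffixes(qname: str):
    """Yield the queried name and each parent, split on label boundaries, most specific first."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

@dataclass
class DnsPolicy:
    # An entry covers the name itself and everything beneath it (its subdomains).
    allow: set = field(default_factory=set)   # whitelist ("good places")
    block: set = field(default_factory=set)   # blacklist ("bad places"), domains or whole TLDs

    def __post_init__(self):
        self.allow = {normalize(r) for r in self.allow}
        self.block = {normalize(r) for r in self.block}

    def decide(self, qname: str):
        """Return (verdict, matched_entry); walk from the full name up to the TLD."""
        for candidate in suffixes(qname):
            if candidate in self.allow:      # assumption: whitelist wins on the same name
                return ("allow", candidate)
            if candidate in self.block:
                return ("block", candidate)
        return ("allow", None)               # assumption: unlisted names resolve normally

# Constructed policy: block a whole TLD and one domain, whitelist one host under the blocked TLD.
POLICY = DnsPolicy(allow={"catalog.example.ru"}, block={"*.ru", "badsite.example"})

# Constructed queries, including a trailing dot, mixed case and a look-alike name.
SAMPLE_QUERIES = ["en.wikipedia.org.", "WWW.BadSite.Example", "notbadsite.example",
                  "mail.anything.ru", "catalog.example.ru"]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        verdict, rule = POLICY.decide(q)
        print(f"{q:22} {verdict:5} matched={rule}")
```

Matching on whole labels rather than on substrings is what keeps `notbadsite.example` from being caught by the `badsite.example` entry.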
Firewalls (inbound & outbound)
• DNS Filtering
• Stateful, packet inspection
• Stateless, packet filter
• App & Port blocking
• Deep Inspection is the new standard
• Examines the entire packet in detail
• Has to be high performing ($$$) so as not to cause lag
• NGFW (Next-Generation Firewall) throughput in Mbps is a measure of throughput when IPS (Intrusion Prevention Services) and AC (Application Control) are running
Cybersecurity
7. Filtered Website Results
HTTP or HTTPS with the DNSFilter Certificate installed.
This is the “block” screen. The block can be bypassed with the use of the bypass password. Once bypassed, NO filtering will be performed for the duration of the browser session.
8. Filtered Website Results
HTTPS and the DNSFilter Certificate is not installed.
Recommend installing the DNSFilter Certificate on the Public PCs to get the block screen.
9. Filtered Website Results
The Dynamic IP address changed. The DNSFilter deployment (library) has to be updated with the new Dynamic IP address for Internet access.
Request a Static IP address from your ISP to prevent this. If the ISP can’t provide one, Dynamic DNS can be utilized.
10. CIPA (Children's Internet Protection Act)
• Internet Safety Policy
• Public Notice and Hearing/Meeting
• Technology Protection Measure
• “a specific technology that blocks or filters internet access.”
• “that protects against access by adults and minors to visual depictions that are obscene, child pornography, or – with respect to use of computers with internet access by minors – harmful to minors.”
• Enabled on all library owned devices with Internet access
Disabling the filter
• “the library may disable the technology protection measure during use by an adult to enable access for bona fide research or other lawful purpose.”
• Disable via app/client on the PC?
• Use the DNS filter’s bypass password?
• Add to DNS filter account’s whitelist?
• Login to DNS Filter account to add
• Not instantaneous with caching
• Modify DNS setting on the PC
• Ethernet or WiFi?
• Switch to Manual
• Use Google’s IPv4 DNS servers
• Preferred: 8.8.8.8 and Alternate: 8.8.4.4
• Requires Admin login to save
• Will need to be switched back to Automatic (DHCP)
• Reboot/Restore in place? (It should be!)
E-Rate
What’s required (USAC)?
• ALA (American Library Association)
• FCC (Federal Communications Commission)
• NLC (Nebraska Library Commission)
• USAC (Universal Service Administrative Company)
11. My contact info:
Andrew “Sherm” Sherman
Library Technology Support Specialist
Nebraska Library Commission
402-471-4559
andrew.Sherman@nebraska.gov