Spring 2007 N2H2 Training and Open Discussion for K-12 schools.
Structure of Meeting
Review of Fall ’06 material for new attendees
Questions on review material
Quick break
Delegating administration
Spring Cleaning for the lists
HTTPS proxy
Discussion/suggestions for next time
Review of Fall ’06 material
Choose which categories to block, create custom categories
Assign filters to IPs, IP blocks, time based filtering
Block/Unblock specific sites. CBL overrules filter assignments
Disabled feature unless explicitly requested by district
Choose the default CEN block page or a custom one
Subdivide your zone and create sub administrators
User name and password administration
Limitations of N2H2
N2H2 only filters the public CEN IP address, therefore
Cannot monitor internal IP addresses or their activity
If all internal IP addresses NAT to one public address there is limited granularity in separating groups of users
Similarly, an override will remove all filtering for all machines behind that IP for the specified time period
Custom block list syntax can be tricky or selective
Only blocks port 80 HTTP traffic! (more on this later!)
Blocking sites with messaging content does NOT block AOL/AIM/MSN Messenger services
Create zones to split your main zone up into semi-autonomous smaller zones
Ideal if your district is already segmented through your firewall to NAT different schools or servers to different IP addresses
Create sub administrators to manage these different zones
Helpful if each school has its own designated technical administrator; reduces the need for daily requests to be routed through one person
Each sub administrator will receive a login name, filter options, custom block lists, and only have access to the zone specifically delegated to them
Under Assign Filters you can also split up your zone for customized filtering, however you lose the granularity of different custom block lists for different IP ranges
Assign filters to IP addresses/ranges, even specify what time period a filter will be applied (optional)
The CEN Filter is the global default filter. Unless you explicitly define your range to receive a certain filter, this will be the one that is applied
If you want a range or an IP unfiltered, you must define it under Assign Filters as a range and select “No Filter” as the filter. Keep in mind, anything in your CBL will be applied if this isn’t delegated out
Even if you like the CEN Filter, it is best to define your range and select CEN Filter as the filter instead of receiving the global rule base. This will allow you to make changes later on if need be
Filters are groups of categories that are set to be allowed or blocked. N2H2 comes preloaded with the default CEN Filter and a handful of others.
You have the ability to view and edit any of the filters listed under your Define Filters tab without affecting anyone else, or create a brand new one!
Each category can be set to
Block – disable access, user receives block page
Warn – user receives a warn page and must click a link to access, email sent to administrator
Monitor – access not prohibited, email sent to administrator when accessed
Don’t Block (do nothing)
Exceptions can be used as well to allow such things as historical violence (wars, etc) even if violence as a category is blocked. Use at own risk!
Filter (“CEN Filter”, “Typical Minimum Filter”, etc) = Blocked Categories + Allowed Categories + Custom Block/Allow Lists
Categories which are listed in BOLD were created by other schools. Use at your own risk, you cannot view or edit these
If a site is categorized under 2 categories and you block one of them, the site will be blocked unless you use your custom allow list (don’t worry, almost there)
Using Custom Categories in place of custom block lists is a tricky procedure, it may or may not work to your expectations depending on the site, categories, etc. If you want some sites allowed for some IP addresses and not others consider using the Delegation options discussed earlier instead.
Overrides
If you had opted to retain overrides at the time of our upgrade last school year you have already heard our spiel, please enjoy your “donuts & more” for a minute or so
Assigning overrides allows you to assign an admin, teacher, truancy officer, etc, the power to override a block page with a user name and password you provide.
Your ENRT### login information is also capable of overriding a block page. Please do not give out your login information to anyone.
An override will remove blocking TOTALLY on the public IP address the blocked machine is using for NAT for the time period specified, not just that one site and not just that one machine! Remember, N2H2 only blocks the public IP addresses, not your internal network IP space.
If your network is segmented there is less chance of an override removing filtering for everybody; it will only remove it for the one public IP address
Reduce the time specified in the override. It defaults to 15 minutes; you can reduce that to your needs
At the end of the override session a window will pop up on the machine which requested it to ask whether filtering should be reinstated or overriding continued. Be VERY careful to reinstate filtering. If you chose filtering to be off for the rest of the day, that is exactly how long it will be off for. We cannot reinstate filtering for you until the service restarts, sometime around 4 am.
Your handy dandy control center login page:
HTTPS://n2h2.cen.ct.gov/controlcenter
Secure Computing’s URL checker, helpful for all those municipal sites wrongly categorized as inappropriate:
http://www.securecomputing.com/sfwhere/index.cfm
The DOIT Help Desk, our first line of defense:
1-860-622-2300
Separating the Network by Public IP
Scenario: You have more than one school/age group going through the filter, and want each to have separate settings for filtering levels.
Requirement: Capable of using NAT to route different network segments to unique public IP addresses
Diagram: CEN Connection -> Firewall -> Middle School, High School, Elementary School, each NATed to its own public IP address (65.251.55.4, 65.251.55.5, 65.251.55.6)
Separating the Network by Public IP
Having your network prepared to filter IP addresses differently is the hard part, configuring N2H2 to properly reflect this is easy.
Using Delegated Admin, create your different zones and new administrators.
Delegate each new zone to its corresponding admin
Confused? Watch this demo
****MOST IMPORTANTLY****
Your main account assigned originally by CEN is your “super administrator” compared to those accounts you create under it
Any Custom Block/Allow Entry you have stored under this account will outweigh those you put in each individual account
Remove all custom blocking and filter settings from the main account and use a separate list per sub account
Spring Cleaning!!
Reduce the Size and Server Load of your Custom Lists
Custom Block Lists are the most memory intensive portion of N2H2 but a necessary evil
Wildcards (* or ?) require the server to do much more processing of URLs; however, time has shown that using a wildcard catches more unsavory sites to block
URLs with a wildcard are not picked up by Virtual Reviewer, which when activated will compare your CBL entries against the N2H2 database and remove those which are already categorized. You can have this turned on AND still keep certain sites in the list by using the ‘[LOCK]’ function
Suggested Entry Forms
An entire Web site: http://<host name> or sitename.domain (e.g. http://www.ergo.net or ergo.net)
Particular sections of a Web site: http://<host name>/<path> (e.g. http://www.ergo.net/about)
Particular pages in a Web site: http://<host name>/<path>/<page> (e.g. http://www.ergo.net/about/info.html)
An IP address: http://<IP address> (e.g. http://64.58.79.230)
A file type (from any HTTP source): [ftype] <file extension> (e.g. [ftype] jpg)
A file type (from a particular HTTP location): http://<host name>/*.<file extension> (e.g. http://www.ergo.net/*.jpg)
URLs that contain a particular keyword or phrase anywhere in the URL: [keyurl] <word> (e.g. [keyurl] travel vacation, [keyurl] stocks)
URLs that contain a particular keyword in the CGI portion of the URL: [keycgi] <word> (e.g. [keycgi] sexyphotos, [keycgi] stocks)
Spring Cleaning!!
Go home and clean! If each school reduces the overall size of their Custom Block List and removes a small portion of their wildcards, the overall performance of the admin filtering server will improve!
Turn on Virtual Reviewer, check lists for stale/old entries, reduce the number of wildcards!
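The entry forms and the spring-cleaning advice above are easier to reason about with a small matcher in hand. The following is an added example, not N2H2's own code: it parses the Custom Block List entry forms from the slides (whole site, section, page, IP address, [ftype], wildcard, [keyurl], [keycgi], [LOCK]), checks URLs against them, counts the wildcard entries that cost the server extra processing, and runs a Virtual Reviewer-style pass that drops unlocked plain URL entries whose host is already categorized. Everything the slides do not spell out is an assumption here: subdomains of a site entry match, matching is case-insensitive, [LOCK] is a line prefix, and the sample list and the "categorized hosts" are constructed.

```javascript
// Added example (not N2H2's own code): a matcher for the Custom Block List entry
// forms on the slides plus a "spring cleaning" pass in the spirit of Virtual
// Reviewer. Subdomain matching, case folding and "[LOCK]" as a prefix are assumptions.

// Constructed sample list, one entry per form shown on the slides.
var SAMPLE_CBL = [
  "ergo.net",                          // entire site
  "http://www.example.org/about",      // one section of a site
  "http://64.58.79.230",               // an IP address
  "[ftype] exe",                       // file type from any source
  "http://files.example.net/*.jpg",    // file type from one location (wildcard)
  "[keyurl] travel vacation",          // keyword anywhere in the URL
  "[keycgi] sexyphotos",               // keyword in the CGI (query) part only
  "[LOCK] http://keepme.example.com/"  // kept even if Virtual Reviewer would drop it
];

// Split a URL into lower-cased host, path and query. Scheme-less entries are
// treated as http://, as the "sitename.domain" form on the slides implies.
function splitUrl(s) {
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) s = "http://" + s;
  var m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#:]*)(?::\d+)?([^?#]*)(?:\?([^#]*))?/i.exec(s);
  if (!m) return null;
  return { host: m[1].toLowerCase(), path: m[2] || "/", query: m[3] || "" };
}

// Turn a wildcard entry (* and ? as on the slides) into an anchored regexp.
function globToRegExp(glob) {
  var re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i");
}

// Parse one list line into a rule object.
function parseEntry(line) {
  var text = line.replace(/^\s+|\s+$/g, "");
  var locked = /^\[LOCK\]/i.test(text);
  if (locked) text = text.replace(/^\[LOCK\]\s*/i, "");
  var tag = /^\[(ftype|keyurl|keycgi)\]\s*(.+)$/i.exec(text);
  var rule = { raw: line, locked: locked, wildcard: !tag && /[*?]/.test(text) };
  if (tag) {
    rule.kind = tag[1].toLowerCase();
    rule.value = tag[2].toLowerCase();
  } else if (rule.wildcard) {
    // Wildcards are matched against host+path with the scheme dropped, so an
    // http:// entry also catches the https:// form once the HTTPS proxy is in use.
    rule.kind = "glob";
    rule.pattern = globToRegExp(text.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ""));
  } else {
    var u = splitUrl(text);
    rule.kind = "url";
    rule.host = u.host;
    rule.path = u.path;
  }
  return rule;
}

function matches(rule, url) {
  var u = splitUrl(url);
  if (!u) return false;
  switch (rule.kind) {
    case "ftype":  return new RegExp("\\." + rule.value + "$", "i").test(u.path);
    case "keyurl": return url.toLowerCase().indexOf(rule.value) >= 0;
    case "keycgi": return u.query.toLowerCase().indexOf(rule.value) >= 0;
    case "glob":   return rule.pattern.test(u.host + u.path);
    case "url":
      var hostOk = u.host === rule.host || u.host.slice(-(rule.host.length + 1)) === "." + rule.host;
      if (!hostOk) return false;
      if (rule.path === "/") return true;                  // whole site
      var section = rule.path.replace(/\/$/, "");
      return u.path === section || u.path.indexOf(section + "/") === 0;
  }
  return false;
}

function compileList(lines) {
  var rules = [];
  for (var i = 0; i < lines.length; i++) rules.push(parseEntry(lines[i]));
  return rules;
}

// First entry that blocks the URL, or null (block/allow precedence is outside this example).
function firstMatch(rules, url) {
  for (var i = 0; i < rules.length; i++) if (matches(rules[i], url)) return rules[i].raw;
  return null;
}

// Virtual Reviewer stand-in: drop plain URL entries whose host the vendor database
// already categorizes, unless [LOCK]ed. Wildcard entries are skipped, as the slides say.
function springClean(rules, categorizedHosts) {
  var kept = [];
  for (var i = 0; i < rules.length; i++) {
    var r = rules[i];
    var redundant = r.kind === "url" && !r.locked && categorizedHosts.indexOf(r.host) >= 0;
    if (!redundant) kept.push(r);
  }
  return kept;
}

// How many entries force the slower wildcard processing the slides warn about.
function wildcardCount(rules) {
  var n = 0;
  for (var i = 0; i < rules.length; i++) if (rules[i].wildcard) n++;
  return n;
}
```

Note that [keycgi] only looks at the part after the "?", so a keyword that appears in the path is not caught by it; that is the difference between the two keyword forms on the slides. Running springClean with a constructed list of categorized hosts shows the [LOCK] entry surviving while the unlocked site entry is dropped.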
HTTPS and N2H2
On its own, N2H2 in our environment does not handle HTTPS content filtering
We have set up a non-transparent proxy to route HTTPS traffic through to be filtered
Requires configuring the browsers on your workstations to point HTTPS connections at our proxy, either individually or with Active Directory/group policies
URLs are filtered by the same rule base you use for HTTP filtering
HTTPS and N2H2
PAC file: http://proxy.cen.ct.gov:8888/CEN-PROXY-CONFIG-FILE.pac
Proxy host and port: proxy.cen.ct.gov port 8888
HTTPS and N2H2
Only port 443 traffic should be routed at the proxy server
Make sure you have security measures in your network environment! Students should not have access to change the browser settings
HTTPS and N2H2
Once this is set up on your network, you will start receiving blocks on HTTPS sites that you currently have blocked as URLs either in a category or Custom Block List
Continue to administer the Control Center just as you would for HTTP traffic. Adding www.google.com will now block http://www.google.com AND https://www.google.com
HTTPS and N2H2
If this is implemented on a laptop that is also used outside CEN, these changes will affect access to HTTPS sites.
Excluding internal IP addresses and servers, etc, when using Group Policy is highly recommended to avoid disrupting services
If you are still having issues with students reaching inappropriate sites try using your firewall as well to block certain connections
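The HTTPS slides describe what the browser-side configuration has to do: send only HTTPS on port 443 to proxy.cen.ct.gov:8888, send everything else direct, and leave internal addresses and servers out so the Group Policy rollout does not disrupt services. CEN's actual PAC file is not reproduced on these slides; the script below is an added example that implements that behaviour. The internal ranges (RFC 1918 and loopback) and the `.example-district.local` domain are placeholder assumptions to replace with a district's own. It uses only plain string and regular-expression operations, none of the browser PAC helper functions, so the same FindProxyForURL runs in a browser's PAC engine and under Node for testing.

```javascript
// Added example (not CEN's actual PAC file): route only HTTPS on port 443 to the
// CEN proxy, everything else direct, and never proxy internal hosts.
var CEN_PROXY = "PROXY proxy.cen.ct.gov:8888";   // host and port from the slides
var DIRECT = "DIRECT";

// Assumed internal address space; placeholder values, substitute the district's own.
var INTERNAL_HOST_PATTERNS = [
  /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,             // RFC 1918 10/8
  /^192\.168\.\d{1,3}\.\d{1,3}$/,                // RFC 1918 192.168/16
  /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/, // RFC 1918 172.16/12
  /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/,            // loopback
  /^localhost$/i,
  /\.example-district\.local$/i                  // hypothetical internal AD domain
];

function isInternalHost(host) {
  for (var i = 0; i < INTERNAL_HOST_PATTERNS.length; i++) {
    if (INTERNAL_HOST_PATTERNS[i].test(host)) return true;
  }
  return false;
}

// TCP port the URL targets (explicit port, else the scheme default), or -1 if unknown.
function urlPort(url) {
  var m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(url);
  if (!m) return -1;
  var scheme = m[1].toLowerCase();
  var authority = m[2];
  var at = authority.lastIndexOf("@");
  if (at >= 0) authority = authority.substring(at + 1);   // drop userinfo
  var colon = authority.lastIndexOf(":");
  if (colon >= 0 && authority.indexOf("]") < colon) {     // explicit port (IPv6-literal safe)
    var p = parseInt(authority.substring(colon + 1), 10);
    return isNaN(p) ? -1 : p;
  }
  if (scheme === "https") return 443;
  if (scheme === "http") return 80;
  return -1;
}

// Entry point the browser's PAC engine calls for every request.
function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();
  if (isInternalHost(host)) return DIRECT;               // never proxy internal servers
  if (/^https:/i.test(url) && urlPort(url) === 443) return CEN_PROXY;
  return DIRECT;                                         // HTTP stays on the N2H2 path
}
```

Because the decision is made per URL, a laptop that carries this PAC file off the CEN network will keep trying to reach proxy.cen.ct.gov for every HTTPS site, which is the laptop caveat the slides raise; pairing the PAC rollout with a Group Policy that applies only on the school network addresses that concern.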
HTTPS and N2H2
Control Center login for administration: https://n2h2.cen.ct.gov/controlcenter
The URL Checker, your new best friend: http://www.securecomputing.com/sfwhere/index.cfm