The Filtering Challenge

4/20/2007 By: James Careless

from Technology & Learning

All Web filters are not created equal. Is yours doing the job?

Web literacy is a key 21st-century skill, and teaching students to be savvy consumers of online infor-mation is defi-nitely a mandate for schools today. Filtering—with all its pros and cons—has become a necessary way of life for most institutions. But how can you be sure your Web filter is the most appropriate choice for the tasks you want it to perform?

Below, experts offer some basic information, tips, and advice on filtering in your district.


The best filtering resources, such as Lightspeed's, let districts choose the types of sites they want to block.

1 Filtering Basics

"A Web filter is something that filters all outgoing traffic related to the Web," explains Mark Josupait, a network and security specialist with CDW-Government, an IT solutions provider for government and educators. "Basically, a Web filter lets you specify what sites users can and cannot access through their computers based on criteria that you set at the administrator level. You can set this criteria on a blanket basis, by groups (i.e. students and teachers), or based on a user profile."

"You may provide different levels of access to faculty members during different time periods," Josupait says. "During school hours, for instance, you may want the highest level of protection possible, to keep students safe. After hours, you may choose to lessen the restrictions, since only adults will still be on-site."

Ultimately, the purpose of a Web filter is "to keep good people good," Josupait says. For students, this means preventing them from logging on to sites with themes that are sexual, violent, gambling-related, or simply non-educational. For staff, Web filters prevent access to inappropriate sites that could not only interfere with their jobs, but might also cause considerable embarrassment to their employers should such surfing become public knowledge.

2 Go or No-Go Sites

Web filters categorize Web sites by their basic content themes and then compare these themes against a list of approved and blocked categories to decide whether or not access can be allowed. For instance, CNN.com would be classified as news and assigned to the approved list. Whitehouse.com—an adult site often mistakenly confused for the official Web site of the nation's capital—would be classified as adult and assigned to the blocked list, preventing surfers from getting an eyeful. In those cases where a site can't be categorized, the default decision is to block it.

So who decides which sites are assigned to which list? In theory, this can be done by any administrator. However, given the ongoing controversies that surround Web access, especially where children are concerned, the wisest approach is to create a committee including parents, staff, and school district officials to jointly devise Web filtering rules.

This is the approach used by Duval County Public Schools in Jacksonville, Florida. "You don't want a CIO deciding what sites to approve or block," says Jim Culbert, an information security analyst with DCPS's technology division. "That's something that needs to be worked out by a parent/teacher/district committee, because of the sensitive nature of these decisions. At DCPS, I chair such a committee, but I don't vote on what gets approved or blocked. That would be politically inappropriate and really not part of my job."

3 Evolving Web Threats

Be warned: The threats that Web filters have to contend with are ever-changing in their complexity and deviousness. Web filter manufacturers know this and are adapting to these changes, but they usually find themselves having to play catch-up.

"Filtering in education used to be about legal liability—blocking 'bad' sites such as those with violent content," explains Josupait. "Blocking objectionable content still remains important, but security is becoming ever more prevalent and critical." He adds that, as security threats change (Web viruses, spyware, hacking tools, malicious content, worms), it is even more important to block those sites before they can make an appearance in schools.

Worse yet, "New Web applications are becoming more and more savvy," Josupait notes. "Programs like Instant Messaging can now mask themselves to appear as normal Web traffic or utilize a different port going out that may be open. In addition, the ability to block sites with spyware, phishing, worms, and more all help protect users' personal information, which is part of meeting [Children's Internet Protection Act] compliancy."

But there is good news. "Sites are now categorized inside the content filter, and as the list of sites has grown so have the categories that we can block or allow," says Culbert. "Authentication of the users is the biggest step forward. The ability to identify by name users' activities on the network brings with it accountability."

4 Purchasing Filters

Functionally, there are two types of Web filters available. The first is software-based; it simply gets loaded on to the server that controls Web access. The second is a hardware-based "appliance" loaded with Web filter software, for clients who lack a Web access server or prefer to have Web filtering executed by a separate device.

Duval County Public Schools opted for this second route when it chose 8e6 Technologies's R3000 Internet Filter and Enterprise Reporter to solve its Web filtering issues. Based in Jacksonville, DCPS is the 16th largest school district in the country, with roughly 140,000 students, 16,000 teachers and staff, and 165 schools covering the K-12 range.

"Our old Web filter didn't stop students from using anonymous proxies to access blocked sites," says Culbert. "As well, we needed to set up an authentication system that would tell us who and where these students were as they made these attempts. Finally, we didn't want to add these extra requirements onto our existing server, but instead have it handled by a stand-alone device connected to our network."

8e6's stand-alone R3000 unit is now managing all of these tasks for DCPS, including invisibly authenticating each user in real-time as they access the Web. As well, the R3000 comes with "Proxy Pattern Blocking" to keep kids from bypassing the Web filter with anonymous proxies. It even records how many times they make these attempts.

5 The Cheap Filter Option

As with anything in life, you get what you pay for. A cheap filter will lack the sophistication to discern between subtle variants of Web sites. It will also quickly become out-of-date. To remain effective, a Web filter's site database must constantly be maintained.

This is why it makes sense to choose a Web filter vendor that constantly records and rates new Web sites as they appear, then sends this data to your Web filter to keep it up to date. Granted, this service costs money, but without it a Web filter is ineffective.

As for cost? Josupait says, "$500 will buy a Web filter solution that can protect a very small environment. The more users you have and the more functionality you need, the higher the cost. However, manufacturers will offer per-unit discounts when you buy in volume."

6 Licensing

Fortunately, Web filters are licensed by the number of PCs on the network, not how many people use them. "A school district may have 10,000 students, but only 2,000 PCs," Josupait says. "Hence you only have to pay for 2,000 licenses—not 10,000."

7 School-Specific Web Filters

There are lots of Web filters on the market, but not all of them are tailored for schools. "Some vendors' categories don't make distinctions between gaming sites and educational gaming sites," Culbert gives as an example. "Before you buy, take a hard look at their categories. Otherwise, you could waste a lot of time after the fact registering exceptions to your blocked list."

8 The Bottom Line

Web filters are a must for school districts, no matter what their size. However, not every Web filter is good enough. Before you buy, form a committee of stakeholders, determine what your needs are and how detailed you want the filtering process to be, and then go shopping.

James Careless is a freelance journalist based in Ottawa, Canada.

Web Filter Resources

ASA CIPA Content Filtering Service FAQ

Internet Child Safety and Child Internet Protection

Kids Outsmart Web Filters

Naughty Employees Threaten IT Security

Safeguarding the Wired Schoolhouse

The Children's Internet Protection Act: Advice and Resources


Who's Who

8e6 Technologies

Lightspeed Systems

St. Bernard

Secure Computing

SonicWALL

SurfControl

Websense

Sponsored
Alert to All Users of the Disqus commenting system:
Because of a recent global security issue, the Disqus website recommends that all users change their Disqus passwords.
Here's a URL about the issue: http://engineering.disqus.com/2014/04/10/heartbleed.html
comments powered by Disqus

SUBSCRIBE

current issue

Game changer or vaporware?

CONNECT WITH US