
Spring 2007 N2H2 Training and Open Discussion for K-12 schools

Connecticut Education Network. Spring 2007 N2H2 Training and Open Discussion for K-12 schools. Structure of Meeting. Review of Fall ’06 material for new attendees Questions on review material Quick break Delegating administration Spring Cleaning for the lists HTTPS proxy

nyoko


Presentation Transcript


  1. Connecticut Education Network Spring 2007 N2H2 Training and Open Discussion for K-12 schools

  2. Structure of Meeting • Review of Fall ’06 material for new attendees • Questions on review material • Quick break • Delegating administration • Spring Cleaning for the lists • HTTPS proxy • Discussion/suggestions for next time

  3. Choose which categories to block, create custom categories • Assign filters to IPs, IP blocks, time-based filtering • Block/Unblock specific sites. CBL overrules filter assignments • Disabled feature unless explicitly requested by district • Choose the default CEN block page or a custom one • Subdivide your zone and create sub administrators • User name and password administration

  4. Limitations of N2H2 • N2H2 only filters the public CEN IP address, therefore • Cannot monitor internal IP addresses or their activity • If all internal IP addresses NAT to one public address there is limited granularity in separating groups of users • Similarly, an override will remove all filtering for all machines behind that IP for the specified time period • Custom block list syntax can be tricky or selective • Only blocks port 80 HTTP traffic! (more on this later!) • Blocking sites with messaging content does NOT block AOL/AIM/MSN Messenger services

  5. Create zones to split your main zone up into semi-autonomous smaller zones • Ideal if your district is already segmented through your firewall to NAT different schools or servers to different IP addresses • Create sub administrators to manage these different zones • Helpful if each school has its own designated technical administrator; reduces the need for daily requests to be routed through one person • Each sub administrator will receive a login name, filter options, custom block lists, and only have access to the zone specifically delegated to them

  6. Under Assign Filters you can also split up your zone for customized filtering, however you lose the granularity of different custom block lists for different IP ranges • Assign filters to IP addresses/ranges, even specify what time period a filter will be applied (optional) • The CEN Filter is the global default filter. Unless you explicitly define your range to receive a certain filter, this will be the one that is applied

  7. If you want a range or an IP unfiltered, you must define it under Assign Filters as a range and select “No Filter” as the filter. Keep in mind, anything in your CBL will be applied if this isn’t delegated out • Even if you like the CEN Filter, it is best to define your range and select CEN Filter as the filter instead of receiving the global rule base. This will allow you to make changes later on if need be

  8. Filters are groups of categories that are set to be allowed or blocked. N2H2 comes preloaded with the default CEN Filter and a handful of others. • You have the ability to view and edit any of the filters listed under your Define Filters tab without affecting anyone else, or create a brand new one! • Each category can be set to • Block – disable access, user receives block page • Warn – user receives a warn page and must click a link to access, email sent to administrator • Monitor – access not prohibited, email sent to administrator when accessed • Don’t Block (do nothing) • Exceptions can be used as well to allow such things as historical violence (wars, etc.) even if violence as a category is blocked. Use at own risk!

  9. Categories which are listed in BOLD were created by other schools. Use at your own risk; you cannot view or edit these • If a site is categorized under 2 categories and you block one of them, the site will be blocked unless you use your custom allow list (don’t worry, almost there) • Using Custom Categories in place of custom block lists is a tricky procedure; it may or may not work to your expectations depending on the site, categories, etc. If you want some sites allowed for some IP addresses and not others, consider using the Delegation options discussed earlier instead.

  10. If you had opted to retain overrides at the time of our upgrade last school year you have already heard our spiel, please enjoy your “donuts & more” for a minute or so • Assigning overrides allows you to assign an admin, teacher, truancy officer, etc, the power to override a block page with a user name and password you provide. • Your ENRT### login information is also capable of overriding a block page. Please do not give out your login information to anyone. • An override will remove blocking TOTALLY on the public IP address the blocked machine is using for NAT for the time period specified, not just that one site and not just that one machine! Remember, N2H2 only blocks the public IP addresses, not your internal network IP space.

  11. If your network is segmented there is less chance of an override removing filtering for everybody; it will only do it for the one IP address • Reduce the time specified in the override. It defaults to 15 minutes; you can reduce that to your needs • At the end of the override session a window will pop up on the machine which requested it to see if filtering should be reinstated or overriding continued. Be VERY careful to reinstate filtering. If you choose filtering to be off for the rest of the day, that is exactly how long it will be off for. We cannot reinstate filtering for you until the service restarts, sometime around 4 am.

  12. Your handy dandy control center login page: HTTPS://n2h2.cen.ct.gov/controlcenter • Secure Computing’s URL checker, helpful for all those municipal sites wrongly categorized as inappropriate: http://www.securecomputing.com/sfwhere/index.cfm • The DOIT Help Desk, our first line of defense: 1-860-622-2300

  13. Separating the Network by Public IP

  14. Scenario: You have more than one school/age group going through the filter, and want each to have separate settings for filtering levels. Requirement: Capable of using NAT to route different network segments to unique public IP addresses

  15. Separating the Network by Public IP • Having your network prepared to filter IP addresses differently is the hard part; configuring N2H2 to properly reflect this is easy. • Using Delegated Admin, create your different zones and new administrators. • Delegate each new zone to its corresponding admin • Confused? Watch this demo

  16. ****MOST IMPORTANTLY**** • Your main account assigned originally by CEN is your “super administrator” compared to those accounts you create under it • Any Custom Block/Allow Entry you have stored under this account will outweigh those you put in each individual account • Remove all custom blocking and filter settings from the main account and use a separate list per sub account

  17. Spring Cleaning!!  Reduce the Size and Server Load of your Custom Lists

  18. Custom Block Lists are the most memory-intensive portion of N2H2 but a necessary evil • Wildcards (* or ?) require the server to do much more processing of URLs; however, time has shown that using a wildcard catches more unsavory sites to block • URLs with a wildcard are not picked up by Virtual Reviewer, which when activated will compare your CBL entries against the N2H2 database and remove those which are already categorized. • You can have this turned on AND still keep certain sites in the list by using the ‘[LOCK]’ function

  19. Suggested Entry Forms
      • An entire Web site: http://<host name> or sitename.domain (e.g. http://www.ergo.net or ergo.net)
      • Particular sections of a Web site: http://<host name>/<path> (e.g. http://www.ergo.net/about)
      • Particular pages in a Web site: http://<host name>/<path>/<page> (e.g. http://www.ergo.net/about/info.html)
      • An IP address: http://<IP address> (e.g. http://64.58.79.230)
      • A file type (from any HTTP source): [ftype] <file extension> (e.g. [ftype] jpg)
      • A file type (from a particular HTTP location): http://<host name>/*.<file extension> (e.g. http://www.ergo.net/*.jpg)
      • URLs that contain a particular keyword or phrase anywhere in the URL: [keyurl] <word> (e.g. [keyurl] travel vacation, [keyurl] stocks)
      • URLs that contain a particular keyword in the CGI portion of the URL: [keycgi] <word> (e.g. [keycgi] sexyphotos, [keycgi] stocks)

  20. Spring Cleaning!! • Go home and clean! If each school reduces the overall size of their Custom Block List and removes a small portion of their wildcards, the overall performance of the admin filtering server will improve! • Turn on Virtual Reviewer, check lists for stale/old entries, reduce the number of wildcards!
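
One way to find cleanup candidates in an exported Custom Block List, as an added example that is not part of the original slides or of N2H2. It assumes one entry per line in the entry forms listed above; the function names, the sample list, and the rule that `http://host`, `host` and `host/` name the same site are assumptions.

```javascript
// Added example: audit a Custom Block List (CBL) before cleanup.
// Entry forms come from the slide; the normalization rules are assumptions.
function classify(entry) {
  const e = entry.trim().toLowerCase();
  const tag = /^\[(ftype|keyurl|keycgi)\]\s+(.+)$/.exec(e);
  if (tag) return { kind: tag[1], key: tag[1] + ":" + tag[2], wildcard: false };
  // Assumption: "http://host", "host" and "host/" name the same site.
  const bare = e.replace(/^http:\/\//, "").replace(/\/+$/, "");
  const slash = bare.indexOf("/");
  return {
    kind: slash === -1 ? "site" : "path",
    key: bare,
    host: slash === -1 ? bare : bare.slice(0, slash),
    wildcard: /[*?]/.test(bare), // * and ? are the wildcards named on the slide
  };
}

function auditBlockList(lines) {
  const seen = new Set(), sites = new Set(), kept = [];
  const report = { total: 0, duplicates: [], wildcards: [], covered: [] };
  for (const line of lines) {
    if (!line.trim()) continue;
    const c = classify(line);
    report.total++;
    if (seen.has(c.key)) { report.duplicates.push(line); continue; }
    seen.add(c.key);
    if (c.wildcard) report.wildcards.push(line);
    if (c.kind === "site" && !c.wildcard) sites.add(c.host);
    kept.push({ line, c });
  }
  // A section or page entry is redundant once its whole site is listed.
  for (const { line, c } of kept) {
    if (c.kind === "path" && sites.has(c.host)) report.covered.push(line);
  }
  return report;
}

// Constructed sample list, one entry per line.
const SAMPLE_CBL = [
  "http://www.ergo.net",
  "www.ergo.net/",                        // same site as the line above
  "http://www.ergo.net/about/info.html",  // covered by the whole-site entry
  "http://www.ergo.net/*.jpg",            // wildcard, and covered too
  "http://64.58.79.230",
  "[ftype] jpg",
  "[keyurl] stocks",
  "http://*.example.org/games?",
];
console.log(auditBlockList(SAMPLE_CBL));
```

Entries reported under `covered` that are also wildcards are the cheapest wins: removing them cuts server load without unblocking anything.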

  21. Spring Cleaning!!

  22. HTTPS and N2H2

  23. HTTPS and N2H2 • On its own, N2H2 in our environment does not handle HTTPS content filtering • We have set up a non-transparent proxy to route HTTPS traffic through to be filtered • Requires configuring the browsers on your workstations to point HTTPS connections at our proxy, either individually or with Active Directory/group policies • URLs are filtered by the same rule base you use for HTTP filtering

  24. HTTPS and N2H2

  25. HTTPS and N2H2

  26. HTTPS and N2H2 • http://proxy.cen.ct.gov:8888/CEN-PROXY-CONFIG-FILE.pac • proxy.cen.ct.gov port 8888

  27. HTTPS and N2H2 • Only port 443 traffic should be routed at the proxy server • Make sure you have security measures in your network environment! Students should not have access to change the browser settings

  28. HTTPS and N2H2 • Once this is set up on your network, you will start receiving blocks on HTTPS sites that you currently have blocked as URLs either in a category or Custom Block List • Continue to administer the Control Center just as you would for HTTP traffic. Adding www.google.com will now block http://www.google.com AND https://www.google.com

  29. HTTPS and N2H2 • If this is implemented on a laptop that also is used outside CEN, these changes will affect access to HTTPS sites. • Excluding internal IP addresses and servers, etc, when using Group Policy is highly recommended to avoid disrupting services • If you are still having issues with students reaching inappropriate sites try using your firewall as well to block certain connections
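
A proxy auto-config file that follows the rules on the HTTPS slides (only HTTPS goes to proxy.cen.ct.gov port 8888, internal addresses and servers are excluded), as an added example; it is not the contents of CEN-PROXY-CONFIG-FILE.pac. The internal DNS suffix `.district.example` and the helper names are assumptions to replace with your own values.

```javascript
// Added example of a PAC file; not CEN's actual configuration file.
var CEN_PROXY = "PROXY proxy.cen.ct.gov:8888"; // host and port from the slides
var INTERNAL_SUFFIXES = [".district.example"]; // assumption: your internal DNS zone

// True for RFC 1918 private and loopback IPv4 literals.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function isInternalHost(host) {
  host = host.toLowerCase();
  // Plain names such as "intranet". IPv6 literals also lack a dot, so they
  // are ruled out here and stay on the filtered path.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (isPrivateIPv4(host)) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // Match the zone itself or a name ending in ".zone", never "evil-zone".
    if (host === s.slice(1) || host.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Only HTTPS is sent to the proxy; HTTP keeps its existing filtered path.
  if (url.substring(0, 6).toLowerCase() !== "https:") return "DIRECT";
  // Internal servers are excluded so local services are not disrupted.
  if (isInternalHost(host)) return "DIRECT";
  // No "; DIRECT" fallback: failing open would skip filtering whenever the
  // proxy is unreachable, which is also why HTTPS breaks on laptops off CEN.
  return CEN_PROXY;
}
```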

  30. Control Center login for administration: • https://n2h2.cen.ct.gov/controlcenter • The URL Checker, your new best friend: • http://www.securecomputing.com/sfwhere/index.cfm
