Spring 2007 N2H2 Training and Open Discussion for K-12 schools.


Transcript of Spring 2007 N2H2 Training and Open Discussion for K-12 schools.

Page 1: Spring 2007 N2H2 Training and Open Discussion for K-12 schools.
Page 2:

Spring 2007

N2H2 Training and Open Discussion for K-12 schools

Page 3:

Structure of Meeting

Review of Fall ’06 material for new attendees

Questions on review material

Quick break

Delegating administration

Spring Cleaning for the lists

HTTPS proxy

Discussion/suggestions for next time

Page 4:
Page 5:

Choose which categories to block, create custom categories

Assign filters to IPs, IP blocks, time based filtering

Block/Unblock specific sites. CBL overrules filter assignments

Disabled feature unless explicitly requested by district

Choose the default CEN block page or a custom one

Subdivide your zone and create sub administrators

User name and password administration

Page 6:

Limitations of N2H2

N2H2 only filters the public CEN IP address, therefore

Cannot monitor internal IP addresses or their activity

If all internal IP addresses NAT to one public address there is limited granularity in separating groups of users

Similarly, an override will remove all filtering for all machines behind that IP for the specified time period

Custom block list syntax can be tricky or selective

Only blocks port 80 HTTP traffic! (more on this later!)

Blocking sites with messaging content does NOT block AOL/AIM/MSN Messenger services

Page 7:

Create zones to split your main zone up into semi-autonomous smaller zones

Ideal if your district is already segmented through your firewall to NAT different schools or servers to different IP addresses

Create sub administrators to manage these different zones

Helpful if each school has its own designated technical administrator; reduces the need for daily requests to be routed through one person

Each sub administrator will receive a login name, filter options, custom block lists, and only have access to the zone specifically delegated to them

Page 8:

Under Assign Filters you can also split up your zone for customized filtering; however, you lose the granularity of different custom block lists for different IP ranges

Assign filters to IP addresses/ranges, even specify what time period a filter will be applied (optional)

The CEN Filter is the global default filter. Unless you explicitly define your range to receive a certain filter, this will be the one that is applied

Page 9:

If you want a range or an IP unfiltered, you must define it under Assign Filters as a range and select “No Filter” as the filter. Keep in mind, anything in your CBL will be applied if this isn’t delegated out

Even if you like the CEN Filter, it is best to define your range and select CEN Filter as the filter instead of receiving the global rule base. This will allow you to make changes later on if need be

Page 10:

Filters are groups of categories that are set to be allowed or blocked. N2H2 comes preloaded with the default CEN Filter and a handful of others.

You have the ability to view and edit any of the filters listed under your Define Filters tab without affecting anyone else, or create a brand new one!

Each category can be set to

Block – disable access, user receives block page

Warn – user receives a warn page and must click a link to access, email sent to administrator

Monitor – access not prohibited, email sent to administrator when accessed

Don’t Block (do nothing)

Exceptions can be used as well to allow such things as historical violence (wars, etc) even if violence as a category is blocked. Use at own risk!

Page 11:

Filter (“CEN Filter”, “Typical Minimum Filter”, etc.) consists of:

Blocked Categories

Allowed Categories

Custom Block/Allow Lists

Page 12:

Categories which are listed in BOLD were created by other schools. Use at your own risk; you cannot view or edit these

If a site is categorized under 2 categories and you block one of them, the site will be blocked unless you use your custom allow list (don’t worry, almost there)

Using Custom Categories in place of custom block lists is a tricky procedure; it may or may not work to your expectations depending on the site, categories, etc. If you want some sites allowed for some IP addresses and not others, consider using the Delegation options discussed earlier instead.

Page 13:

If you had opted to retain overrides at the time of our upgrade last school year you have already heard our spiel, please enjoy your “donuts & more” for a minute or so

Assigning overrides allows you to assign an admin, teacher, truancy officer, etc, the power to override a block page with a user name and password you provide.

Your ENRT### login information is also capable of overriding a block page. Please do not give out your login information to anyone.

An override will remove blocking TOTALLY on the public IP address the blocked machine is using for NAT for the time period specified, not just that one site and not just that one machine! Remember, N2H2 only blocks the public IP addresses, not your internal network IP space.

Page 14:

If your network is segmented there is less chance of an override removing filtering for everybody; it will only do it for the one IP address

Reduce the time specified in the override. It defaults to 15 minutes; you can reduce that to your needs

At the end of the override session a window will pop up on the machine which requested it to see if filtering should be reinstated or overriding continued. Be VERY careful to reinstate filtering. If you chose filtering to be off for the rest of the day, that is exactly how long it will be off for. We cannot reinstate filtering for you until the service restarts, sometime around 4 am.

Page 15:

Your handy dandy control center login page:

HTTPS://n2h2.cen.ct.gov/controlcenter

Secure Computing’s URL checker, helpful for all those municipal sites wrongly categorized as inappropriate:

http://www.securecomputing.com/sfwhere/index.cfm

The DOIT Help Desk, our first line of defense:

1-860-622-2300

Page 16:

Separating the Network by Public IP

Page 17:

Scenario: You have more than one school/age group going through the filter, and want each to have separate settings for filtering levels.

Requirement: Capable of using NAT to route different network segments to unique public IP addresses

Diagram: CEN Connection, Firewall, and three NAT segments (Middle School, High School, Elementary School) using the public IP addresses 65.251.55.4, 65.251.55.5 and 65.251.55.6

Page 18:

Separating the Network by Public IP

Having your network prepared to filter IP addresses differently is the hard part; configuring N2H2 to properly reflect this is easy.

Using Delegated Admin, create your different zones and new administrators.

Delegate each new zone to its corresponding admin

Confused? Watch this demo

Page 19:

****MOST IMPORTANTLY****

Your main account assigned originally by CEN is your “super administrator” compared to those accounts you create under it

Any Custom Block/Allow Entry you have stored under this account will outweigh those you put in each individual account

Remove all custom blocking and filter settings from the main account and use a separate list per sub account

Page 20:

Spring Cleaning!!

Reduce the Size and Server Load of your Custom Lists

Page 21:

Custom Block Lists are the most memory intensive portion of N2H2, but a necessary evil

Wildcards (* or ?) require the server to do much more processing of URLs; however, time has shown using a wildcard catches more unsavory sites to block

URLs with a wildcard are not picked up by Virtual Reviewer, which when activated will compare your CBL entries against the N2H2 database and remove those which are already categorized. You can have this turned on AND still keep certain sites in the list by using the ‘[LOCK]’ function

Page 22:

Suggested Entry Forms

An entire Web site: http://<host name> or sitename.domain, e.g. http://www.ergo.net or ergo.net

Particular sections of a Web site: http://<host name>/<path>, e.g. http://www.ergo.net/about

Particular pages in a Web site: http://<host name>/<path>/<page>, e.g. http://www.ergo.net/about/info.html

An IP address: http://<IP address>, e.g. http://64.58.79.230

A file type (from any HTTP source): [ftype] <file extension>, e.g. [ftype] jpg

A file type (from a particular HTTP location): http://<host name>/*.<file extension>, e.g. http://www.ergo.net/*.jpg

URLs that contain a particular keyword or phrase anywhere in the URL: [keyurl] <word>, e.g. [keyurl] travel vacation, [keyurl] stocks

URLs that contain a particular keyword in the CGI portion of the URL: [keycgi] <word>, e.g. [keycgi] sexyphotos, [keycgi] stocks
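To show how the entry forms above differ in what they match (and why a wildcard entry costs more per URL than a plain host/path entry), here is an added matcher in JavaScript. It is not N2H2's own matching code: the rules are one reading of the table, multi-word [keyurl]/[keycgi] entries are assumed to require every word, and the sample URLs are constructed.

```javascript
// Matcher for the Custom Block List entry forms listed on the slide above.
// Added illustration, not N2H2's code; matching rules are assumptions drawn
// from the table, and every URL used with it is constructed sample input.

function parseEntry(entry) {
  const e = entry.trim();
  const tag = /^\[(ftype|keyurl|keycgi)\]\s+(.+)$/i.exec(e);
  if (tag) return { kind: tag[1].toLowerCase(), value: tag[2].toLowerCase() };
  // Plain entries key on host and path; an explicit http:// prefix is optional.
  const value = e.replace(/^https?:\/\//i, "").toLowerCase();
  return { kind: /[*?]/.test(value) ? "wildcard" : "url", value };
}

// * and ? turn a plain entry into a regular expression that must be run
// against every URL, which is the extra processing the slide warns about.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
}

function matches(entry, urlString) {
  const rule = parseEntry(entry);
  const u = new URL(urlString);
  const host = u.hostname.toLowerCase();
  const path = u.pathname.toLowerCase();
  switch (rule.kind) {
    case "ftype":   // file extension from any HTTP source
      return path.endsWith("." + rule.value);
    case "keyurl":  // assumption: every listed word must appear somewhere in the URL
      return rule.value.split(/\s+/).every((w) => urlString.toLowerCase().includes(w));
    case "keycgi":  // keyword only in the query-string (CGI) portion
      return rule.value.split(/\s+/).every((w) => u.search.toLowerCase().includes(w));
    case "wildcard":
      return wildcardToRegExp(rule.value).test(host + path);
    default: {      // whole site (host or any subdomain), a section, or one page
      const slash = rule.value.indexOf("/");
      const ruleHost = slash < 0 ? rule.value : rule.value.slice(0, slash);
      const rulePath = slash < 0 ? "" : rule.value.slice(slash).replace(/\/$/, "");
      if (host !== ruleHost && !host.endsWith("." + ruleHost)) return false;
      return rulePath === "" || path === rulePath || path.startsWith(rulePath + "/");
    }
  }
}

// Every list entry that would block the given URL.
function blockingEntries(entries, urlString) {
  return entries.filter((e) => matches(e, urlString));
}
```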

Page 23:

Go home and clean! If each school reduces the overall size of their Custom Block List and removes a small portion of their wildcards, the overall performance of the admin filtering server will improve!

Turn on Virtual Reviewer, check lists for stale/old entries, reduce the number of wildcards!

Page 24:

Page 25:

HTTPS and N2H2

Page 26:

On its own, N2H2 in our environment does not handle HTTPS content filtering

We have set up a non-transparent proxy to route HTTPS traffic through to be filtered

Requires configuring the browsers on your workstations to point HTTPS connections at our proxy, either individually or with Active Directory/group policies

URLs are filtered by the same rule base you use for HTTP filtering

Page 27:

Page 28:

Page 29:

http://proxy.cen.ct.gov:8888/CEN-PROXY-CONFIG-FILE.pac

proxy.cen.ct.gov port 8888

Page 30:

Only port 443 traffic should be routed at the proxy server

Make sure you have security measures in your network environment! Students should not have access to change the browser settings

Page 31:

Once this is set up on your network, you will start receiving blocks on HTTPS sites that you currently have blocked as URLs either in a category or Custom Block List

Continue to administer the Control Center just as you would for HTTP traffic. Adding www.google.com will now block

http://www.google.com

AND https://www.google.com

Page 32:

If this is implemented on a laptop that is also used outside CEN, these changes will affect access to HTTPS sites.

Excluding internal IP addresses and servers, etc, when using Group Policy is highly recommended to avoid disrupting services

If you are still having issues with students reaching inappropriate sites, try using your firewall as well to block certain connections
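The browser-side piece of the HTTPS setup on Pages 29 to 32 is a proxy auto-config (PAC) script. The JavaScript below is an added illustration of that logic, not the contents of CEN-PROXY-CONFIG-FILE.pac: it sends only HTTPS requests to proxy.cen.ct.gov:8888 and keeps internal hosts direct, with the excluded name pattern and private ranges being assumed examples, and it ships small stand-ins for the helper functions (isInNet, shExpMatch) that a browser normally supplies so it can be exercised outside one.

```javascript
// PAC logic of the kind Pages 29-32 describe: only HTTPS (port 443) goes to
// the CEN proxy; everything else stays direct and is filtered on the public
// IP as before.  Added example, not the real CEN PAC file; the excluded names
// and networks are assumed placeholders for "internal IP addresses and servers".
var CEN_PROXY = "PROXY proxy.cen.ct.gov:8888";
var DIRECT_PATTERNS = ["*.district.example"];            // assumed internal names
var DIRECT_NETWORKS = [["10.0.0.0", "255.0.0.0"],        // assumed RFC 1918 ranges
                       ["192.168.0.0", "255.255.0.0"]];

// Minimal stand-ins for the PAC helpers a browser provides, so the function can
// be tested outside a browser.  isInNet here handles literal IPs only (no DNS).
function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
}
function isInNet(host, net, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(host) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function shExpMatch(host, glob) {
  var re = "^" + glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$";
  return new RegExp(re, "i").test(host);
}

function FindProxyForURL(url, host) {
  // Non-HTTPS traffic never goes to the proxy (Page 30: only port 443).
  if (url.substring(0, 6).toLowerCase() !== "https:") return "DIRECT";
  // Plain host names (no dots) are internal and never leave the LAN.
  if (host.indexOf(".") < 0) return "DIRECT";
  // Internal servers and private ranges are excluded (Page 32 recommendation).
  for (var i = 0; i < DIRECT_PATTERNS.length; i++) {
    if (shExpMatch(host, DIRECT_PATTERNS[i])) return "DIRECT";
  }
  for (var j = 0; j < DIRECT_NETWORKS.length; j++) {
    if (isInNet(host, DIRECT_NETWORKS[j][0], DIRECT_NETWORKS[j][1])) return "DIRECT";
  }
  return CEN_PROXY;
}
```

A laptop that carries this script off the CEN network will still try proxy.cen.ct.gov for every HTTPS site, which is the Page 32 caveat in concrete form.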


Page 33:

Control Center login for administration: https://n2h2.cen.ct.gov/controlcenter

The URL Checker, your new best friend: http://www.securecomputing.com/sfwhere/index.cfm