Ask Slashdot: How To Best Setup a School Internet Filter?

An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — setup squid with one of the many filtering engines and click to filter the categories your interested. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and its a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to setup campus-wide security/privacy policies for Facebook?"

opendns

[twistedcubic]

OpenDNS has parental control addresses, so it's a start.

Re:Don't

[jbolden]

We're now having to look into decryption which brings its own issues pertaining to certificate management.

What do you even mean there? You aren't going to be able to pull off a man in the middle attack. You either block https or game over.

Re:opendns

[Anonymous Coward]

OpenDNS is a huge scam - right up there with all the other Bait & Switch slime.

It used to be free, our public library used them to filter porn so that they met the basic filtering requirements in order to get Federal grant money.

Then OpenDNS said no more free filtering - all right, everyone needs to make a buck or two right?

So how much for 50 workstations - $1250/year (and that's with a non-profit discount) - for DNS service.

Yeah, going from free to outrageous isn't exactly a viable business plan.

DynDNS offers pretty much the same thing (i.e. category filtering) for $20/year - guess which plan the Library went with?

Re:Don't

[chrb]

What do you even mean there? You aren't going to be able to pull off a man in the middle attack.

Oh but you can, and it's increasingly being done and the people being intercepted are probably completely unaware of it. All of the big providers of content filtering hardware offer SSL interception now [blogspot.co.uk] (actually that article was written in 2006, so it's been going on for a while now). The sysadmin just has to deploy a trusted CA key to each desktop. I still think it is probably a violation of various wiretap laws because, regardless of what the local user has agreed to, the remote side (Google, your bank etc.) have not agreed to your interception of their encrypted communications. But, afaik, surprisingly nobody has yet sued over this issue.

They shouldnt have facebook accounts

[headhot]

I'm assuming its not a university or a college. If thats the case you need to be 18 to have a facaebook account acording to their ToS. So, no kids should need to get to facebook.

Re:Don't

[wolrahnaes]

This is correct. In a managed environment it's not exactly rocket science to put your cert on the computer, allowing you to resign anything HTTPS. Make it clear to the users that EVERYTHING is being monitored and they have no expectation of privacy on said computers and go for it.

Using a bogus cert that throws warnings in the browser is just an idiotic way to train your users that clicking through SSL warnings is normal.

How old are these kids?

[dacut]

If they're under 13 (elementary and middle school age range), they're not allowed to access Facebook due to their terms of service and (in the US, at least) COPPA.

From Facebook's terms of service [facebook.com]:
You will not use Facebook if you are under 13.

This is due to the Children's Online Privacy Protection Act [wikipedia.org], which requires verified parental consent before children can provide information to the website. While this does not impact you directly (that is, the FTC isn't going to knock on your door), you could get some heat from parents or administrators for allowing it at all.

Personally, I think the law is too draconian, but I wouldn't put my position in jeopardy to protest it.

PfSense + DansGardian + OpenDNS + Unbound DNS

[Anonymous Coward]

Use PFsense with Squid Proxy WAN object caching and DansGuardian (with the paid list updates) and on top of that, OpenDNS filtering.

OpenDNS will help with malware prevention and botnet computers.

Use Unbound forwarding to pull OpenDNS but also locally cache DNS entries for faster response times.

Block DNS port 53 from exiting the WAN from anything but the pfsense proxy to prevent circumvention of your local proxy.

Re:can't partially-filter Facebook

[Nonesuch]

Actually, many of the more complex commercial firewall products CAN partially filter facebook. For example, you can permit reading but block posting updates, or permit access to most pages but block Farmville and all streaming media from fbcdn.' I've always thought the easy way to cut down on problems with this sort of Internet access was to permit Content-type: text/* but block all images, audio, and video. Basically, let them read Playboy for the articles!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Don't

[ShanghaiBill]

I work at a college and we do no filtering of any kind due to academic freedom.

High school is not college. College students are adults fully responsible for their own behavior. High school students are legally children, and giving them access to things their parents don't approve of is not only going to cause administrative problems, but may even be illegal in some cases.

Re:Whitelists?

[sc0ob5]

Not a bad idea for elementary kids. A simple redirect using squid to a PHP form which would email someone a link to the site in question and another PHP form for approval which would then automatically append to a whitelist if approved and to a blacklist if denied so students can’t keep submitting the same site. There are a few sites around that have whitelists for education purposes opendns.com springs to mind. The problem is with so many sites being created daily it’s impossible to keep up with educational resources for middle school and high school kids and you are better off with just a blacklist which are more readily available.

When I was first starting out in IT I worked at a reasonably large high school and found the best way to filter was using squid and have a large blacklist automatically updated weekly and use a log analyser such as Sarg to generate reports on a daily basis and anything that seemed out of place or got a lot of traffic and wasn’t related to education would go on the blacklist. Of course none of this was available off the shelf back then, but it’s still probably the best way to go about it considering that it’s a non-profit school. As for facebook, it should be blocked in any school environment, there is nothing on there of any education value.

I don’t know the age range the OP is talking about, kind of seems contradictory. People not able to protect themselves but yet have shame.. doesn’t really make sense.