K-8 Filtering

[Schlorff, Tony]

Hey everyone,

We are having a hard time filtering and keeping safe search on.  We are having a really hard time with our mobile filter still allowing nude and pornographic images.  Have any of you in the K-8 had a similar issue and what have you done to ensure student safety?

Thanks,

Tony

Tony Schlorff

Instructional Technology Coordinator

CCSD93

630-893-9393

[Jaymon Lefebvre]

Im just evaluating securly.com.  should do what you need it to...

--
--
You received this message because you are subscribed to the Google
Groups "Google Apps K12 Technical Forum" group.
To post to this group, send email to k12ap...@googlegroups.com
To unsubscribe from this group, send email to
k12appstech...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/k12appstech?hl=en?hl=en
 
---
You received this message because you are subscribed to the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to k12appstech...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Edward Crist]

We've been using Securly since August....1-1 laptops and they take them home

So far, it works well.  Still a newer company, but I like the folks there and they are very responsive

Edward Crist

Technology Manager

City Charter High School

201 Stanwix St.

Pittsburgh, PA 15222

(412) 690-2489

(412) 690-2316 fax

www.cityhigh.org

cr...@cityhigh.org

[Joel Lowsky]

I'm curious ... is Securly an installed-client, or is it a DNS service?

[Sean Eisner]

It is a DNS-based service. We just signed up with them last week. I have not rolled it out district-wide yet, but it looks like it will meet our needs.

Sean

[Jaymon Lefebvre]

strangely, kind of both.  its a DNS based service that also has forced sign on integration with GAFE.

[Joel Lowsky]

Doesn't that cause trouble for students connecting to their home networks?  They might be able to get online, but they wouldn't be able to access networked printers, I don't think.  And if they use the comps on some corporate networks or public libraries, they might not be able to do anything...

Also, are you worried about the kids figuring out how to change the DNS settings?

Thanks for answering...

Joel

[Sean Eisner]

That is why I want to be a bit more comfortable with it before I roll it out district-wide. I was trying it with different browsers and seeing how browser-cache affects the initial page shown to anyone who plans on surfing while logged in with their district account.

Sean

[Sean Eisner]

This in an interesting one. Unless I am the only one who cannot get around it (and this is possible) I can't change DNS/network settings on a Chromebook once it's enrolled in a domain. I've called support and I am told this is not possible. I said, "As a super admin, there MUST be a way to do this, right?" The reply, "That's a good idea and will be submitted for future upgrades."

On a non-Chromebook device, I would lock that portion of the network settings down. There is a very extensive audit trail with Securly, but it does have to go through their system, obviously. I am still playing with it, but I wanted something that would easily interface with GAFE.

Sean

Sean

[Edward Crist]

Well, Securly and I came up with a workable solution to the "take home" issue.

We have all Windows 7 laptops.

I wrote a script that sets 2 static DNS IP addresses...

#1 IP is our internal DNS server....when in school, all browser traffic goes through this DNS and is forwarded to the Securly servers.

#2 IP is one of the Securly DNS #'s.

So when the student is home, connects to home wifi (or any wifi), DNS IP #1 doesn't work since it's internal here at the school, but DNS IP#2 picks up the traffic and routes it all to Securly's servers

We've been doing this for 2.5 months now and it's working flawlessly.

Edward Crist

Technology Manager

City Charter High School

201 Stanwix St.

Pittsburgh, PA 15222

(412) 690-2489

(412) 690-2316 fax

www.cityhigh.org

cr...@cityhigh.org

[Bjorn Behrendt]

1. Network printers are all done using Cloudprint (https://tools.google.com/dlpage/cloudprintservice), so the problem is less about access to printers while in school and more about preventing them from printing to the schools printers form home.

2. You set the Securly DNS up as a Forwarder on your internal DNS server, and there is no need to touch the Chromebooks DNS.

3. For take home I am not as verse on (I don't believe in filtering off-campus), but I think it is a Chrome-app that tells the device to look at Secur.ly.   I do know that Secur.ly registers the public IP of where the Chromebooks are connecting from.     So if I am remembering correctly students can use the default DHCP settings on any network, but if they are logged into the Chrome Browser using their school address they will be filtered if you have that turned on.

Bjorn Behrendt M.Ed ~ Never Stop Learning

   b...@askbj.net | (802) 772-0003

   Google Apps For Education Certified Trainer

My Sites

 ~ Edlisten.com ~ Educational Podcast

 ~ AskBj.net ~ Online Training and Ed Tech Resources

 ~ VTed.org ~ Vermont's Personal Learning Network

gClassFolders ~ Create Google folders for your class.

[Jaymon Lefebvre]

I think Joel brings up a good point though.  If the device with the forced DNS settings goes to a location where DNS is restricted, that would be a problem.

My institution for example, implements a DNS hierarchy.  You first use your site based DNS server, which has forwarders upstream to a couple core DNS servers, which then again forward upstream to Google's DNS for public resolution.

If someone was to bring a device on location that forced securly as the DNS as the only option, this would absolutely be a complete fail.  

Im not really looking for the off campus filtering (as other's here have also mentioned) so for me this is not a huge concern.  In Canada, I do not believe we have the same legislation as the US does.  

In a webinar I watched, Securly had made a statement that if the device was owned and provisioned from the school authority, and it was being given to the student's for use at home, then the school authority remained responsible for web content filtering.  Again, Im not the expect in this subject matter, it is just what I was led to believe.  Maybe someone down south has a better idea.  All I know is that in Canada, a piece of legislation or advisement on policy has yet to come across my desk.

Cheers,

Jaymon

[Edward Crist]

Jaymon's points are valid.  We have over 650 laptops taken home each night and no one is reporting any DNS issues. (been waiting to hear, knock on wood)

Securly also offers a proxy service for take home laptops....more expensive though.

Edward Crist

Technology Manager

City Charter High School

201 Stanwix St.

Pittsburgh, PA 15222

(412) 690-2489

(412) 690-2316 fax

www.cityhigh.org

cr...@cityhigh.org

[Jaymon Lefebvre]

Cheers Edward.  My authority also restricts proxy services at Layer 7.  so you would not get DNS to work, or a proxy solution unless I explicitly allow it.  

This is most likely not going to be an issue for use at home, but if Bobby brings the device to Mom or Dad's work to use the guest network there, it most certainly could be.  The differentiation is basically going be whether it is a home router (pretty standard default ACL's, allow inside any to outside any) versus a corporate maintained router (which generally is default deny inside any to outside any)

[Wes Bartlett]

For those of you using securly offsite - are you using it with chrome books?  I don't see any way to manage the DNS setting which leaves us with the more expensive proxy solution from them.  We are getting ready to do a pilot of the service, largely for at home filtering which is desired by others in my environment.

Thanks,

Wes Bartlett

Network Administrator

Perrysburg Schools

419-872-8840

A+,  N+, ACMT

Confidentiality Notice: This message may contain student personally identifiable information that is confidential. Such information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, printing, distribution or the taking of any action in reliance on the contents of the information contained herein is strictly prohibited. If you receive this email message in error, please immediately notify me by telephone at 419-874-9131. Please also delete the message from your computer. Thank you. 

[Doug Blatti]

Just to clarify – there are 2 products.  I believe both can share a single rule-set on the backend.  They sell the DNS based service as an on-site filtering solution and the proxy solution as the “Take-home 1:1 Chromebook Filtering”.

 

Doug Blatti

Technology Program Manager

Community High School District 155

@dblatti, http://blatti.net

[Jaymon Lefebvre]

as well, they offer a "relaxed take home" policy, if you wanted to say allow things like social media and chat from home, but not at school.

[Edward Crist]

We lock our Windows laptops down with GPO's so kids can't get to the DNS settings.

My daughter goes to our school and I did extensive testing with her and her laptop at home, and 12 different private and public internet hot spots.  So far, she's connecting and getting filtered through Securly.

The forced login feature is really nice...no browsing at all unless you are logged into our school GAFE account.

The guys at Securly have been great to work with....so far they have shown themselves are really committed to making it work and listening for ideas on future development.

There is no reporting feature to speak of except for an audit download....but it's fine for now till they improve that part of the program.

Edward Crist

Technology Manager

City Charter High School

201 Stanwix St.

Pittsburgh, PA 15222

(412) 690-2489

(412) 690-2316 fax

www.cityhigh.org

cr...@cityhigh.org

[Lisa Fusco]

Actually we are evaluating securly.com and have been very satisfied with their responsiveness -

nothing is perfect and there are certainly ways around all filtering - but so far so good for this religious school

On Mon, Oct 28, 2013 at 1:47 PM, Jaymon Lefebvre <jaymon....@wrsd.ca> wrote:

--

Lisa Fusco
Director of Technology


The Moriah School
53 S. Woodland Street
Englewood, NJ  07631
201-567-0208 ext. 325

 

[Debby Atwater]

Hi Everyone, 

I saw that Tony Schlorff's original question asked about not being able to keep Safe Search on.  Last week, my district's IT Department discovered the same issue as we were testing our student Google Account experience. We had settings already in place in our content filtering software that have been working, but Google made some recent changes that made those settings no longer effective.  We did successfully fix the issue and here is what we discovered.   I'd like to share our findings and solutions for those that are interested. This was a summary from those that fixed the issue in our district:

History:

Google recently turned on SSL searching under pressure to protect the privacy of users - everyone in now directed to https://www.google.com. This was forced "on" around the end of September.  What this did was NOT pass on the keywords you would type in for searching.  Previously a site could use these keywords to place ads based on terms you use to search (i.e. searching on "spotted dog training", might lead you to more dog food ads).  Now those keywords are encrypted so a site can't see what terms you are using to search.
     The side effect of this change was now web filters could no longer "see" search terms in order to decide if it should block content returned from the search (i.e. searching on "babes" would yield some interesting results - not appropriate for K-12).  This was/is a big issue for schools and some businesses.  You simply couldn't block https://www.google.com because other Google services relied on https:// for authentication.

Problem:  

Safe search was not being enforced in browsers/search engines, allowing inappropriate content (especially under Image search)

Resolution: 

1) Verified the setting on our content/web filter for forcing all browsers to safe search was enabled for each Web Profile (checkbox = Force all browsers to use safe search).  This had been enabled.

2) Because of the change with Google and SSL search, our IT department made the change necessary to redirect search to a non-SSL site (nosslsearch.google.com).  This was verified by performing: nslookup www.google.com at a command prompt.  This is was caused the new message to appear.

3) Working with our content filter's support, we verified that the correct parameter was being added to the search URL.  In most cases this is "&safe=active" ("&adlt-strict" for Bing).

4) Removed network exceptions for Google's networks on the iPrism.  In the initial rollout of GoogleApps, we encountered some strange problems we thought might be related to the filter; so we added several exceptions on the iPrism to ignore traffic for Google.  Having these exceptions overrode the safe search setting and allowed the content.

Side Effect:

Some search terms will return a message - Example: When searching the term babes

The word "babes" has been filtered from the search because Google SafeSearch is active.

Unfortunately we don't control what terms Google deems appropriate to search on.  


I hope this can help those of you who experienced the same issue we did. 
Thanks!

Debby Atwater
Coordinator for 21st Century Learning
Chapel Hill-Carrboro City Schools

[Bunn, James]

Thank you for the information. Good to know that it is possible. We are having issues implementing Google SafeSearch enforcement with a Sonicwall. Has anyone had success with this on a Sonicwall? If so, are you using host name to host name redirection or host name to IP redirection?

 

Due to MS 2008 R2, we can only do IP redirection. We have also tested using hosts file. We have a case open with Sonicwall. 

 

Thanks

 

James Bunn

Technology Director

North Palos School District 117

[Lisa Fusco]

Please keep us informed with your progress involving the sonicwall  - we are having the same issues.

[Justin Wagner]

James,
We are also using SonicWall and couldn't figure out a solution. We
implemented Debby Atwater's solution that she had posted.

We used our internal DNS server to resolve www.google.com (A Record)
to nosslsearch.google.com's IP address.

Justin

>>> The Moriah School
>>> 53 S. Woodland Street
>>> Englewood, NJ 07631
>>> 201-567-0208 ext. 325
>>>
>>>
>>>

Justin Wagner
Network Manager
Wilmette Public Schools District 39
wag...@wilmette39.org
847-256-2450 x6056

[Bunn, James]

Sonicwall has escalated our case to the development team for review. There is a problem. It may help if others would submit cases as well. I will let you know of any updates to our case.

 

 

James

[Giancarlo Acosta]

[Bunn, James]

Sonicwall has provided a HF and we will be testing it this week. Not sure on the general availability of the HF.

 

James

NPD117

[Jason Meyer]

We are having the same issue, but have noticed something else that is troubling.

 

We use ADFS to tie accounts back to our ActiveDirectory and Google Chrome really hates the redirects used. It just stops working when it goes to https://www.google.com/a/appsname, for obvious reason, which then is supposed to redirect to our sign on page. Interesting thing, all other browsers seem to be fine so far. Anyone else have this issue?

 

Then there is if you use the search bar in Chrome, it fails completely....work around. Browse to www.google.com first, then search away. I am assume any browser with the google search will have the same result.

 

I have contacted Google Chrome product support, but have heard back yet.

 

Jason Meyer

Server/Systems Manager

Roseville Area Schools

Roseville, MN

[James Dazley]

We're using a Lightspeed filter, the support has been great, and we have chrome proxied for at home filtering. Recently I discovered kids were using a bad search keywords in youtube, we threw in a search keyword filter for a catch-all.

James Dazley

Interim Technology Director

Bedford Public Schools

[Ann DeBolt]

We, too, have Lightspeed and students are finding inappropriate YouTube videos. James, are you saying that your keyword filter fixed that problem? If so, please share how you did this!

Ann DeBolt

Instructional Technology Specialist

Brenham ISD

Brenham, Texas

--

--
You received this message because you are subscribed to the Google
Groups "Google Apps K12 Technical Forum" group.
To post to this group, send email to k12ap...@googlegroups.com
To unsubscribe from this group, send email to
k12appstech...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/k12appstech?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "Google Apps K12 Technical Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to k12appstech...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Steve Kellogg]

I think that with Lightspped you can enforce YouTube Education.  It may be limiting, but videos that aren't indexed can be added to playlists on your school YouTube account.  Here's a long link to a PDF with some explanatory material:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0CDMQFjAB&url=https%3A%2F%2Fwiki.nwoca.org%2Fdownload%2Fattachments%2F13534132%2FTRECA_Jan2013.pdf%3Fversion%3D1%26modificationDate%3D1357830147000%26api%3Dv2&ei=JvsqU8yaIpHGkQfut4GwBw&usg=AFQjCNGZYaNr29YjtOjCoxK61i61zmV8ag&bvm=bv.62922401,d.eW0

Steve Kellogg

--

[James Dazley]

Sure, i'd be happy to! So the root of the problem is that we block pornography, but we allow youtube. The filter will notice that the youtube search results in pornography, but it allows it, because we say youtube is ok. Our current workaround is to block certain search keywords, I do not dare post it here, but I can make it available to you via a google doc. To put them in place, go to you lightspeed filter, click the web filter button, on the left side pane, click blocked search keywords, then click new list. Ann, i'll send you the list, but beware, it's quite vulgar.

--

 

James Dazley

Interim IT Director

Bedford Public Schools

734-850-6091

419-279-5041

james....@mybedford.us

[George Sorrells]

James how about posting the link to the google doc? 

[James Dazley]

Sure HERE it is! 

To put them in place, go to you lightspeed filter, click the web filter button, on the left side pane, click blocked search keywords, then click new list.

[Sean Eisner]

I will be sharing this in my next leadership meeting. Seriously, though, this list will be never-ending...as unfortunate as that is. Man, what a list!

Sean

--

[George Sorrells]

Thank you!!!