CoSN Community

Expand all | Collapse all

Content Filtering Recommendations

  • 1.  Content Filtering Recommendations

    Posted 09-17-2018 09:56

    Which product do you use to filter Internet content for CIPA compliance?  We use Symantec BlueCoat proxy servers that filter as well as proxy.  My current opinion of them is that the hardware and support costs are high and while they are granular and highly configurable, those capabilities carry a cost of complexity and the need for highly trained staff to properly utilize. I've explored replacing our current system with ContentKeeper, LIghtspeed Systems, Securly, Fortinet, and Cisco's URL filtering in conjunction with Umbrella for our FTD firewalls we currently use for traditional firewall use. If anyone has used any of these options and has feedback, that would be great to read.  If there are other products that you utilize and would recommend, please share that too.

    Requirements and Goals:  Our division has 90k students.  We require SSL interception for some sites to have visibility for Google, Craigslists, and other encrypted sites.  We would prefer to use cloud-based services, not have on-prem hardware, and not deploy client-based software, but I have come to the acceptance that if we want to support student take-home devices being filtered, we likely can't have all 3 (cloud, no on-prem hardware, no client).  My goals are to reduce our costs, reduce the complexity of management, and perhaps no longer proxy traffic, but simply filter in an efficient manner.

    I found the recent help desk software thread so helpful and informative, I'm hoping that others may benefit from this filtering discussion as much as I did reading that thread.

    Respectfully,

    Andy Wolfenbarger



    ------------------------------
    Andrew Wolfenbarger
    Supervisor of Information Security Services
    Prince William County Public Schools
    Manasss VA
    (703) 791-8112
    ------------------------------


  • 2.  RE: Content Filtering Recommendations

    Posted 09-18-2018 06:36
    This is a great question Andrew and I am also interested in hearing what others are using and what the benefits/downsides are of different solutions. When I was in the field (2+ years ago) we used a Barracuda web filter and a Sonicwall Firewall, but we were a small independent school (850 students). The Barracuda sometimes served as a traffic chokepoint which was quite frustrating. Have people had the same challenges with software filtering solutions?

    ------------------------------
    Susan Bearden
    Chief Innovation Officer
    Consortium for School Networking
    sbearden@cosn.org
    ------------------------------



  • 3.  RE: Content Filtering Recommendations

    Posted 09-18-2018 10:14
    Susan,

    Yes, throughput, chokepoints, scalability, and the associated costs and labor to scale are big considerations still today, especially when performing SSL/TLS interception, as SSL takes tremendous resources to process. With bandwidth demand continuing to climb steady, it's tough to find solutions that fit today and will scale tomorrow, for an affordable price and easy to implement. In addition, it's a bit of our rough science to calculate how much bandwidth each device will support, considering traffic conditions, payloads, and what is being intercepted varies.  It's very hard to get vendors to guarantee set rates of throughput and equally hard, if not more so, to validate throughput.  Unfortunately, this leads to educated guessing and having to rely on poor user performance to know when limits are met.

    Andy


    ------------------------------
    Andrew Wolfenbarger
    Supervisor of Information Security Services
    Prince William County Public Schools
    Manasss VA
    (703) 791-8112
    ------------------------------



  • 4.  RE: Content Filtering Recommendations

    Posted 09-19-2018 07:40
    @Andrew Wolfenbarger "With bandwidth demand continuing to climb steady, it's tough to find solutions that fit today and will scale tomorrow, for an affordable price and easy to implement." You summed up the challenges of selecting a content filtering solution perfectly! ​​

    ------------------------------
    Susan Bearden
    Chief Innovation Officer
    Consortium for School Networking
    sbearden@cosn.org
    ------------------------------



  • 5.  RE: Content Filtering Recommendations

    Posted 09-19-2018 10:21
    Greetings:

    ​Up until recently we were using our on-premise Fortinet appliances to content filter, but we decided we needed a more robust and comprehensive solution especially for our devices that go offsite of our campuses. We looked SaaS Securly last school year (17-18) and while that solution showed promise, we felt that much work needed to be improved on their solution to fit our needs given we are a Windows and iOS environment.

    This school year (18-19) we transitioned to Lightspeed Systems' Relay solution and while it has its quirks (what system does not) we feel this system is going to service the needs of our district.  They have been great to deal with and the pricing is very reasonable albeit it is a annual renewal but we are all accustom to that.


    ------------------------------
    Coby Culbertson
    Director of Technology
    Dubuque Community Schools
    Dubuque IA
    (563) 552-3049
    ------------------------------



  • 6.  RE: Content Filtering Recommendations

    Posted 09-19-2018 09:05
    We have been using Fortinet (Fortiguard) on-premise for 4 years and this month we are adding FortiClient for our VILS iPads and loaner devices that go home.  Until an issue that popped up two weeks ago (due to a bad/mis-configuration) we have had no issues with content filtering and SSL inspection.  Certificates are deployed by automation without users needing to know the password and we try to change that on an annual basis.  Unmanaged devices are the most difficult to work with because those have to be touched but that is likely true for all solutions.  I chose the FortiClient for off-network devices because it doesn't depend on contact with the data center or cloud solution plus it works with the multiple languages the districts services; language testing was a new criteria for evaluation.

    Because of the outage we are recovering from, I would suggest not going with large boxes and instead going dual, splitting traffic if necessary as having a single content filter brought us to our knees.

    ------------------------------
    Jeffrey Eagen
    Manager of Internet Security and Communications
    San Antonio ISD
    ------------------------------



  • 7.  RE: Content Filtering Recommendations

    Posted 09-18-2018 09:41
    Edited by Tammy Woods 09-18-2018 09:41
    We are looking to replace our content filter this year as well. We use iBoss. I'm not a fan, though, of content filters that filter by url. iBoss is okay, but I don't feel like I'd recommend it.

    That's a nice segue to my add-on question of whether anyone has used Smoothwall. I love the way they use content-aware inspection but I have concerns about their ability to handle traffic. I'm hoping they've upped their processing power to support high traffic loads without having to purchase a crazy number of devices to support it.

    ------------------------------
    Tammy Woods
    Sr. IT Systems Manager
    El Paso County School District Eight
    Fountain CO

    ------------------------------



  • 8.  RE: Content Filtering Recommendations

    Posted 09-18-2018 10:18
    Tammy,

    I've heard form others that iBoss has fallen out of favor, but I'm not certain as to why.  I've known one division who used Smoothwall but ultimately switched.  I think the former is more widely deployed than the latter, but I don't think either are huge players in the market, but just not sure.  I appreciate your feedback on iBoss as it supports other opinions I've heard previously.

    Andy


    ------------------------------
    Andrew Wolfenbarger
    Supervisor of Information Security Services
    Prince William County Public Schools
    Manasss VA
    (703) 791-8112
    ------------------------------



  • 9.  RE: Content Filtering Recommendations

    Posted 09-18-2018 09:43
    We are currently using Umbrella from Cisco. It is relatively low maintenance and the categories give us very few false positives on the filtering. Adding blocked sites is easy and fast when phishing emails get through our O365 filters. This week it took us less than 5 minutes to block a 500+ user phishing attack, that linked directly to a credential stealer. We then used Umbrella to check which if any users had already visited the phishing site, luckily none had. We rolled the cost into our overall Cisco yearly plan so the hit was not to large.

    Happy to discuss more via pm or phone if you would like additional info

    ------------------------------
    Alan Cunningham
    Information Security Officer
    Washoe County School District
    Reno NV
    (775) 789-3400
    ------------------------------



  • 10.  RE: Content Filtering Recommendations

    Posted 09-18-2018 10:23

    Alan,

    Thank you for the reply.  You are the first division I've heard of that use Cisco Umbrella as their content filter.  We use it too, but just as a supplement.  We recently acquired a Cisco ELA which essentially gives us Umbrella and firewall URL filtering free of charge (included with ELA) and that option is very appealing as it is very simple and very low cost, but I've wondered if they have the same category maintenance and URL databases as the other vendors.  I will send you a PM to connect since you were so kind to offer, but wanted to publicly thank you as well.

    Andy



    ------------------------------
    Andrew Wolfenbarger
    Supervisor of Information Security Services
    Prince William County Public Schools
    Manasss VA
    (703) 791-8112
    ------------------------------



  • 11.  RE: Content Filtering Recommendations

    Posted 09-18-2018 11:45
    Many of the 41 Utah school districts and 100+ charter schools use iBoss.  In our school district, we've used M8E6, LightSpeed, filtered off our Palo Alto firewall using their Global Protect product and now use iBoss.  Our number one goal is to protect students from being harmed by illegal, immoral or unethical web content.  It's a given that no product or the support that goes with it is perfect, however some products and associated support are better than others.  I'm sure every IT director endeavors to comply with federal and state laws concerning protection of our students.  Threads like these connect individuals from all over the nation which I find extremely helpful.  Two of our hurdles are the amount of time it takes to effectively manage the content filter and secondly obtaining timely feedback from staff and students concerning sites they need to get to as opposed to sites they find that are outside CIPA guidelines.  If there were more local, state and federal funding to hire and maintain additional IT staff to manage systems such as content filters, I'm sure we could do a better job at protecting our students.

    In a recent discussion in our Utah CoSN chapter meeting, a comment was conveyed that it is interesting that society places value on some positions (e.g. custodians, secretaries, librarians etc.,) and insists that there are at least one of the aforementioned staff in every building yet there is an expectation that one tech person can take care of multiple buildings and multiple systems?

    Regards,

    ------------------------------
    Jim N. Langston, M.A., CETL
    Director of Information Technology
    Tooele County School District
    92 Lodestone Way Tooele, UT 84074
    Office: 435-833-1900 ext. 1148
    Fax: 435-833-1912
    Email: jlangston@tooeleschools.org
    ------------------------------



  • 12.  RE: Content Filtering Recommendations

    Posted 09-20-2018 07:34
    Independent boarding school (think of a really small college). We use iBoss. It's the second school I've installed the appliance. Not sure I understand what the complaints are about it from others. Filters well, occasionally some incorrectly filtered sites, but the email link works well and it takes a minute or less to whitelist a site. Integrates with AD, LDAP, etc. No client needed. No complaints here.

    Our Fortinet experience was miserable. Possibly an under-sized appliance, possibly a configuration  or firmware issue, but we could never get it resolved so we abandoned it. Any time we enabled features on the appliance we would experience extremely high processor and memory use. Fortinet sent us replacement hardware twice, multiple patches, clean configs, etc. However, the issue recurred every single time. Too many others lover their Fortinet experience for me to believe it's a major issue, but it simply didn't work for us.

    I guess my insight is to get something on a trial basis (we did a pilot of Palo Alto for six months). See what works and then commit. That old saying about how your mileage may vary is incredibly accurate.

    ------------------------------
    Ryan Bennett, CETL
    Director of Technology, Peddie School

    ------------------------------