Students put Web filtering to the test by committing violations

When it comes to the Internet, pupils often know more than their teachers. Web filtering products and blocking websites can help prevent students from committing Web filter violations, visiting unapproved websites or creating proxy websites.

It is no easy task trying to run information security for a school or educational authority. Not only do you have the usual problems of viruses, spyware and spam, but you also have a population of users with the skills – and motivation – to evade any barriers put in their way.

Most students are now equipped with high-powered computers and Internet access at home, so it is easy for them to trawl the Web for the tools and information they need to break their school's security. For the teachers and staff responsible for providing a safe learning environment, it is a growing problem with serious consequences if they lose the battle.

Alex Bushby, who runs IT security at the William Hulme's Grammar School in Manchester, says the children have ample opportunity and skills. "We face a stiff challenge from some of the students trying to by-pass the Web filters. They spend time at home on their computers and find what they need. It was getting to a point where we considered banning USB pen drives," he says.

One of the biggest problems is students finding, or even building, anonymous proxy websites. The proxy sites look innocuous to the school's Web filter and so are not blocked, but once the students arrive on the proxy they can use it as a jumping-off point to where they really want to go – YouTube, Myspace or somewhere more sinister.

"It is easy for them. They just go on Google and look for 'proxy sites' and they can find lists of rapidly-created proxy websites that won't be blacklisted yet," says Bushby.

Relief may be at hand, though, with a new weapon he has recently installed from Scottish security company Bloxx. The Web filtering appliance supplements a database of banned sites with a technology called True-View which works by analysing the content of each page on the fly. So far, Bushby says he has been impressed by the product's ability to spot dodgy websites even if they have not yet been blacklisted.

He combines that with software from NetSupport which allows a teacher or supervisor to view the content of any of the 30 PC screens operating in the school library. "At the click of a mouse, they can lock a screen and keyboard," he says. They also have security cameras so they can see who is sitting at which machine.

Over at Warwickshire County Council, Chris Page is responsible for delivering security to the country's primary and secondary schools, and says the kids are always trying to push the boundaries. He has encountered the problems of anonymous proxies, but says the children are just as likely to try using Terminal Services or a Socks proxy to by-pass the system.

He places his security in the hands of Websense for Web filtering and Policy Central Enterprise from Forensic Software to monitor what is happening at any one time. The software runs on virtual servers under VMWare.

Policy Central allows his team to capture screen shots when they think there is a policy violation. "We can monitor the whole system quite successfully like that. In primary schools especially, they don't have the time to implement these systems," says Page.

He makes the point that in education, the ability to detect and block inappropriate traffic is getting more complicated. "It was a lot easier before when we'd just block certain things, but with Web 2.0 it is more about behaviour – we can now detect bullying or suicidal behaviour," he says. "We have a grading system – levels 1 to 5 – where 5 means police involvement, and level 3 is quite serious that the school needs to know about."

By implementing Web filtering and the monitoring system they have managed to reduce the number of incidents of grade 3 or higher from around 60 a week to just a couple.

Some of the incidents are indicative of deeper problems that are beyond the scope of technology alone. In one case, a young girl in a primary school was writing to an adult outside the school in terms that suggested she was in danger. Another child's written work focused heavily on bullying, and logs showed they had been visiting websites that discussed the subject. "In those cases, we were able to alert the head teacher and get the child some support," says Page.

The Policy Central Enterprise software sits on local machines and monitors what is keyed on the keyboard and displayed on the screen, comparing it to a list of keywords and wildcards. The system also allows the user to add new terms, as Page explains: "If you suspect that Paul Arrowsmith is being bullied, you can add the word 'Arrowsmith' to the list to snapshot any screen that contains it. It is then date-stamped with date and time, the person's name who is logged on and the machine."

With Active Directory in operation, it means that Page's team can put anyone suspected of bad behaviour, or on the receiving end of it, into a group where they will be more closely monitored.

He says there is no problem about privacy being infringed. "We had meetings with everyone before it started with schools, parents, unions and the police. And when a person logs in they get a banner telling them the system is monitored. We tell them that any violation of the Acceptable Usage Policy will he tracked and recorded. It is not that we are recording everything – it just takes a snapshot when it sees a violation."

In addition, the schools can decide themselves whether or not to put the Policy Central client on a machine, and may decide not to have it on the office administration machines, for instance. "It's up to the school how they deploy it, but the head teacher has to sign the form and say they understand what the issues are and that they are happy for us to deploy it," says Page.


Read more on Web application security