“We provide flexibility to the school principals to customize their lists of blocked or allowed sites,” Fairfax County Public Schools' Maribeth Luftglass says.
Oct 15 2009

Keeping the Web Safe for All

As the desire to use more online information in instruction grows, K–12 tech shops aim to use filtering tools as precision web tuners.

Keeping the Web Safe for All

Windows 7: Securing Removable Drives

SonicWall UTM

Unified Threat Management

Kaplan's Online Future

When it comes to schools and the Internet, just about everyone has something to say about web filtering.

“Getting appropriate content to students, teachers and administrators is a challenge,” says Karen Billings, vice president of the Education Division for the Software and Information Industry Association. “But keeping schools safe is the hurdle; that's very much the rationale behind filtering.”

But what's appropriate is subjective, points out Maribeth Luftglass, assistant superintendent and CIO for Fairfax County (Va.) Public Schools. Among the regulations, organizations and individuals making demands are the school and district administrators, individual teachers and media center chiefs, parents and community leaders, and the Children's Internet Protection Act.

“We believe we have a good balanced approach: Each school is provided with a standard level of protection and the ability to modify it based upon their instructional needs,” says Luftglass.

Plus, this all takes place in the context of a learning environment, says Linda Sharp, director for the Consortium for School Networking's Cyber Security for the Digital District and Crisis Preparedness projects. That factor raises some unique challenges, she says: “How do you allow for education that involves technology and online learning while still protecting students? How do you make students aware of copyright laws and issues, or help them identify and exhibit good online behavior? How to do you protect them not only from inappropriate sites but from other online safety risks, such as cyberbullying?”

The Data Dynamic

Looking more broadly at networking, the trend in districts nationwide is to provide increased broadband and access to online content, says Billings, pointing to a survey SIIA did in the spring in which 500 K–20 educators (47 percent from K–12) rated their schools' IT capabilities. At the top, garnering 87 percent, providing high-speed broadband access for communication, administrative and instructional needs tied with deploying security tools to protect student data and privacy. Growth in filtering use and the evolution of filtering tools runs parallel with those trends, she notes. But the caveat is that schools want tools that they can use more granularly.

“You just can't say YouTube, Facebook and Google are bad and block all of them, all of the time, anymore,” Billings says. “The challenge that these folks face is in making the subtle distinctions. Some sites police themselves, but what teachers and students want is practical curriculum and homework help.”

For Fairfax County Public Schools, that has meant making filtering services an integral component of the overall network infrastructure, which supports nearly 170,000 students and more than 22,000 employees at 196 schools and education centers. The district, whose facilities are linked via a 10-gigabit-per-second backbone network, has two Internet circuits. The primary circuit, a 600-megabit-per-second node from UUNET, is located in the FCPS Network Operations Center, and a backup 45Mbps node from Sprint is located in a separate administrative building.  

The enterprise network services, housed centrally at the NOC, include the district's Websense filtering environment. The network funnels enterprise web traffic to the NOC and through a Cisco ASA 5580-20 firewall. From the ASA, web traffic passes through an F5 Networks load balancer to one of six Websense filtering servers. The filtering servers block or allow access accordingly. Separate servers house the Websense database (which stores records of requests, denials and other traffic details), the management server and the reporting server.

“Technically, we find the environment to be scalable and reliable,” Luftglass says. “We have standardized the servers in terms of their hardware, so that if there is failure, we can quickly recover via our spare-parts inventory.”

Web as Advocate

Luftglass also uses the web to provide extensive information about FCPS' use of technology to protect users online and to explain why it sometimes bans certain types of access. These posts also explain the policies the school district expects its users – from the youngest schoolchildren to veteran classroom teachers and administrators – to live by while online.

“We provide flexibility to the school principals to customize their lists of blocked or allowed sites to meet the instructional need of each individual school,” she says. “A school can submit a request to our service desk or work via their on-site technology support specialist to get their particular block/allow list modified.” 

Admittedly, savvy users will make it their mission to evade and bypass filters and gateways – a problem that both Luftglass and Sharp say occurs with regularity.

It's this fact that makes filtering not just a technology issue, but a training and awareness issue, she contends. “Students can get around almost all filtering in their schools if they want to,” says Sharp. “In fact, many are bringing devices such as smartphones into schools and have no filters. So we need to concentrate less on locking them out of sites and more on where they should go and why they should filter themselves.”

Looking down the road, Billings posits the idea of the “librarian in the sky.” By this, she means the increased use by schools of targeted content within domains that filtering tools have vetted as useful and secure based on knowledge of the content providers and reviews of the content. In the not-too-distant future, Billings says, this type of filtering will let districts, schools and users build their own online reference libraries.


A Variety of Filtering Approaches

  • Mesa County Valley School District: This Colorado Junction, Colo., district uses M86 Security's R3000 Internet Filter and Enterprise Reporter tool to manage web controls for its 23,000 students, 3,000 employees and 5,000 workstations.
  • Pennsylvania Cyber Charter School: This K–12 online school, based in Midland, Pa., uses Net Nanny to police the traffic of its 8,000 students.
  • Clintondale Community School District: This district near Detroit, with 2,300 students and 500 faculty and staff, has deployed a Fortinet FortiGate appliance and a FortiAnalyzer to monitor web use and block sites on its no-go list.
  • Heritage Christian School: This school in Kissimmee, Fla., opted for a unified threat management approach, using WatchGuard Firebox to help it provide secure web access for 600 students and 50 staff members.


Fairfax County's Web Filtering Tips

Maribeth Luftglass, CIO for Fairfax County Public Schools, offers some best practices for keeping your district's online access humming:

  • Maintain a specific list of the types of websites that must be blocked, but also set guidelines describing material considered inappropriate. “This will help you adapt as new technologies emerge and other technologies change.”
  • Think about scalability of the tools you select, especially if your district is large. “Initially, the size of the ASA firewall was an issue, but after tweaking the configuration and upgrading the throughput, performance increased dramatically.”
  • Use a load balancer between your firewall and filtering servers. “We typically experience between 500Mbps and 550Mbps of web traffic daily, so without a load balancer, this amount of traffic could overwhelm and degrade the performance of the filtering servers.”
  • Deploy dedicated servers for the different components of your filtering application. “Having dedicated servers allows us to better troubleshoot and isolate issues if they do arise.”
Photo credit: Michael JN Bowles