Web Filter 2

Cloud Filter

Cloud or On-Premise

Our Web Filter is available as a Cloud Filter or an on-premise Rocket Web Filter. Both solutions provide safety, reporting, and compliance. 

About On-Premise

Our on-premise solution involves a Rocket appliance (or multiple Rocket appliances) on your network, usually running as a transparent bridge. This solution provides filtering for all devices on your school network and any off-network mobile devices that have an agent/extension installed.

This solution includes:

  • -Rocket appliance(s) on your network
  • -Web Filter management via Launch dashboard
  • -Mobile filtering agents/extensions for all school devices

About Cloud

Our Cloud Filter solution is a hardware-free solution with all traffic routed through our secure, fast cloud infrastructure for filtering. This solution provides filtering for all devices that have an agent/extension installed as well as any designated guest/BYOD traffic.

This solution includes:

  • -Dedicated tier in our cloud datacenter
  • -Web Filter management of that tier via Launch Dashboard
  • -Cloud DNS filter for any agentless devices on the network
  • -Mobile filtering agents/extensions for all school devices

Cloud vs On-Prem Features

Both solutions provide the customer with great flexibility to deal with today’s internet access needs. Either deployment method can provide:

 

Feature On-Prem Cloud Notes
On/off-site filtering for every OS
Trusted MITM proxy/SSL decryption
Customizable proxies
Web Zones
URL Patterns
Custom Rule Sets
Custom access pages
Local database category changes
Detailed reporting
Lockouts
Overrides
File extension blocking
Blocked keywords
Data privacy
Traffic By… reports
Guaranteed categories (bandwidth controls)
Bandwidth reports
Inspectors: In the On-Prem solution, IP- or username-based Inspectors are available. In Cloud Filter, only username-based Inspectors are available.
Full detail URL reporting via Advanced Reporting Appliance

Benefits

On Premise

On-premise Web Filter installs are the traditional model for implementing the Lightspeed Systems Web Filter. Benefits of this deployment model include certain features that can only be implemented as an inline model.

Benefits of an on-premise Rocket Web Filter deployment:

  • -Local control of hardware
  • -More authentication source options
  • -Bandwidth controls
  • -Traffic and bandwidth reports

Cloud

Cloud filtering provides customers with a hardware-free implementation of the Lightspeed Systems Web Filter. Cloud filtering solutions are implemented through a combination of agent-based filtering for supported devices and DNS based filtering for devices without agents (BYOD/guest devices or uncommon operating systems).  

Benefits of a Cloud Filter deployment:

  • -Faster implementation
  • -No equipment to maintain on premise
  • -No hardware to purchase
  • -Greater flexibility as your demands change

Authentication

The sources you use to authenticate users against and the methods you use to authenticate them are critical parts of your filtering strategy. The options vary between an on-premise Rocket solution and a Cloud Filter solution.

Authentication Sources

Auth Source Works with on-prem Rocket Works with Cloud Filter Notes
Active Directory: AD clients can sync with Azure AD/O365 for unified identity via the AAD Connect Tool
O365: O365 auth source doesn’t support authenticated proxy
Google/GAFE: GAFE auth source doesn’t support authenticated proxy
LDAP
Apple Open Directory
IMAP Server
Local Database
Novell eDirectory

 

Authentication Methods

Method On-Prem Cloud Notes
Radius
Captive Portal/Web Auth
DCUA
Device User Agents/LMA: Mac, Win, Chrome

Filtering Mobile Devices


The Lightspeed Systems Rocket Web Filter and Cloud Filter solutions both include the ability to filter mobile devices on and off the network. Our mobile filtering solutions communicate with the Rocket Web Filter or Cloud Filter to evaluate traffic, enforce policies, and report on activity. A solution for every device:

  • -Mac OS
  • -Windows
  • -iOS
  • -Chrome
  • -Android
  • -Linux

Cloud vs On-Prem Mobile Device Filtering

We offer web filtering solutions with hardware on-premises at the district or entirely in the cloud. Both solutions are able to filter all network devices and mobile devices on or off the network.

How Mobile Filtering Works with an On-Premise Rocket

The mobile filtering agent or extension communicates Internet-browser requests from the remote computer to a Rocket appliance at the district. In turn, the Rocket checks the URL requests against its content database and rule sets and either allows the request to be processed or sends a blocking and redirect message to the user. In this way acceptable use policies are consistently enforced for users alternately attached to the local network and working remotely. It works from any location, with any type of Internet connection, without the need for a VPN.

How Mobile Filtering Works in the Cloud

The mobile filtering agent or extension communicates Internet-browser requests from the remote computer to the district’s Cloud Filter. In turn, the Cloud Filter checks the URL requests against its content database and rule sets and either allows the request to be processed or sends a blocking and redirect message to the user. In this way acceptable use policies are consistently enforced for users alternately attached to the local network and working remotely. It works from any location, with any type of Internet connection, without the need for a VPN.

Mobile filtering features

Lightspeed Systems can filter every device type with our Rocket Web Filter and our Cloud Filter, but the specific features vary, depending on what the manufacturer allows. A solution for every device:
  • -Mac OS X 10.XX+: Use Mac Mobile Filter agent + user agent
  • -Windows 7+: Use Windows Mobile Filter agent + LMA
  • -iOS 9+: Use Mobile Filter for iOS app
  • -Other iOS: Global Proxy
  • -Chrome: Use Chrome mobile filter extension + Chrome user extension
  • -Android: Use the Browser for Android
  • -Linux: Use Linux mobile filter agent + user agent
  • -Other/BYOD/Guest: With an on-premise Rocket, we filter any network traffic as it goes through the filter (even if an agent is not installed); with a Cloud Filter, our DNS cloud filter allows you to filter and ensure CIPA compliance on devices without an agent.
The following chart identifies which features are offered by each OS-specific mobile filtering agent/extension. Unless otherwise noted, each of these features is supported for both a Rocket Web Filter implementation or a Cloud Filter implementation.
Feature MF Chrome MF iOS MF Mac MF Win Android MF
Force Registration
Block on Fail
Block Page
Custom Block Page
Transparent Authentication
Server Fail Over **
SSL Filtering
Built-in SSL Decryption
Proxy for SSL Decryption: Not needed, extension provides SSL decryption *
Auto Tier Binding
Filter Image Search Thumbnails
Force Safe Search (Google, Yahoo, Bing)
Google DNS Redirect
Block Google+Youtube HTTPS
Disable Google Auto-Complete
** All versions support server fail over, but the Chrome Mobile Filter will only fail over properly on service failures.

DNS Filtering

BYOD filtering is included with our Cloud Filter. BYOD Filtering works by changing the DNS responses that devices receive. Traffic that should be blocked is given a false DNS response: instead of being directed to the desired website, the end user is redirected to the Cloud Filter's server, which provides a block message. Traffic that should be allowed is given the real DNS information for accessing the website.

The benefits of DNS-based BYOD filtering include ease and speed of implementation as well as automatic support for any device accessing the network (i.e., devices on which a mobile filtering agent/client/extension is not or cannot be installed). DNS-based BYOD filtering has limited support for advanced functions and minimal reporting. A common cloud-based solution will utilize agents where they are an option and use DNS-based BYOD filtering as the fallback solution.

BYOD Filtering offers:

  • -Support for any device on a customer’s network
  • -Basic CIPA compliance
  • -High-level reports on sites/categories allowed and blocked
  • -Custom allow/block category-based decisions

BYOD Filtering does not offer:

  • -Detailed reports
  • -User authentication
  • -Web Zones
  • -Off-network filtering
  • -Proxy/SSL decryption
  • -User-based policies or user-based reporting
  • -Override users – planned for future development
  • -Ability to deliver a custom access page for each customer – coming soon!
  • -Support for Google/YouTube safety mode – coming soon!
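
A minimal model of the DNS decision described above, as an added example that is not Lightspeed's code. The IP range, category database, DNS records and block-page address are constructed, and two behaviours are assumptions of the model: queries from outside the configured ranges pass through unfiltered, and uncategorized domains are allowed.

```python
import ipaddress
from collections import Counter

# All values below are constructed for illustration; none come from the vendor.
BLOCK_PAGE_IP = "192.0.2.10"   # placeholder address of the block-page server
FILTERED_RANGES = [("Guest Wi-Fi", "10.20.0.1", "10.20.3.254")]  # name, start, end
BLOCKED_CATEGORIES = {"adult", "violence"}
CATEGORY_DB = {                # domain -> category
    "adult-site.example": "adult",
    "school-portal.example": "education",
}
REAL_RECORDS = {               # stand-in for the real upstream DNS answers
    "www.adult-site.example": "198.51.100.7",
    "school-portal.example": "203.0.113.20",
    "unknown-site.example": "203.0.113.99",
}


def matching_range(client_ip):
    """Return the name of the configured range containing client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for name, start, end in FILTERED_RANGES:
        if ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end):
            return name
    return None


def categorize(qname):
    """Look up qname, then each parent domain, so subdomains inherit a category."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def resolve(client_ip, qname):
    """Return (answer_ip, verdict, category) for one DNS query.

    The only inputs are the source address and the queried name: there is no
    username and no URL path, which is why this mode cannot offer user-based
    policies or detailed reports.
    """
    real = REAL_RECORDS.get(qname.rstrip(".").lower())
    if matching_range(client_ip) is None:
        return real, "unfiltered", None       # assumption: no policy outside ranges
    category = categorize(qname)
    if category in BLOCKED_CATEGORIES:
        return BLOCK_PAGE_IP, "blocked", category   # false answer -> block page
    return real, "allowed", category                # real answer


def snapshot(queries):
    """Category-level allowed/blocked counts, the granularity a DNS filter can report."""
    counts = Counter()
    for client_ip, qname in queries:
        _, verdict, category = resolve(client_ip, qname)
        if verdict != "unfiltered":
            counts[(verdict, category)] += 1
    return dict(counts)
```
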

DNS Cloud Filter

The DNS Cloud Filter is a feature of the Lightspeed Cloud Filter. The purpose of the DNS Filter is to provide schools with a CIPA compliant way to filter BYOD/Guest devices or unique devices that cannot support one of Lightspeed’s filtering agents.

You can access the DNS Cloud Filter by clicking the appropriate tile from your Launch dashboard.

From the DNS Cloud Filter menu, you will be able to obtain setup information, configure settings, and view reports.

Note: Any change you make to DNS Cloud Filter settings, categories, or reports will take approximately 15 minutes to take effect on your clients.

The DNS Cloud Filter menu is broken down into several sections:

Snapshot Reports

1. At the top you will see the snapshot report. This report identifies how many categories and how many websites have been blocked or allowed in the past 7 days.

Hovering your mouse over any of the categories will open up a tooltip that will compare the current 7 day period to the previous 7 day period.

Clicking on the More button in between the two categories will bring up the Cloud DNS Reports menu.

Snapshot Reports

The Cloud DNS Reports menu allows you to run detailed reports on your Cloud DNS filtered devices.

You can run four distinct reports: Blocked Categories, Allowed Categories, Blocked Websites, and Allowed Websites. Simply click the corresponding tile to navigate to that report.

You can adjust the report date range by clicking the dropdown menu. The menu defaults to Today, but also allows you to select Yesterday, Last 7 Days, and Last 30 Days as options.

You can search for specific categories or websites by utilizing the Search box in the top left.

Setup

The Cloud DNS Setup menu can be found right under the Snapshot Reports. From here, you can set up your DNS servers and assign IP ranges to filter.

The DNS Servers field identifies the IP addresses of our DNS Servers. These addresses will be automatically set by Lightspeed Systems. The DNS addresses assigned will vary by region.

The IP Ranges to Filter field allows you to identify which IPs to filter.

Enter a name in the IP Ranges Name field, the start IP in the IP Start field, and the end IP in the IP End field. Click Add to add the IP Range.

Once an IP Range has been added, you will see it added at the bottom.

To delete an IP Range, simply click the “x” to the right.

Normally Blocked/Allowed Categories

You will find a list of Normally Blocked Categories under the Setup menu. These categories determine which kinds of websites are automatically blocked by the DNS filter. The categories are divided by topics, such as “adult”, “forums, chat, email”, “security”, and “violence.” These categories are normally blocked by Lightspeed Systems due to their inappropriate content.

Under the Normally Blocked Categories, you will find a list of Normally Allowed Categories. These include normally allowed and safe topics, such as “Advertising”, “Business and work”, “Education”, and “Family Life.”

It will be up to you to determine which categories you want to block or allow for your students. You can manually block or allow a category by clicking the button to the right. Red, left-aligned buttons indicate a blocked category. Green, right-aligned buttons indicate an unblocked category.

You can easily block or unblock all categories within each Normally Blocked Category and Normally Allowed Category section. Simply click Allow All or Block All next to the section title and all categories within that section will automatically be allowed or blocked.

Best Practices

Customers need to configure their BYOD devices and guest networks with this DNS. Customers should use a separate DNS for users that have user agents installed.

You can learn more about Lightspeed’s database categories in this Web Filter article.

Mobile Filtering and SSL Decryption

SSL Filtering vs SSL Decryption

SSL Filtering is the ability to see, make allow/block decisions, and report on https domains. (E.g., seeing that a user is attempting to visit https://www.google.com.)

SSL Decryption is the ability to see the full details of the activity on those secure sites. (E.g., seeing the specific google search terms entered.)

As more of the Web moves to https, decrypting SSL traffic becomes more important to our customers who want visibility into student activity. However, as more providers limit or restrict decryption with their services and devices, this also becomes increasingly challenging. We do and will continue to provide the most powerful filtering solutions across all platforms and offer SSL decryption across platforms, as well as solutions to the issues that can come with it.

iOS Filtering

The best choice for filtering iOS devices is our Web Filter for iOS app. This uses the latest Apple Filter Provider extensions to examine, filter, and report on network traffic from an iOS device. This requires iOS 9.3 or greater.

The Web Filter for iOS:

  • -Filters all TCP traffic for all browsers
  • -Offers seamless user identification
  • -Works on-site or off-site
  • -Works with our Rocket Web Filter or Cloud Filter

iOS Filtering & SSL Decryption

The Web Filter for iOS app provides SSL filtering but does not decrypt SSL traffic. This is a restriction from Apple, not a limitation of our Web Filter for iOS.

If your reason for wanting to decrypt SSL is visibility into search terms, you could redirect google.com to http://www.bing.com or another non-https search site (Google and Yahoo have moved to entirely secure search; at this time, bing still offers unsecure search at http://www.bing.com). This is certainly a temporary fix, as bing is also moving toward encrypted search.

iOS Filtering & SSL Decryption with a Proxy

If full decryption of SSL traffic for iOS devices is a requirement, that can be accomplished with a trusted man-in-the-middle proxy solution, which Lightspeed Systems provides. It’s a great solution that combines full visibility and reporting with speed and access, and it is available across mobile platforms and with either our Rocket Web Filter or Cloud Filter solution. (Learn more about the man-in-the-middle proxy in our SSL, Explained white paper.)

Many customers are able to use an authenticated man-in-the-middle proxy for their iOS and other devices without issue. But some customers encounter authentication issues with iOS devices.

  • a. If you’re using GAFE as an authentication source – Google has publicly stated that they do not support GAFE accounts for authenticated proxy.
  • b. For other authentication sources, an Apple bug sometimes manifests. This most often manifests as multiple requests to enter credentials (in some cases, every few seconds) – regardless of how or where they are hard-coded in the device; regardless of the MDM in use; and regardless of the filter being used. This issue is an Apple limitation and has been observed on a variety of iOS versions (from iOS 5 through iOS 9.x) and is highly discussed in Apple forums. Sometimes it appears to be fixed with an Apple release, but it manifests in the next iOS release or in the next batch of devices.

At this time, our solution for customers who require SSL decryption and either use GAFE as an authentication source or experience this Apple proxy authentication bug is to create an open proxy (that does not require authentication). This solves the authentication issue, but creates some new ones:

1. Security

This obviously creates a security weakness on your network, as you’ll have an open proxy running which can be accessed and used maliciously. If you accept these risks as a trade-off of decrypting the iOS SSL traffic, we recommend setting Proxy Security to “Restrict access to iOS and ChromeOS” or “Authenticate external users” rather than “Open Proxy.”

If you choose “Restrict access to iOS and ChromeOS” – this will limit unauthorized access to the proxy, mitigating but not eliminating security issues. In addition, it will not allow you to use that proxy for any Windows devices you have running on your network.

If you choose “Authenticate external users” – this will allow open access to network users, but require external users to authenticate. This will mitigate security issues. It will not eliminate the repeated requests to authenticate, but it will limit them to when the device is off the school network.

2. Lack of username in reporting

Allowing access to your Proxy server without authentication gets around GAFE directory restrictions and the Apple bug of repeated requests to authenticate, but obviously it leaves you with unauthenticated users. Whether those are just iOS and Chrome devices or just on-network devices, unauthenticated users by definition do not have a user name tied to them. Therefore, you’ll be able to see specific Google search terms (since it is using the proxy to decrypt that SSL traffic) but you will not be able to see a username associated with that activity on your Web Filter report.

If you’re in a one-to-one environment, you’ll be able to use the reported IP in your Web Filter reports to identify the user based on other district records. If you’re using shared devices, you’d have to combine that information with time/class schedules. And if the devices are off-campus and not authenticated, you’ll see the IP of the home (or other location) where the user is connecting and may not be able to tie that to a specific user.

For enhanced security and visibility, you could couple your open/partially-open proxy with Captive Portal/Web Authentication. The limitation of this is that if you have multiple users in one place, all activity on that external IP will be tied to the first user who web authenticates.

MacOS Mobile Filtering

Mac OS filtering is provided via our Mac mobile filtering agent. Coupled with our Mac User Agent, this provides user identification, filter policy enforcement, and robust reporting whether the device is on or off-network.

MacOS Mobile Filtering & SSL Decryption with a Proxy

If you are using the Mac Filter agent and require SSL decryption, you can utilize a man-in-the-middle proxy to decrypt SSL traffic.

Windows Mobile Filtering

Windows device filtering is provided by our Windows Mobile Filter agent.

On Windows devices, you can combine our Windows Mobile Filter agent and our LMA (for user identification) for user identification, filter policy enforcement, and robust reporting whether the device is on or off the network.

Windows Mobile Filtering & SSL Decryption with a Proxy

If you’re using the Windows Mobile Filter and require SSL decryption, you can utilize a man-in-the-middle proxy to decrypt SSL.

Chromebook Mobile Filter

Mobile filtering on Chromebook is provided by our Chrome filtering extensions and our chrome user extension for user identification. These extensions are easily deployed through the Google Admin Console, like any other extensions.

We have two filtering extensions, and which one you use depends on if and how you use SSL certificates:

No SSL certificates → Chrome Mobile Filter Extension

Self-Signed certificates → Chrome Mobile Filter Extension

Certificate Authority (CA) Signed certificates → Chrome S-Mobile Filter Extension

Chromebook Mobile Filtering & SSL Decryption

Both Chrome mobile filter extensions offer SSL decryption without the need for a man-in-the-middle proxy.

Android Mobile Filtering

Android filtering is provided via our Android browser replacement mobile filtering agent. This provides user identification, filter policy enforcement, and robust reporting whether the device is on or off-network.

Android Mobile Filtering & SSL Decryption with a Proxy

If you are using the Android Filter agent and require SSL decryption, you can utilize a man-in-the-middle proxy to decrypt SSL traffic.

Linux Mobile Filtering

Linux filtering is provided via our Linux mobile filtering agent. This provides user identification, filter policy enforcement, and robust reporting whether the device is on or off-network.

Linux Mobile Filtering & SSL Decryption with a Proxy

If you are using the Linux Filter agent and require SSL decryption, you can utilize a man-in-the-middle proxy to decrypt SSL traffic.

Cloud Filter FAQ

Where is the Cloud hosted?

Our Cloud Filter is hosted in our datacenter.

Will the Cloud Filter count for my CIPA compliance needs?

Yes, the Cloud Filter will ensure CIPA compliance for all devices on your network (even BYOD/guest devices) and for school-owned devices when they leave your network.

Who can access the Cloud Filter?

Each district is provided a unique URL for their Cloud Filter tier, and only designated district administrators are able to log in to access the filtering controls and reporting data.

Is my data stored separately?

Yes.

Is the Cloud secure?

Yes.

Can I use the Cloud for trusted man in the middle proxy and SSL decryption?

Yes. See details below.

So the Cloud Filter is a DNS redirect?

No. DNS filtering is just a part of our Cloud Filter, provided to ensure safety, appropriate use of network resources, and CIPA compliance on guest networks, BYOD devices, or devices that can’t have an agent installed. For most devices, an installed mobile filtering agent will provide more comprehensive and granular policies and reporting than our cloud DNS feature.