TECHNOLOGY, REALITY AND VISION WEB FILTERING IN THE UCDSB

Web Filtering in UCDSB

Jul 03, 2015


jeremychobbs

Presentation on Web Filtering Protocol to Strat Council by Jeremy Hobbs
Transcript
Page 1: Web Filtering in UCDSB

TECHNOLOGY, REALITY AND VISION

WEB FILTERING IN THE UCDSB

Page 2: Web Filtering in UCDSB

WHERE WE’VE BEEN

• Since 2005, major push to get ubiquitous technology

• 6000+ new Dell computers rolled into classrooms in 4 years.

• MS Office and Assistive Tech on every PC

• 100% wifi coverage in all school and admin building classrooms and meeting rooms (700 WAPs)

• Only school district in Ontario with this level of coverage wide open to students and staff – Board managed or personal devices.

Page 3: Web Filtering in UCDSB

RATIONALE FOR WEB FILTERING

• Appropriateness of content for age and context

• Protection of Board against legal liability

• Protection of scarce network bandwidth

• Protection of Board network, data and IT resources from sources of malware and viruses.

Page 4: Web Filtering in UCDSB

HISTORY OF FILTERING

• WebSense was Board web filter prior to 2004

• Fortinet installed as integrated IDS, AV, Antispam, Web Filter and Firewall in 2004, saving $50k per year.

• 2006 Active Directory rolled out

• 2008 AD integration with web filtering tested

• 2009 Initial Identity Aware web filtering rolled out (see Sept 25 memo) with intention of relaxing policies. Service catalog published at same time.

• 2010 Further relaxation in staff policies rolled out

• 2011 Planned relaxation of student/guest policies.

Page 5: Web Filtering in UCDSB

A LITTLE SECURITY PRIMER

• Authentication

• Authorization

• Access control

• Non-Repudiation

• General architectural principle – no unauthenticated users on our network.

Page 6: Web Filtering in UCDSB

IDENTITY AWARE WEB FILTERING

Active Directory

Website

A “User” makes a request for a website through a board-owned or guest device using their browser

The web filtering service on our Fortinet device receives the request and queries AD to see what ‘group’ the user belongs to.

Fortinet system queries classification system to determine what category the requested page belongs to

Fortinet system then determines if the user is entitled to receive the requested page based upon their filtering profile

If the user’s filtering profile allows the page, the Fortinet system requests the page from the web server and returns it.
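
The request flow above, written out as an added example (not part of the original presentation and not Fortinet or UCDSB code). The user names, groups, hosts, categories and profiles are constructed samples, and two behaviours are assumptions rather than anything the slides state: unrated pages are blocked, and a user in several groups gets the most restrictive result.

```python
from dataclasses import dataclass

# Constructed sample data standing in for AD, the category service and the
# per-group filtering profiles. None of it is real UCDSB or Fortinet config.
AD_GROUPS = {
    "jsmith": {"Staff"},
    "student42": {"Students"},
    "coach9": {"Staff", "Students"},
}
CATEGORIES = {
    "news.example": "news",
    "video.example": "streaming",
    "bad.example": "malware",
}
PROFILES = {
    "Staff": {"news", "education", "streaming"},
    "Students": {"news", "education"},
}


@dataclass(frozen=True)
class Decision:
    user: str
    host: str
    category: str
    allowed: bool
    reason: str


def decide(user, host):
    """Walk the slide's steps: identify user, classify page, check profile."""
    groups = AD_GROUPS.get(user or "", set())
    if not groups:
        # Slide 5 principle: no unauthenticated users on the network.
        return Decision(user or "-", host, "-", False, "unauthenticated")
    # Normalise the host so "News.Example." and "news.example" classify alike.
    category = CATEGORIES.get(host.lower().rstrip("."), "unrated")
    if category == "unrated":
        # Assumption: fail closed when the classifier has no rating.
        return Decision(user, host, category, False, "unrated category")
    # Assumption: a user in several groups gets the most restrictive result.
    blocking = sorted(g for g in groups if category not in PROFILES.get(g, set()))
    if blocking:
        return Decision(user, host, category, False, "blocked for " + ",".join(blocking))
    return Decision(user, host, category, True, "allowed by profile")
```

Each Decision carries the user, host, category and reason together, which is the record a filter needs to log if requests are to be attributable to an authenticated identity.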

Page 7: Web Filtering in UCDSB

SOME STATS

• Fortinet system monitors and classifies ~ 20+ Billion pages

• UCDSB ~ 30,000 registered “users” in AD, approximately 10,000 Board owned computers at about 100 sites.

• 2,000,000 individual page requests per day

Page 8: Web Filtering in UCDSB

THE GROUNDSWELL AGAINST FILTERING

Page 9: Web Filtering in UCDSB

BYOD AND IDEVICES – A WRINKLE

• In 2006, ITS embarked on a mission to cover 100% of Board sites with wide open wifi for student and staff use.

• Installed Nevis NAC system so students and staff could bring non-board-owned devices into the network:

  • Eliminated need for users to buy Windows XP Pro for personal devices

  • Eliminated need for ITS to spend time and budget to license these devices, join them to domain and monitor patch/virus status

• Included sophisticated hacking detection tools and ‘endpoint integrity scan’ to ensure devices weren’t bringing viruses or malware onto network.

• Requires “captive portal” user authentication.

Page 10: Web Filtering in UCDSB

MANAGING DEVICES & PEOPLE

Page 11: Web Filtering in UCDSB

GOING FORWARD CHALLENGES

• Available network bandwidth

• New WAN in 2013

• Revisit school network backbone and switching

• Next gen wifi – bandwidth + coverage metrics

• Extending identity infrastructure

• New captive portal technology to compensate for lack of LDAP support in iDevices to identify users

• Possible new technology to identify Board and guest ‘other devices’

• Automated sponsored guest AD account provisioning/deprovisioning

• IP address infrastructure

• Not enough IP addresses to accommodate move from 10,000 to 20 or 30,000 devices

• Without new IP addressing scheme, proliferation of guest devices may make it impossible for some Board owned PCs to get an IP during the day.

• Products

• We cannot predict outcomes of vendor competitions – products tend to be very proprietary and not very interoperable in early phases of tech adoption

Page 12: Web Filtering in UCDSB

NEXT STEPS

• Staff filtering policies further relaxed in Dec 2010.

• New IT Governance structure: Academic cabinet meets in January, will review proposal to relax student web filtering on Board-Managed and Guest Devices.

• Relaxation on student policies starting Feb 2011 to…

• Baseline bandwidth consumption and monitor for change

• Investigate solutions for:

  • Captive portal authentication on iDevices

  • Sponsored guest.