Filter Administration Guide
The Maine School and Library Network (MSLN) provides website filtering services to member sites for CIPA compliance. Sites receiving e-rate funding are required to be CIPA compliant. In addition to providing filtering, member sites must also provide a means to bypass filtering for adults. Managing a website filtering system can require a significant investment. In order to assist member sites in lowering costs, MSLN provides a centralized CIPA compliant filtering system powered by Secure Computing®, Corp.
Member sites by default have a minimum filter turned on (configured to block pornography, criminal skills, drugs, gambling, and proxy bypassers); however, access to and customization of the filter is then given over to the site's TC, who is solely responsible for what is blocked and not blocked, including the above categories. All requests for websites to be unblocked or blocked must be passed on to the person controlling the filter: your site's TC.
This guide provides a visual overview of the MSLN website filtering system and its administration. It is strongly recommended that every Filter Administrator take the time to work through this document. We have made every effort to keep it as short as possible.
Contents
- Introduction
- 1. Getting Started
- 2. Assigning Overrides
- 3. Introduction to Advanced Administration
- 4. Managing Filters
- 5. Applying Filters
- 6. Creating Filter Categories
- 7. Global Blocks and Exceptions
- 8. Writing Address Matching Rules
- Appendix 1: Filter Management Behind a Firewall
Getting Started
By default, each MSLN site is set up with a default filter. When attempting to access a website that is filtered, the user will see a block page similar to the following:
Notice the Temporarily bypass filtering link. Clicking this link will present the user with the following page:
Using a Filter Override user account the user can bypass filtering. Next we will look at how to assign Filter Override accounts using the Filter Administration website.
The Filter Administration website is located at http://filter.msln.net/. See below:
To sign into the Filter Administration website click the MSLN Filter Server Interface link. You will see the following page:
Enter your Filter Account information to log in. Note that your Filter Account is a separate user account provided to you by MSLN to manage filtering for your site.
Due to limitations in the filtering system, each network can only be controlled by one user account. For this reason, it is recommended that each site delegate a Filter Administrator that is responsible for filtering.
If you do not know, or have forgotten, your Filter Account username and password, please contact MSLN for assistance.
Once signed in, you will be presented with the following page:
This is the Default Administration Page. It allows you to give out Filter Override user accounts to staff at your site. For more control, there is also an Advanced Administration Page that will be discussed in the sections that follow.
When signing in to the Filter Administration website for the first time, you should update your account information and change your password. To do this, click on the Change My Profile link from the menu on the left. You will be presented with the following page:
Here you should verify that your email address is correct. If you need to make a change, click the Save button on the bottom of the screen to save the updated address.
To change your account password, click the Change Logon button. You will be presented with the following page:
The Name field is your username; Full name is how we identify you in our system. Please do not change these two values. To change your password simply type it in both the Password and Retype password fields, then click Save.
You should now test your changes by clicking the Log Off link at the top of the page and signing in again using your new password.
Assigning Overrides
To allow users to bypass filtering you must create Filter Override accounts. These user accounts are created using the Filter Administration website.
To manage Override Accounts click the Assign Overrides link from the menu on the left. You will see a page similar to the following:
To create an Override Account click on the Add button.
In the Override name field enter the username for the Override Account, then enter the desired password in both the Override password and Retype override password fields.
Additionally, you can set up the Override Account to notify you by email when it is used by placing a check in the Notify me when this user overrides filtering checkbox. This is useful to see if a user's account has been stolen, but most of our Filter Administrators do not wish to be notified about every override. Notification can be limited by placing a check in the Only if user overrides filtering checkbox and selecting an occurrence within a set time.
To create the account click the Save button.
You can now use the created override account to Temporarily Bypass Filtering for a computer. Keep in mind that filter overrides work on a per-IP-address basis. This means that if someone performs a 15-minute override on a computer, but leaves it after 5 minutes, there will be no filtering for an additional 10 minutes. In addition, if a host is behind a Firewall with a shared public IP address, then the override will apply to every host behind that firewall. For this reason MSLN does not recommend using Override Accounts in combination with Firewalls.
Introduction to Advanced Administration
Managing a Filter can be a full-time role. For this reason MSLN does not enable Advanced Administration unless requested by the site. To enable Advanced Administration on your Filter Account contact MSLN.
After your account has been set up to use Advanced Administration you will be presented with more menu options. See below:
Managing Filters
In addition to Assign Overrides and Change My Profile, you will now see 4 new links: Define Filters, Assign Filters, Create Custom Lists, and Choose Redirect Page. These links will be discussed in the following sections.
The first link, Define Filters, allows you to create or modify filter policy for your site (see below). When your Filter Account is created a set of pre-defined filters is copied to your account. These filters will appear in the Filters: list. Note that these filters are templates provided for you by MSLN. You may modify them, delete them, or add new filters without affecting other users on the system.
To edit an existing filter, select the filter from the list, then click the Change button. Similarly, you can delete a filter by selecting it, then clicking the Remove button. The Copy button is reserved for use by MSLN. To add a new filter click the Add button:
Enter a name for the filter in the Filter name: field. Below you will see that there are two lists. The first list is the Block list. This list will contain filter categories of sites that you may wish to block, warn, or monitor. The second list is the Allow, or Exceptions, list. This list will contain categories of sites that you may wish to allow. It is only necessary to allow an exception for sites that are being blocked by a category from the Block list. Block categories are generally broad; for example, the Pornography category may block any site that has the word sex in its name. Exceptions are generally more specific. For example, you may be trying to access a website for Essex University. Because Essex contains the word sex, it would be blocked by your Block category; in this case we would add Essex as an exception.
In the Block list, you are able to select Block, Warn, Monitor, or Don't Block for each category. Selecting Block will prevent users of this filter from accessing the site. Warn will present an intermediate warning page, but still allow the user to access the site. Monitor will not provide a notice to the user, but will send an email to the Filter Administrator when such a site is accessed. By default, each category is set for Don't Block, which omits the category from the filter.
Exceptions only have two options: Allow or Don't Allow.
In the categories list you will see entries in bold type. Entries in bold were created by another user in the filter system, while other entries are provided and maintained by the software vendor. As a general rule it is best to avoid categories in bold as they may be malformed. Exceptions to this are categories that begin with AA-MSLN. These categories are created by MSLN when several sites are requesting a specific site to be blocked.
To save your new filter, or save your modifications on an existing filter, click the Save button.
Applying Filters
For a filter to be applied to your network you must first assign it. If no filter is assigned then it will use a default minimum filter controlled by MSLN. It is recommended that sites use at least a Typical School Filter for any location that will have computers accessible by minors.
To assign a filter use the Assign Filters link.
On the Assign Filters page you will need to select the IP Addresses tab.
By default no IP address ranges are defined. To assign a filter you must define a range of IP addresses that the filter will be applied to. To do this, click the Add button.
You will be presented with a form to create a new range. The Zone field will tell you what ranges of IP addresses are allocated to you. The addresses you define in your From and To: fields must be within a range listed under your zones.
It is possible to define different filters for different ranges of IP addresses. For example, you may wish to keep staff machines on the first 10 IP addresses of your network. Here you could define a range of the first 10 addresses to have the No Filter filter assigned, and create a second range for the remaining addresses to have Typical School Filter applied. In this example we will only use one range that covers all IP addresses allocated to our account.
After defining the starting and stopping address for a range, simply set a Description and a Default filter; this will be the filter applied to the range. Then click Save at the bottom of the page.
You may notice that the range form has an area to specify filter changes based on a schedule. This functionality is beyond the scope of this document, but is fairly straightforward.
After creating a new range it will appear in your IP address range listing.
The filter is now active for the range defined.
Creating Filter Categories
The default filter categories provided by the software vendor may not be specific enough to your needs. Using the filter administration tool you can create custom categories to block or allow specific websites.
To define a custom category go to the Define Filters page and select the Custom Categories tab.
When a custom category is created, every user on the filter system (in other words, every MSLN project member site) can see and make use of it.
You should avoid using custom categories that are not defined by you as they may change and block or allow sites that you do not wish.
To create a new custom category click on the Add button.
Here we see the custom category form. You should name it in a way that describes your location. Next we must define whether this category will be a Block category or an Exception category.
Finally, we define the addresses to include in the category and click the Save button at the bottom of the page.
See Writing Address Matching Rules for details on how to write addresses for blocks and exceptions.
Once a category is created it will appear in the listing of custom categories.
Future changes can be made to the category by selecting the category and using the Change button.
Before a category will be used in a filter you must modify a filter and make the category active. See Managing Filters for details.
Global Blocks and Exceptions
There are three areas where a site can be blocked or allowed as an exception. The first is the vendor-maintained categories; these rules have the lowest priority and appear in normal text when managing a filter. The next priority is given to custom categories, the categories that appear in bold text when managing a filter. Rules in custom categories will override rules that exist in vendor-provided categories.
The third area where a site can be blocked or allowed as an exception is the Custom List. Blocks or Exceptions in this area will override any rule that exists in either vendor-provided or custom categories and are applied to all addresses regardless of whether or not a filter is applied to the site.
Custom Lists will still be applied to ranges that use the No Filter filter. For this reason it is not recommended that custom lists are used unless your intention is to globally block or allow an address for all IP addresses delegated to your user account.
To define your custom lists select Create Custom Lists from the menu. Here you will see two tabs, one for your Block List, and one for your Allow List.
Click Save to save any changes. Address rules for Custom Lists follow the same format as used for defining custom categories.
MSLN strongly recommends using Custom Categories rather than Custom Lists.
Writing Address Matching Rules
There are many ways supported by the system to write an address when defining a block or exception. You should create one address per line, and avoid redundant rules.
WARNING: Redundant address matching rules can cancel each other out, making it difficult to troubleshoot why a rule is not being matched.
The most effective way to block a website is generally by using the website domain name. For example, if we wish to block out the website http://www.hotnsportystuff.com/ we could write the full URL for our rule. This may not be effective, however, as it will only block out that exact address. A more effective method is to use two rules, one that blocks the domain, and one blocking every subdomain under it.
For example:
hotnsportystuff.com
*.hotnsportystuff.com
The reason for two rules is simple. Since the filter system takes address rules literally, using the first line does not block http://www.hotnsportystuff.com/ since it has "www." prepended to the address. Using only the second rule will block everything.hotnsportystuff.com, including http://www.hotnsportystuff.com/ but not http://hotnsportystuff.com/. Using the two rules together you can effectively block or allow any domain.
In some cases websites can be accessed directly by IP address, rather than using a domain name. To block or allow a site based on IP address, simply enter the IP addresses used by the server (one per line), including the protocol. Note that IP address matching rules must include the protocol (e.g. http or https).
Example:
http://192.168.1.2/
https://192.168.1.2/
If you are having difficulty determining the IP addresses used by a specific Website, MSLN may be able to assist you.
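The following added example (not part of the original guide and not MSLN's or the vendor's code) models the literal rule matching described in this section together with the priority order from Global Blocks and Exceptions. It assumes that URL paths are ignored, that an exception wins over a block inside the same layer, and that the sample policy is constructed; the names rule_matches and decide are hypothetical.

```python
from urllib.parse import urlsplit

def rule_matches(rule, url):
    """Literal matching as the guide describes it (assumed model, paths ignored)."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    rule = rule.strip().lower()
    if "://" in rule:                  # protocol-qualified rule, e.g. an IP address
        r = urlsplit(rule)
        return r.scheme == u.scheme and r.hostname == host
    if rule.startswith("*."):          # any subdomain, never the bare domain
        return host.endswith(rule[1:])
    return host == rule                # bare domain: that exact host only

def decide(url, vendor, custom, custom_list, no_filter_range=False):
    """Return (action, deciding layer). A layer is {"block": [...], "allow": [...]}."""
    layers = [("custom list", custom_list)]        # highest priority, always applied
    if not no_filter_range:                        # categories act only through a filter
        layers += [("custom category", custom), ("vendor category", vendor)]
    for name, layer in layers:
        for action in ("allow", "block"):          # assumption: exception wins in a layer
            if any(rule_matches(r, url) for r in layer.get(action, [])):
                return action, name
    return "allow", "no rule"

# Constructed sample policy; the domain and IP address are the guide's own examples.
VENDOR = {"block": ["hotnsportystuff.com", "*.hotnsportystuff.com"]}
CUSTOM = {"allow": ["*.hotnsportystuff.com"]}      # exception missing its bare-domain rule
CUSTOM_LIST = {"block": ["http://192.168.1.2/"]}   # no https:// companion rule

if __name__ == "__main__":
    for url in ("http://hotnsportystuff.com/", "http://www.hotnsportystuff.com/",
                "http://192.168.1.2/", "https://192.168.1.2/"):
        print(url,
              decide(url, VENDOR, CUSTOM, CUSTOM_LIST),
              decide(url, VENDOR, CUSTOM, CUSTOM_LIST, no_filter_range=True))
```

In the sample, the exception covers only subdomains, so the bare domain stays blocked by the vendor category, and the Custom List block still applies on a range assigned the No Filter filter.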
Filter Management Behind a Firewall
If your school is behind a firewall that performs Network Address Translation (NAT) then using the Filter Override will not work. Filter overrides are done on a per-IP-address basis. Since all web requests for sites using a NAT firewall are seen as coming from a single IP address, an override on any host in your network will result in a filter override for all hosts behind your firewall.
If your firewall supports X-Forwarded-For HTTP headers, however, we can assign you a private address range to use internally, and set up our filter system to make use of these headers. This allows for override functionality.
If your firewall supports this functionality please contact MSLN and we will coordinate to get this functionality set up for your site.
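The following added example (not part of the original guide and not MSLN's implementation) models why a per-IP-address override covers every host behind a NAT firewall and how keying on X-Forwarded-For narrows it to one host. The class OverrideTable, the addresses 203.0.113.10 and 10.20.0.0/24, and the rule that the header is honoured only on requests arriving from the site's registered firewall address are assumptions made for the illustration.

```python
import ipaddress

class OverrideTable:
    """Model of per-IP-address overrides (assumed, not the filter's real code)."""

    def __init__(self, firewall_ip=None, private_net=None):
        self.firewall_ip = firewall_ip             # site's public NAT address
        self.private_net = ipaddress.ip_network(private_net) if private_net else None
        self.expires = {}                          # client key -> expiry, in minutes

    def client_key(self, source_ip, xff=None):
        """Address that an override is tied to for one request."""
        if xff and self.private_net and source_ip == self.firewall_ip:
            # The firewall appends the address it saw, so use the last entry.
            inner = xff.split(",")[-1].strip()
            try:
                if ipaddress.ip_address(inner) in self.private_net:
                    return inner
            except ValueError:
                pass                               # malformed header: fall back
        return source_ip

    def grant(self, key, now, minutes):
        self.expires[key] = now + minutes

    def filtered(self, key, now):
        return now >= self.expires.get(key, 0)

NAT_IP = "203.0.113.10"                            # constructed documentation address

if __name__ == "__main__":
    plain = OverrideTable()                        # NAT, no header support
    staff = plain.client_key(NAT_IP)
    student = plain.client_key(NAT_IP)
    plain.grant(staff, now=0, minutes=15)
    print("NAT only, student filtered at minute 10:", plain.filtered(student, 10))

    xff = OverrideTable(NAT_IP, "10.20.0.0/24")    # assigned private range (constructed)
    staff = xff.client_key(NAT_IP, "10.20.0.5")
    student = xff.client_key(NAT_IP, "10.20.0.6")
    xff.grant(staff, now=0, minutes=15)
    print("With header, student filtered at minute 10:", xff.filtered(student, 10))
```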