Do you still use an on-site filtering appliance?

Sending devices home isn’t anything new; many schools started their journey to 1:1 years ago. But for those of you whose current circumstances have forced you to escalate that initiative, let’s talk about common challenges and important things you should definitely take into consideration.

  • Network Performance
  • Fault Tolerance
  • MITM SSL Decryption
  • Authentication
  • Off-Site Filtering

Network Performance – Anytime the network slows or completely goes down, you’re the first person to hear about it. Ultimately, you want optimal performance with the least number of headaches (and support tickets). So, when choosing a content filter it’s imperative that you select a solution capable of handling whatever device and user count you throw at it. Start by measuring where you’re at today. Great questions to ask are:

  • How much bandwidth am I currently using?
  • Does my UTM or content filter appliance have limitations on how much it’s able to inspect?
  • How long are my maintenance windows? (Does installing new updates require taking the network down?)
  • How many students and devices will be on this same network next year? And the year after that?
  • Are devices going home and do you want to filter them when they leave campus? (more about this later)

Once you have these answered, you’ll want to then consider the following: 

Fault Tolerance – We’ve all been there. It’s your monthly maintenance window and you’re patching/rebooting your servers. It’s been a year since you last updated the firmware on your content filter appliance and your boss really wants that new and exciting feature the sales guy has been talking about. You have a running ping going on one screen and your finger on the button to apply that patch. The ping stops and you anxiously wait for what feels like the longest 2 minutes of your life. Your heart rate slows as you rationalize in your head that, “Maybe it just needs another minute or so…”, but it never comes back.  Which means tomorrow morning is going to be an early one.

Literally writing that brought back nightmares for me, but it’s true.  We live and learn from those experiences. The thing about fault tolerance is that it’s multifaceted and one school’s acceptable fault tolerance is not the same as another’s. So, what should you consider?

  • How long can my network be down before it negatively impacts the learning environment? Is one hour acceptable? One day?
  • Am I comfortable having a single point of failure? “If the content filter goes down, we go down”
  • If we’re proxying traffic back to campus for offsite filtering, what happens if the internet goes down? Or the power?

When it comes to anything you place between your network and the internet, there are many things to be cognizant of. At the end of the day, you’re the only one who knows what your school’s tolerance is. And it’s you that has to tell teachers that an RMA on that appliance is 1 to 2 business days.

MITM SSL Decryption – It goes without saying that MITM SSL Decryption is a very process-intensive task. In some cases, it can even affect overall network performance. “Remember that time you accidentally added a CDN to your decryption list?” Yeah. 

What’s worse is when you reach the limit of what your current hardware can handle and you have to pick and choose which domains go into your MITM list. Or even worse than that, you have MITM completely turned off!

If you’re looking to effectively report, filter, or perform many student safety functions in 2020, you’ll need to inspect the HTTPS traffic. Questions you’ll want to ask yourself are:

  • What level of visibility do your school and stakeholders need to achieve?
  • Does your student safety team need insight on the services you provide to your students?
  • How granular do you need to be able to filter a site or domain? (Do you want to block a specific page on a domain?)

Authentication – Now that you have your content filter narrowed down, deciding how you want to handle authentication is next. Chances are, your users already have some form of network identification whether it’s from a domain controller, Google, Azure, or a mix. This is extremely important to get right because it affects your users’ experience each and every day. So what should you keep in mind, especially when comparing an appliance with a cloud solution?

  • Does your appliance require Active Directory? If so, that’s yet another on-prem server the school needs to maintain uptime for.
  • Are there options for persons who don’t have credentials, such as Guests or BYOD?
  • How will authentication work when offsite?
  • Are there single sign-on options available? How can this be made easy for those too young to authenticate to a device?

All of the above components directly relate to this one final point. 

Off-Site Filtering – With your school needing to send these 1:1 devices home, how do you plan on ensuring those students have a safe internet experience no matter where they’re at? You’re going to need a solution. Almost every content filter available offers an off-site filtering experience, but what makes them different? A lot actually. The questions you should be asking are:

  • Do users need to have a different policy when not on campus?
  • Should staff or other groups of users be filtered at all? How does that turn on and off?
  • Do parents want some level of at-home control? Reporting?
  • Can my on-premises appliance handle the volume of traffic coming from off-site?
  • What happens if my appliance goes down? Do my devices fail-open? Or fail-closed?

There’s really so much that goes into a thorough due diligence of a content filter for your school and only you will know if one solution is a better fit than another for your use case. But with Securly it’s simple:

  • 100% cloud – Hosted and distributed throughout multiple Amazon AWS Clusters
  • Ultimate scalability – Responds immediately to increased demand.
  • MITM done right – Out of the box, turnkey SSL Decryption.
  • Deployed in minutes 
  • Fault-tolerant – No single point of failure and no reliance on on-prem services
  • Authentication is a breeze – User Injection and SSO options for zero-touch authentication
