Hi Rob,

We've recently reviewed our firewall and filtering here and I looked again at enabling SSL decrypt, and talked to a few other network managers from other educational establishments about that specifically when they were kind enough to let me visit them to see their filtering solution in action. We ended up renewing our current platform (Sonicwall) and adding improved reporting (Fastvue), but we decided not to enable SSL decryption / inspection.


We don't use it here and I made the choice not to enable it this time round, partially because of issues with trust on BYOD devices and also because more and more sites are doing end-to-end checks of their certificate chain to detect MitM attacks, which is essentially what we're doing if we enable SSL interception on the firewall. If your exclusion list for sites that can't work with your SSL decrypt solution starts to closely resemble the top 100 list of sites your users visit, then I feel that the usefulness of SSL decryption is questionable. I know that not everyone will agree with that of course, but it's my current thinking. We're also part of eduroam, and I don't think that running SSL intercept schemes at all, let alone one that will give device errors, is compatible with the aims of eduroam.


We filter sites by URL rather more than by content, which again is a judgement call, using our filtering service (Sonicwall's advanced v4 filter fwiw, which looks at the content itself). It's going to be interesting to see where we are in 5 years' time, as I can only see the use of SSL on the Internet increasing, and if we get a hard requirement to capture and analyse traffic content when that becomes impossible or at least unreliable, then I don't know where we go next. My current feelings are that if we work within the guidelines of KCSIE (which even with the guidelines at the UK Safer Internet site doesn't mandate 100% content inspection) and we're aware of the risks, then we're ok.


Interestingly enough, one of the sites I visited during my assessment of other schools' and colleges' filtering locally was a private school that had the independent schools inspection inspectors in during my visit, and apparently they made a point about overly restrictive filtering driving students onto 3g/4g too, so this is perhaps something that inspectors are thinking about in general?


Kind Regards,

Rob


Robert Moir, MBCS.

IT Infrastructure Manager

Luton Sixth Form College


t: 01582 432518, f: 01582 877501, e: [log in to unmask]


From: Jisc RSC-Eastern Technical [mailto:[log in to unmask]] On Behalf Of Rob Petto
Sent: 17 January 2017 09:52
To: [log in to unmask]
Subject: Web filtering and BYOD


All,


Wondering if you can give me some assistance…


Here at CWA we currently use SSL decrypt and inspect functionality on our internet filtering. This allows the content of secure websites to be content filtered as well as the normal insecure websites and we know this is robust.


The problem that we have is that for BYOD devices, users receive certificate warnings on their devices when browsing to secure websites unless they download and install a trusted root certificate for the web filter. We’ve looked at a few approaches to make this as simple as possible including MDM but all of these still seem to be a step too far for our students, particularly the lower level students and this is proving a real blocker to BYOD.


So, the big question is how do other colleges handle this situation?  Do you use SSL decrypt and inspect on your BYOD networks, and if so, how do you handle the certificate deployment to BYOD users?  Or do you choose not to filter the content of secure websites?


We also have quite a heavy-handed approach to filtering of content, both on college devices and BYOD (assuming they manage to connect!). I'd be interested in how others handle this. It does cause us a number of issues due to the range of our provision and the sensitivity of our filter. We were subject to a discreet Ofsted visit in relation to Prevent around a year ago (one day, not a real Ofsted) when they were trying to frame how they would inspect Prevent, and one of the inspector's comments was 'why do you block so much when they all have 3g/4g phones in their pockets and internet access at home'.


I’m considering loosening the reins a little, but would appreciate if anyone would share (email me direct if you would prefer) your approach to this.


Thanks in advance…


Robert Petto

Head of Funding and Exams

College of West Anglia

01553 815383 ext 2383

cwa.ac.uk

*************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error you must take no action based on them - nor must you copy or show them to anyone. Please notify the College of West Anglia via email to [log in to unmask].

This email contains the views of the sender and may not be representative of the views of The College of West Anglia.

This footnote confirms this email has been scanned by Microsoft Exchange Online Protection for SPAM and MalWare.

*************************************************************
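Added example, not part of either message above and not code from SonicWall, Fastvue or either college. It ties together the two technical points in the thread: Rob Petto's certificate warnings on BYOD devices that lack the filter's root CA, and Rob Moir's point that sites and apps which check their own certificate chain (pinning) break under interception even when the root is installed. The script, from the client side, classifies a handshake as direct, intercepted or untrusted, and shows why a pinned leaf never matches a forged one. The issuer name INTERCEPT_ISSUER_CN, the two sample certificate dicts and the sample DER bytes are constructed for the example; the real filter's CA name is whatever is in the root certificate you hand out. It uses only the Python standard library.

```python
"""Tell a direct TLS connection from an intercepted one, from the client side.

Added example for this thread, not code from either college, SonicWall or
Fastvue.  Python 3.7+ standard library only.
"""
import hashlib
import socket
import ssl
import sys

# Assumption (hypothetical value): the commonName the filter's root CA puts in
# the issuer field of the leaf certificates it forges.  Take the real value
# from the root certificate distributed to managed devices.
INTERCEPT_ISSUER_CN = "Example College Firewall DPI-SSL CA"


def issuer_common_name(cert: dict) -> str:
    """Extract the issuer CN from the dict ssl.SSLSocket.getpeercert() returns.

    'issuer' is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
    """
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return ""


def classify(cert: dict, handshake_ok: bool,
             intercept_cn: str = INTERCEPT_ISSUER_CN) -> str:
    """Map one handshake outcome onto the three states the thread discusses.

    'untrusted'   - verification failed: the warning BYOD users see when the
                    filter's root CA is not installed on the device
    'intercepted' - verified, but the leaf was issued by the filter's CA, so
                    the root is installed and the filter sits in the path
    'direct'      - verified and issued by a public CA: no interception
    """
    if not handshake_ok:
        return "untrusted"
    if issuer_common_name(cert) == intercept_cn:
        return "intercepted"
    return "direct"


def pin_matches(leaf_der: bytes, pinned_sha256_hex: str) -> bool:
    """Certificate pinning as an app does it: hash the presented leaf and compare
    with the value compiled into the app.  A leaf forged by the filter never
    matches, whether or not its root CA is trusted, which is why installing the
    root fixes browsers but not pinned apps.  (Public-key pinning hashes the
    SubjectPublicKeyInfo instead; that needs a DER parser and is not shown.)
    """
    return hashlib.sha256(leaf_der).hexdigest() == pinned_sha256_hex.lower()


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live check against a real host (needs network).

    Returns (classification, issuer CN, leaf certificate as DER bytes).
    """
    ctx = ssl.create_default_context()   # OS trust store, hostname checked
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                leaf_der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError:
        return classify({}, False), "", b""
    return classify(cert, True), issuer_common_name(cert), leaf_der


# Constructed sample data in the shape getpeercert() produces, so the
# classification can be exercised offline.  Neither certificate is real.
FORGED_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example College"),),
               (("commonName", INTERCEPT_ISSUER_CN),)),
}
PUBLIC_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA Ltd"),),
               (("commonName", "Example Public CA R3"),)),
}
SAMPLE_LEAF_DER = b"constructed-der-bytes-of-the-genuine-leaf"   # not real DER
SAMPLE_PIN = hashlib.sha256(SAMPLE_LEAF_DER).hexdigest()


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    print("forged leaf, root installed :", classify(FORGED_LEAF, True))
    print("public leaf                 :", classify(PUBLIC_LEAF, True))
    print("root not installed          :", classify({}, False))
    print("pin vs genuine leaf         :", pin_matches(SAMPLE_LEAF_DER, SAMPLE_PIN))
    print("pin vs forged leaf          :", pin_matches(b"forged", SAMPLE_PIN))
    # Live probe of hosts named on the command line, e.g. run from a BYOD
    # laptop on the college Wi-Fi:  python3 tls_probe.py www.example.com
    for host in sys.argv[1:]:
        verdict, issuer, _ = probe(host)
        print(f"{host}: {verdict} (issuer CN: {issuer or 'n/a'})")
```

Run it with a hostname from a device on the filtered network and from the same device on 3g/4g: on the college network a device without the root installed gets "untrusted" (the browser warning), one with it installed gets "intercepted", and off-network it gets "direct". The pin check returns False for the forged leaf in both of the first two cases, which is the behaviour that forces the exclusion list to grow.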