topic Re: Force Safe Search without SSL decryption in General Topics

Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 16:32:54 GMT

We are a K-12 school district. SSL decryption is not in the cards, at least for the time being. From what I read, enabling safe search enforcement in URL filtering profile will not work properly without having implemented SSL decryption

If that's correct, is a DNS proxy the way to go, as described here:

https://support.google.com/websearch/answer/186669?hl=en

Thanks

Re: Force Safe Search without SSL decryption

acc6d0b3610eec313831f7900fdbd235 — Mon, 12 Jun 2017 17:16:14 GMT

@LucaMarchiori

Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-features/url-filtering-safe-search-enforcement

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/safe-search-enforcement.html

https://researchcenter.paloaltonetworks.com/2015/01/firewall-pro-tip-enforce-safe-search-without-blocking-search-results/

I don't think DNS Proxy will resolve this challenge for you, at least not based on my own experience.

I hope this helps.

Re: Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 18:30:30 GMT

Hi Willian,

I might be wrong, but I don't see us implementing SSL decryption anytime soon, due to a number of factors. Could you please elaborate a little, when you say that in your experience DNS-Proxy route is not going to resolve this?

We are not looking for a fool-proof solution at this time, more like at having something in place, rather than nothing.

Did you find user were able to circumvent this easily, or it just plain didn't work?

Thanks,

Luca

Re: Force Safe Search without SSL decryption

Brandon_Wertz — Mon, 12 Jun 2017 21:26:30 GMT

What are you trying to protect from in your K-12 network?

Re: Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 21:38:58 GMT

In short, we are trying to avoid kids getting inappropriate results from google search. This was sparked from one complaint at an elementary site, even though we are blocking adult categories with URL filtering.

In my mind this is about enforcing a browser setting, and as such should be handled on the device side (GPO, MDM, etc). Nevertheless, I've being asked if anything could be accomplished with our PA firewall.

Re: Force Safe Search without SSL decryption

Brandon_Wertz — Mon, 12 Jun 2017 21:50:01 GMT

So..."Content Filtering" should be able to get you what you need (URL Profiles.) However I thought I heard not doing SSL decryption you can bypass that filtering control by using Google's translation services.

Let me do some searching real quick.

Re: Force Safe Search without SSL decryption

Brandon_Wertz — Mon, 12 Jun 2017 21:52:47 GMT

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Block-Alert-Category-of-a-Website-that-is-Embedded-in-a/ta-p/62409

Re: Force Safe Search without SSL decryption

jvalentine — Mon, 12 Jun 2017 22:10:15 GMT

Yes, if you're unable to use SSL decryption in order to enforce safe-search and if you don't have an endpoint-specific solution (GPO/MDM), then I would recommend leveraging google's DNS-based safe-search configuration as you posted in your original question.

Re: Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 22:14:53 GMT

We are already doing URL filtering for the usual inappropriate categories. Somehow this kid managed to get explicit pics on the browser, supposedly by using search function. Unfortunately this was reported as an anecdote, without any technical details. I took at face value.

If I click on the link you provided I get:

An invalid set of parameters has been specified in the url.

Return to my original page

Re: Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 22:17:28 GMT

Hi,

So, the DNS Proxy solution should be working OK? I'm going to setup a test site, and see what I come up with.

Re: Force Safe Search without SSL decryption

Brandon_Wertz — Mon, 12 Jun 2017 22:20:04 GMT

sorry it had an extra space https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Block-Alert-Category-of-a-Website-that-is-Embedded-in-a/ta-p/62409

Re: Force Safe Search without SSL decryption

jvalentine — Mon, 12 Jun 2017 22:23:12 GMT

It's a good first step. The DNS-based solution should enforce "safe search" - meaning Google will be providing filtered search results.

This would address the case where your student searched for inappropriate content via the google search engine and google was the one displaying the inappropriate content.

Students are resourceful, though - so there will be additional steps that you need to take, such as blocking access to proxy websites, blocking VPN applications, etc.

Re: Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 22:25:25 GMT

Thanks for fixing it. Yes, we already have security profiles in place. Mind you this is the first report of this nature that I've seen in a couple of years, so I'd say this is not a common occurrence.

Re: Force Safe Search without SSL decryption

gwesson — Mon, 12 Jun 2017 22:28:59 GMT

Blocking outbound DNS from students would also need to be blocked, or else they'll just point their DNS queries to an external resolver.

Without SSL decryption though, you'll be chasing this a lot. A student forced to use google safe search may decide Bing is just fine for them (or DuckDuckGo, or Yandex, or... etc.). Longer term I'd recommend looking into the decryption end. You'll get a lot better enforcement if you can trigger on every request rather than just the requests in clear text.

Re: Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 22:32:27 GMT

Yes, they are resourceful, you have to admire that. We're not seeing much in terms of VPNs at elementary sites. It's a different story at secondary ones. 🙂 Might just start another thread on how you guys manage to stop all VPNs, when PA only detects unknown-tcp, unknown-udp, or ipsec-esp-udp traffic...

Re: Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 22:34:36 GMT

Couldn't one block the "search" category though, and allow google as an exception?

I agree this is not the ideal way to control this. We are not looking for ideal, at this point.

Re: Force Safe Search without SSL decryption

LucaMarchiori — Mon, 12 Jun 2017 22:38:33 GMT

Personally I wonder about the extra load imposed by SSL decryption, at least on our PA-500 devices (with memory upgrade). They are already soo slow, I'd hate to see them becoming even slower, if that is possible.

Re: Force Safe Search without SSL decryption

gwesson — Mon, 12 Jun 2017 22:38:31 GMT

> Couldn't one block the "search" category though, and allow google as an exception?

Probably not, because like Google the services are much more than just search. You could cover many examples, but someone logged into live.com to view their hotmail account would likely be able to do a bing search from inside their email. The user isn't on a search site, and they didn't make a new connection to bing.

I'd say start with the DNS method you linked in the first post on this thread, and push for decryption as a more full solution later.

Cheers

Re: Force Safe Search without SSL decryption

DarinSutton — Mon, 12 Jun 2017 22:40:10 GMT

so technically SSL decryption is not required to turn on SAFE SEARCH

that being said if the browser returns search results(most do) inside ssl then yes you need a decryption policy

otherwise you can enable safe search directly on the PC....GPO

meanwhile there are some PAN alternatives

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/safe-search-enforcement.html

another thing Ive done for K-12 is blacklist everything and then only whitelist approved sites

if google search is approved then you need to find a control for that site

Re: Force Safe Search without SSL decryption

LucaMarchiori — Tue, 13 Jun 2017 21:34:55 GMT

I've setup a DNS Proxy at one of the primary sites. I created a bunch of static entries for google.ca, *.google.ca, etc pointing to 216.239.38.120. As interface I assigned the proxy to the LAN interface.

If I test on a windows client, after running ipconfig /flushdns, client still gets an answer from one of our internal DNS server (at the DC), not from the local PA proxy.

show dns-proxy statistics all confirmed that the proxy received zero requests. I think I'm missing something else. Do I need to setup a proxy rule? I thought only a DNS proxy and some static entries were needed for this to work.