Safe Search Enforcement in K-12

Created On 09/25/18 18:59 PM - Last Modified 03/08/24 21:51 PM


Resolution


Table of Contents

 

  1. Controlling Search Engine Access
    1. Defining Sanctioned Search Engines
      1. Block the Predefined Search-Engines Category
      2. Add the Custom URL Category to the URL Filtering Profile
  2. Enforcing Search Engine Safety
    1. Option #1 – Safe Search Enforcement via the Firewall
      1. Enable Safe Search Enforcement
    2. Option #2 – Safe Search Enforcement via DNS
      1. Local DNS Server Configuration
      2. DNS Security Policy Rule-set
  3. Enforcement via the Firewall and DNS – A Real-world Example
    1. Requirements
    2. Configuration Steps

 

 

 

Introduction

 

The Children’s Internet Protection Act (CIPA) is a federal law enacted by the United States Congress in December 2000 to address concerns about access in schools and libraries to the internet and other information. The complete list of requirements that schools and libraries must meet in order to be CIPA compliant is defined at www.fcc.gov. Specific to content filtering, schools and libraries subject to CIPA cannot receive the discounts offered by the “E-Rate” program (discounts that make access to the internet affordable to schools and libraries) unless they certify that they have certain internet safety measures in place. These include measures to block or filter pictures that: (a) are obscene, (b) contain child pornography, or (c) when computers with internet access are used by minors, are harmful to minors.

 

Because the vast majority of search engines can serve content encrypted over SSL, enforcing CIPA compliance is a challenge for network/security administrators. Fortunately, Palo Alto Networks offers multiple recommendations to enforce search engine safety. This document covers each recommendation in detail, along with its caveats, and highlights the recommended process for enabling this capability.

 

1 – Controlling Search Engine Access

 

Prerequisites

 

This article assumes that your Palo Alto Networks firewall has a valid PAN-DB URL Filtering license, and a URL Filtering Profile is already applied to your current security policy rule-set.

 

Defining Sanctioned Search Engines

 

As a first step to ensuring search engine safety, allowing all URLs that match the predefined search-engines category should be avoided. This is due to the fact that not all search engines can be adequately controlled. It is recommended that a list of sanctioned search engines be defined by the organization and controlled via custom URL categories. This limits the end user’s ability to search for content in an evasive manner and provides a more manageable solution for administrators. At the time of this writing, the following search engines are supported by Palo Alto Networks for enhanced safe search functionality:

 

  • Bing
  • Google
  • Yahoo

 

For additional information on each search engine mentioned above, please review the technical documentation for your associated PAN-OS version.

 

 

 

Block the Predefined Search-Engines Category

 

  1. Navigate to Objects -> Security Profiles -> URL Filtering
  2. Create or edit an existing profile, and set the search-engines category to block

     

  3. Click OK

 

Create a Custom URL Category

 

  1. Navigate to Objects -> Custom Objects -> URL Category -> Add
  2. Create a Custom URL Category for each sanctioned search engine
    • Administrators can enter multiple ccTLD country sub-domains (e.g. google.es) based on organizational requirements, but this example specifies .com only

        

  3. Click OK
    • For additional details on custom URLs and wildcard entries, see the technical documentation for your current OS version.
 

 

Add the Custom URL Category to the URL Filtering Profile

 

  1. Navigate to Objects -> Security Profiles -> URL Filtering
  2. Edit the existing profile where the predefined search-engines category was set to block in the previous step
  3. Set the custom sanctioned search engine URL categories to alert
  4. Click OK
  5. Commit the configuration
 

 

2 – Enforcing Search Engine Safety

 

Prerequisites

 

This article assumes that your Palo Alto Networks firewall has a valid PAN-DB URL Filtering license, and a URL Filtering Profile containing the custom URL configuration from 1 – Controlling Search Engine Access is applied to your security policy rule-set. This article also assumes that PKI is already in place and the appropriate SSL certificates are deployed to firewalls and end user machines. If you are unable to deploy certificates to end user machines, see Option #2 below.

 

Option #1 – Safe Search Enforcement via the Firewall

 

Enforcing the strictest search settings via the firewall requires that all sessions are decrypted, providing the benefits of alerts, reporting, additional visibility into user activity, content, threats, file types, etc. However, with the requirement to decrypt comes certain caveats around controlling sanctioned search engines of which administrators should be aware. For example:

 

  • Google’s Quick Search capability does not function in certain cases
  • Google’s Ok Google capability does not function in certain cases
  • Google’s Chrome browser uses a proprietary encryption protocol, called Quic, which must be disabled in order to decrypt traffic
  • Bing does not adhere to the SSL standard; thus, the recommendation is to block the Bing application over SSL
    • If any of these are issues in your organization, see Option #2 or Option #3

 

Enable Safe Search Enforcement

 

  1. Navigate to Policies -> Security -> Add, and create a security rule that blocks the Quic application, as this will force Google Chrome to revert to standard SSL and subsequently permit decryption
  2. Navigate to Objects -> Security Profiles -> URL Filtering -> edit the URL Filtering Profile -> URL Filtering Settings -> enable Safe Search Enforcement

     

  3. Click OK
  4. Navigate to Policies -> Decryption -> Add, and create a decryption rule that decrypts traffic that matches the custom sanctioned search engine URL categories created in 1 – Controlling Search Engine Access

     

  5. Navigate to Device -> Response Pages -> URL Filtering Safe Search Block Page
    1. If the predefined (default) response page is not modified and the configuration is committed, users will be presented with a block page when attempting to perform searches without having the strictest settings in the search engine settings enabled
    2. Palo Alto Networks also supports transparent enforcement of searches via a script that can be added to the response page, thus allowing enforcement without any end user interaction
      1. Navigate to Device -> Response Pages -> URL Filtering Safe Search Block Page -> Export the Predefined response page
      2. Navigate to the transparent safe search section of the technical documentation for your PAN-OS version and copy the transparent safe search script
      3. Open the downloaded predefined response page in a text editor and replace the content with the transparent safe search script
      4. Navigate to Device -> Response Pages -> URL Filtering Safe Search Block Page -> Import the edited response page
    3. Transparent enforcement is typically the preferred option because it does not require any action on the end user’s part
    4. For more information, see the PAN-OS technical documentation for your current software version
  6. Commit the configuration

 

 

 

Option #2 – Safe Search Enforcement via DNS

 

Enforcing the strictest search settings via DNS leverages CNAME entries on local DNS servers in conjunction with a security policy rule-set on the firewall to tightly control DNS traffic. This also means that SSL decryption is NOT required, which could be advantageous for organizations that are unable to install certificates on end user machines. However, there are specific caveats to this option. For example:

 

  • Yahoo does not offer a CNAME option, thus Option #1 is required for organizations that require Yahoo as a sanctioned search engine
  • Not decrypting traffic means that administrators will NOT have the benefits of alerts, reporting, additional visibility into user activity, content, threats, file types, etc. for search engine traffic

 

Local DNS Server Configuration

 

  1. Consult your DNS server documentation for details on how to create CNAME entries
    1. Here is an example for Windows
    2. Here is an example for Bind
  2. Consult each search engine provider’s documentation for CNAME requirements
    1. Google – See Lock SafeSearch by making changes to your router (advanced)
    2. Bing – See Map at a network level

 

DNS Security Policy Rule-set

 

  1. Navigate to Policies -> Security -> Add, and create a security policy rule-set allowing DNS queries from local DNS servers out to the internet, and queries from internal hosts to local DNS servers
    1. Create a rule allowing DNS traffic from internal hosts to local DNS servers
      1. If the servers and internal hosts are in the same zone, then a rule may not be required
    2. Create a rule allowing DNS traffic from local DNS servers out to the internet
    3. Create a rule denying all other DNS traffic

        

  2. Commit the configuration
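
A resolver check for the DNS method above, added here as an example and not part of the original article or of Palo Alto Networks tooling: it confirms that the resolver a client actually uses answers for Google and Bing with the safe-search addresses. The hostnames forcesafesearch.google.com and strict.bing.com are the safe-search names published by the providers (confirm them in the provider documentation referenced above); check_mapping, system_resolve and the sample answers are names and data constructed for this example.

```python
import socket

# Safe-search hostnames as published by Google and Bing (assumption: confirm
# them against the provider documentation referenced in the steps above).
SAFE_TARGETS = {
    "www.google.com": "forcesafesearch.google.com",
    "www.bing.com": "strict.bing.com",
}

def system_resolve(name):
    """Return the addresses the host's configured resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_mapping(resolve=system_resolve, targets=SAFE_TARGETS):
    """Compare each search hostname with its safe-search target.

    Status per hostname:
      enforced     - every address for the hostname belongs to the safe target
      not-enforced - at least one address is outside the safe target's set
      unresolved   - the hostname or its target returned no addresses
    """
    report = {}
    for host, safe in targets.items():
        host_ips, safe_ips = resolve(host), resolve(safe)
        if not host_ips or not safe_ips:
            report[host] = "unresolved"
        elif host_ips <= safe_ips:
            report[host] = "enforced"
        else:
            report[host] = "not-enforced"
    return report

# Constructed sample answers (documentation address ranges) standing in for a
# resolver where the Google CNAME exists and the Bing CNAME is missing.
SAMPLE_ANSWERS = {
    "www.google.com": {"192.0.2.10"},
    "forcesafesearch.google.com": {"192.0.2.10"},
    "www.bing.com": {"198.51.100.7", "198.51.100.8"},
    "strict.bing.com": {"203.0.113.5"},
}

def sample_resolve(name):
    return SAMPLE_ANSWERS.get(name, set())

if __name__ == "__main__":
    # Run on a client in the internal zone so the local DNS servers are used.
    for host, status in check_mapping().items():
        print(f"{host}: {status}")
```

Run it from an end user machine after the commit; a "not-enforced" result means that client's queries are not being answered from the CNAME entries on the local DNS servers.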

 

 

 

3 – Enforcement via the Firewall and DNS – A Real-world Example

 

As there are caveats for both Option #1 and Option #2 in the previous section, it may be necessary to leverage a combination of both methods based on organizational needs to provide the best enforcement while also providing the most flexibility to end users. The following example was taken from a real-world customer scenario. The following represents a list of their requirements and the subsequent configuration necessary to meet those requirements. Again, the following sections assume that PKI is already in place and the appropriate SSL certificates are deployed to firewalls and end user machines.

 

Requirements

 

  • The sanctioned search engine list should be limited to US ccTLDs, and include the following:
    • Bing
    • Google
    • Yahoo
  • Reporting/alerting on key words is not a requirement, assuming that explicit searches are prevented in the first place
  • Inspection of search engine content for threats is not a requirement, assuming the primary goal is to be CIPA compliant
  • All Google functionality (i.e. Quick Search, Ok Google) must work without issue

 

 

 

Configuration Steps

 

  1. Navigate to Objects -> Security Profiles -> URL Filtering
  2. Create or edit an existing profile, and set the search-engines category to block
  3. Click OK
  4. Navigate to Objects -> Custom Objects -> URL Category -> Add
  5. Create a Custom URL Category for each sanctioned search engine
  6. Click OK
  7. Navigate to Objects -> Security Profiles -> URL Filtering
  8. Edit the existing profile where the predefined search-engines category was set to block in step 2
  9. Set the custom sanctioned search engine URL categories to alert
  10. Within the profile, navigate to URL Filtering Settings -> enable Safe Search Enforcement
  11. Click OK
  12. Create CNAME entries for Bing and Google based on your DNS server documentation.
    1. Google – See Lock SafeSearch by making changes to your router (advanced)
    2. Bing – See Map at a network level
  13. Navigate to Policies -> Security -> Add, and create a security rule that blocks the Quic application
  14. Navigate to Policies -> Security -> Add, and create a security policy rule-set allowing DNS queries from local DNS servers out to the Internet, and queries from internal hosts to local DNS servers
      1. Create a rule allowing DNS traffic from internal hosts to local DNS servers
        1. If the servers and internal hosts are in the same zone, then a rule may not be required
      2. Create a rule allowing DNS traffic from local DNS servers out to the internet
      3. Create a rule denying all other DNS traffic

         

     

  15. Navigate to Policies -> Decryption -> Add, and create a decryption rule that decrypts traffic that matches the Yahoo custom sanctioned search engine URL category created in step 5
    1. Note – We are only decrypting Yahoo traffic because we will be leveraging the DNS method for Bing and Google

        

  16. Navigate to Device -> Response Pages -> URL Filtering Safe Search Block Page -> Export the Predefined response page
  17. Navigate to the transparent safe search section of the technical documentation for your PAN-OS version and copy the transparent safe search script
  18. Open the downloaded predefined response page in a text editor and replace the content with the transparent safe search script
  19. Navigate to Device -> Response Pages -> URL Filtering Safe Search Block Page -> Import the edited response page
  20. Commit the configuration

 

Appendix

 

DNS Proxy

 

In some environments (i.e. public cloud), it may be required to leverage public DNS. The Palo Alto Networks DNS Proxy feature allows administrators to create static entries for certain requirements, like the DNS CNAME method for Safe Search enforcement.

 

Sample Configuration

 

  1. Navigate to Objects -> Addresses -> Add, and create an object for each DNS server
  2. Navigate to Objects -> Addresses -> Add, and create an object for each trusted network gateway
    1. For example, if your internal Trust-L3 network is 10.234.234.0/24, and the gateway (firewall) is 10.234.234.1/32, then you would want to create an object referencing the gateway address

        

  3. Navigate to Objects -> Address Groups -> Add, create an object, and add each DNS server address object
  4. Navigate to Policies -> Security -> Add, and create a security policy rule-set allowing DNS queries from the Trust-L3 network gateway (firewall) to the public DNS servers previously defined
    1. Create a rule allowing DNS traffic from the gateway of internal hosts (firewall) to public DNS servers
    2. Create a rule denying all other DNS traffic

       

  5. Ensure that the DNS server IP for all clients on the Trust-L3 network is the IP address of the firewall (10.234.234.1 in the example above)
  6. Navigate to Network -> DNS Proxy -> Add, and create a new DNS Proxy profile, enable it, and reference the interface of the Trust-L3 zone and the public DNS servers

     

  7. Within the profile, navigate to Static Entries, and add static entries for sanctioned search engines
    1. Perform an NSLOOKUP for the safe search FQDNs in question
  8. Commit the configuration
 

 

YouTube

 

As YouTube is owned by Google, it offers the same methods of safe search enforcement, with the following caveats:

 

  • Transparent Safe Search Enforcement is not currently supported on the firewall. This means that if the firewall is leveraged to enforce searches, users will be presented with a response page and have to manually change the settings prior to performing a search.
  • The DNS CNAME method is supported. However, some organizations consider what is filtered as a result of this method to be too restrictive, even though YouTube offers both youtube.com and restrictmoderate.youtube.com options.

 

Sample Configuration

 

DNS Method

 

  1. Consult your DNS server documentation for details on how to create CNAME entries
  2. Consult the YouTube documentation for CNAME requirements – See Option 1: DNS
  3. Navigate to Policies -> Security -> Add, and create a security policy rule-set allowing DNS queries from local DNS servers out to the internet, and queries from internal hosts to local DNS servers
    1. Create a rule allowing DNS traffic from internal hosts to local DNS servers
      1. If the servers and internal hosts are in the same zone, then a rule may not be required
    2. Create a rule allowing DNS traffic from local DNS servers out to the internet
    3. Create a rule denying all other DNS traffic

        

  4. Commit the configuration

 

Firewall Method

 

  1. Navigate to Objects -> Custom Objects -> URL Category -> Add
  2. Create a Custom URL Category for YouTube

     

  3. Click OK
  4. Navigate to Objects -> Security Profiles -> URL Filtering -> edit the existing profile in use in the organization -> URL Filtering Settings -> enable Safe Search Enforcement

     

  5. Click OK
  6. Navigate to Policies -> Security -> Add, and create a security rule that blocks the Quic application
  7. Navigate to Policies -> Decryption -> Add, and create a decryption rule that decrypts traffic that matches the custom YouTube URL category created in step 2

     

  8. Navigate to Device -> Response Pages -> URL Filtering Safe Search Block Page
    1. Either the predefined or transparent response page can be used; the result will be the same (a response page requiring manual changes on the end user’s part)
  9. Commit the configuration 

SSL Decryption

 

It is highly recommended to build and leverage a PKI when deploying SSL certificates to be used for decryption. However, Palo Alto Networks gives administrators the ability to create self-signed certificates, which can be used for initial testing.

 

Sample Configuration

 

  1. Navigate to Device -> Certificate Management -> Certificates -> Generate, to create a certificate
    1. Enter a Certificate Name
    2. Enter the management IP address of the firewall for the Common Name
    3. Check the Certificate Authority checkbox

       

  2. Click Generate
  3. From the Device -> Certificate Management -> Certificates page, click on the certificate that was just generated
    1. Check the Forward Trust Certificate, Forward Untrust Certificate, and Trusted Root CA checkboxes
  4. Click OK
  5. The certificate can now be exported via the Export option from the Device -> Certificate Management -> Certificates page, and imported into test devices

