06-12-2017 09:32 AM
We are a K-12 school district. SSL decryption is not in the cards, at least for the time being. From what I read, enabling safe search enforcement in URL filtering profile will not work properly without having implemented SSL decryption
If that's correct, is a DNS proxy the way to go, as described here:
https://support.google.com/websearch/answer/186669?hl=en
Thanks
06-14-2017 02:22 PM
If possible, you should make those changes on your internal DNS server - so that any requests for those domains get pointed to the safe-search IP address.
Your other option(s) are: point your internal DNS servers to use the firewall's DNS proxy address as their upstream DNS server, and/or point your clients' DNS entries directly at the firewall's DNS proxy address.
The reason there aren't any hits to the DNS proxy is that nobody (internal DNS and/or client/endpoint) is pointed at the DNS proxy for DNS resolution.
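As an added example (not code from this thread or from Palo Alto Networks), here is the static-override logic an internal resolver applies for the DNS-based approach: queries for the search front ends are answered with a CNAME to the vendor's safe-search host, while every other subdomain (mail, docs, and so on) resolves normally. The Google target is the one documented at the link in the original question; strict.bing.com is Bing's documented equivalent and is included because Bing comes up later in the thread. The regex and the zone-record rendering are this example's own assumptions.

```python
"""Static safe-search overrides for an internal resolver (illustrative example)."""
import re

# Publicly documented safe-search CNAME targets (not taken from this thread).
SAFE_SEARCH_CNAMES = {
    "google": "forcesafesearch.google.com.",
    "bing": "strict.bing.com.",
}

# Matches www.google.com, www.google.de, www.google.co.uk, www.google.com.au, ...
# Only the www front end is pinned; apex and other subdomains are left alone so
# a CNAME never lands on a zone apex or breaks unrelated Google services.
_GOOGLE_RE = re.compile(r"^www\.google\.(com|[a-z]{2}|com?\.[a-z]{2})$")
_BING_RE = re.compile(r"^www\.bing\.com$")


def safe_search_target(qname: str):
    """Return the CNAME the internal resolver should answer with for qname,
    or None when the name is not a search front end we want to pin."""
    name = qname.strip().lower().rstrip(".")
    if _GOOGLE_RE.match(name):
        return SAFE_SEARCH_CNAMES["google"]
    if _BING_RE.match(name):
        return SAFE_SEARCH_CNAMES["bing"]
    return None


def zone_records(names):
    """Render BIND-style CNAME records for the names that need an override.
    Each is meant to live in its own one-record zone (e.g. a zone for
    www.google.com) so the rest of google.com still resolves through the
    normal upstream path."""
    records = []
    for n in names:
        target = safe_search_target(n)
        if target:
            records.append(f"{n.strip().lower().rstrip('.')}.\tIN\tCNAME\t{target}")
    return records


if __name__ == "__main__":
    for rec in zone_records(["www.google.com", "www.google.co.uk",
                             "mail.google.com", "www.bing.com"]):
        print(rec)
```

Whichever resolver ends up doing this (the internal DNS server, or the firewall's DNS proxy acting as upstream for it), the clients only get the override if their resolver chain actually passes through it, which is the point made in the reply above.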
06-12-2017 10:16 AM
Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
I don't think DNS Proxy will resolve this challenge for you, at least not based on my own experience.
I hope this helps.
06-12-2017 11:30 AM
Hi Willian,
I might be wrong, but I don't see us implementing SSL decryption anytime soon, due to a number of factors. Could you please elaborate a little, when you say that in your experience DNS-Proxy route is not going to resolve this?
We are not looking for a fool-proof solution at this time, more like at having something in place, rather than nothing.
Did you find user were able to circumvent this easily, or it just plain didn't work?
Thanks,
Luca
06-12-2017 02:26 PM
What are you trying to protect from in your K-12 network?
06-12-2017 02:38 PM
In short, we are trying to avoid kids getting inappropriate results from google search. This was sparked from one complaint at an elementary site, even though we are blocking adult categories with URL filtering.
In my mind this is about enforcing a browser setting, and as such should be handled on the device side (GPO, MDM, etc). Nevertheless, I've been asked if anything could be accomplished with our PA firewall.
06-12-2017 02:50 PM
So..."Content Filtering" should be able to get you what you need (URL Profiles.) However I thought I heard not doing SSL decryption you can bypass that filtering control by using Google's translation services.
Let me do some searching real quick.
06-12-2017 03:10 PM
Yes, if you're unable to use SSL decryption in order to enforce safe-search and if you don't have an endpoint-specific solution (GPO/MDM), then I would recommend leveraging google's DNS-based safe-search configuration as you posted in your original question.
06-12-2017 03:14 PM
We are already doing URL filtering for the usual inappropriate categories. Somehow this kid managed to get explicit pics on the browser, supposedly by using the search function. Unfortunately this was reported as an anecdote, without any technical details. I took it at face value.
If I click on the link you provided I get:
06-12-2017 03:17 PM
Hi,
So, the DNS Proxy solution should be working OK? I'm going to setup a test site, and see what I come up with.
06-12-2017 03:20 PM
Sorry, it had an extra space: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Block-Alert-Category-of-a-Website-th...
06-12-2017 03:23 PM
It's a good first step. The DNS-based solution should enforce "safe search" - meaning Google will be providing filtered search results.
This would address the case where your student searched for inappropriate content via the google search engine and google was the one displaying the inappropriate content.
Students are resourceful, though - so there will be additional steps that you need to take, such as blocking access to proxy websites, blocking VPN applications, etc.
06-12-2017 03:25 PM
Thanks for fixing it. Yes, we already have security profiles in place. Mind you this is the first report of this nature that I've seen in a couple of years, so I'd say this is not a common occurrence.
06-12-2017 03:28 PM
Outbound DNS from students would also need to be blocked, or else they'll just point their DNS queries to an external resolver.
Without SSL decryption though, you'll be chasing this a lot. A student forced to use google safe search may decide Bing is just fine for them (or DuckDuckGo, or Yandex, or... etc.). Longer term I'd recommend looking into the decryption end. You'll get a lot better enforcement if you can trigger on every request rather than just the requests in clear text.
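The reply above makes the point that the DNS override only holds if student hosts cannot reach any resolver other than the internal one. As an added example (not from this thread or any Palo Alto Networks product), the following audits a few constructed traffic-log lines for exactly that gap: DNS or DNS-over-TLS from a student subnet to any destination other than the internal resolver. The log format, the student network, and the resolver address are all invented for the example; a real firewall log would need its own parser.

```python
"""Find student-originated DNS that bypasses the internal resolver (illustrative)."""
import ipaddress
from dataclasses import dataclass

# Hypothetical values for the example; substitute the real student VLANs and resolver.
STUDENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
# 53 is plain DNS, 853 is DNS-over-TLS; DNS-over-HTTPS on 443 is not
# distinguishable by port and needs decryption or app identification.
DNS_PORTS = {53, 853}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse the constructed format '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def is_student(ip) -> bool:
    return any(ip in net for net in STUDENT_NETS)


def bypass_flows(lines):
    """Return flows where a student host sends DNS anywhere but the internal resolver.
    The resolver's own upstream queries are not student traffic and are ignored."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.dport in DNS_PORTS and is_student(f.src) and f.dst not in INTERNAL_RESOLVERS:
            hits.append(f)
    return hits


# Constructed sample log: the first line is the normal path, the next two are bypasses,
# the HTTPS line is not DNS, and the last line is the resolver forwarding upstream.
SAMPLE_LOG = """\
# src dst proto dport
10.20.5.17 10.0.0.53 udp 53
10.20.5.17 8.8.8.8 udp 53
10.20.7.2 1.1.1.1 tcp 853
10.20.7.2 142.250.0.1 tcp 443
10.0.0.53 8.8.8.8 udp 53
"""


if __name__ == "__main__":
    for f in bypass_flows(SAMPLE_LOG.splitlines()):
        print(f"student {f.src} -> {f.dst}:{f.dport}/{f.proto} bypasses the internal resolver")
```

Anything this flags is a candidate for a deny rule from the student zone to destination port 53/853 (with the internal resolver as the only allowed destination), which is the enforcement the reply describes; the 443 case is the one that, as the reply also notes, only decryption or per-application control can catch.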
06-12-2017 03:32 PM
Yes, they are resourceful, you have to admire that. We're not seeing much in terms of VPNs at elementary sites. It's a different story at secondary ones. 🙂 Might just start another thread on how you guys manage to stop all VPNs, when PA only detects unknown-tcp, unknown-udp, or ipsec-esp-udp traffic...