Opening Up YouTube at School
- By Dian Schaffhauser
Banning YouTube at school is the easy choice for administrators. First, there's the matter of blocking questionable content that students may gain access to, thereby breaching the Children's Internet Protection Act (CIPA). Second, a slew of products are available to automate the blocking work. A 2008 Gartner report positions no fewer than five companies as leaders in the category of content monitoring and filtering and data loss prevention, with many other vendors aspiring to that quadrant.
What's more difficult is granting access to the social networking site or others like it when a case can be made for its use. That was the dilemma faced by Garfield Heights City School District in northeast Ohio. The IT staff was getting requests from teachers and others to open up access to banned sites specifically for educational or work purposes.
The Biggest Challenge
"The biggest challenge we're presented with right now is how to take advantage of all the things the Internet has to offer without compromising our students' security or giving them access to things that are inappropriate," says Shari Bailey, director of technology for the 4,200 student district. "Plain, straight filtering is keeping [users] from doing things."
That filtering is maintained by the district's Internet service provider, the Lakeshore Northeast Ohio Computer Association (LNOCA). LNOCA, a member of the Ohio Education Computer Network (OECN), provides technology services to K-12 schools in Ohio. Those services, fed through a fiber connection to the district, include financial and payroll applications, a web-based gradebook, and other administrative systems. The district itself handles email, management of network equipment, computer support, and antivirus measures.
Bailey knew that bypass proxies were in use by students at Garfield's middle school and high school; but she had no easy way to determine how much traffic was being generated around filter avoidance. Nor was there a simple method to find out who was misusing the Internet. As she explains, if an assistant principal wanted to determine whether there was a reason for possible restriction or punishment of a student, a member of the IT staff would look at the student's user account to see if there were files that shouldn't have been downloaded and scan through the browser history on the computer where that person had been working. "We could get some information, see when they logged on last, and where they were visiting," she says. But that often required a physical visit to the computer in question, a practice that wasn't efficient for the small team.
Gaining Eyes to the Network
In November 2007 Bailey attended an Ohio School Board Association Conference. One of the vendors exhibited an appliance from Cymphonix called Network Composer. The device allowed more granular control over Internet access, which intrigued her. Bailey arranged for an online demo of the technology, and then installed a 30-day trial unit. By spring 2008, the district had made its purchase.
Network Composer provides multiple forms of web protection. Internet content filtering allows the user to do URL categorization, keyword scanning, and content analysis. Web traffic filtering monitors HTTPS traffic and does secure socket layer (SSL) certificate verification. Filter avoidance controls, which are updated daily, prevent access to proxy anonymizers. Content shaping and prioritization functions let the user set bandwidth limits or pass-through priorities for websites and applications. Internet threat controls counter spyware and other malware. And reporting -- both real-time and historic -- gives the administrator multiple views into what's being accessed on the network and by whom.
Bailey declined to name the price the district paid for the appliance, but Cymphonix reseller Virtual Graffiti lists a price of $9,995 for the DC40X, the model purchased by Garfield Heights. The purchase also requires an annual system maintenance agreement, which includes application signatures; filtering updates for spyware, anti-virus, and web content; firmware releases; and tech support. A 1,000-node maintenance agreement is $5,995, according to the reseller's site.
When the district deployed Network Composer, the implementation was done by a local Cymphonix rep, which also provided a first level of training. That was augmented with additional training from Cymphonix. But, says Bailey, with a graphical interface, "it was very easy to learn." Set-up was simple, and when problems have surfaced with the appliance, she adds, the company's tech support has made a remote connection to diagnose the problems.
The appliance sits between the district and its service provider and is accessed through a browser. When a teacher or staff member needs a site unblocked, he or she submits a request to IT, which reviews the site and determines whether to allow it. But, insists Bailey, "We're not the Internet police. We don't sit logged into Cymphonix waiting for somebody to do something wrong."
"The solution became the eyes of our network," says Bailey. "We simply didn’t have time to manually monitor all user activity and maintain blacklists on a daily basis. Now when our network slows down, I can quickly pull up the Cymphonix dashboard to determine what has been downloaded or uploaded and discipline users if necessary. It's given us information we didn't have before." Because Network Composer integrates with Microsoft Active Directory, which the district runs, IT staff can do searches on traffic by user or node.
"Schools have many huge financial challenges," Bailey says. "We have to do things better, faster, more efficiently, and this lets us do that."
Bailey acknowledges that the school's setup still has vulnerabilities. Last week, she and her team battled a virus outbreak on about 50 machines in the district. Determining that it was probably introduced locally through a USB thumb drive, the virus, which was more annoying than damaging, exposed some unpatched computers on the network.
Had it come through the Internet browser connection, the anti-virus solution provided by LNOCA would have caught it, says Bailey. If it had gotten past that and made it to the district's network, then Cymphonix would have stopped it. "We need tools of the trade to manage our network better, because not having your computer work is even less acceptable now than it was a couple of years ago."
Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at firstname.lastname@example.org.