
Monitoring Web Searches to Prevent Radicalisation and Extremism

by Scott Glew

Fastvue Reporter is used in hundreds of schools and educational institutions throughout the world. A popular use case, especially in the United Kingdom, is to monitor Internet searches and web activity to help identify students who may be at risk of radicalization and extremism, violence or abuse, and other online safety issues.

We've seen a dramatic increase in this use case after The Prevent Duty legislation was published in July 2015, and again with the September 2016 changes to the Keeping Children Safe in Education (KCSiE) policies.

The September 2016 changes include a new paragraph highlighting the need for appropriate filters and monitoring systems to be put in place. They also strengthened the wording from 'should consider' to 'should ensure':

"Governing bodies and proprietors should be doing all that they reasonably can to limit children’s exposure to the above risks from the school or college’s IT system. As part of this process, governing bodies and proprietors should ensure their school or college has appropriate filters and monitoring systems in place."

If you are not receiving clear, timely alerts when a student's online behaviour steps into 'at risk' territory, then you are not doing 'all you reasonably can' to safeguard students. Furthermore, if you only have one person receiving alerts and reports, they can quickly become 'alert blind' and fail to follow up potential issues.

Fortunately, Fastvue Reporter makes sense of the web traffic flowing through your firewall (no need to install local agents on student devices), and can distribute alerts and reports to the right people, such as teachers, principals and student counselors, when specific search terms are used or websites are accessed.

Alerting On Search Terms

Below is a Fastvue alert email that has been sent to year 10 teachers identifying a student at risk of extremism and radicalization:

Extremist Searches Alert Email in Fastvue Reporter for SonicWALL

To receive these alerts, there are just three steps to follow.

1. Enable HTTPS Inspection (DPI SSL)

First of all, you'll need to enable HTTPS inspection on your firewall. Why? The world's most used search engine, google.com, strictly enforces HTTPS for all searches. This means your firewall knows there is traffic to https://www.google.com, but not what the full URLs or search terms are (e.g. https://www.google.com/?q=My+Search+Term).

Fortunately, most modern firewalls and UTMs include HTTPS Inspection as part of their feature set. SonicWALL calls this DPI SSL (Deep Packet Inspection of SSL traffic). When you enable this feature, the full URL including the search term will be logged and sent to Fastvue Reporter.

Note: DPI SSL / HTTPS Inspection requires some deployment effort due to certificates and client trust issues. Apply it to a subset of your network, and test the end user experience across all critical applications and devices before doing a full rollout. One common issue is that Chrome and Android devices may not function correctly unless these domains are excluded from HTTPS inspection.

2. Create an Alert for Extremist Searches

Fastvue Reporter now ships with this Alert by default. The steps below will take you through the process of creating such an alert, and can be applied to creating similar alerts on other search topics.

Coming up with an effective list of keywords is a difficult and time-consuming task. To make things easier, we have included a list of keywords, along with another list of 'exclude' keywords, below.

To create your alert:

  1. In Fastvue Reporter, go to Settings | Alerts

  2. Click New Alert, name the alert Extremist Searches and click OK

    Add Alert for Extremist Searches

  3. In the Alert Criteria section, select: Category 'Equal to' Search Engines and Portals AND Search Term 'Contains' [Paste in keywords from this text file] AND Search Term 'Does not contain' [Paste in keywords from this text file]

    Extremist Searches Alert Criteria

  4. In the Alert Properties section, leave the defaults (Name = Extremist Searches, Alert key = User, Priority = High)

    Extremist Searches Alert Properties

  5. In the Alert Evidence section, ensure the User, Search Term, and Origin Domain fields are set as columns, along with any other columns you would like to see, such as Source IP, Department, etc.

    Extremist Searches Alert Evidence

  6. In the Alert Notification section, enter the email addresses of the people or distribution lists that should receive these alerts via email.

    Tip: To avoid the 'Alert Blindness' issue mentioned previously, where a single person receives all alerts, it is a good idea to add a department filter to the criteria section in the alert, and email the alerts to the person responsible for that department. You can then duplicate the alert (using the Duplicate button in the header for each alert) and change the department and email addresses for each one.

  7. Click Save Alert

  8. Click the toggle switch to enable the alert.

    Enabling The Extremist Searches Alert
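
The alert criteria above, written out as an added example (not Fastvue Reporter's own code). It assumes 'Contains' is a case-insensitive substring match and that the search term is the q URL parameter, as in the Google URL shown earlier; the log records and the exclude list are constructed. It shows why the exclude list matters ('crisis' contains 'isis') and why a host-only HTTPS record, logged without DPI SSL, can never match.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

CATEGORY = "Search Engines and Portals"
INCLUDE = ["isis", "explosive"]   # the two keywords the article names
EXCLUDE = ["crisis", "goddess"]   # constructed exclude list (assumption)

# Constructed records: (user, category, URL as logged by the firewall).
LOG = [
    ("jsmith", CATEGORY, "https://www.google.com/search?q=isis+videos"),
    ("akhan",  CATEGORY, "https://www.google.com/search?q=financial+crisis+2008"),
    ("mlee",   CATEGORY, "https://www.bing.com/search?q=Isis+Egyptian+goddess"),
    ("tbrown", CATEGORY, "https://www.google.com/"),  # no DPI SSL: host only
    ("jsmith", CATEGORY, "http://www.bing.com/search?q=explosive+materials"),
    ("pwong",  "News",   "https://news.example/story?q=isis"),
]

def search_term(url):
    """Return the lower-cased search term from the q parameter, or None."""
    values = parse_qs(urlsplit(url).query).get("q")
    return values[0].lower() if values else None

def matches(category, term):
    """Category equals AND term contains an include AND contains no exclude."""
    if category != CATEGORY or term is None:
        return False
    return (any(k in term for k in INCLUDE)
            and not any(k in term for k in EXCLUDE))

def evaluate(log):
    """Group matching search terms by user, mirroring Alert key = User."""
    alerts = defaultdict(list)
    for user, category, url in log:
        term = search_term(url)
        if matches(category, term):
            alerts[user].append(term)
    return dict(alerts)

if __name__ == "__main__":
    for user, terms in evaluate(LOG).items():
        print(user, terms)
```
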

Test Your Alert

Now that you've added your alert, head to your favourite search engine (if you don't have HTTPS Inspection applied yet, use a search engine that works over http such as bing.com), and search for one of the keywords such as 'isis' or 'explosive'.

Go to the Alerts tab in Fastvue Reporter and you should see the resulting alert.

Extremist Searches Alerts Tab

Reporting on Extremist Search Terms

Sending real-time alerts when extremist searches occur is a great first step. However, it's important to note that alerts are purged after 48 hours. If you need to retrieve information about extremist searches prior to the last 48 hours, you will need to run a report.

User Overview Reports contain a 'Search Terms' section at the bottom of the 'Productivity' section of the report. However, this shows all searches made by a specific user, and you probably don't want to open hundreds of user reports to investigate whether any extremist searches were made.

Fortunately, you can run an Activity Report that lists all 'extremist searches' made by anyone on your network, along with the username.

To do this:

  1. Go to Reports and click Activity Report
  2. Create the same filter you used in the alert: Category 'Equal to' Search Engines and Portals AND Search Term 'Contains' [Paste in keywords from this text file] AND Search Term 'Does not contain' [Paste in keywords from this text file]

    Tip: It is a good idea to click the Save Filter button (next to the Add Filter button) and save the filter as 'Extremist Searches'. That way, whenever you need to run this report in the future, you can simply select the Load Filter button (next to Save Filter) and select the 'Extremist Searches' filter.
  3. Select your date range and click Run Report, or Schedule Report to run it automatically every day, week or month. Scheduling also gives you the option to rename the report.

Extremist Searches Activity Report

Keeping Children Safe in Education (KCSiE) - Appropriate Monitoring Requirements

The KCSiE policies outline a number of requirements to help define what is considered 'Appropriate' monitoring for schools.

Requirement: Assign appropriate responsibility for analysing the logfile information. These reports can often be difficult to understand and may require specialism to analyse.
How SonicWALL and Fastvue Reporter can help: Although configuring Fastvue Reporter to consume log data from SonicWALL is a job for the IT department, the reports and alerts are designed to be easily consumed by non-technical staff members such as teachers, principals, counsellors, department heads and HR teams. Distributing reports and alerts to the people responsible for various departments or classes is easily achieved with Fastvue Reporter.

Requirement: The logfile information should be able to identify an individual user (or group as appropriate) for effective intervention.
How SonicWALL and Fastvue Reporter can help: When SonicWALL is configured to authenticate users by integrating your directory via LDAP or AD SSO, it will log the authenticated username with their web traffic. Fastvue Reporter then matches the traffic back to a user, department, office or company configured in Active Directory and can display this information in your reports and alerts.

Requirement: Logs need to be regularly reviewed, interpreted and alerts prioritised for intervention.
How SonicWALL and Fastvue Reporter can help: Filtering reports and alerts by AD groups or departments, and sending them to the managers of those departments is a great way to ensure the information is actually reviewed and acted upon. If you configure all reports and alerts to be sent to a select few people, they may soon develop 'alert blindness' and stop reviewing the information. Split and distribute the load as best you can using the filters interface in Fastvue Reporter.

Requirement: Information held by the school that indicates potential harm, must be acted upon.
How SonicWALL and Fastvue Reporter can help: As above. If you are delivering relevant information to the right people, and distributing the load, then the information has the best chance of being reviewed and acted upon.

Requirement: Be aware of any limitations of the logfile information.
How SonicWALL and Fastvue Reporter can help: Fastvue Reporter understands and works around the limitations in SonicWALL's log data so that you don't have to. The best information is simply presented in a clear, easy to understand format. That said, you should be aware of the following limitations:
  • HTTPS can certainly limit what can be identified in your log data, and therefore in Fastvue Reporter. Ensure you have HTTPS Inspection (DPI SSL) enabled.
  • SonicWALL does not log referrer URLs, so it is difficult to map a 'background' site such as an image served via a CDN or advertising server to the 'real site' a user was visiting. We've been informed that this will be addressed in a firmware release in early 2017.

Further Information

More information on Appropriate Monitoring for Schools can be found via the resources below:

We hope this information helps you in your endeavours to keep children safe online, and adhere to government policies in your school. If you have any questions or issues, please leave a comment below.

To find out how Fastvue Reporter third-party monitoring solutions are helping schools worldwide, visit Safeguarding Students.
