Safe Web Browsing For Schools

My son goes to a small Catholic school and the only thing they have to filter web traffic is a server firewall (they use SonicWall).  It does filter the majority of sites that the shouldn't go to but what it does not do is filter the descriptions the show up when you search something and it does not filter the images.  If they ratchet it up a bit it will do a better job of filtering but then it prevents some drivers from updating,

I know there are third party filters like SmoothWall but I am wondering if there is a browser version that would be designed for schools prevent the content from even getting to the search page or images page.  I have tried Google SafeSearch but it is marginal at best.

Any help would be much appreciated.
Bob SchneiderCo-OwnerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Most webfilters will have the abillty to filter Google, Bing etc search results. Most also provide the ability to force Safesearch. I'm fairly confident that SmoothWall does have this functionality. I know for a fact that Lightspeed and iBoss both support this level of filtering.

If the search results aren't being filtered then it's likely down to one of two things. Either the filter settings have not be configured in a restrictive enough fashion or SSL is coming into play.

Recently Google have taken to attempting to redirect to Because this is an encrypted connection there's no way to filter the content of the page intelligently without either forcing the client back to the http version of the page or setting up SSL interception. As of June this year, Google are going to be removing the http version of their site and forcing everyone to use SSL, at this point SSL interception will be the only way of filtering these pages.

What happens with SSL interception, is the webfilter will decrypt the traffic from Google, filter the page, and then re-encrypt with it's own certificate and pass the page onto the client. The problem with this is that the certificate needs to be deployed as a trusted cert for all clients using the connection. Because of this added complexity, many schools have not implemented SSL interception and hence can't filter Google searches.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bob SchneiderCo-OwnerAuthor Commented:
Wow, that's awesome info.  Thanks!
btanExec ConsultantCommented:
indeed SSL traffic will "blind" the network sensor if it does not "open" up (some sensor has SSL card/software based to decrypt and DPI-SSL feature available in SonicOS 5.6) to conduct the deep inspection. That is usually the second layer check as the first layer check is on browser. This include browser proxy lockdown to a proxy (content filter, in your case likely sonicewall) for filter on blacklist and restricted content check prior to internet or external n/w access. So filtering at browser does make sense too as the first layer.

There are some option such as
a) K9 (free and can have "NightGuard" for timing restriction) -

Another way of looking at lockdown per se, just to expand the discussion (not only look at HHP/HTTPS traffic), DNS inspection is essential too as some can tunnel traffic through such protocol ..

b) NxFilter (freeware , enforces use on safe-search against Google, Bing, Yahoo search engines and Youtube. URL keyword filtering and lockdown proxy too. Can extend categorise if use licenced Komodia DB )
The most tricky part would be forcing filtering on your users without too much hassle. If you go with a web-proxy based filtering product you need to setup all the browsers pointing your web-filter as their proxy server. To make things easier you can use so called ‘transparent proxy’ setup so that you don’t need to setup all the browsers one by one. But with the transparent proxy setup you have a problem for HTTPS filtering as it is breaking the browser restriction for ‘man in the middle attack’. Your browser will not send HTTPS request to your proxy if you try to redirect the traffic transparently. And plus this transparent proxy setup is quite challenging even for a seasoned systems engineer.
If you go with a dns-filter ...... to setup your DHCP server using NxFilter as the DNS server for its clients.

c) OpenDNS (cloud services, close to filtering but does the intercept with DNS configured to point to them, route traffic through them to filter first off hence for interest only, may not be really suited in your env if that is not allowed for such services...) -
Bob SchneiderCo-OwnerAuthor Commented:
Great info.  This helped us dramatically.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.