
Description

Securus NET (“NET”) is our market-leading network-level safeguarding platform, providing coverage for
any device connected to the network.

NET resides at network level to provide multi-platform safeguarding coverage for ALL devices connected to
your establishment, by Wi-Fi or otherwise. This includes students’ own devices as part of BYOD schemes, such as
iOS, Chromebooks & Android tablets, and smartphones. Securus NET offers a unique solution that can
generate evidential screenshots on any device without the need to install software onto the device. NET will
detect inappropriate or concerning activity on the network, enabling your staff to respond, educate and
transform behaviour.

NET, once installed, sits as the effective middleman on the network. Authenticated machines using the
network communicate through the NET proxy service. Packets are analysed, and words and
phrases are matched against the proprietary dictionary of terms.

Any library match results in an ‘event call’, where the software uses packet information to call on the
website to produce the capture image. Packet information regarding date / time and machine information is
sent along with the capture. NET can be installed alongside existing hardware running web services, or to a
virtual instance or dedicated server.

Please refer to the Installation section below for product requirements.

NET consists of three core components:

  • NET Server

    • Acts as a ‘proxy’ server for traffic to/from the internet

    • Inspects network traffic based upon different criteria such as IP address and operating system

    • Must be a dedicated physical or virtual server

    • Uses existing installed ‘Certificate’ on the device for secure traffic inspection

  • Library

    • Custom library capable of being updated by adding new words

    • Support for multiple custom libraries, e.g. Sixth Form v Senior School v Junior School

  • Captive Portal

    • Acts as a ‘Log On’ to authenticate the individual user

    • 3 methods currently supported – AD, Google & RADIUS

    • Support for SSO

    • Reauthentication is required after 55 minutes of login or 5 minutes of no activity.


Notable Features

  • Capture creation by inspecting network packets and ‘re-creating’ the web page, including images

  • Website and Application Whitelisting

  • No end client

  • Perfect for BYOD environments in transparent mode

  • Decryption for SSL / encrypted pages

  • Text highlights within content images

  • Multiple term detection, up to 10 phrases per capture

  • Event date / time stamps

  • Source IP address

  • Identifies usernames via A/D integration with a captive portal or Google SSO

  • Supports multiple custom libraries

  • Able to define which computers’ traffic is subject to scanning

  • Different scanning profiles for groups / computers


Requirements

Securus NET can be installed from an ISO onto a dedicated virtual machine or physical hardware.
Alternatively, we can provide a preinstalled device which will reside between the switch and existing web
services. The ISO installation is a straightforward process and is detailed further on in this document. The operating
system and NET components are contained within the ISO, making for easy installation.

Captures will broadcast to the cloud directly; no captures will be stored locally on the NET server. Chaining of
proxies can be configured within NET in cases where the school is subject to an ISP-level proxy. You can
segregate devices on the network to define which devices go to which proxies. You can also exclude certain
devices from analysis, including BYOD scenarios or machines already installed with XT (Windows &
Chromebook client model).

Mobile Device Requirements

  • iOS 13 or higher

  • Android 4.4.2 or higher

Installation Types

EXPLICIT - NET can be used as an explicit proxy / additional proxy with a single ethernet connection.

TRANSPARENT - NET can be configured as a transparent proxy with 2 ethernet connections. This may
be preferable for sites using separate networks for Guest connections and BYOD. No proxy settings
are required on the monitored devices as traffic is directed through NET. Essentially all network traffic
directly connects to the NET Server.

Recommended Server Spec

  • Up to 800 Connections

    • 4 core processor

    • 8GB RAM

    • Minimal storage space 60GB (Captures held in our cloud service)

    • No operating system required

    • NIC/Dual Network Card (Transparent only)

    • Generation 1 VM (if using HyperV)

  • Up to 2500 Connections

    • 8 core processor

    • 12GB RAM

    • Minimal storage space 60GB (Captures held in our cloud service)

    • No operating system required

    • NIC/Dual Network Card (Transparent only)

    • Generation 1 VM (if using HyperV)

  • Over 2500 Connections

    • Server specification outlined in each case and before implementation

Network Questions / Guidelines

Note that the following serves as a guideline only. It is subject to your specific network configuration and applies irrespective of device type.

  1. What devices do you want to monitor, and how many?

  2. Are the devices always at the school or do they go home with students?

  3. Are the devices assigned 1:1 or are they shared between students?

  4. Are the devices managed by an MDM or G Suite?

  5. Do you want to monitor Staff & Students or just Students?

  6. Do you have other proxies in use (onsite or ISP)?

    1. If so, how many?

    2. How are these proxies deployed, explicitly or transparently?

  7. Do you use VLANs across your network?

    1. If so, do you want all VLANs to be monitored by NET?

  8. Are you aware that Securus NET uses a ‘captive portal’ style login before a user can access the internet?

  9. Are you aware that Securus NET requires a custom certificate to be installed onto the device for it to be monitored?

We can provide a pre-configured device at a competitive price for easy installation to the network. This device meets the recommended specification.

Please note that captures will broadcast to our highly secure cloud environment. Captures only occur in cases
where a library term has been detected over the network. If you require an entirely on-site solution (Securus
NET & Securus XT servers), please contact us directly on 03301241750 to discuss viability and options.


Trials

On site NET server installed to hardware or virtual machine.

Some schools will want to test Securus NET with a full installation to evaluate the install process and
how NET will work in their network. We recommend for these types of trials that an Explicit installation
(on a virtual machine) be employed. This is currently the quickest configuration method where
device management is in use. Once the server is installed, the device management software can enforce
the Securus NET proxy information and install our certificate.

Explicit vs Transparent


Explicit – Using an opt in type proxy setup


This is the simplest setup as no change to the existing network configuration is required. The NET
instance is added to the network as you would any other server.
An explicit setup is better suited for testing purposes and small-scale deployments.


Transparent – In line proxy to the internet


Change to the network configuration is required as the NET instance will need to sit between the
firewall and the core switch. Suitable for large scale deployments and BYOD scenarios.


Maintenance

Updates

We manage a central NET instance (NET Controller) which pushes base library changes and software updates to live NET servers via a VPN tunnel.

Updates to the operating system such as security patches are also automatic.


FAQs

What authentication methods are used and how does it identify users?

Securus NET uses a Captive Portal style login, similar to what you would see when connecting to a public WiFi hotspot at a coffee shop or airport. The Captive Portal can be pointed to the school’s Active Directory, allowing users to log in with their usual Windows login credentials.

The Network Access Controller (NAC) keeps a cache of which IPs it has recorded. When a new device connects with an unrecognised IP, it will ask the NAC what the username is for this user. Once they authenticate through the Captive Portal, the user and IP will be recorded.

Reauthentication will be required after the 55 minute temporary authentication cookie stored in the device’s browser cache has expired and after 3 minutes of inactivity. Securus NET will attempt to re-authenticate the user if the inactivity timer is triggered before the authentication cookie has expired, ensuring the same user is logged in throughout the lesson without multiple prompts to re-authenticate.

Once the lesson is over, and the device has been inactive for 3 minutes, the Captive Portal will again trigger to allow a new class to use the devices.

Securus NET can also forgo the Captive Portal option and instead authenticate a user by using the device’s IP address, MAC address or device hostname. Instead of a username, captures will then display the IP address, MAC address or hostname as the username.
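
The timer behaviour described in this answer can be modelled as a small state machine. This is an added illustrative example, not Securus code: `PortalModel` and `replay` are hypothetical names, the timeline is constructed, and the model assumes the portal prompt reappears only when the device is both idle for 3 minutes and past the 55 minute cookie lifetime, as this answer reads.

```python
from dataclasses import dataclass

COOKIE_LIFETIME = 55 * 60  # seconds: cookie lifetime given in the FAQ
IDLE_LIMIT = 3 * 60        # seconds: inactivity timer given in the FAQ

@dataclass
class Session:
    username: str
    login_at: float   # when the user last passed the Captive Portal
    last_seen: float  # last request observed from this IP

class PortalModel:
    """Toy IP -> user cache; one reading of the FAQ, not Securus code."""
    def __init__(self):
        self.cache = {}

    def login(self, ip, username, now):
        self.cache[ip] = Session(username, now, now)

    def on_request(self, ip, now):
        """Return (decision, username a capture would carry)."""
        s = self.cache.get(ip)
        if s is None:
            return ("portal", None)            # unrecognised IP
        idle = now - s.last_seen >= IDLE_LIMIT
        cookie_valid = now - s.login_at < COOKIE_LIFETIME
        if idle and not cookie_valid:
            del self.cache[ip]                 # next user must log in
            return ("portal", None)
        s.last_seen = now
        return ("silent-reauth" if idle else "allow", s.username)

def replay(events):
    """events: (minute, ip, username-or-None); a username means a portal login."""
    model, out = PortalModel(), []
    for minute, ip, user in events:
        now = minute * 60
        if user:
            model.login(ip, user, now)
            out.append(("login", user))
        else:
            out.append(model.on_request(ip, now))
    return out

# Constructed timeline for one shared device (IP from the documentation range).
SAMPLE = [(0, "192.0.2.10", "pupil.a"), (1, "192.0.2.10", None),
          (10, "192.0.2.10", None), (56, "192.0.2.10", None)]

if __name__ == "__main__":
    for ev, result in zip(SAMPLE, replay(SAMPLE)):
        print(ev, "->", result)
```

The `silent-reauth` row is the case to keep in mind when reviewing captures from shared devices: within the cookie lifetime, activity after an idle gap is still recorded against the last user who logged in.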


Can NET integrate with SSO?

NET supports RADIUS and Google SSO.


Can I track activity within games?

This depends upon the protocol that the game uses. If the game uses ‘http’ or ‘encrypted http’ then the answer is
Yes. Overall, this is game dependent as it may have its own proprietary protocol.

Can NET analyse encrypted sites or logged in sessions?

NET has access to all session information for that user. NET supports SSL inspection. NET essentially replaces the website’s certificate with its own and thus can inspect traffic between the client and the website.

Will NET monitor encrypted applications?

As most applications use end-to-end and proprietary encryption, we are unable to inspect these sessions.

How does NET work when a school is already using a proxy?

NET supports proxy chaining through the UI and can be set as a transparent or explicit proxy.

Can NET have language packs added to it, so it can capture in these languages?

Yes, UTF-8 is supported. Unicode is a standard for representing a great variety of characters from many languages. Please enquire should you have requirements for non-English libraries.

Our school uses a shared login for our pupils, will NET still monitor activity?

Securus NET would continue to work regardless; however, captures will populate for the same user account. It is possible to differentiate between users via the IP or station name.

Will antivirus conflict in any way?

No, as there is nothing installed to end devices. Anti-virus will not impact the performance or functionality of NET.

Is Office 365 monitored?

Some web-based mail clients will be supported. Office 365 uses JSON and as such is not currently inspected. If they use a fat client, then the answer is no. A fat client is anything that is installed to a device locally.

What doesn’t NET monitor?

  • Local applications

  • Dynamically loading websites such as Twitter / comment threads

  • Video content

How long will a NET capture take to reach the server?

Assuming reasonable network performance and availability, captures should not take any longer than 15 mins to reach the Securus console for viewing.

Will NET affect my network speed?

The effect is minimal, and you are unlikely to perceive any actual difference in usability.

Where will the NET appliance sit on my network?

Typically, between the firewall and the core switch.

Will NET monitor off site?

As the appliance resides at the site, traffic will not pass through the NET server if the device is away from the premises.


Deployment Topology

Off Premises Deployment

  


On Premises Explicit

  


On Premises Transparent

  

 
