Description

Securus NET (“NET”) is our market-leading, network-level safeguarding platform, providing coverage for any device connected to the network.

NET resides at the network level, to provide multi-platform safeguarding coverage for ALL devices connected to your establishment by Wi-Fi. This includes students’ own devices as part of BYOD schemes such as iOS, Chromebooks & Android tablets or smart phones.

Securus NET offers a unique solution that can generate evidential screenshots on any device without the need to install software onto the device. NET will detect inappropriate or concerning activity on the network, enabling your staff to respond, educate and transform behaviour.

NET, once installed, sits as the effective middleman on the network. Authenticated machines using the network would communicate through the NET proxy service. Packets are subject to analysis where words and phrases are matched against the proprietary dictionary of terms.

Any library matches will result in an ‘event call’ where the software uses packet information to call on the website to produce the capture image. Packet information regarding date, time and device information will be sent along with the capture. It can be installed to a virtual instance (explicit mode) or onto a dedicated server (transparent and explicit modes).

Please refer to the Installation Guide for product requirements.

Securus NET consists of three core components:

  • The NET Server

    • Acts as a proxy server for traffic to and from the internet.

    • Inspects network traffic based upon different criteria such as IP address and operating system.

    • Must be a dedicated physical or virtual server.

    • Requires our certificate to be installed on the device for secure traffic inspection.

  • Library

    • NET uses a default library, similar to how the Windows XT client works. Phrases in the default library can also be excluded.

    • Support for custom library entries upon request.

  • Captive Portal

    • Acts as a ‘Log On’ to authenticate the individual user during session start.

    • Two authentication methods are currently supported: Active Directory and Google SSO.

    • Support for SSO with RADIUS.

    • Reauthentication is required after 55 minutes of login and 3 minutes of no activity.


Notable Features

  • Capture creation by inspecting network packets and ‘re-creating’ the web page, including images.

  • Website and Application Whitelisting.

  • No end client required.

  • Perfect for BYOD environments in transparent mode.

  • Decryption for SSL / encrypted pages.

  • Text highlights within content images.

  • Multiple term detection, up to 10 phrases per capture.

  • Event date and time stamps.

  • Source IP address.

  • Identifies usernames via Active Directory integration with a captive portal or Google SSO.

  • Able to define which computers’ traffic is subject to scanning via IP pools.


Requirements

Securus NET can be installed from an ISO onto a dedicated virtual machine or physical hardware. Alternatively, we can provide a preinstalled device which will reside between the switch and existing web services. The ISO installation is a straightforward process and is detailed further on in this document. The operating system and NET components are contained within the ISO, making for easy installation.

Captures will broadcast to the cloud directly; no captures will be stored locally on the NET server. Chaining of proxies can be configured within NET in cases where the school is subject to an ISP-level proxy. You can segregate devices on the network to define which devices go to which proxies. You can also exclude certain devices from analysis, including BYOD scenarios or machines already installed with XT (Windows & Chromebook client model).

Mobile Device Requirements

  • iOS 13 or higher

  • Android 4.4.2 or higher


Installation Types

Explicit

In our default configuration, NET can be used as an additional explicit proxy with a single Ethernet connection. Other onsite explicit proxies can be chained within the NET configuration to ensure existing web filters are still in place when devices are using Securus NET as their main proxy.

Transparent

NET can be installed onto hardware with two Ethernet connections and configured as a transparent proxy. This would be the default configuration for BYOD sites where devices cannot be managed centrally via MDM.

No proxy settings are required on the monitored devices as traffic is directed through NET. However, our certificate must still be installed on devices for monitoring to work.

Recommended Server Spec

  • Up to 800 Connections

    • 4 core processor

    • 8GB RAM

    • Minimal storage space 60GB (Captures held in our cloud service)

    • No operating system required

    • NIC/Dual Network Card (Transparent only)

    • Generation 1 VM (if using HyperV)

  • Up to 2500 Connections

    • 8 core processor

    • 12GB RAM

    • Minimal storage space 60GB (Captures held in our cloud service)

    • No operating system required

    • NIC/Dual Network Card (Transparent only)

    • Generation 1 VM (if using HyperV)

  • Over 2500 Connections

    • Server specification outlined in each case and before implementation

Network Questions / Guidelines

Note that the following serves as a guideline and is subject to specific network configuration and is irrespective of device type.

  1. What devices do you want to monitor, and how many?

  2. Are the devices always at the school or do they go home with students?

  3. Are the devices assigned 1:1 or are they shared between students?

  4. Are the devices managed by an MDM or G Suite?

  5. Do you want to monitor Staff & Students or just Students?

  6. Do you have other proxies in use (onsite or ISP)?

    1. If so, how many?

    2. How are these proxies deployed, explicitly or transparently?

  7. Do you use VLANs across your network?

    1. If so, do you want all VLANs to be monitored by NET?

  8. Are you aware that Securus NET uses a ‘captive portal’ style login before a user can access the internet?

  9. Are you aware that Securus NET requires a custom certificate to be installed onto the device for it to be monitored?

We can provide a pre-configured device at a competitive price for easy installation to the network; this device meets the recommended specification.

Please note that captures will broadcast to our highly secure cloud environment. Captures only occur in cases
where a library term has been detected over the network.


Trials

On site NET server installed to hardware or virtual machine.

Some schools will want to test Securus NET with a full installation to evaluate the install process and how NET will work in their network. We recommend for these types of trials that an Explicit installation (on a virtual machine) be employed. This is currently the quickest configuration method where device management is in use. Once the server is installed, the device management software can enforce the Securus NET proxy information and install our certificate.

Explicit vs Transparent


Explicit – Using an opt in type proxy setup


This is the simplest setup as no change to the existing network configuration is required. The NET instance is added to the network as you would any other server. An explicit setup is better suited for testing purposes and small-scale deployments.


Transparent – In line proxy to the internet


Change to the network configuration is required as the NET instance will need to sit between the firewall and the core switch. Suitable for large scale deployments and BYOD scenarios.


Maintenance

Updates

We manage a central NET instance (NET Controller) which pushes base library changes and software updates to live NET servers via a VPN tunnel.

Updates to the operating system such as security patches are also automatic.


FAQs

What authentication methods are used and how does it identify users?

Securus NET uses a Captive Portal style login, similar to what you would see when connecting to a public Wi-Fi hotspot at a coffee shop or airport. The Captive Portal can be pointed to the school’s Active Directory, allowing users to log in with their usual Windows login credentials.

The Network Access Controller (NAC) keeps a cache of which IPs it has recorded. When a new device connects with an unrecognised IP, it will ask the NAC what the username is for this user. Once they authenticate through the Captive Portal, the user and IP will be recorded.

Reauthentication will be required after the 55-minute temporary authentication cookie stored in the device’s browser cache has expired and after 3 minutes of inactivity. Securus NET will attempt to re-authenticate the user if the inactivity timer is triggered before the authentication cookie has expired, ensuring the same user is logged in throughout the lesson without multiple prompts to re-authenticate.

Once the lesson is over, and the device has been inactive for 3 minutes, the Captive Portal will again trigger to allow a new class to use the devices.

Securus NET can also forgo the Captive Portal option and instead authenticate a user by using the device’s IP address, MAC address or device hostname. Instead of a username, captures will display the IP address, MAC address or hostname as the username.
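
A minimal model of the two timers described above, added here as an illustration and not Securus code. It assumes the portal is shown only when both the 55-minute cookie has expired and the device has been idle for 3 minutes, and that a silent re-authentication keeps the original cookie issue time; `Session`, `decide`, `attribute` and the sample events are constructed names and data.

```python
from dataclasses import dataclass

COOKIE_LIFETIME = 55 * 60  # seconds; 55-minute authentication cookie (from the page)
IDLE_LIMIT = 3 * 60        # seconds; 3-minute inactivity timer (from the page)

@dataclass
class Session:
    user: str
    login_ts: int   # when the portal login happened (cookie issue time)
    last_seen: int  # timestamp of the most recent request from this IP

def decide(session, now):
    """Classify a request at `now`: 'portal', 'silent-reauth' or 'continue'."""
    if session is None:
        return "portal"  # unrecognised IP: the user must log in
    idle = now - session.last_seen >= IDLE_LIMIT
    expired = now - session.login_ts >= COOKIE_LIFETIME
    if idle and expired:
        return "portal"  # both timers elapsed: prompt for a new login
    return "silent-reauth" if idle else "continue"

def attribute(events):
    """events: (ts, ip, portal_user) sorted by ts; portal_user is who logs in
    if the portal is shown. Returns (ts, ip, decision, username) per request."""
    cache, out = {}, []
    for ts, ip, portal_user in events:
        decision = decide(cache.get(ip), ts)
        if decision == "portal":
            cache[ip] = Session(portal_user, ts, ts)
        # Assumption: silent re-auth keeps the original cookie issue time.
        cache[ip].last_seen = ts
        out.append((ts, ip, decision, cache[ip].user))
    return out

def hm(h, m):
    """Clock time as seconds since midnight."""
    return h * 3600 + m * 60

# Constructed sample: one shared device used across two lessons.
EVENTS = [
    (hm(9, 0), "10.0.5.21", "alice"),   # first request, portal login
    (hm(9, 1), "10.0.5.21", None),
    (hm(9, 20), "10.0.5.21", None),     # idle 19 min, cookie still valid
    (hm(9, 54), "10.0.5.21", None),     # idle 34 min, cookie age 54 min
    (hm(9, 56), "10.0.5.21", None),     # cookie expired, but not idle
    (hm(10, 2), "10.0.5.21", "bob"),    # idle 6 min and cookie expired
]

if __name__ == "__main__":
    for ts, ip, decision, user in attribute(EVENTS):
        print(f"{ts // 3600:02d}:{ts % 3600 // 60:02d} {ip} {decision:13} {user}")
```

Under these assumptions, every request inside the cookie lifetime is attributed to the user who logged in, however long the idle gap, which is worth keeping in mind when reviewing captures from shared devices.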


Can NET integrate with SSO?

NET supports RADIUS and Google SSO.


Can I track activity within games?

This depends upon the protocol that the game uses. If the game uses ‘http’ or ‘encrypted http’ then the answer is yes. Overall, this is game dependent as it may have its own proprietary protocol.

Can NET analyse encrypted sites or logged in sessions?

NET has access to all session information for that user. NET supports SSL inspection. NET essentially replaces the website’s certificate with its own and thus can inspect traffic between the client and the website.

Will NET monitor encrypted applications?

As most applications use end-to-end and proprietary encryption, we are unable to inspect these sessions.

How does NET work when a school is already using a proxy?

NET supports proxy chaining through the UI and can be set as a transparent or explicit proxy.

Can NET have language packs added to it, so it can capture in these languages?

Yes, UTF-8 is supported. Unicode is a standard for representing a great variety of characters from many languages. Please enquire should you have requirements for non-English libraries.

Our school uses a shared login for our pupils, will NET still monitor activity?

Securus NET would continue to work regardless; however, captures will populate for the same user account. It is possible to differentiate between users via the IP or station name.

Will antivirus conflict in any way?

No, as there is nothing installed to end devices. Anti-virus will not impact the performance or functionality of NET.

Is Office 365 monitored?

Some web-based mail clients will be supported. Office 365 uses JSON and as such is not currently inspected. If they use a fat client, then the answer is no. A fat client is anything that is installed to a device locally.

What doesn’t NET monitor?

  • Locally installed applications.

  • Dynamically loading websites such as Twitter / comment threads.

  • Video content.

How long will a NET capture take to reach the server?

Assuming reasonable network performance and availability, captures should not take any longer than 15 mins to reach the Securus console for viewing.

Will NET affect my network speed?

The effect is minimal, and you are unlikely to perceive any actual difference in usability.

Where will the NET appliance sit on my network?

Typically, between the firewall and the core switch.

Will NET monitor off site?

As the appliance resides at the site, traffic will not pass through the NET server if the device is away from the premises.


Deployment Topology

Off Premises Deployment

  


On Premises Explicit

  


On Premises Transparent

  

 
