Securus NET Handbook

Description

Securus NET (“NET”) is our market-leading, network-level safeguarding platform, providing coverage for any device connected to the network.

NET resides at the network level to provide multi-platform safeguarding coverage for ALL devices connected to your establishment by Wi-Fi. This includes students’ own devices as part of BYOD schemes, such as iOS devices, Chromebooks and Android tablets or smartphones.

Securus NET offers a unique solution that can generate capture images on any device without the need to install software onto it. NET will detect inappropriate or concerning activity on the network, enabling your staff to respond, educate and transform behaviour.

Once installed, NET sits as the effective middleman on the network: authenticated machines using the network communicate through the NET proxy service. Packets are subject to analysis, where words and phrases are matched against the proprietary dictionary of terms.

Any library match results in an ‘event call’, where the software uses the packet information to call on the website and produce the capture image. Packet information regarding date, time and device is sent along with the capture. NET can be installed to a virtual machine or onto dedicated hardware in the explicit configuration; however, a VM is preferable.


Securus NET consists of three core components:

  • The NET Server

    • Acts as a proxy server for traffic to and from the internet.

    • Inspects network traffic based upon different criteria such as IP address and operating system.

    • Must be a dedicated physical or virtual server.

    • Requires our certificate to be installed on the device for secure traffic inspection.

  • Library

    • NET uses a default library, similar to how the Windows XT client works. Phrases in the default library can also be excluded.

    • Support for custom library entries upon request.

  • Captive Portal

    • Acts as a ‘Log On’ to authenticate the individual user during session start.

    • Several authentication methods currently supported including Onsite Active Directory (LDAP), Google and Azure SSO, device hostname, device IP address or device MAC address.

    • Support for SSO with RADIUS.

    • Reauthentication is required after 55 minutes of login and 3 minutes of no activity when using the captive portal with LDAP integration.


Notable Features

  • Capture creation by inspecting network packets and ‘re-creating’ the web page, including images. The capture is sent as an image for viewing in the standard Securus cloud console, exactly the same as captures from Windows devices.

  • Website and Application allow listing.

  • No end client required.

  • Perfect for BYOD environments with use of a PAC file.

  • Decryption for SSL / encrypted pages.

  • Text highlights within capture images.

  • Multiple term detection, up to 10 phrases per capture.

  • Event date and time stamps.

  • Source IP address.

  • Identifies usernames via Active Directory integration with a captive portal, Google or Azure SSO.

  • Able to define which computers’ traffic is subject to scanning, via IP pools.


Requirements

Securus NET can be installed from an ISO onto a dedicated Virtual Machine (VM) or physical hardware; however, a VM is preferable.

The ISO installation is a straightforward process and is detailed in our Install Guide. The operating system and NET components are contained within the ISO making for easy installation.

Captures are sent to the cloud directly; no captures are stored locally on the NET server. Chaining of proxies can be configured within NET in cases where the school is subject to an upstream or ISP-level proxy. You can segregate devices on the network to define which devices go to which proxies. You can also exclude certain devices from analysis, including BYOD scenarios or machines that already have XT installed (the Windows & Chromebook client model).

Mobile Device Requirements

  • iOS 13 or higher

  • Android 4.4.2 or higher


Installation Types

Explicit

In our default NET configuration, NET is used as an explicit proxy with a single Ethernet connection. Other onsite explicit proxies can be chained within the NET configuration to ensure existing web filters remain in place when devices are using Securus NET as their main proxy.

BYOD

Installing for a BYOD environment is almost the same as for an explicit setup, except in this configuration, the PAC file is used to provide proxy information to the device.

BYOD users will need to download the SSL certificate by using the generated QR code on the onboarding page. Users will then need to define the PAC file location (also displayed on the onboarding page) in the WiFi profile to get the proxy information and to be monitored by Securus NET.
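A PAC file of the kind the onboarding page would point a BYOD device at, as an added example that is not Securus’s own file. The NET proxy hostname and port, the school’s internal domain and the excluded host are assumed placeholders; local names, private addresses and the internal domain go DIRECT, and everything else is sent to NET with no DIRECT fallback so a device cannot browse unmonitored if the proxy is unreachable.

```javascript
// Added example PAC file for a BYOD device (not the product's own file).
// Assumed placeholders: the NET proxy address, the school's internal domain
// and a host the school has chosen to exclude from inspection.
var NET_PROXY = "PROXY net-proxy.school.example:3128";
var INTERNAL_DOMAIN = ".school.example";
var BYPASS_HOSTS = ["updates.vendor.example"]; // constructed example exclusion

// Returns true for dotted-quad addresses in the RFC 1918 private ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns true when host is exactly the internal domain or a name beneath it.
function isInternalName(host) {
  return host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN;
}

// Entry point the device calls for every URL it wants to fetch.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain names, localhost, RFC 1918 addresses, the internal domain and
  // explicit exclusions stay on the LAN and never reach the inspecting proxy.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";
  if (isPrivateIPv4(host) || isInternalName(host)) return "DIRECT";
  for (var i = 0; i < BYPASS_HOSTS.length; i++) {
    if (host === BYPASS_HOSTS[i]) return "DIRECT";
  }
  // Everything else, http and https alike, goes through NET. Deliberately no
  // "; DIRECT" fallback: if the proxy is down the device fails closed rather
  // than browsing unmonitored.
  return NET_PROXY;
}
```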

Recommended Server Spec

  • Up to 800 Connections

    • 4 core processor

    • 8GB RAM

    • 200GB Storage (No captures or user data is stored on the device)

    • No operating system required

    • UEFI Boot Enabled

    • Generation 2 VM if using HyperV

  • Up to 2500 Connections

    • 8 core processor

    • 12GB RAM

    • 200GB Storage (No captures or user data is stored on the device)

    • No operating system required

    • UEFI Boot Enabled

    • Generation 2 VM if using HyperV

  • Over 2500 Connections

    • Server specification outlined in each case and before implementation

We can provide a pre-configured device at a competitive price for easy installation to the network; this device meets the recommended specification.

Network Questions / Guidelines

To help us understand your network and how you would like to employ NET, we have some questions that we would be grateful if you could answer. For context, Securus NET monitors the network traffic of devices by using a proxy to capture packet data. NET is designed to be used on devices such as iPads or Android devices where an agent or client cannot be installed.

NET can be installed as an explicit proxy to a virtual machine which is our default installation method and suitable for most network environments. NET can also be utilised in explicit mode to monitor devices in a BYOD scenario by modifying the WiFi profile to add the proxy PAC file location.

In either configuration, a certificate will need to be installed onto the device for packet decryption, and we have several methods of user authentication to provide usernames on captures. One method is a captive portal: this works the same way as a public WiFi login at a coffee shop and is necessary to provide a username on generated captures. The captive portal links to your onsite Active Directory and users log in using those details.

  1. How many iPad, Mac, or Android devices do you wish to monitor?

  2. Are these devices school owned, or do they go home with users?

  3. Are the devices assigned 1:1 or are they shared between users?

  4. Are the devices managed by an MDM (Meraki, Mosyle, JAMF, etc)?

  5. Do you want to monitor Staff & Students or just Students?

  6. Do you have other proxies in use (onsite or ISP)?

    1. If so, how many?

    2. How are these proxies deployed, explicitly or transparently?

    3. Do any of the proxies require authentication?

  7. Do you use VLANs across your network?

    1. If so, which VLANs do you wish to be monitored by NET?

  8. To identify users on iPad, Mac, or Android devices, we can use a ‘captive portal’ style login before a user can access the internet (other methods are available). Is this acceptable?

  9. To monitor your iPad, Mac, or Android devices, a custom certificate will need to be installed onto the device for it to be monitored. Is this acceptable?

  10. What iOS version are the iPads running?


User Authentication Methods

Securus NET can use the following authentication methods:

  1. LDAP

    • This method will use LDAP, integrating with your Active Directory. Users will need to login with their Active Directory details via the captive portal. This will also provide their Active Directory username for the capture information.

  2. Google

    • This method will use Google’s SSO authentication within the Captive Portal.

      This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device. With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.

      Users will need to log out of any Google account sessions manually, and the device must be left idle for more than 3 minutes (configurable), to force re-authentication for a new user in shared device environments.

  3. Azure

    • This method will use Azure SSO authentication within the Captive Portal.

      Similar to Google, this is best for 1:1 devices; users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in on shared devices.

  4. Hostname as username

    • This method will hide the Captive Portal (no login necessary) and will attempt to use the hostname of the device as the username on captures. This option has some pre-requisites; please contact support for advice.

  5. Radius

    • Similar to option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.

  6. None

    • This option will disable the Captive Portal entirely and will display the device’s IP address as the username instead.

The Captive Portal style login is similar to what you would see when connecting to a public WiFi hotspot at a coffee shop or airport. The Captive Portal points to the school’s Active Directory, allowing users to log in with their usual Windows login credentials.

The Network Access Controller (NAC) keeps a cache of which IPs it has recorded. When a new device connects with an unrecognised IP, NET asks the NAC for the username belonging to that IP. Once the user authenticates through the Captive Portal, the user and IP are recorded.

Reauthentication is required after the 55-minute temporary authentication cookie stored in the device’s browser cache has expired, and after 3 minutes of inactivity. Securus NET will attempt to re-authenticate the user if the inactivity timer is triggered before the authentication cookie has expired, ensuring the same user stays logged in throughout the lesson without multiple prompts to re-authenticate.

Once the lesson is over, and the device has been inactive for 3 minutes, the Captive Portal will again trigger to allow a new class to use the devices.

These values can be adjusted to suit the needs of the school.
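The IP-to-user cache and the two timers described above, modelled as an added example that is not Securus code. The 55-minute cookie lifetime and 3-minute idle timeout are the handbook’s defaults; the action names and the `NacCache` type are names chosen here, and the “reauth” action stands for NET re-checking the browser’s cookie (same user continues if it is still valid, otherwise the portal is shown).

```javascript
// Added example modelling the captive-portal session rules (not Securus code).
// Constructed defaults from the handbook; the class and action names are ours.
var COOKIE_LIFETIME_MS = 55 * 60 * 1000; // temporary authentication cookie
var IDLE_TIMEOUT_MS = 3 * 60 * 1000;     // inactivity before a re-check

function NacCache(cookieLifetimeMs, idleTimeoutMs) {
  this.cookieLifetimeMs = cookieLifetimeMs || COOKIE_LIFETIME_MS;
  this.idleTimeoutMs = idleTimeoutMs || IDLE_TIMEOUT_MS;
  this.byIp = {}; // source IP -> { username, authenticatedAt, lastSeen }
}

// Called once the captive portal has verified a user for a source IP.
NacCache.prototype.record = function (ip, username, now) {
  this.byIp[ip] = { username: username, authenticatedAt: now, lastSeen: now };
};

// Called for each packet from ip. Returns the action for the proxy and the
// username that would be stamped on any capture generated from this traffic.
// Attribution keys on source IP alone, so an address lease that moves to a
// different device before the cookie expires would inherit the cached user.
NacCache.prototype.resolve = function (ip, now) {
  var s = this.byIp[ip];
  if (!s) return { action: "prompt", username: null }; // unknown IP: show portal
  if (now - s.authenticatedAt >= this.cookieLifetimeMs) {
    delete this.byIp[ip]; // cookie expired: a fresh login is required
    return { action: "prompt", username: null };
  }
  var idle = now - s.lastSeen;
  s.lastSeen = now;
  if (idle >= this.idleTimeoutMs) {
    // Idle timer fired while the cookie is still valid: re-check the cookie
    // silently rather than interrupting the same user mid-lesson.
    return { action: "reauth", username: s.username };
  }
  return { action: "allow", username: s.username };
};

// Called when a user signs out (or a new class takes over the device), so the
// next packet from that IP goes back to the portal.
NacCache.prototype.forget = function (ip) {
  delete this.byIp[ip];
};
```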


Capture Examples

Below shows several examples of what captures will look like with the different authentication methods available.

Captive Portal login with LDAP

Captures will use the username taken from Active Directory after login.

IP Address

With no authentication method selected, the device’s IP address is displayed as the username.

MAC Address

The MAC address of the device is used for the username when MAC authentication is selected during install.

Hostname

Hostname authentication will display the hostname of the device as the username.

Below is an example of a full screen NET capture.

Note that this is a recreation of the web page based on the information taken from the network packets.


Trials

On-site NET server installed to hardware or a virtual machine.

Some schools will want to test Securus NET with a full installation to evaluate the install process and how NET will work in their network. We recommend for these types of trials that an Explicit installation (on a virtual machine) be employed. This is currently the quickest configuration method where device management is in use. Once the server is installed, the device management software can enforce the Securus NET proxy information and install our certificate.

Explicit – Using an opt in type proxy setup

This is the simplest setup as no change to the existing network configuration is required. The NET instance is added to the network as you would any other server. An explicit setup is well suited to small deployments and BYOD environments.


Maintenance

Updates

We manage a central NET instance (NET Controller) which pushes base library changes and software updates to live NET servers via a VPN tunnel.

Updates to the operating system such as security patches are also automatic.


FAQs

Can NET integrate with SSO?

NET supports RADIUS and Google SSO.


Can I track activity within games?

This depends upon the protocol that the game uses. If the game uses ‘http’ or ‘encrypted http’ then the answer is yes. Overall, this is game dependent, as a game may have its own proprietary protocol.

Can NET analyse encrypted sites or logged in sessions?

NET has access to all session information for that user. NET supports SSL inspection: NET essentially replaces the website’s certificate with its own and thus can inspect traffic between the client and the website.

Will NET monitor encrypted applications?

As most applications use end-to-end and proprietary encryption, we are unable to inspect these sessions.

How does NET work when a school is already using a proxy?

NET supports proxy chaining within the config. In this scenario, NET would come first and then any subsequent upstream proxies, such as filtering, would come after.

Can NET have language packs added to it, so it can capture in these languages?

Yes, UTF-8 is supported. Unicode is a standard for representing a great variety of characters from many languages. Please enquire should you have requirements for non-English libraries.

Our school uses a shared login for our pupils, will NET still monitor activity?

Securus NET would continue to work regardless, however captures will populate for the same user account. It is possible to differentiate between users via the IP or station name.

Will antivirus conflict in any way?

No, as there is nothing installed on end devices. Anti-virus will not impact the performance or functionality of NET.

Is Office 365 monitored?

Some web-based mail clients are supported. Office 365 uses JSON and as such is not currently inspected. If a fat client is used, then the answer is no. A fat client is anything that is installed locally on a device.

What doesn’t NET monitor?

  • Most installed applications.

  • Dynamically loading websites such as Twitter / comment threads.

  • Video content.

How long will a NET capture take to reach the server?

Assuming reasonable network performance and availability, captures should not take any longer than 15 mins to reach the Securus console for viewing.

Will NET affect my network speed?

The effect is minimal, and you are unlikely to perceive any actual difference in usability.

Where will the NET appliance sit on my network?

Typically, between the firewall and the core switch.

Will NET monitor off site?

No. As the appliance resides on site, traffic will not pass through the NET server when the device is away from the premises.


Deployment Topology

Off Premises Deployment




On Premises Explicit




Document number/reference: SEC-KB-NET-002

Classification Level: Public



Version history: current version v. 39, Dec 11, 2024 12:16, Chris Collins