Securus NET Handbook

Description

Securus NET (“NET”) is our market-leading network-level safeguarding platform, providing coverage for any device connected to the network.

NET resides at the network level to provide multi-platform safeguarding coverage for ALL devices connected to your establishment by Wi-Fi. This includes students’ own devices as part of BYOD schemes, such as iOS devices, Chromebooks and Android tablets or smartphones.

Securus NET offers a unique solution that can generate capture images from any device without installing software on it. NET detects inappropriate or concerning activity on the network, enabling your staff to respond, educate and transform behaviour.

Once installed, NET sits as the effective middleman on the network: authenticated machines communicate with the internet through the NET proxy service. Packets are analysed, and words and phrases are matched against the proprietary dictionary of terms.

Any library match results in an ‘event call’, where the software uses the packet information to call the website and produce the capture image. Packet information regarding date, time and device is sent along with the capture. NET can be installed on a virtual instance (explicit mode) or on a dedicated server (transparent and explicit modes).
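The library-match to ‘event call’ path described above, as an added Python sketch that is not Securus code: whole-word, case-insensitive matching against a small constructed library with one default phrase excluded, capped at the handbook's 10 phrases per capture, with date/time, source IP and username attached to the capture record. The library terms, page text, IP and username are constructed for the example.

```python
import re
from datetime import datetime

MAX_PHRASES_PER_CAPTURE = 10  # handbook: "up to 10 phrases per capture"

def compile_library(library, excluded=()):
    """Whole-word, case-insensitive patterns; excluded default-library phrases are dropped."""
    skip = {e.lower() for e in excluded}
    return [(term, re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE))
            for term in library if term.lower() not in skip]

def build_capture(page_text, patterns, src_ip, username, seen_at):
    """Return a capture event for page_text, or None when no library term matches."""
    hits = sorted((m.start(), m.end(), term)
                  for term, pat in patterns for m in pat.finditer(page_text))
    if not hits:
        return None
    phrases = []
    for _, _, term in hits:  # distinct terms in first-seen order
        if term not in phrases:
            phrases.append(term)
    phrases = phrases[:MAX_PHRASES_PER_CAPTURE]
    return {
        "timestamp": seen_at.isoformat(),   # event date and time stamp
        "source_ip": src_ip,                # source IP address of the device
        "username": username,               # from the captive portal / SSO session
        "phrases": phrases,                 # matched library terms, capped at 10
        "highlights": [(s, e) for s, e, term in hits if term in phrases],  # text highlight spans
    }

# Constructed sample: a tiny library with one default phrase excluded, and one page of text.
LIBRARY = ["bullying", "truancy", "cheating", "detention"]
PATTERNS = compile_library(LIBRARY, excluded=["detention"])
PAGE = "Posted: truancy is easy. No Bullying here, just cheating on the test, or detention."

def sample_capture():
    """Constructed IP, username and timestamp; returns the capture record for PAGE."""
    return build_capture(PAGE, PATTERNS, "10.0.5.21", "jsmith", datetime(2024, 3, 12, 9, 5))
```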

Please refer to the Installation Guide for product requirements.

Securus NET consists of three core components:

  • The NET Server

    • Acts as a proxy server for traffic to and from the internet.

    • Inspects network traffic based upon different criteria such as IP address and operating system.

    • Must be a dedicated physical or virtual server.

    • Requires our certificate to be installed on the device for secure traffic inspection.

  • Library

    • NET uses a default library, similar to how the Windows XT client works. Phrases in the default library can also be excluded.

    • Support for custom library entries upon request.

  • Captive Portal

    • Acts as a ‘Log On’ to authenticate the individual user during session start.

    • Two authentication methods are currently supported: Active Directory, and SSO with Google or Azure.

    • Support for SSO with RADIUS.

    • Reauthentication is required 55 minutes after login and after 3 minutes of inactivity.

    • Other authentication methods are available if the use of the captive portal is not required.


Notable Features

  • Capture creation by inspecting network packets and ‘re-creating’ the web page, including images.

  • Website and Application allow listing.

  • No end client required.

  • Perfect for BYOD environments in transparent mode.

  • Decryption for SSL / encrypted pages.

  • Text highlights within content images.

  • Multiple term detection, up to 10 phrases per capture.

  • Event date and time stamps.

  • Source IP address.

  • Identifies usernames via Active Directory integration with a captive portal, Google or Azure SSO.

  • Ability to define, via IP pools, which computers’ traffic is subject to scanning.


Requirements

Securus NET can be installed from an ISO onto a dedicated virtual machine or physical hardware. Alternatively, we can provide a preinstalled device which will reside between the switch and existing web services. Installation from the ISO is a straightforward process and is detailed later in this document. The operating system and NET components are contained within the ISO, making for easy installation.

Captures are sent directly to the cloud; no captures are stored locally on the NET server. Proxy chaining can be configured within NET in cases where the school is subject to an upstream or ISP-level proxy. You can segregate devices on the network to define which devices go to which proxies. You can also exclude certain devices from analysis, including BYOD scenarios or machines already running XT (the Windows and Chromebook client model).

The NET ISO does not work with UEFI boot so, in cases where NET is being installed onto hardware, Legacy Boot must be an option.

Mobile Device Requirements

  • iOS 13 or higher

  • Android 4.4.2 or higher


Installation Types

Explicit

This is the default NET configuration: NET is used as an additional explicit proxy with a single Ethernet connection. Other onsite explicit proxies can be chained within the NET configuration to ensure existing web filters remain in place when devices use Securus NET as their main proxy.

Transparent

NET can be installed onto hardware with two ethernet connections and configured as a transparent proxy. This would be the default configuration for BYOD sites where devices cannot be managed centrally via MDM.

No proxy settings are required on the monitored devices, as traffic is directed through NET; however, our certificate must still be installed on the devices for monitoring to work.

  • Up to 800 Connections

    • 4 core processor

    • 8GB RAM

    • Minimum storage 60GB (no captures or user data are stored on the device)

    • No operating system required

    • NIC/Dual Network Card (Transparent only)

    • Generation 1 VM (if using Hyper-V; explicit only)

  • Up to 2500 Connections

    • 8 core processor

    • 12GB RAM

    • Minimum storage 60GB (no captures or user data are stored on the device)

    • No operating system required

    • NIC/Dual Network Card (Transparent only)

    • Generation 1 VM (if using Hyper-V; explicit only)

  • Over 2500 Connections

    • Server specification outlined in each case and before implementation

We can provide a pre-configured device, meeting the recommended specification, at a competitive price for easy installation onto the network.

Network Questions / Guidelines

To help us understand your network and how you would like to deploy NET, we would be grateful if you could answer the questions below. For context, Securus NET monitors the network traffic of devices by using a proxy to capture packet data. NET is designed for devices such as iPads or Android devices where an agent or client cannot be installed.

NET can be installed as an explicit proxy to a virtual machine which is our default installation method and suitable for most network environments. NET can also be installed as a transparent proxy to dedicated hardware which is better suited to BYOD environments.

In either configuration, a certificate will need to be installed on each device for packet decryption, and we have several methods of user authentication so that usernames can be attached to captures. One method is a captive portal, which works the same way as a public Wi-Fi login at a coffee shop and is necessary to provide a username for generated captures. The captive portal links to your onsite Active Directory, and users log in using those details.

  1. How many iPad/Mac/Android devices are you wanting to monitor?

  2. Are the devices always at the school or do they go home with students?

  3. Are the devices assigned 1:1 or are they shared between students?

  4. Are the devices managed by an MDM or Google Workplace?

  5. Do you want to monitor Staff & Students or just Students?

  6. Do you have other proxies in use (onsite or ISP)?

    1. If so, how many?

    2. How are these proxies deployed, explicitly or transparently?

  7. Do you use VLANs across your network?

    1. If so, which VLANs do you wish to be monitored by NET?

  8. To monitor your iPad/Mac/Android devices we can use a ‘captive portal’ style login before a user can access the internet. Is this acceptable?

  9. To monitor your iPad/Mac/Android devices, a custom certificate will need to be installed onto each device. Is this acceptable?

  10. If in use, are you able to provide Securus with a PAC file?


User Authentication Methods

Securus NET can use the following authentication methods:

  1. LDAP

    • This method will use LDAP, integrating with your Active Directory. Users will need to login with their Active Directory details via the captive portal. This will also provide their Active Directory username for the capture information.

  2. Google

    • This method will use Google’s SSO authentication within the Captive Portal.

      This is best for 1:1 device assignments as Google’s authentication will usually keep the same user logged in once they have authenticated with a device. With Google SSO enabled, the captive portal will redirect to the Google login page and will log the user into their Google account via browser session. Securus NET will grab these details from the browser session and use the domain and username for captures.

      Users will need to log out of any Google account sessions manually and left idle for more than 3 minutes (configurable) to force re-authentication for a new user in shared device environments.

  3. Azure

    • This method will use Azure SSO authentication within the Captive Portal.
      Similar to Google, this is best for 1:1 devices; in shared device environments, users will need to sign out from Microsoft within their browser sessions to allow a new user to sign in.

  4. MAC as username

    • This method will hide the Captive Portal (no login necessary) and will attempt to use the device’s MAC address as the username for captures.

  5. Hostname as username

    • This method will hide the Captive Portal (no login necessary) and will attempt to use the device’s hostname as the username on captures.

  6. Radius

    • Similar to option 1, this enables the Captive Portal with LDAP authentication and also enables Radius support. Once this option is selected, the server will look for and accept Radius network packets that are pushed to it.

  7. None

    • This option will disable the Captive Portal entirely and will display the device’s IP address as the username instead.

The Captive Portal style login is similar to what you would see when connecting to a public Wi-Fi hotspot at a coffee shop or airport. The Captive Portal points to the school’s Active Directory, allowing users to log in with their usual Windows login credentials.

The Network Access Controller (NAC) keeps a cache of the IPs it has recorded. When a new device connects with an unrecognised IP, NET asks the NAC which username belongs to it. Once the user authenticates through the Captive Portal, the user and IP are recorded.

Reauthentication is required after the 55-minute temporary authentication cookie stored in the device’s browser has expired, and after 3 minutes of inactivity. If the inactivity timer is triggered before the authentication cookie has expired, Securus NET will attempt to re-authenticate the user automatically, ensuring the same user stays logged in throughout the lesson without repeated prompts to re-authenticate.

Once the lesson is over, and the device has been inactive for 3 minutes, the Captive Portal will again trigger to allow a new class to use the devices. These values can be adjusted to suit the needs of the school.
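The NAC cache and re-authentication timers described above, modelled as an added Python example that is not Securus code. It assumes the handbook's 55-minute cookie and 3-minute idle timer, and reads the text as: a session idle for longer than 3 minutes is dropped from the cache, a still-valid cookie then re-authenticates the same user without a prompt, and an expired cookie or an unseen IP triggers the portal prompt. The IPs, username and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

COOKIE_LIFETIME = timedelta(minutes=55)  # temporary authentication cookie (handbook value)
IDLE_TIMEOUT = timedelta(minutes=3)      # inactivity timer (handbook value, configurable)

@dataclass
class AuthCookie:
    """Cookie the captive portal leaves in the device's browser at login."""
    username: str
    issued_at: datetime

    def valid_at(self, now: datetime) -> bool:
        return now - self.issued_at < COOKIE_LIFETIME

class NacCache:
    """IP -> [username, last_activity] cache, modelled on the handbook's NAC description."""
    def __init__(self) -> None:
        self.sessions = {}

    def login(self, ip: str, username: str, now: datetime) -> AuthCookie:
        """Portal login succeeded: record IP/user and issue the 55-minute cookie."""
        self.sessions[ip] = [username, now]
        return AuthCookie(username, now)

    def resolve(self, ip: str, now: datetime, cookie=None):
        """Outcome for traffic seen from ip: 'ok', 'silent-reauth' or 'prompt' (with username)."""
        s = self.sessions.get(ip)
        if s is not None and now - s[1] <= IDLE_TIMEOUT:
            s[1] = now
            return s[0], "ok"
        self.sessions.pop(ip, None)  # unknown IP or idle too long: the portal is triggered again
        if cookie is not None and cookie.valid_at(now):
            self.sessions[ip] = [cookie.username, now]  # cookie still valid: same user, no prompt
            return cookie.username, "silent-reauth"
        return None, "prompt"

def lesson_walkthrough() -> list:
    """Constructed timeline for one device over a lesson; returns the outcome of each check."""
    t0 = datetime(2024, 3, 12, 9, 0)  # constructed timestamp
    nac = NacCache()
    cookie = nac.login("10.0.5.21", "jsmith", t0)  # constructed IP and username
    checks = [
        nac.resolve("10.0.5.21", t0 + timedelta(minutes=2), cookie),   # active: no prompt
        nac.resolve("10.0.5.21", t0 + timedelta(minutes=10), cookie),  # 8 min idle, cookie valid
        nac.resolve("10.0.5.21", t0 + timedelta(minutes=60), cookie),  # idle and cookie expired
        nac.resolve("10.0.5.40", t0 + timedelta(minutes=60)),          # unseen IP: new device
    ]
    return [outcome for _, outcome in checks]
```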


Capture Examples

Below shows several examples of what captures will look like with the different authentication methods available.

Captive Portal login with LDAP

Captures will use the username taken from Active Directory after login.

IP Address

With no authentication method selected, the device’s IP address will be displayed as the username.

MAC Address

The MAC address of the device is used for the username when MAC authentication is selected during install.

Hostname

Hostname authentication will display the hostname of the device as the username.

Below is an example of a full screen NET capture.

Note that this is a recreation of the web page based on the information taken from the network packets.


Trials

On site NET server installed to hardware or virtual machine.

Some schools will want to test Securus NET with a full installation to evaluate the install process and how NET will work in their network. For these types of trials we recommend an Explicit installation (on a virtual machine). This is currently the quickest configuration method where device management is in use: once the server is installed, the device management software can enforce the Securus NET proxy settings and install our certificate.

Explicit vs Transparent

Explicit – Using an opt-in type proxy setup

This is the simplest setup, as no change to the existing network configuration is required. The NET instance is added to the network as you would any other server. An explicit setup is better suited to testing purposes and small-scale deployments.

Transparent – In-line proxy to the internet

A change to the network configuration is required, as the NET instance will need to sit between the firewall and the core switch. Suitable for large-scale deployments and BYOD scenarios.


Maintenance

Updates

We manage a central NET instance (NET Controller) which pushes base library changes and software updates to live NET servers via a VPN tunnel.

Updates to the operating system such as security patches are also automatic.


FAQ’s

Can NET integrate with SSO?

NET supports RADIUS and Google SSO.


Can I track activity within games?

This depends upon the protocol that the game uses. If the game uses ‘http’ or ‘encrypted http’ then the answer is yes. Overall, this is game dependent, as the game may have its own proprietary protocol.

Can NET analyse encrypted sites or logged in sessions?

NET has access to all session information for that user. NET supports SSL inspection: NET essentially replaces the website’s certificate with its own and can thus inspect traffic between the client and the website.

Will NET monitor encrypted applications?

As most applications use end-to-end and proprietary encryption, we are unable to inspect these sessions.

How does NET work when a school is already using a proxy?

NET supports proxy chaining through the UI and can be set as a transparent or explicit proxy.

Can NET have language packs added to it, so it can capture in these languages?

Yes, UTF-8 is supported. Unicode is a standard for representing a great variety of characters from many languages. Please enquire should you have requirements for non-English libraries.

Our school uses a shared login for our pupils, will NET still monitor activity?

Securus NET would continue to work regardless; however, captures will all populate under the same user account. It is possible to differentiate between users via the IP or station name.

Will antivirus conflict in any way?

No, as there is nothing installed on end devices. Antivirus will not impact the performance or functionality of NET.

Is Office 365 monitored?

Some web-based mail clients are supported. Office 365 uses JSON and as such is not currently inspected. If a fat client is used, then the answer is no. A fat client is anything installed locally on a device.

What doesn’t NET monitor?

  • Most installed applications.

  • Dynamically loading websites such as Twitter / comment threads.

  • Video content.

How long will a NET capture take to reach the server?

Assuming reasonable network performance and availability, captures should not take any longer than 15 mins to reach the Securus console for viewing.

Will NET affect my network speed?

The effect is minimal, and you are unlikely to perceive any actual difference in usability.

Where will the NET appliance sit on my network?

Typically, between the firewall and the core switch.

Will NET monitor off site?

As the appliance resides at the site, traffic will not pass through the NET server when the device is away from the premises.


Deployment Topology

Off Premises Deployment

(Topology diagram not reproduced in this text.)

On Premises Explicit

(Topology diagram not reproduced in this text.)

On Premises Transparent

(Topology diagram not reproduced in this text.)

Document number/reference: SEC-KB-NET-002

Classification Level: Public


Related Articles

https://securus-software.atlassian.net/wiki/spaces/SSKB/pages/393408

https://securus-software.atlassian.net/wiki/spaces/SSKB/pages/197052

Version Date Comment
Current Version (v. 32) Mar 12, 2024 15:52 Chris Collins