Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

AndrHann
New Contributor III

Safe searching images

Hi all

I am supporting a school with a FortiGate which has been working really well for blocking access to undesirable content. There have been issues lately where students have been finding questionable content on Google and Bing by searching for images. We are also having some issues with YouTube content.

Is the "Search Engines" section under the web filter the place where I can block this type of content? If so can anyone explain the settings or point me to a document relating to this? I want to know what exactly 'Enforce Safe Search' and 'Restrict YouTube Access' does? What is the difference between 'Strict' and 'Moderate' YouTube restrictions?

Any tips around this topic would be great.

Thanks,

Andre

4 REPLIES 4
krahemat_FTNT

Andre,

Enabling the safe search option within the URL filtering profile causes all web searches either Google, BING, Yahoo or others to only allow non-explicit results to to be provided to the user.  If the user were to search for explicit material.  This would include any results returned from images from the results.

 

With restrict Youtube access you are preventing users from accessing a wide variety of content available to the user.  Setting this option allows the filter to only allows the YouTube educational content to be allowed and the restriction level you wish.  I have included the following documents,  I hope they do help.

 

http://cookbook.fortinet.com/blocking-adultmature-content-google-safesearch/

http://docs.fortinet.com/uploaded/files/1664/setting-up-YouTube-for-Education.pdf

 

Regards,

 

Karim

AndrHann

Thanks Karim

That makes a lot of sense. I've done some testing and can see that safe search only works with deep packet inspection enabled. We don't use DPI due to the large amount of BYOD devices in the school. I have come up with another plan that will hopefully work. The plan is as follows:

- Disable 'Search Engines and Portals' in web filtering.
- Add 'google.co.nz' and 'bing.com' to a custom 'allow' web category. This will force all used to only use those search engines.
- Create an entry in the internal DNS server for google and bing, pointing to the safe search IP addresses for both search engines.
- Sit back and hope I haven't broken anything.

Can anyone see any issues with this approach?

Andre

thedude78

Andre,

The Issue I could see here is that once you create a zone on your internal DNS servers for Google.co.nz and bing.com your DNS server will consider itself authoritative for those domains, and any hosts, or subdomains associated with them.  So if for instance someone tries to go to mail.google.co.nz  to check their gmail account they will not be able to resolve that host .  I am not sure if this will impact you as I am unfamiliar with what hosts/applications you might run into issues with.  Gmail might not be impacted but it is an example to consider.

The other issue might be if IP addresses change within Google's or Microsoft's environment you could end up with users unable to search until you resolve the issue.

Dan

krahemat_FTNT

Andre,

Dan is correct regarding DNS records internally being resolved and being authoritative for the domains.  Another key issue, I need to point out is SSL inspection.  Google and possibly other search engines have gone the route of encrypting the browser sessions for privacy reasons.  This will essentially allow the user to search explicit image content on the web.  If you employ SSL deep inspection and with the enforcement of the Safe Search feature, you would be able to block results with explicit image content.

I understand the BYOD issue, however this is more of a user policy and enforcement issue.  Since the school is providing internet access to its students, the school will put in controls in place i.e. web filtering, network monitoring and as such to ensure students are not violating policies that may harm the school or the students.  So, now the school management team will have to look at the issue and propose the solution to fully enforce URL filtering with SSL inspection or risk the students searching explicit image content.

The other side of the coin is the students may use their own internet access tethered to device with mobile data allowing the user to use the internet unfiltered.  At this point the school has no liability as the school's network infrastructure was not used.

 

Karim