Considerations when Proxying & Filtering Https traffic

To provide secure sessions between your users and websites that have sensitive information or require authentication, HTTPS encrypts web content between the website server and the user’s browser. While the traffic between the two is encrypted during a HTTPS session, the content that is delivered is just as likely to be infected with viruses or other malware as content from non-encrypted sites. As the traffic is secured and encrypted between the client and website the proxy/filter/firewall is unable to inspect the traffic.  To scan encrypted content, it must first be decrypted, then scanned, then re-encrypted for delivery to the requesting end user’s browser.

Doing this maintains the privacy of the encrypted content, as the process is done automatically without human eyes viewing the content. However, because the traffic has been decrypted, the original site certificate cannot be used by the browser to authenticate the connection, so the original certificate is replaced by one generated by the proxy/filter/firewall. This replaces the original certificate, which requires that you download and install the generated certificate authority into your users’ browsers, which can be done centrally using Active Directory Group Policy Objects for domain joined clients.

Probably the largest example of a secure website used in education is the google search engine.  By default Google will redirect users to a secure version of the site, if you are not decrypting as explained above then the searches & results within the search engine are invisible to the proxy/filter/firewall and therefore cannot be filtered or inspected.  Particularly with the general introduction of multiple client device types within education we strongly recommend implementing an appropriate solution that can manage secure web traffic effectively and efficiently across all internal networks and devices.  There are a number of considerations when implementing an appropriate solution such as the ability to decrypt and scan as above, the associated performance overhead, certificate management on client devices, impact on users and the fact some secure websites just will not work when decrypting & Scanning (after all you are simulating a ‘Man in the Middle Attack’!)

For a number of years now we have been working closely with Sophos and have implemented a large number of their Security Gateway products to predominately perform the Web Filtering and Firewall roles within educational sites.  The security gateway’s utilise high spec hardware and can perform the decrypt & scan method but also has other functions for managing Https traffic.  The added advantage though is the combination of the functions available and the flexibility of configuration, this allows us to implement a secure solution that satisfies the requirements of each differing site.

Anti-bullying Week – Supporting schools with e-safety and Ofsted best practice

In light of Ofsted’s 2014 e-safety briefing and inspection framework, Impero considers:

  • Why is it important to support pupils and staff facing e-safety issues?
  • What mechanisms should a school have in place to facilitate this?
  • How can schools improve learning in line with Ofsted’s framework

Facilitating Ofsted best practice

Ofsted identifies key areas for inspection, including the behaviour and safety of pupils; the learning and achievement of pupils; the quality of teaching, learning and leadership; and a strong focus on moral, social and cultural development. Born in the classroom, Impero Education Pro has been specially developed in direct response to Ofsted best practice, e-safety concerns, and the changing demands of modern education.

Improve the behaviour and safety of pupils

Research carried out by Impero suggests that adopting a managed approach to technology is better than blocking access altogether. Ofsted shares this view of accountability. Allowing access encourages students to learn how to navigate the web safely and take responsibility for their own behaviour, whilst monitoring ensures tutors are in control of their classroom and prepared to act, if required. With Education Pro, acceptable use policies can be displayed to reinforce the school’s rules for acceptable use.

Monitor progress and check pupils’ understanding

Ofsted are keen to see that tutors undertake effective methods to track pupils’ progress, both throughout lessons and over time. Monitoring on-screen activity provides a quick view of student progress against a session’s learning objectives. The functionality to set exams in a controlled digital environment, receiving live feedback throughout, also helps tutors to monitor progress; this quick snapshot means tutors can alter tasks, tailoring them to the specific abilities of each individual. Electronic exams are automatically marked and can be saved, and the results of quick questions are instantly presented in a pie chart, enabling tutors to evaluate learning from a centralised record over time.

Capture, document and report evidence

Ofsted judge behaviour based on evidence documented over time to determine whether schools manage behaviour effectively. Using Education Pro, schools can record a complete log of all network activity, including any inappropriate behaviour or misuse, to be used as evidence. Video recordings and screen shots can be used to prove misconduct, and the Confide system stores all reports from concerned students, to help schools analyse change practice.

Engage learning and increase communication

Low level class disruption is also considered by Ofsted during inspections. Live thumbnails of student screens provides a bird’s-eye-view of classrooms and computer suites to ensure technology resources are being used appropriately. Tutors can discreetly send a message to a misbehaving student to prevent disruptive behaviour from escalating, or check their understanding from afar. Conversations can be created for selected groups of students to aid collaborative learning and group discussions.

Prevent and tackle discriminatory and derogatory language

The effectiveness of a school’s actions to prevent discriminatory language is also highlighted by Ofsted. Impero Education Pro’s key word abuse libraries scan for terms, phrases and acronyms to help identify abusive or concerning use of language. Schools can actively monitor for localised trends specific to the school, recognising patterns, such as gang-related terminology, or equally, a student at potential risk.

Ofsted and e-safety

Young people are becoming more deeply engaged with technology at an earlier age than ever before. In Ofsted’s 2014 briefing ‘Inspecting e-safety in schools’, it was reported the time spent online by children aged 12-15 had risen from 14.9 hours a week in 2011 to 17.1 hours in 2012. The briefing also documents that 28% of Key Stage 3 and 4 students had been deliberately targeted, threatened or humiliated by an individual or group through the use of mobile phones or technology; for over a quarter of these students, this abuse was classed as ongoing. These statistics prove that as technology becomes more accessible to young people from an earlier age, the potential for associated online risks is magnified.

The Ofsted briefing also refers to research executed by Ofcom, which reports that 83% of young people aged 8-11 and 93% aged 12-15 feel confident that they know how to remain safe online. So, if this is true, why should schools still be concerned with e-safety? It is important to consider that although young people may feel confident staying safe whilst navigating the web, this confidence is not necessarily teamed with due caution.

Supporting pupils and staff when dealing with e-safety

E-safety has always been held at the core of Impero’s software products for education, and in recent years the classroom management software company has developed a specialism in the field of e-safety. The latest developments to the e-safety functionality available in Education Pro and Classroom Manager enables teachers, students, and schools as a whole, to manage e-safety in line with best practice.

Ofsted believes in ‘the promotion of safe practices and a culture of safety, including e-safety’. It categorises e-safety risks into the three following areas: content, conduct and contact. And with 40% of Key Stage 3 and 4 students admitting to witnessing a ‘sexting’ incident and 40% of the same group not considering topless images inappropriate, recognising these areas has never been so vital.

Ofsted’s three areas of risk


  • Content: ‘being exposed to illegal, inappropriate or harmful material.’
  • Conduct: ‘being subjected to harmful online interaction with other users.’
  • Contact: ‘personal online behaviour that increases the likelihood of, or causes, harm.’

Impero’s work with the Internet Watch Foundation (IWF), the Anti-Bullying Alliance (ABA), Beat, and partnership schools has also raised these e-safety areas of risk. This research revealed that young people have easier access to potentially harmful material, such as ‘pro-ana’ websites (websites encouraging the eating disorder anorexia). This first-hand information has helped with the development of keyword detection libraries based on bullying, grooming and concerning behaviour. The software cleverly highlights when a user has typed a word, phrase or acronym that may suggest exposure to potential risk, whilst the glossary of key word definitions means educators don’t need to be experts in 21st Century slang to identify a risk.

In Impero’s recent e-safety survey conducted through Facebook (link), it was discovered that an alarming 35% of students had circumnavigated online blocks designed to prohibit access to websites of an inappropriate nature. As an alternative, monitoring helps schools to take a managed approach to technology, as opposed to locked-down. Students can be entrusted with access to resources, whilst monitoring of activity fuels a change in behaviour, deterring misuse in the first instance. E-safety risks are not unique to the internet, however, so Impero’s key word detection monitors everything on a school’s network, and the logviewer keeps a centralised record of this. 

Effective reporting channels

Ofsted’s briefing goes on to highlight a sexting survey conducted by South West grid for Learning (SWGfL) which revealed that 74% of 11-16 year olds would prefer to report issues to their friends rather than a ‘trusted adult’. For this reason, Ofsted encourages robust reporting channels. It can be difficult for vulnerable young people to speak up if they are being bullied, feel threatened, or if an issue is worrying them. This is reinforced in Ofsted’s briefing, which reports that pupils with special educational needs are 16% more likely to be victims of online abuse, and those from lower socio-economic backgrounds are also 12% more likely to be bullied online.

Available in the latest version of Education Pro, the Confide button provides an anonymous method of disclosure to give vulnerable students a voice. It enables pupils to report any concerns they may have about themselves or another student, with the choice to remain anonymous if they wish. The option to include staff photographs shown on the Confide system provides a personalised feel, without the need for face-to-face communication, encouraging students to share their concerns with an adult they trust in a way that’s comfortable for them.

A whole school approach to e-safety

Ofsted promote ‘a whole school approach’ to e-safety and this is mirrored in the functionality of Education Pro. The real-time monitoring enables educators to deal with issues as and when they occur, helping them to be both reactive and proactive in the ways they deal with e-safety issues. Education Pro also helps schools to pick up on trends that may be localised to that specific school, such as racist language in an ethnically diverse establishment. This information can then be recognised and used to inform the school’s acceptable use policies. Monitoring staff’s activity on the network helps professional boundaries to be established, educating staff to support their students.

How Impero’s Classroom Management Software can support schools with e-safety and Ofsted best practice

website editedit edit

The ‘Heartbleed’ and what it means to our customers

It has recently emerged that a major security flaw at the heart of the internet could be exposing internet users’ personal information and passwords to hackers. It is not clear how much damage the bug may have caused, but it is one of the largest security issues facing the internet so far.Heartbleed

The bug exists in a piece of open source software called OpenSSL which is designed to encrypt communications between a user’s computer and a web server.

This issue got the name Heartbleed as it affects an extension to a Secure Sockets Layer called the Heartbeat. This is one of the more extensively used encryption tools online and believed to be used by about two-thirds of all websites,  amounting to about half a million sites. If a website has a padlock symbol in the browser then it is likely that it is utilising SSL.

The bug is believed to be that serious a website has been established for it: This website outlines all aspects of the problem for anyone who may have concerns over there personal and private information.

The issue was uncovered by Google Security and Codenomicon who said it was created by a programming error. OpenSSL is open source, therefore, researchers were able to investigate the code in great detail which highlighted the issues. This is a very difficult task to carry out as code can be very complex and it can be time-consuming to locate such problems.

Virtue Technologies do not consider our customer UTMs to be at risk at this time as the relevant attack surface of the UTMs is not directly available from the internet on the standard SSL port. The exploit predominantly targets web servers rather than end-user environments.

However, Sophos released an update which included a fix for this vulnerability and as a precaution we have deployed this to all our UTM customers.

In the following video Elastica’s CTO Dr Zulfikar Ramzan walks through the mechanics of the Heartbeat (Heartbleed) flaw (at a high level), how an attacker can exploit it, and its underlying ramifications;



The Internet: Where’s your data?

It is widely known the Internet is a global resource operating everywhere, in our homes, schools, workplaces and our pockets. In fact, it can be accessed from almost every place on earth – and even locations further out into space. But what about the data being accessed? Where is that stored and who is accessing it.

When looking at this, the results are interesting.

Let’s start by investigating the users. Who they are and where they are. The world’s population is now centric towards the East in locations such as India and China, with the Western world a bit behind. This is confirmed online also with China represented by about 568 million Internet users from a population of 1.3bn, and India represented by 153 million users from a population of 1.2bn. These highly populated ‘developing’ countries have had a massive uptake on Internet usage, but they still have a way to go. On the other side of the coin however, the USA has 255m Internet users from a population of 316 million.

From this it is clear the majority of web use is in the Far East. So what are they all doing? Where is the data that they all consume each and every day?

Well, this is where it gets very interesting.

Brazil (yes Brazil) has the third largest number of Internet hosts, with 26 million. In second place is Japan with 64 million hosts. However, leading the pack by a country mile is our old friends the USA with a whopping 505 million Internet hosts. That’s more hosts, providing services to the internet than the USA has people.

This clearly shows that the USA is still very much at the forefront of web services. I don’t know for sure, but I would estimate that most of these hosts are owned by companies located in Northern California.

So what does all this mean. Well, put simply – I have absolutely no idea – other than:

  • Yes, it’s an interesting fact.
  •  Yes, the USA is still the Daddy. If you make the link between web hosting and innovation, the bulk of the web is still being developed by our friends in San Francisco Bay area.
  • The bulk of consumers are from the Far East and they are consuming services from the USA.

So, does it really matter? Well I think it does in the long-term. Countries, companies and consumers are increasingly nervous about data being stored in other countries. Whether they are worried about other governments ‘having a peak’ or issues relating to the export of data.

People increasingly want their data stored in their own country. Blackberry have suffered problems with this issue in the past when their storage of BBM data caused large scale problems in the UAE, Saudi Arabia and India, with some counties blocking all users from using BBM in protest.

This is an increasingly important consideration for our education customers. As schools look at using web hosted teaching and administration solutions, they are thinking about where their data will actually be stored.

The good news is that providers are getting smart to this, with several providers now ‘guaranteeing’ that their data will be stored in a certain region and not others. Microsoft, for example, are transparent in where Office 365 data is stored and will ensure that is stays in a region that is appropriate to you. For information, UK customers have their data stored in the EU and the backup data centres are based in Holland and Ireland.

Staying Safe On-Line

We all do loads of ‘stuff’ on-line, we book holidays, read the news, chat to our friends and even buy our groceries. Sadly, it also seems that every day there is another online company gets hacked and compromising it’s customer’s username and passwords.

So what’s the answer, should we just stop using the web? Well realistically, that just isn’t going to happen is it, especially as the Internet is cram packed full of educational tools and resources. internet use in schools is on the up and whilst there are mechanisms in place to protect users from the obvious, there will always be potential threats on the internet.

The following is my top tips to a safe on-line life:

Dodgy emails

Responding or opening emails from people you don’t know is always a risk. Be very careful with emails offering you something free, or emails that want you to click a link. Never respond to an email from your bank asking you to re-validate your user-name, password or bank details. If a bank sends you an email, they normally have a security validation with in the email, for example they will tell you the last part of your postcode in the email (something that can not be faked).

There is a whole range of what I call the ‘zip file emails’. These emails appear to be from people you mitt just deal with, such as Fedex, the Inland Revenue or your bank. They all have a zip file attached. Sadly, opening the zip file will likely bring yo a word of pain.

Use your instinct, if an email looks dodgy then it probably is. Just delete it.

‘Keep me signed in’

We all click the button on login to a site to ‘keep me logged in’, with so many passwords these days it just makes our life so easy. Never, ever, click this button on a shared PC, for example a PC in a classroom or library. Only use this function on your own PC – and even then, just think about the data that on the site.

It wouldn’t be great if some else sat at a PC after you and revisited the sites you were on… as you? Imagine what they could do on your Facebook account, or worse.

Keep your software up to date

Many internet threats exploit weaknesses or holes in software coding. Software vendors continually update their software to keep it secure, so make sure you keep ‘auto-update’ enabled. It might be a bit of a pain to re-boot your PC when Microsoft send you a security patch, but it will keep you safe – so just do it. It’s also important to make sure your virus signatures are up-to date, so once again keep them up-to date.

Naughty Content

If you went to a large city on holiday, there would be areas you would avoid. You would stick to the respectable areas and avoid the less-desirable parts. Guess what, the web is just the same! As soon as you go looking for free software, downloading music or movies or other porn you are entering the Internet’s Ghetto. A place where any website you visit may contain a hidden surprise such as a virus or a trojan. My best advice, stay away.

Clearly, our Internet solutions include a robust content filtering solution to manage this situation, but users with mobile devices will always use the internet away from the site.

Don’t give your Bank details away

Easier said than done, especially when you are shopping. However, once again try to stick to respectable sites. One tip is to use paypal, or a similar payment site. Using a payment site means that the end supplier never has your card details, just giving you that added level of protection.

Connecting to ‘Free Internet’ Connections

If you’re out and about with your laptop and looking to connect to the web, be careful of free wi-fi solutions. Connections with a wireless name such as ‘free internet’ should be approached with caution.

There will always be threats out there and it’s very difficult to be 100% safe, but thinking about the above and acting upon potential risks will help keep your web-world safe.

Fibre connectivity reaches 1.4Tbps

British Scientists working with Alcatel-Lucent and BT have broken a new record for data transmission. The test was between the BT tower in London and BT’s research center in Suffolk.

Using a fibre link, which used existing fibre infrastructure, data rates reached a speed of 1.4 terabits per second. That’s enough to download 44 full length, high definition movies in just 1 second.

It will be some time before we see anything like this in our homes or workplaces, with most of our customers currently enjoying between 50 and 100mbps internet connectivity.