Fastvue Reporter is used in hundreds of schools and educational institutions throughout world, and a popular use case, especially in the United Kingdom, is to monitor Internet searches and web activity to help identify students that may be at risk of radicalization and extremism, violence or abuse, and other online safety issues.
We've seen a dramatic increase in this use case after The Prevent Duty legislation was published in July 2015, and again with the September 2016 changes to the Keeping Children Safe in Education (KCSiE) policies.
The September 2016 changes include a new paragraph highlighting the need for appropriate filters and monitoring systems to be put in place. They also strengthened the wording from 'should consider' to 'should ensure':
"Governing bodies and proprietors should be doing all that they reasonably can to limit children’s exposure to the above risks from the school or college’s IT system. As part of this process, governing bodies and proprietors should ensure their school or college has appropriate filters and monitoring systems in place."
If you are not receiving clear, timely alerts when a student's online behaviour steps into 'at risk' territory, then you are not doing 'all you reasonably can' to safeguard students. Furthermore, if you only have one person receiving alerts and reports, they can quickly become 'alert blind' and fail to follow up potential issues.
Fortunately, Fastvue Reporter makes sense of the web traffic flowing through your firewall (no need to install local agents on student devices), and can distribute alerts and reports to the right people such as teachers, principals, student counselors when specific search terms are used, or websites accessed.
Below is a Fastvue alert email that has been sent to year 10 teachers identifying a student at risk of extremism and radicalization:
To receive these alerts, there are just three steps to follow.
First of all, you'll need to enable HTTPS inspection on your firewall. Why? The world's most used search engine, google.com, strictly enforces HTTPS for all searches. This means your firewall knows there is traffic to https://www.google.com, but not what the full URLs or search terms are (e.g. https://www.google.com/?q=**My+Search+Term**).
Fortunately, most modern firewalls and UTMs include HTTPS Inspection as part of their feature set. SonicWALL calls this DPI SSL (Deep Packet Inspection of SSL traffic). When you enable this feature, the full URL including the search term will be logged and sent to Fastvue Reporter.
Note: DPI SSL / HTTPS Inspection requires some deployment effort due to certificates and client trust issues. Apply it to a sub-set of your network, and test the end user experience across all critical applications and devices before doing a full roll out. One common issue is that Chrome and Android devices may not function correctly unless these domains are excluded from HTTPS inspection.
Fastvue Reporter now ships with this Alert by default. The steps below will take you through the process of creating such an alert, and can be applied to creating similar alerts on other search topics.
Coming up with an effective list of keywords is a difficult and time consuming task. So to make things easier, we have included a list of keywords, along with another list of 'exclude' keywords below.
To create your alert:
In Fastvue Reporter, go to Settings | Alerts
Click New Alert, name the alert Extremist Searches and click OK
In the Alert Criteria section, select: Category 'Equal to' Search Engines and Portals AND Search Term 'Contains'
[Paste in keywords from this text file] AND Search Term 'Does not contain' [
In the Alert Properties section, leave the defaults (Name = Extremist Searches, Alert key = User, Priority = High)
In the Alert Evidence section, ensure the User, Search Term, and Origin Domain fields are set as columns along with any other columns you would like to see such as Source IP, Department etc.
In the Alert Notification section, enter the email addresses of the people or distribution lists that should receive these alerts via email.
Tip: To avoid the 'Alert Blindness' issue mentioned previously where a single person receives all alerts, it is a good idea to add a department filter to the criteria section in the alert, and email the alerts to person responsible for that department. You can then duplicate the alert (using the Duplicate button in the header for each alert) and change the department and email addresses for each one.
Click Save Alert
Click the toggle switch to enable the alert.
Now that you've added your alert, head to your favourite search engine (if you don't have HTTPS Inspection applied yet, use a search engine that works over http such as bing.com), and search for one of the keywords such as 'isis' or 'explosive'.
Go to the Alerts tab in Fastvue Reporter and you should see the resulting alert.
Sending real-time alerts when extremist searches occur is a great first step, however it's important to note that alerts are purged after 48 hours. If you need to retrieve information about extremist searches prior to the last 48 hours, you will need to run a report.
User Overview Reports contain a 'Search Terms' section at the bottom of the 'Productivity' section of the report. However this shows all searches made by a specific user, and you probably don't want to open hundreds of user reports to investigate whether any extremist searches were made.
Fortunately, you can run an Activity Report that lists all 'extremist searches' made by anyone on your network, along with the username.
To do this:
The KCSiE policies outline a number of requirements to help define what is considered 'Appropriate' monitoring for schools.
|Requirement||How SonicWALL and Fastvue Reporter can help|
|Assign appropriate responsibility for analysing the logfile information. These reports can often be difficult to understand and may require specialism to analyse.||Although configuring Fastvue Reporter to consume log data from SonicWALL is a job for the IT department, the reports and alerts are designed to be easily consumed by non-technical staff members such as teachers, principals, counsellors, department heads and HR teams. Distributing reports and alerts to the people responsible for various departments or classes is easily achieved with Fastvue Reporter.|
|The logfile information should be able to identify an individual user (or group as appropriate) for effective intervention.||When SonicWALL is configured to authenticate users by integrating your directory via LDAP or AD SSO, it will log the authenticated username with their web traffic. Fastvue Reporter then matches the traffic back to a user, department, office or company configured in Active Directory and can display this information in your reports and alerts.|
|Logs need to be regularly reviewed, interpreted and alerts prioritised for intervention||Filtering reports and alerts by AD groups or departments, and sending them to the managers of those departments is a great way to ensure the information is actually reviewed and acted upon. If you configure all reports and alerts to be sent to a select few people, they may soon develop 'alert blindness' and stop reviewing the information. Split and distribute the load as best you can using the filters interface in Fastvue Reporter.|
|Information held by the school that indicates potential harm, must be acted upon||As above. If you are delivering relevant information to the right people, and distributing the load, then the information has the best chance of being reviewed and acted upon.|
|Be aware of any limitations of the logfile information||Fastvue Reporter understands and works around the limitations in SonicWALL's log data so that you don't have to. The best information is simply presented in a clear, easy to understand format.That said, you should be aware of the following limitations:|
More information on Appropriate Monitoring for Schools can be found via the resources below:
We hope this information helps you in your endeavours to keep children safe online, and adhere to government policies in your school. If you have any questions or issues, please leave a comment below.
To find out how Fastvue Reporter third-party monitoring solutions are helping schools worldwide, visit Safeguarding Students.
Download the free 30 day trial, or schedule a demo and we'll show you how it works!
Monitoring Internet Usage to Safeguard Students in Schools
How to Enable Dark Mode in Fortinet FortiGate (FortiOS 7.0)