Opendium Documentation - User contributions [en-gb]

Chrome OS Configuration

2024-11-08T10:06:21Z

Steve: Add to categories

==One-to-one devices==
This section covers devices which are not managed by the school through an MDM and are standalone or BYOD devices information on shared devices will be updated at a later date in the [[Chrome OS Configuration#Shared Devices|Shared Devices]] section.
*If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''Single User Devices''.
*If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
*If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate.
If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:

* Open and login to the Chromebook
* Open chrome web browser and navigate to the certificate location <UTM/Webgateway>/opendium.crt
* This will download the certificate to your chromebook, click show in folder to confirm the certificate has downloaded and where it is saved. by default this will be the downloads folder:

[[File:3 Cert in downloads folder.png|alt=Certificate in downloads folder.|border|center|Certificate in downloads folder.]]

* In the URI bar go to chrome://settings or click the three dots top right and click settings:

[[File:4 chrome settings.png|border|center]]

* Navigate to: Privacy and Security -> Security -> Advanced -> Manage Certificates

[[File:Privacy and Security.png|border|center]]
[[File:Manage Certificate.png|border|center]]

* Select the Authorities tab

[[File:Certificate Authorities.png|border|center]]

* Click Import and select opendium.crt if it isn't visible navigate to the location you downloaded the certificate to above.

[[File:Certificate in downloads.png|border|center]]

* Select at least "Trust this certificate for identifying websites" and click OK

[[File:Trust certificate.png|border|center]]

* Check the opendium certificate is in the authorities list by scrolling down the list.

[[File:Check cert.png|border|center]]

You should now be able to browse HTTPS sites without getting a security warning.

==Shared Devices==
Coming Soon.
[[Category:Client Configuration]]
[[Category:To do]]

Microsoft Windows Configuration

2024-05-21T09:45:40Z

Steve: /* One-to-one devices */

== One-to-one devices ==
This section covers devices which are not joined to the Windows domain and always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding [[Microsoft Windows Configuration#Shared devices|Shared devices]] (including domain-joined) and [[Microsoft Windows Configuration#Multiuser servers|Multiuser servers]].

* If possible, configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system. Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''. If 802.1x authentication cannot be used, Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''Single User Devices''.
* If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
* If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate.

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate:

* Browse to https://''<your Opendium host name>''/opendium.crt (This URI is displayed on the [[Web]] tab).
* Go to ''Downloads.''
* Double click the certificate.
* Click ''Install Certificate'', which will launch the Certificate Import Wizard.

[[File:Windows Certificate Import Wizard.png|alt=Windows Certificate Import Wizard|center|frame|Windows Certificate Import Wizard]]

* Select ''Local Machine'' and click ''Next''.

[[File:Windows Import Certificate Wizard - Local Machine.png|alt=Windows Import Certificate Wizard - Importing into Local Machine|center|frame|Windows Import Certificate Wizard - Importing into Local Machine]]

* Click ''Yes'' in the User Account Control box which pops up.

[[File:Windows Import Certificate - User Account Control.png|alt=User Account Control popup|center|frame|User Account Control popup]]

* Select ''Place all certificates in the following store'' and click ''Browse''
* Select ''Trusted Root Certification Authorities'' and click ''Ok''.

[[File:Windows - Select Certificate Store.png|alt=Select certificate store|center|frame|Select certificate store]]

* Click ''Next'' in the Certificate Import Wizard.

[[File:Windows Certificate Import Wizard - Import into Trusted Root Certification authorities.png|alt=Import into Trusted Root Certification authorities|center|frame|Import into Trusted Root Certification authorities]]

* The final page of the wizard lets you review your settings. Click ''Finish'' and the certificate will be imported.

[[File:Windows Import Certificate Wizard - Finish.png|alt=Windows Import Certificate Wizard - Finish|center|frame|Windows Import Certificate Wizard - Finish]]

* A security warning will be displayed saying that Windows cannot validate the certificate. This is normal, click ''Yes''.

[[File:Windows cannot validate certificate.png|alt=Security warning|center|frame|Security warning]]

* The Certificate Import Wizard will pop up a box announcing that the certificate was successfully imported.

[[File:Windows Certificate Import Wizard - Success.png|alt=Windows Certificate Import Wizard - Success|center|frame|Windows Certificate Import Wizard - Success]]

=== Troubleshooting ===
These instructions explain how to confirm that the Opendium inspection certificate is installed on a stand alone Windows machine. Windows versions 8 and 8.1 have a different style start menu to Windows versions 7 and 10, but the procedure is the same in all cases.

* Click ''Start'' or press the Windows key, then type ''mmc'' and click the ''mmc'' command.

[[File:Run mmc.png|alt=Search for mmc|center|frame|Search for mmc]]
[[File:Run mmc 2.png|alt=Run mmc|center|frame|Run mmc]]

* If a ''User Account Control'' dialog pops up asking if you would like to allow Microsoft Management Console to make changes, click ''Yes''.

[[File:User Account Control - mmc.png|alt=User Account Control|center|frame|User Account Control]]

* Microsoft Management Console will then start, go to ''File -> Add/Remove Snap-in...''

[[File:Mmc Add-Remove Snap-in.png|alt=Add/Remove Snap-in|center|frame|Add/Remove Snap-in]]

* Add the certificate snap-in by double clicking or highlighting ''Certificates'' and clicking ''Add''.

[[File:Mmc Add certificates Snap-in.png|alt=Add certificates Snap-in|center|frame|Add certificates Snap-in]]

* Select the ''Computer account'' radio button and click ''Next''.

[[File:Manage certificates for computer account.png|alt=Manage certificates for computer account|center|frame|Manage certificates for computer account]]

* Leave the ''Local computer'' radio button selected and click ''Finish''.

[[File:Select local computer.png|alt=Select local computer|center|frame|Select local computer]]

* You should now see ''Certificates (Local Computer)'' in the right hand pane.

[[File:Certificates snap-in installed for local computer.png|alt=Certificates snap-in installed for local computer|center|frame|Certificates snap-in installed for local computer]]

* Click ''Ok'', which will take you back to MMC and should show ''Certificates (Local Computer)'' in the left hand pane.

[[File:Mmc Certificates for Local Computer.png|alt=Certificates (Local Computer)|center|frame|Certificates (Local Computer)]]

* Select ''Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates''
* You should see the Opendium certificate listed in the right hand pane.

[[File:Mmc Opendium certificate.png|alt=Opendium certificate in mmc|center|frame|Opendium certificate in mmc]]

* For more details, double click the certificate and click the ''Details'' tab.

[[File:Inspection Certificate Details.png|alt=Inspection certificate details|center|frame|Inspection certificate details]]

== Shared devices ==
This section covers devices which are shared between multiple users (one user logged in at a time). Scroll down for information regarding [[Microsoft Windows Configuration#Multiuser servers|multiuser servers]].

=== Devices on the Windows domain ===
Client devices '''must''' use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol. We recommend using automatic proxy discovery wherever possible.

* The network that the device is being connected to should have [[Web: Permissions & Limits#Autoconfigure%20devices%20to%20use%20the%20proxy|Autoconfigure devices to use the proxy]] ticked in [[Web: Permissions & Limits|Permissions & Limits]].
* Ensure that the [[Installation Requirements#Internal%20DNS%20configuration|''wpad'' DNS records]] have been created on your internal domain.
* Ensure that your DHCP scopes are [[Installation Requirements#DHCP|correctly configured]].
* Group Policy should have no web proxy servers set, and "Automatically detect settings" should be ticked.

* The network that the device is being connected to should have its user identification profile set to ''Workstations''.

If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. This is usually done through Group Policy:

* Browse to https://''<your Opendium host name>''/opendium.crt (This URI is displayed on the [[Web]] tab).
* Go to administrative tools on your domain controller and open ''Group Policy Management''.

[[File:Open Group Policy Management.png|alt=Open Group Policy Management|center|frame|Open Group Policy Management]]

* Right click and edit ''Default Domain Policy'' within your domain.

[[File:Right click Default Domain Policy.png|alt=Right click Default Domain Policy|center|frame|Right click Default Domain Policy]]

* Select ''Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities''.

[[File:GPO select Trusted Root Certification Authorities.png|alt=GPO select Trusted Root Certification Authorities|center|frame|GPO select Trusted Root Certification Authorities]]

* Right-click the right hand pane and click ''Import...'', which will start the certificate import wizard.

[[File:GPO start import wizard.png|alt=Start Certificate Import Wizard|center|frame|Start Certificate Import Wizard]]

* Click ''Next'' on the first page of the import wizard.

[[File:GPO Certificate Import Wizard.png|alt=Certificate Import Wizard|center|frame|Certificate Import Wizard]]

* Enter the file name of the new certificate, or use the ''Browse'' button to select it and click ''Next''.

[[File:Certificate Import Wizard - Browse.png|alt=Browse for the certificate file|center|frame|Browse for the certificate file]]

* The certificate location should be shown as ''Trusted Root Certification Authorities''. If not, use the ''Browse'' button to set the store to ''Trusted Root Certification Authorities'' or ''Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities'', and then click ''Next''.

[[File:Windows Certificate Import Wizard - Import into Trusted Root Certification authorities.png|alt=Import into Trusted Root Certification Authorities|center|frame|Import into Trusted Root Certification Authorities]]

* The final page of the wizard lets you review your settings. Click ''Finish'' and the certificate will be imported into the GPO and it should then distribute across your domain.

[[File:Windows Import Certificate Wizard - Finish.png|alt=Windows Import Certificate Wizard - Finish|center|frame]]

===Stand alone devices===
Shared devices which are not connected to the Windows domain must authenticate through the captive portal:
*Configure your wireless network to use 802.1x (WPA-Enterprise) authentication and to [[RADIUS#Linking%20a%20network%20access%20controller%20to%20the%20Opendium%20system|send RADIUS accounting data]] to the Opendium system.
*Set the [[Web: Permissions & Limits#User%20identification|User Identification]] mode to ''RADIUS''.
*Log the device onto the network with a user name that starts with "op-shared-". For example, "op-shared-windows". This user must exist on the Opendium system.
*The user must use the captive portal to authenticate.
*When the user has finished with the device, they must disconnect from the wifi (i.e. turn wifi off on the device, shut down the device, or place the device in a shielded box/cupboard).
If the network's [[Web: Permissions & Limits#HTTPS%20decryption|HTTPS Decryption]] mode is set to ''Active'', you must install your unique Opendium inspection certificate. See the instructions above in the [[Microsoft Windows Configuration#One-to-one devices|One-to-one devices]] section.

Shared stand alone Windows devices cannot be supported on networks which do not support 802.1x and RADIUS accounting. If your network cannot support 802.1x, the only option is to disable [[Web: Permissions & Limits#User%20identification|User Identification]].

=== Troubleshooting ===
Shared devices on the Windows domain should transparently authenticate using Kerberos single sign-on. If the device pops up authentication boxes rather than automatically authenticating, check that the clock on both the device and the domain controller are correct. The Opendium server provides an NTP service and we recommend that your machines use this to keep their clocks synchronised.

== Multiuser Servers ==
This section covers servers which allow logins for multiple concurrent users, and are connected to the Windows domain. If the machine is not on the Windows domain, the only option is to disable [[Web: Permissions & Limits#User%20identification|User Identification]].

Client devices '''must''' use your non-transparent proxy, as this is a requirement of the Kerberos single signon protocol. We recommend using automatic proxy discovery wherever possible.

* The network that the device is being connected to should have [[Web: Permissions & Limits#Autoconfigure%20devices%20to%20use%20the%20proxy|Autoconfigure devices to use the proxy]] ticked in [[Web: Permissions & Limits|Permissions & Limits]].
* Ensure that the [[Installation Requirements#Internal%20DNS%20configuration|''wpad'' DNS records]] have been created on your internal domain.
* Ensure that your DHCP scopes are [[Installation Requirements#DHCP|correctly configured]].
* Group Policy should have no web proxy servers set, and "Automatically detect settings" should be ticked.

* The network that the device is being connected to should have its user identification profile set to ''Multiuser Servers''.

If the network's HTTPS interception mode is set to ''Active'', you must install your unique Opendium interception certificate. This should be done through Windows Group Policy. See the instructions above in the [[Microsoft Windows Configuration#Shared devices|Shared devices]] section.

=== Limitations ===

* Not all applications respect the proxy server settings and traffic for such software is instead caught by the transparent proxy and it is not possible to authenticate this traffic. Most of the user identification modes expect only one user to be logged into each device at any one time and can therefore infer which user the unauthenticated traffic belongs to based on recently authenticated traffic from the same device. Inferring traffic ownership in this way is not possible for systems that have multiple concurrent users, and therefore transparent proxy traffic from ''Multiuser Servers'' will not have an owner associated with it. Therefore, transparent proxy traffic will not be logged against an individual user, and will be filtered according to the ''Unidentified Users'' section of the [[Web: Policy Modelling|Policy Modelling]] report.
* Not all applications support authenticated web proxy servers, and of those which do, some do not support Kerberos single signon. Many of the user identification profiles use heuristics to prevent broken software from being required to authenticate, and instead infer the traffic's ownership as described above. When the profile is set to ''Multiuser Servers'' these heuristics are disabled and all software using the non-transparent proxy is required to authenticate. This may result in some applications failing to connect to the internet, or spurious pop-up authentication boxes.

[[Category:Client Configuration]]

Retention

2024-03-14T09:58:21Z

Steve:

Opendium systems have a finite amount of storage, and therefore automatically delete old log data and reports. The retention period can be viewed and set on the ''Retention'' subsection under the ''Reports'' tab.

The retention period that you use will need to be considered and documented as part of your Data Protection Impact Assessment.

[[Category:Product Manuals]]

Retention

2024-03-14T09:57:37Z

Steve: Created page with "Opendium systems have a finite amount of storage, and therefore automatically delete old log data. The retention period can be viewed and set on the ''Retention'' subsection under the ''Reports'' tab. The retention period that you use will need to be considered and documented as part of your Data Protection Impact Assessment. Category:Product Manuals"

Opendium systems have a finite amount of storage, and therefore automatically delete old log data. The retention period can be viewed and set on the ''Retention'' subsection under the ''Reports'' tab.

The retention period that you use will need to be considered and documented as part of your Data Protection Impact Assessment.

[[Category:Product Manuals]]

Category:Product Manuals

2024-03-14T09:37:18Z

Steve:

The Opendium Web Gateway is an appliance filter designed to provide filtering services for anywhere from 50 to 50,000 users. Based on our state-of-the-art dynamic deep inspection technology the Opendium Web Gateway provides everything you need to comply with UK government guidelines such as [https://www.gov.uk/government/publications/prevent-duty-guidance Prevent] and [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education]. To read about how Opendium systems perform against the [https://saferinternet.org.uk/ UK Safer Internet Centre's] [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, please see the [[Appropriate Filtering for Education Settings|knowledgebase page]].

Opendium UTM provides the same functionality as Web Gateway, but with additional unified threat management capabilities, such as per-user control of non-web traffic, control of traffic between internal networks and support for site-to-site and remote worker VPNs.

The first few pages in this manual should be read first in this order:

* [[Installation Requirements]]
* [[User Interface Overview]]
* [[Recommended Minimal Configuration]]
The remaining pages are organised here in a similar way to the Opendium user interface.
* [[Filtering Categories]]
* [[Firewall]]
** [[Firewall: Rules & Policies|Rules & Policies]]
** [[Firewall: NAT|NAT]]
** [[Firewall: Rule Bundles|Rule Bundles]]
** [[Firewall: Services|Services]]
** [[Firewall: Zones|Zones]]
* [[RADIUS]]
* [[Release Notes]]
* [[Reports]]
** [[Accounting: Reports|Accounting]]
** [[Audit Log]]
** [[Automatic Reports]]
** [[Firewall: Reports|Firewall]]
** [[RADIUS: Reports|RADIUS]]
** [[Retention]]
** [[Web: Reports|Web]]
* [[Time Periods]]
* [[Users & Groups]]
** [[Import Users]]
** [[User Synchronisation]]
** [[Virtual Groups]]
* [[VPNs]]
* [[Web]]
** [[Web: Filtering|Filtering]]
** [[Web: Permissions & Limits|Permissions & Limits]]
** [[Web: Reporting Categories|Reporting Categories]]

RADIUS

2023-09-26T15:01:28Z

Steve: /* Linking a network access controller to the Opendium system */ Add info about turning on interim updates on UniFi

Opendium systems provide RADIUS authentication and accounting services. With the help of network access controllers, such as your wifi controller, a single sign-on service can be provided for single user devices. For example, people bringing their own smartphones and tablets will only need to enter their credentials once in order to join the wifi network, rather than having to log onto the wifi network and then separately log onto the web proxy.

We recommend that networks which utilise RADIUS have a layer 2 connection to the Opendium system, rather than being routed by a layer 3 switch. If the network is routed via a layer 3 switch, the network access controller <nowiki>'''</nowiki>must<nowiki>'''</nowiki> include Framed-IP-Address / Framed-IPv6-Address attributes in the accounting data. See the [[Network Topology]] knowledgebase article for more information.

==Linking a network access controller to the Opendium system==
The ''Clients'' page, which can be accessed by clicking the ''Clients'' tab within ''RADIUS'', shows the network access controllers which are currently linked to the Opendium system, and allows new controllers to be added.

Use the ''Create Client'' button and either enter the IP address of a single network access controller, or a network in [[wikipedia:Classless_Inter-Domain_Routing#CIDR_notation|CIDR notation]]. The RADIUS traffic will be protected with a shared secret and you can either use the shared secret that has been automatically generated, or replace it with your own. Note that for some wifi systems, only a single wifi controller needs to be configured as a RADIUS client, whereas for other wifi systems all of the access points are RADIUS clients. In the latter case, it is best to enter a single network that covers all of the access points, rather than creating a separate client for each access point.

You can either configure the network access controller / wifi system to use the Opendium system's RADIUS authentication service, or a third party service such as Microsoft NPS. However, the network access controller / wifi system must be configured to send accounting data to the Opendium system's RADIUS accounting service, even if an alternate authentication service is used.

Ensure that your network access controller is configured to send interim accounting updates. For Ubiquiti UniFi systems this is done by logging onto the controller, going to Settings -> Profiles -> Select Accounting Server, clicking Edit and ticking "Enable interim updates".

Remember to set appropriate [[Web: Permissions & Limits#User identification|User Identification]] profiles for your networks.

==RADIUS authentication attributes==
If the Opendium system is being used as a RADIUS authentication service, some dynamic attributes can be configured, which are applied based on the user that is connecting to the network. Note that these settings are chosen based on only the user name, as the user's IP address is not known at the time that they are being applied.

These are heritable settings (see [[Group Inheritance]]). If you are not sure which settings would be applied to a user, look at the [[RADIUS: Policy Modelling|Policy Modelling]] report.

===VLAN===
If supported by your network access controller / wifi system, you can dynamically set which VLAN devices are connected to, based on the user name that they are authenticating as.

Select the appropriate user group from the group tree, and on the ''VLAN'' row of the table ensure that "Inherit" isn't ticked and "Enabled" is ticked. Enter the VLAN ID (1-4094) into the text box and click ''Save Configuration''.

When a connection is authenticated, the VLAN is resolved from the group tree (see [[Group Inheritance]]) and an appropriate "Tunnel-Private-Group-Id" attribute is added to the RADIUS authentication response. The following RADIUS attributes are also added:
Tunnel-Type: VLAN
Tunnel-Medium-Type: IEEE-802

===Ruckus user groups===
For Ruckus networks, you can indicate the user groups to the access point using the "Ruckus-User-Groups" vendor specific RADIUS attribute., which corresponds to Roles in Ruckus ZoneDirector.

Select the appropriate user group from the group tree, and on the ''Ruckus user groups'' row of the table ensure that "Inherit" isn't ticked and "Enabled" is ticked. Enter the appropriate configuration into the text box and click ''Save Configuration''.

== Machine authentication ==
Devices which are part of a Windows domain can be configured to authenticate themselves with the network as a machine, rather than a specific user.

The [[RADIUS#RADIUS authentication attributes|RADIUS authentication attributes]], such as dynamic VLAN assignments, will come from the ''Anonymous'' group. However, we recommend setting them on the ''Everyone'' group and allowing them to be inherited by ''Anonymous''.

A device which is authenticated as a machine will be expected to behave as a workstation and authenticate with the web proxy using Kerberos single sign-on authentication.

== Logs ==
There are no logs for RADIUS service itself, but the RADIUS accounting data can be found in the [[Accounting: Reports]].

[[Category:Product Manuals]]

Installation Requirements

2023-09-26T14:58:22Z

Steve: /* Wifi */ Add information about enabling interim RADIUS updates on UniFi

In order for your Opendium system to integrate into your network, there some basic configuration of your existing systems needs to be carried out. The Opendium installation engineer will ensure that the necessary configuration is done at installation time, but it is documented here for your reference.

== Network topology ==
The Opendium system is designed to operate as a gateway device, situated between your network and the internet. Usually one of the Opendium system's network interfaces will be connected to your internet router and another interface connected to your internal networks. If your internet connection is delivered as a PPPoE connection (e.g. ADSL, vDSL/FTTC, FTTP), the Opendium system can terminate the PPP link, eliminating the need for the router.

If possible, the internal network connection should be a tagged VLAN trunk, which will allow the Opendium system to act as a gateway for multiple internal VLANs. We recommend that most wifi VLANs have a layer 2 connection to the Opendium system, rather than being routed by a layer 3 switch.

For larger sites, we may recommend that the Opendium system is connected to the internal network using an LACP trunk, which utilises multiple network links for improved redundancy and speed.

See the [[Network Topology]] knowledgebase article for more comprehensive information.

==Internet connectivity==
Opendium systems must be connected to an internet connection which provides a static IP address.

The Opendium system has an integrated firewall, and we do not recommend installing it behind a third party firewall since this adds unnecessary complexity. However, if it is installed behind another firewall, at least TCP ports 22 (SSH) and 80 (HTTP) must be forwarded to the Opendium system.

*TCP port 22 is used by Opendium engineers to access your system in order to provide technical support.
*TCP port 80 is used to automatically renew encryption certificates.

==External DNS records==
The following DNS records must be added to your external DNS zone:
{| class="wikitable"
|opendium
|A
|<external IPv4 address>
|-
|opendium
|AAAA
|<external IPv6 address>
|}
The addresses for these records are your Opendium system's external IP addresses. If your internet provider only supports the legacy IPv4 protocol, omit the AAAA record.

These records are required for:

*Offsite backups of the system's configuration.
*Monitoring of the system's health.
*Access by Opendium engineers in order to provide technical support.
*Automatic renewal of encryption certificates.

Depending on your wifi system, Opendium engineers may also recommend configuring the following DNS record:
{| class="wikitable"
|wifi
|CNAME
|opendium
|}
This may be required for automatic renewal of encryption certificates used by the RADIUS authentication server.

==Internal DNS configuration==
The following DNS records must be added to your internal DNS zone:
{| class="wikitable"
|opendium
|A
|<internal IPv4 address>
|-
|opendium
|AAAA
|<internal IPv6 address>
|-
|proxy
|A
|<internal IPv4 address>
|-
|proxy
|AAAA
|<internal IPv6 address>
|-
|wpad
|A
|<internal IPv4 address>
|-
|wpad
|AAAA
|<internal IPv6 address>
|-
|certcheck
|A
|<internal IPv4 address>
|-
|certcheck
|AAAA
|<internal IPv6 address>
|}
The addresses for these records are your Opendium system's primary internal IP addresses. If your network does not have IPv6, omit the AAAA records.

Although it is tempting to use CNAME records rather than A / AAAA records, this should not be done as unfortunately CNAMEs break some functionality, such as Kerberos single sign-on authentication.

If your internal DNS records are hosted by your Windows Domain Controllers, their global query block list must be disabled in order to allow the wpad record to be resolved. This must be done on all of the domain controllers, not just the primary one, using the following command:
dnscmd /config /enableglobalqueryblocklist 0

Your internal DNS servers should be configured to always forward DNS requests to the Opendium system. On Windows systems, this can be done by adding forwarders into the DNS server properties in DNS Manager. Ensure the "Use root hints if no forwarders are available" check box is '''not''' ticked. This must be done on all of your internal DNS servers.

==Time synchronisation==
Many services require clocks to be properly synchronised. In particular, Kerberos single sign-on authentication if very sensitive to clock drift and will not work if clocks have drifted by more than 5 minutes. The Opendium system provides an NTP service and your domain controllers should all be configured to synchronise against the Opendium's NTP service.

This can be done using the following commands on all of the domain controllers:
w32tm /config /update /manualpeerlist:opendium /syncfromflags:manual /reliable:yes
w32tm /resync /rediscover

You can then verify that the server is using NTP with:
w32tm /query /source

==Trust relationship==
If the Opendium system is being installed into a Windows network, it requires a trust relationship with the domain. The Opendium installation engineer will configure the trust relationship, which will require a temporary domain administrator account. Once the trust relationship has been established, the temporary administrator account can be removed.

==User synchronisation==
If the Opendium system is being installed into a Windows network, it must synchonise its internal user directory with Active Directory. This requires a user to be created within Active Directory for that purpose. This user should not be an administrator.

The synchronisation user's DN and password are configured on the Opendium system in the [[User Sync Configuration]] page, together with the IP address of the domain controller and the domain's base DN. By default all of the users under the base DN are synchronised, but more specific OUs can be added here to be synchronised instead.

Appropriate group mappings must also be configured in the [[User Sync Configuration]] page, to ensure that users are mapped into appropriate Opendium groups, based on their Active Directory security groups.

==DHCP==
The following DHCP option must be added to all DHCP scopes:
{| class="wikitable"
!Name
|WPAD
|-
!Data type
|String
|-
!Array
|Unticked
|-
!Code
|252
|-
!Description
|<nowiki>http://wpad</nowiki>.<internal domain>/wpad.dat
|}

Replace <internal domain> with your internal domain.

This is because whilst the Opendium system can filter web traffic which is not sent via its web proxy server, there are certain capabilities that can only be provided by the proxy. It is therefore always best to use the proxy server where possible. It is possible to manually configure devices to use the proxy, but that can cause a number of problems, especially in situations where devices may be moved onto other networks, such as laptops which may be taken home. We therefore recommend using automatic configuration, which requires this DHCP option.

==Inspection certificate ==
In order for the Opendium system to be able to decrypt HTTPS traffic, devices on your network must have the appropriate certificate installed.

For devices connected to your Windows domain, this should be done through Group Policy by downloading the certificate from the [[Web]] tab and importing it into the domain's Trusted Root Certification Authorities. Please see [[Microsoft Windows Configuration#Shared devices|Microsoft Windows Configuration]].

The certificate will need to be installed manually onto stand-alone devices. There are a number of ways to make this easier, such as using the QR code which is displayed on the [[Web]] tab, or using the [[Web: Permissions & Limits#Display splash page for new devices|Splash Page]].

This certificate is unique to your Opendium system, and is separate from any certificate that is required to connect to your wifi network.

==Proxy ==
We recommend using automatic proxy discovery. If the Opendium system is being installed into a Windows network, ensure that Group Policy configures no proxy servers, and has "Automatically discover proxy settings" ticked.

However, if it is necessary to manually configure the proxy, the settings used should be:
{|
!Proxy address
|proxy.<internal domain>
|-
!Port
|3128
|-
!Use the same proxy server for all protocols
|Ticked
|}
You '''must''' use the address shown above, rather than the proxy's IP address, otherwise Kerberos Single Sign-on authentication will not work.

==Wifi==
If you have any wifi networks which use WPA2-Enterprise / 802.1x authentication, they must be added to the [[RADIUS: Clients|RADIUS Clients]] page and configured to send RADIUS accounting data to the Opendium system. Ensure that your wifi system is configured to send interim accounting updates (e.g. on Ubiquiti UniFi this is done by logging onto the controller, going to Settings -> Profiles -> Select Accounting Server, clicking Edit and ticking "Enable interim updates".

The Opendium system also provides a RADIUS authentication service, so it may be desirable to configure the wifi networks to use the Opendium system for authentication.

We recommend setting up a completely unfiltered wifi network, to be '''only''' used for temporary testing and device onboarding. Since such a network is a potential risk, ensure that the password is kept secure, and consider restricting it only to certain parts of the school, such as the ICT office.

==Data protection policy==
Since the Opendium system automatically examines network traffic, including encrypted traffic, you should ensure the users all agree to a usage policy that indicates that their network traffic may be monitored. Under data protection law, there are a number of requirements that must be met, which are discussed in our [https://www.opendium.com/blogs/gdpr-online-safety-your-school-compliant blog article] on the subject.

You are the data controller for the data which are collected directly by the Opendium system. Reports of miscategorised websites are passed directly to Opendium staff and Opendium is considered the data controller of those reports. Data for which we are considered the data controller are governed by our [https://www.opendium.com/content/data-protection-policy Data Protection Policy].

Some filtering suppliers put an onus on the school to ensure that the supplier's engineers are not given access to any personal data. With such a restriction, we do not believe that it would be possible to offer the level of support, and would inevitably lead to schools committing routine data protection breaches by giving access to the supplier's engineers. Instead, the contract between the school and Opendium includes a data processing agreement, and we are therefore considered data processors of the data which are collected by the Opendium system.

[[Category:Product Manuals]]

Appropriate Filtering for Education Settings

2023-06-29T09:43:44Z

Steve: Add capacity information

Schools and colleges in the UK are required to establish appropriate levels of filtering to ensure children are provided with safe access to the internet without over blocking. Schools and colleges in England must adhere to the Department for Education's [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education] statutory guidance, those in Wales are governed by the Welsh Government's [https://www.gov.wales/keeping-learners-safe Keeping Learners Safe], in Scotland the requirements are laid down by the Scottish Government's National Action Plan on [https://www.gov.scot/publications/national-action-plan-internet-safety-children-young-people/ Internet Safety for Children and Young People] and in Northern Ireland the requirements are in the Department of Education's [https://www.education-ni.gov.uk/publications/safeguarding-and-child-protection-schools-guide-schools Safeguarding and Child Protection in Schools].

The guidance allows schools a huge amount of freedom, to be exercised with a "risk based approach". Whilst schools benefit from the freedom they have been afforded, further guidance is essential to allow them to properly assess the risks and design appropriate policies. To this end, the [http://www.saferinternet.org.uk/ UK Safer Internet Centre] has issued detailed [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, which is cited by both Keeping Children Safe in Education and the National Action Plan on Internet Safety for Children and Young People as an example of what constitutes ''"appropriate filtering"''.

Although the guidance affords schools the freedom to design their own policies from scratch, we feel that both the Department for Education's [https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/filtering-and-monitoring-standards-for-schools-and-colleges Filtering and Monitoring Standards for Schools and Colleges] and the UK Safer Internet Centre's standards should form the basis of all schools' filtering policies. Where schools feel the need to deviate from those standards, we strongly recommend that they complete a risk assessment so that the reasons for deviating and associated risks can be understood and documented.

We are committed to supporting schools in carrying out their safeguarding duties, and have outlined below how we meet these standards. Our official UK Safer Internet Centre [https://d1xsi6mgo67kia.cloudfront.net/uploads/2017/08/Oppendium-Appropriate-Filtering-Provider-Response-2023.pdf certification] is also available for download.

It is important to recognise that no filtering systems can be 100% effective and need to be supported with good teaching and learning practice and effective supervision.

==Illegal Online Content==
Our '''Web Gateway''' and '''UTM''' online safety systems ensure that access to illegal content is blocked. The UK Safer Internet Centre advises that providers:
{| class="wikitable"
!Aspect
!Rating
!Explanation
|-
|Are IWF Members
|{{UKSIC Pass}}
|We have been IWF members since 2016.
|-
|Block access to illegal Child Abuse Images (by actively implementing the IWF URL list)
|{{UKSIC Pass}}
|The IWF Child Abuse Image Content URL list is integrated into the ''Child Abuse Images'' filtering category and we have successfully completed the IWF's certification process.

Our systems go beyond the basic protection by also utilising the IWF's keywords list, and Non-Pornographic Child Abuse Images URL lists.

As well as directly blocking content that the IWF has listed, all of these resources are also used to dynamically identify and block offending content which has not yet been reported to the IWF.
|-
|Integrate the ‘the police assessed list of unlawful terrorist content, produced on behalf of the Home Office’.
|{{UKSIC Pass}}
|The police assessed list of unlawful terrorist content, produced on behalf of the Home Office is integrated into the ''Radicalisation'' filtering category.
|-
|Confirm that filters for illegal content cannot be disabled by the school
|{{UKSIC Amber}}
|We have always sought to give our customers as much control as possible over their own systems, so whether to enable or disable any filter is currently the school's choice. We would, however, advise that it would be negligent for a school to disable the illegal content filters, except as a temporary measure for debugging purposes.

In light of this new requirement, a prohibition on disabling the illegal content filters will be implemented in the coming months.
|}

==Inappropriate Online Content==
Recognising that no filter can guarantee to be 100% effective, the following table confirms and describes how '''Opendium Web Gateway''' and '''Opendium UTM''' manage the following content:
{| class="wikitable"
!Content
!Description
!Rating
!Explanation
|-
|Discrimination
|Promotion of the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.
|{{UKSIC Pass}}
|We provide a ''Discrimination'' category which covers content that promotes the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.

We also provide a ''Hate'' category which covers content promoting religious or racial hate.
|-
|Drugs / Substance abuse
|Promotion of the illegal use of drugs or substances.
|{{UKSIC Pass}}
|We provide a ''Drugs'' category which covers content that promotes or facilitates recreational drug use, including "legal highs". This category does not include educational material about recreational drugs and information about medicinal drugs.
|-
|Extremism
|Promotion of terrorism and terrorist ideologies, violence or intolerance
|{{UKSIC Pass}}
|We provide a ''Radicalisation'' category which covers radicalisation, extremism and terrorism. This includes the police assessed list of unlawful terrorist content, produced on behalf of the Home Office.
|-
|Gambling
|Enables gambling
|{{UKSIC Pass}}
|We provide a ''Gambling'' category which covers online gambling web sites. This does not include information about offline gambling, such as instructions for card games, etc.
|-
|Malware / Hacking
|Promotion of the compromising of systems including anonymous browsing and other filter bypass tools as well as sites hosting malicious content.
|{{UKSIC Pass}}
|We provide an ''Anonymisers / Proxies / VPNs'' filtering category to control anonymous browsing systems which could be used to bypass filtering and monitoring.

We also provide a ''Cracking'' category which covers information about how to gain illicit entry to computer systems.

We also provide a ''Malware'' category which covers Malware, spyware, viruses and URIs related to their operation. Also aims to include adverts designed to trick users into downloading malware.
|-
|Pornography
|Sexual acts or explicit images.
|{{UKSIC Pass}}
|We provide a ''Pornography'' category which covers pornographic content and erotic text. This does not include non-sexualised images (e.g. medical information).

We also provide a ''Sexualised Text'' filtering category which covers textual content which is sexual in nature but falls short of being considered pornographic.
|-
|Piracy and copyright theft
|Illegal provision of copyrighted material.
|{{UKSIC Pass}}
|We provide a ''Copyright Infringement'' category which covers content that promotes and facilitates illegal downloading of copyrighted content, such as software, music, movies, etc.
|-
|Self Harm
|Promotion or display of deliberate self harm (including suicide and eating disorders).
|{{UKSIC Pass}}
|We provide a ''Self Harm'' category which covers content that promotes self harm and suicide.
|-
|Violence
|Promotion or display of the use of physical force intended to hurt or kill.
|{{UKSIC Pass}}
|We provide a ''Violence'' category which covers content that promotes violent acts.
|}
This list is not exhaustive. We maintain a selection of predefined categories, and updates to the categorisation criteria are downloaded every hour. Websites and web searches are categorised using a variety of methods, including through a database of known web addresses and by real time content analysis. By analysing content on the fly, the system can effectively filter new content and websites that tailor dynamic content to the individual user, such as social networking sites. School system administrators can add filtering criteria to the categories to either augment or override the predefined criteria. School administrators can also add their own custom categories.

==Data Protection ==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are on-premises systems. These systems store internet history data on the school's server. By default, log data, including the user's identification, is retained for 2 years, but the retention period can be adjusted to meet the school's needs.

Internet history data that is stored on our internal systems will be retained for no longer than 3 years. This includes any log extracts, reports, etc. that the school may need to send to our technical support team.

Some filtering providers rely on contractual clauses that place an onus on schools to ensure that they do not pass on personal data to the provider. We strongly believe that it is not possible to provide the level of support that schools expect whilst adhering to those restrictions, and they ultimately lead to data protection law being routinely broken, with the school carrying the liability. Instead, we provide schools with a standard data processing agreement, which allows us to better support the school whilst ensuring that the personal data is properly protected and that the relevant legislation can be adhered to.

All schools should have a suitable data processing, or data sharing, agreement with any third parties that have access to personal data, including the company that supports their filtering system and any outsourced ICT provider, to ensure that personal data is always handled in a secure and legal way.

==Over Blocking==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' allow school administrators a lot of scope for tuning the system to meet their needs. The sensitivity of the filters can be adjusted and administrators can decide whether or not repeat offenders should have their web access automatically disabled. Miscategorised websites can be manually recategorised instantly, or the filters completely disabled for educational websites. Users can be given the option to override the filters after being shown a warning, and users can report miscategorised pages directly to us for recategorisation.

The systems can generate real time alerts for concerning behaviour to ensure early intervention from staff in the most serious circumstances; and comprehensive reports can be generated on an automatic or ad-hoc basis to ensure that staff can spot and follow up on concerning behaviour.

Our systems also support Location Aware Filtering, which can be used to relax filters in supervised parts of the school, or in classrooms that have specific requirements.

Schools may decide that, for some categories, rather than risk overblocking it is better to allow access and to follow up concerning behaviour that is highlighted by the reporting system. A variety of reporting tools are provided to facilitate this, such as real time alerts and our unique Word Cloud report that flags up search phrases which fall into concerning categories. This provides an easy and understandable way for staff to drill down into the data.

==Filtering System Features==
The following table describes how '''Opendium Web Gateway''' and '''Opendium UTM''' meet the principles set out by the UK Safer Internet Centre:
{| class="wikitable"
!Principle
!Rating
!Explanation
|-
|Context appropriate differentiated filtering, based on age, vulnerability and risk of harm – also includes the ability to vary filtering strength appropriate for staff
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both integrate with the school's existing user directory and provide a hierarchical system to configure and refine filtering policies, filter sensitivity and real-time alert triggers on a per-usergroup, per-network and per-user basis.
|-
|Circumvention – the extent and ability to identify and manage technologies and techniques used to circumvent the system, specifically VPN, proxy services and DNS over HTTPS.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' provide a variety of tools to prevent circumvention of the system:

We provide an ''Anonymisers / Proxies / VPNs'' category to control anonymous browsing systems.

Both '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' incorporate anti-spoofing technologies and utilise deep packet inspection to restrict VPN connections whilst allowing other applications. '''''Opendium UTM''''' provides additional protection by providing numerous predefined firewall rule bundles for common applications, which utilise deep packet inspection to prevent VPN connections from misusing ports that are required by legitimate services.

Our online safety systems do not rely on DNS filtering, so are unaffected by technologies such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). '''''Opendium UTM''''' also performs DNS and NTP interception to prevent VPNs from taking advantage of these important ports without getting in the way of legitimate systems that rely on them.

New VPNs are appearing all of the time and use a wide variety of techniques to mask their traffic. It is important for schools to understand that no system can block them with 100% accuracy, but we work closely with schools to rapidly provide a solution whenever a new threat is identified.
|-
|Control – has the ability and ease of use that allows schools to control the filter themselves to permit or deny access to specific content. Any changes to the filter system are logged enabling an audit trail that ensure transparency and that individuals are not able to make unilateral changes
|{{UKSIC Pass}}
|The web based user interface allows school administrators to adjust settings from anywhere in the school, with immediate effect. All customers have direct access to our experienced engineers, who endeavour to provide high quality telephone and email support.

Any changes to the system's configuration are recorded in an audit log, and comments can be attached to most configuration items so that they can be documented and understood at a later date.
|-
|Contextual Content Filters – in addition to URL or IP based filtering, the extent to which (http and https) content is analysed as it is streamed to the user and blocked, this would include AI generated content. For example, being able to contextually analyse text on a page and dynamically filter.
|{{UKSIC Pass}}
|Real time content analysis has been a core part of our filtering technology from its inception.

A URL filter can tell that a user is looking at an online messaging forum, for example, but not that the specific message that they are looking at is extremist or promoting drug use. Nor can a URL filter spot when a legitimate website has recently been hacked and now contains links to pornographic websites.

So much of the modern web is made up of dynamic content that a filter cannot be fit for purpose if it is unable to analyse content in real time to catch these types of scenario.

We use a combination of techniques to categorise content, including HTTPS decryption, content analysis and URL lists to provide the most accurate filtering.
|-
|Filtering Policy – the filtering provider publishes a rationale that details their approach to filtering with classification and categorisation as well as over blocking
|{{UKSIC Pass}}
|Our filtering rationale is [[Filtering Rationale|described]] in our knowledgebase. A description for each category, outlining the categorisation criteria, is provided through the system's user interface.
|-
|Group / Multi-site Management – the ability for deployment of central policy and central oversight or dashboard
|{{UKSIC Amber}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are designed for single-school installations and we therefore do not provide multi-site management. However, individual systems can be independently managed remotely from anywhere in the world.

We expect to provide a comprehensive multi-site management solution in the future.
|-
|Identification - the filtering system should have the ability to identify users
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both support a variety of user identification methods, such as Kerberos single sign on for workstations and RADIUS accounting, WISPr and captive portal for mobile devices / BYOD.
|-
|Mobile and App content – mobile and app content is often delivered in entirely different mechanisms from that delivered through a traditional web browser. To what extent does the filter system block inappropriate content via mobile and app technologies (beyond typical web browser delivered content). Providers should be clear about the capacity of their filtering system to manage content on mobile and web apps
|{{UKSIC Pass}}
|By providing a comprehensive transparent proxy service with HTTPS decryption, '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both allow the school to control apps that communicate using HTTP and HTTPS, and these comprise the vast majority of apps. Where apps have been designed to disallow active HTTPS decryption, the app can still be identified and either allowed or blocked, by means of passive inspection.

A minority of apps use entirely different delivery mechanisms, and '''''Opendium Web Gateway''''' provides a firewall that can control these on a per-network basis. '''''Opendium UTM''''' extends this capability to allow fine grained control over these apps by user group or individual user, in a similar way to web traffic.
|-
|Multiple language support – the ability for the system to manage relevant languages
|{{UKSIC Pass}}
|The use of a wide variety of categorisation methods makes the system largely language agnostic, filtering both English language and foreign language websites alike.

Our textual content analysis system uses unicode to support all languages and character sets.
|-
|Network level - filtering should be applied at ‘network level’ ie, not reliant on any software on user devices whilst at school (recognising that device configuration/software may be required for filtering beyond the school infrastructure)
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both provide network level filtering and do not require software to be installed on user devices. This is provided through a combination of deep packet inspection, transparent proxying and both active HTTPS decryption and passive HTTPS inspection.
|-
|Remote devices – with many children and staff working remotely, the ability for school owned devices to receive the same or equivalent filtering to that provided in school
|{{UKSIC Pass}}
|Remote devices can be configured to route their network traffic via the school's '''''Opendium UTM''''' through a secure VPN. Children and staff working from home can therefore receive the same level of filtering whether they are at home or on the school's premises, as well as being able to interact with other on-premises services as if they were physically at school.
|-
|Reporting mechanism – the ability to report inappropriate content for access or blocking
|{{UKSIC Pass}}
|When access to a website is blocked, the user is given an option to report a miscategorisation of the website directly to us. All reported web sites are manually examined and, if necessary, recategorised.

We also take underblocking very seriously and welcome reports of such instances. We continually work with customers to address any concerns and improve the accuracy of the filters.
|-
|Reports – the system offers clear historical information on the websites users have accessed or attempted to access
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' keep historical logs and can generate a variety of reports to allow staff to drill down into the data.

Additionally, the systems can be configured to automatically alert relevant staff in real time, to any seriously concerning behaviour.
|-
|Safe Search – the ability to enforce ‘safe search’ when using search engines
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' can be configured to enforce Safe Search on a variety of search engines, as well as Restricted Mode on YouTube. With YouTube Restricted Mode enforced, schools can delegate to specific staff members the ability to white list additional videos through their Google dashboard.
|}

==Supporting Schools==
Filtering systems are only ever one tool in helping to safeguard children when online and schools have an obligation to “''consider how children may be taught about safeguarding, including online, through teaching and learning opportunities, as part of providing a broad and balanced curriculum''”. Our products have always been developed hand-in-hand with schools. Schools are on the front line and in the best position to know what tools they need and we always try to listen and develop those tools.

We provide a holistic service which goes above and beyond filtering. This includes training and advice for school IT and safeguarding staff, and consultancy services to improve schools' network infrastructure to cater for their ever changing requirements. However, we will never pressure schools into purchasing additional services and are equally happy to work with third parties to bring about any infrastructure improvements that our customers require.

We also run webinars from time to time, to help schools to better understand their obligations and how to improve the safety of the school environment. Many of these events, such as our recent "Online Safety for Boarding Schools" webinar, are not specific to our products and are open to all schools to attend at no cost.

==Capacity==
Schools are now expected to ensure that there is sufficient capability and capacity in those responsible for, and those managing, the filtering system ('''''including any external support provider''''').

All customers have direct access to our experienced engineers, through both email and telephone. As we recognise that school ICT staff are extremely busy and don't have time to wait in a telephone queue, we do not employ a queuing system. Instead, we endeavour to ensure that we have enough capacity to answer the vast majority of calls immediately, and on the infrequent occasions when all of our staff are busy, customers are invited to leave a voicemail and are called back as soon as possible.

To help schools evaluate our capacity, and to underscore our commitment to high quality customer support, we are pleased to publish the following customer support statistics for the period 1st June 2022 - 1st June 2023:

*Telephone support:
**Ratio of answered telephone support calls versus voicemails left: '''96%'''.*
**Average time to respond to voicemails: '''1 working hour, 13 minutes'''.<sup>†</sup>
**Average time to respond to urgent calls: '''23 minutes'''.<sup>†</sup>
*All support:
**Average time to resolution: '''2 working days, 5 hours, 13 minutes'''.

<span style="font-size:75%;"><nowiki>*</nowiki> Excludes voicemails which were left outside of our "standard support" hours (09:00 - 17:00 Monday - Friday).<br />† The time when our staff annotate the support ticket, which usually happens shortly ''after'' they have responded to the voicemail, is used to measure the time taken to respond to voicemails. This figure is therefore an overestimate.</span>

==Certification Declaration==
In order that schools can be confident regarding the accuracy of the self-certification statements, we confirm:

*that our self-certification responses have been fully and accurately completed by a person or persons who are competent in the relevant fields
*that we will update our self-certification responses promptly when changes to the service or its terms and conditions would result in the existing compliance statement no longer being accurate or complete
*that we will provide any additional information or clarification sought as part of the self-certification process
*that if at any time, the UK Safer Internet Centre is of the view that any element or elements of our self-certification responses require independent verification, we will agree to that independent verification, supply all necessary clarification requested, meet the associated verification costs, or withdraw our self-certification submission.
[[Category:Knowledgebase]]

Appropriate Filtering for Education Settings

2023-06-29T09:34:23Z

Steve: Updated to 2023 certification

Schools and colleges in the UK are required to establish appropriate levels of filtering to ensure children are provided with safe access to the internet without over blocking. Schools and colleges in England must adhere to the Department for Education's [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education] statutory guidance, those in Wales are governed by the Welsh Government's [https://www.gov.wales/keeping-learners-safe Keeping Learners Safe], in Scotland the requirements are laid down by the Scottish Government's National Action Plan on [https://www.gov.scot/publications/national-action-plan-internet-safety-children-young-people/ Internet Safety for Children and Young People] and in Northern Ireland the requirements are in the Department of Education's [https://www.education-ni.gov.uk/publications/safeguarding-and-child-protection-schools-guide-schools Safeguarding and Child Protection in Schools].

The guidance allows schools a huge amount of freedom, to be exercised with a "risk based approach". Whilst schools benefit from the freedom they have been afforded, further guidance is essential to allow them to properly assess the risks and design appropriate policies. To this end, the [http://www.saferinternet.org.uk/ UK Safer Internet Centre] has issued detailed [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, which is cited by both Keeping Children Safe in Education and the National Action Plan on Internet Safety for Children and Young People as an example of what constitutes ''"appropriate filtering"''.

Although the guidance affords schools the freedom to design their own policies from scratch, we feel that both the Department for Education's [https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/filtering-and-monitoring-standards-for-schools-and-colleges Filtering and Monitoring Standards for Schools and Colleges] and the UK Safer Internet Centre's standards should form the basis of all schools' filtering policies. Where schools feel the need to deviate from those standards, we strongly recommend that they complete a risk assessment so that the reasons for deviating and associated risks can be understood and documented.

We are committed to supporting schools in carrying out their safeguarding duties, and have outlined below how we meet these standards. Our official UK Safer Internet Centre [https://d1xsi6mgo67kia.cloudfront.net/uploads/2017/08/Oppendium-Appropriate-Filtering-Provider-Response-2023.pdf certification] is also available for download.

It is important to recognise that no filtering systems can be 100% effective and need to be supported with good teaching and learning practice and effective supervision.

==Illegal Online Content==
Our '''Web Gateway''' and '''UTM''' online safety systems ensure that access to illegal content is blocked. The UK Safer Internet Centre advises that providers:
{| class="wikitable"
!Aspect
!Rating
!Explanation
|-
|Are IWF Members
|{{UKSIC Pass}}
|We have been IWF members since 2016.
|-
|Block access to illegal Child Abuse Images (by actively implementing the IWF URL list)
|{{UKSIC Pass}}
|The IWF Child Abuse Image Content URL list is integrated into the ''Child Abuse Images'' filtering category and we have successfully completed the IWF's certification process.

Our systems go beyond the basic protection by also utilising the IWF's keywords list, and Non-Pornographic Child Abuse Images URL lists.

As well as directly blocking content that the IWF has listed, all of these resources are also used to dynamically identify and block offending content which has not yet been reported to the IWF.
|-
|Integrate the ‘the police assessed list of unlawful terrorist content, produced on behalf of the Home Office’.
|{{UKSIC Pass}}
|The police assessed list of unlawful terrorist content, produced on behalf of the Home Office is integrated into the ''Radicalisation'' filtering category.
|-
|Confirm that filters for illegal content cannot be disabled by the school
|{{UKSIC Amber}}
|We have always sought to give our customers as much control as possible over their own systems, so whether to enable or disable any filter is currently the school's choice. We would, however, advise that it would be negligent for a school to disable the illegal content filters, except as a temporary measure for debugging purposes.

In light of this new requirement, a prohibition on disabling the illegal content filters will be implemented in the coming months.
|}

==Inappropriate Online Content==
Recognising that no filter can guarantee to be 100% effective, the following table confirms and describes how '''Opendium Web Gateway''' and '''Opendium UTM''' manage the following content:
{| class="wikitable"
!Content
!Description
!Rating
!Explanation
|-
|Discrimination
|Promotion of the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.
|{{UKSIC Pass}}
|We provide a ''Discrimination'' category which covers content that promotes the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.

We also provide a ''Hate'' category which covers content promoting religious or racial hate.
|-
|Drugs / Substance abuse
|Promotion of the illegal use of drugs or substances.
|{{UKSIC Pass}}
|We provide a ''Drugs'' category which covers content that promotes or facilitates recreational drug use, including "legal highs". This category does not include educational material about recreational drugs and information about medicinal drugs.
|-
|Extremism
|Promotion of terrorism and terrorist ideologies, violence or intolerance
|{{UKSIC Pass}}
|We provide a ''Radicalisation'' category which covers radicalisation, extremism and terrorism. This includes the police assessed list of unlawful terrorist content, produced on behalf of the Home Office.
|-
|Gambling
|Enables gambling
|{{UKSIC Pass}}
|We provide a ''Gambling'' category which covers online gambling web sites. This does not include information about offline gambling, such as instructions for card games, etc.
|-
|Malware / Hacking
|Promotion of the compromising of systems including anonymous browsing and other filter bypass tools as well as sites hosting malicious content.
|{{UKSIC Pass}}
|We provide an ''Anonymisers / Proxies / VPNs'' filtering category to control anonymous browsing systems which could be used to bypass filtering and monitoring.

We also provide a ''Cracking'' category which covers information about how to gain illicit entry to computer systems.

We also provide a ''Malware'' category which covers Malware, spyware, viruses and URIs related to their operation. Also aims to include adverts designed to trick users into downloading malware.
|-
|Pornography
|Sexual acts or explicit images.
|{{UKSIC Pass}}
|We provide a ''Pornography'' category which covers pornographic content and erotic text. This does not include non-sexualised images (e.g. medical information).

We also provide a ''Sexualised Text'' filtering category which covers textual content which is sexual in nature but falls short of being considered pornographic.
|-
|Piracy and copyright theft
|Illegal provision of copyrighted material.
|{{UKSIC Pass}}
|We provide a ''Copyright Infringement'' category which covers content that promotes and facilitates illegal downloading of copyrighted content, such as software, music, movies, etc.
|-
|Self Harm
|Promotion or display of deliberate self harm (including suicide and eating disorders).
|{{UKSIC Pass}}
|We provide a ''Self Harm'' category which covers content that promotes self harm and suicide.
|-
|Violence
|Promotion or display of the use of physical force intended to hurt or kill.
|{{UKSIC Pass}}
|We provide a ''Violence'' category which covers content that promotes violent acts.
|}
This list is not exhaustive. We maintain a selection of predefined categories, and updates to the categorisation criteria are downloaded every hour. Websites and web searches are categorised using a variety of methods, including through a database of known web addresses and by real time content analysis. By analysing content on the fly, the system can effectively filter new content and websites that tailor dynamic content to the individual user, such as social networking sites. School system administrators can add filtering criteria to the categories to either augment or override the predefined criteria. School administrators can also add their own custom categories.

==Data Protection ==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are on-premises systems. These systems store internet history data on the school's server. By default, log data, including the user's identification, is retained for 2 years, but the retention period can be adjusted to meet the school's needs.

Internet history data that is stored on our internal systems will be retained for no longer than 3 years. This includes any log extracts, reports, etc. that the school may need to send to our technical support team.

Some filtering providers rely on contractual clauses that place an onus on schools to ensure that they do not pass on personal data to the provider. We strongly believe that it is not possible to provide the level of support that schools expect whilst adhering to those restrictions, and they ultimately lead to data protection law being routinely broken, with the school carrying the liability. Instead, we provide schools with a standard data processing agreement, which allows us to better support the school whilst ensuring that the personal data is properly protected and that the relevant legislation can be adhered to.

All schools should have a suitable data processing, or data sharing, agreement with any third parties that have access to personal data, including the company that supports their filtering system and any outsourced ICT provider, to ensure that personal data is always handled in a secure and legal way.

==Over Blocking==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' allow school administrators a lot of scope for tuning the system to meet their needs. The sensitivity of the filters can be adjusted and administrators can decide whether or not repeat offenders should have their web access automatically disabled. Miscategorised websites can be manually recategorised instantly, or the filters completely disabled for educational websites. Users can be given the option to override the filters after being shown a warning, and users can report miscategorised pages directly to us for recategorisation.

The systems can generate real time alerts for concerning behaviour to ensure early intervention from staff in the most serious circumstances; and comprehensive reports can be generated on an automatic or ad-hoc basis to ensure that staff can spot and follow up on concerning behaviour.

Our systems also support Location Aware Filtering, which can be used to relax filters in supervised parts of the school, or in classrooms that have specific requirements.

Schools may decide that, for some categories, rather than risk overblocking it is better to allow access and to follow up concerning behaviour that is highlighted by the reporting system. A variety of reporting tools are provided to facilitate this, such as real time alerts and our unique Word Cloud report that flags up search phrases which fall into concerning categories. This provides an easy and understandable way for staff to drill down into the data.

==Filtering System Features==
The following table describes how '''Opendium Web Gateway''' and '''Opendium UTM''' meet the principles set out by the UK Safer Internet Centre:
{| class="wikitable"
!Principle
!Rating
!Explanation
|-
|Context appropriate differentiated filtering, based on age, vulnerability and risk of harm – also includes the ability to vary filtering strength appropriate for staff
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both integrate with the school's existing user directory and provide a hierarchical system to configure and refine filtering policies, filter sensitivity and real-time alert triggers on a per-usergroup, per-network and per-user basis.
|-
|Circumvention – the extent and ability to identify and manage technologies and techniques used to circumvent the system, specifically VPN, proxy services and DNS over HTTPS.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' provide a variety of tools to prevent circumvention of the system:

We provide an ''Anonymisers / Proxies / VPNs'' category to control anonymous browsing systems.

Both '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' incorporate anti-spoofing technologies and utilise deep packet inspection to restrict VPN connections whilst allowing other applications. '''''Opendium UTM''''' provides additional protection by providing numerous predefined firewall rule bundles for common applications, which utilise deep packet inspection to prevent VPN connections from misusing ports that are required by legitimate services.

Our online safety systems do not rely on DNS filtering, so are unaffected by technologies such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). '''''Opendium UTM''''' also performs DNS and NTP interception to prevent VPNs from taking advantage of these important ports without getting in the way of legitimate systems that rely on them.

New VPNs are appearing all of the time and use a wide variety of techniques to mask their traffic. It is important for schools to understand that no system can block them with 100% accuracy, but we work closely with schools to rapidly provide a solution whenever a new threat is identified.
|-
|Control – has the ability and ease of use that allows schools to control the filter themselves to permit or deny access to specific content. Any changes to the filter system are logged enabling an audit trail that ensure transparency and that individuals are not able to make unilateral changes
|{{UKSIC Pass}}
|The web based user interface allows school administrators to adjust settings from anywhere in the school, with immediate effect. All customers have direct access to our experienced engineers, who endeavour to provide high quality telephone and email support.

Any changes to the system's configuration are recorded in an audit log, and comments can be attached to most configuration items so that they can be documented and understood at a later date.
|-
|Contextual Content Filters – in addition to URL or IP based filtering, the extent to which (http and https) content is analysed as it is streamed to the user and blocked, this would include AI generated content. For example, being able to contextually analyse text on a page and dynamically filter.
|{{UKSIC Pass}}
|Real time content analysis has been a core part of our filtering technology from its inception.

A URL filter can tell that a user is looking at an online messaging forum, for example, but not that the specific message that they are looking at is extremist or promoting drug use. Nor can a URL filter spot when a legitimate website has recently been hacked and now contains links to pornographic websites.

So much of the modern web is made up of dynamic content that a filter cannot be fit for purpose if it is unable to analyse content in real time to catch these types of scenario.

We use a combination of techniques to categorise content, including HTTPS decryption, content analysis and URL lists to provide the most accurate filtering.
|-
|Filtering Policy – the filtering provider publishes a rationale that details their approach to filtering with classification and categorisation as well as over blocking
|{{UKSIC Pass}}
|Our filtering rationale is [[Filtering Rationale|described]] in our knowledgebase. A description for each category, outlining the categorisation criteria, is provided through the system's user interface.
|-
|Group / Multi-site Management – the ability for deployment of central policy and central oversight or dashboard
|{{UKSIC Amber}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are designed for single-school installations and we therefore do not provide multi-site management. However, individual systems can be independently managed remotely from anywhere in the world.

We expect to provide a comprehensive multi-site management solution in the future.
|-
|Identification - the filtering system should have the ability to identify users
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both support a variety of user identification methods, such as Kerberos single sign on for workstations and RADIUS accounting, WISPr and captive portal for mobile devices / BYOD.
|-
|Mobile and App content – mobile and app content is often delivered in entirely different mechanisms from that delivered through a traditional web browser. To what extent does the filter system block inappropriate content via mobile and app technologies (beyond typical web browser delivered content). Providers should be clear about the capacity of their filtering system to manage content on mobile and web apps
|{{UKSIC Pass}}
|By providing a comprehensive transparent proxy service with HTTPS decryption, '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both allow the school to control apps that communicate using HTTP and HTTPS, and these comprise the vast majority of apps. Where apps have been designed to disallow active HTTPS decryption, the app can still be identified and either allowed or blocked, by means of passive inspection.

A minority of apps use entirely different delivery mechanisms, and '''''Opendium Web Gateway''''' provides a firewall that can control these on a per-network basis. '''''Opendium UTM''''' extends this capability to allow fine grained control over these apps by user group or individual user, in a similar way to web traffic.
|-
|Multiple language support – the ability for the system to manage relevant languages
|{{UKSIC Pass}}
|The use of a wide variety of categorisation methods makes the system largely language agnostic, filtering both English language and foreign language websites alike.

Our textual content analysis system uses unicode to support all languages and character sets.
|-
|Network level - filtering should be applied at ‘network level’ ie, not reliant on any software on user devices whilst at school (recognising that device configuration/software may be required for filtering beyond the school infrastructure)
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both provide network level filtering and do not require software to be installed on user devices. This is provided through a combination of deep packet inspection, transparent proxying and both active HTTPS decryption and passive HTTPS inspection.
|-
|Remote devices – with many children and staff working remotely, the ability for school owned devices to receive the same or equivalent filtering to that provided in school
|{{UKSIC Pass}}
|Remote devices can be configured to route their network traffic via the school's '''''Opendium UTM''''' through a secure VPN. Children and staff working from home can therefore receive the same level of filtering whether they are at home or on the school's premises, as well as being able to interact with other on-premises services as if they were physically at school.
|-
|Reporting mechanism – the ability to report inappropriate content for access or blocking
|{{UKSIC Pass}}
|When access to a website is blocked, the user is given an option to report a miscategorisation of the website directly to us. All reported web sites are manually examined and, if necessary, recategorised.

We also take underblocking very seriously and welcome reports of such instances. We continually work with customers to address any concerns and improve the accuracy of the filters.
|-
|Reports – the system offers clear historical information on the websites users have accessed or attempted to access
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' keep historical logs and can generate a variety of reports to allow staff to drill down into the data.

Additionally, the systems can be configured to automatically alert relevant staff in real time, to any seriously concerning behaviour.
|-
|Safe Search – the ability to enforce ‘safe search’ when using search engines
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' can be configured to enforce Safe Search on a variety of search engines, as well as Restricted Mode on YouTube. With YouTube Restricted Mode enforced, schools can delegate to specific staff members the ability to white list additional videos through their Google dashboard.
|}

==Supporting Schools==
Filtering systems are only ever one tool in helping to safeguard children when online and schools have an obligation to “''consider how children may be taught about safeguarding, including online, through teaching and learning opportunities, as part of providing a broad and balanced curriculum''”. Our products have always been developed hand-in-hand with schools. Schools are on the front line and in the best position to know what tools they need and we always try to listen and develop those tools.

We provide a holistic service which goes above and beyond filtering. This includes training and advice for school IT and safeguarding staff, and consultancy services to improve schools' network infrastructure to cater for their ever changing requirements. However, we will never pressure schools into purchasing additional services and are equally happy to work with third parties to bring about any infrastructure improvements that our customers require.

We also run webinars from time to time, to help schools to better understand their obligations and how to improve the safety of the school environment. Many of these events, such as our recent "Online Safety for Boarding Schools" webinar, are not specific to our products and are open to all schools to attend at no cost.

==Certification Declaration==
In order that schools can be confident regarding the accuracy of the self-certification statements, we confirm:

*that our self-certification responses have been fully and accurately completed by a person or persons who are competent in the relevant fields
*that we will update our self-certification responses promptly when changes to the service or its terms and conditions would result in the existing compliance statement no longer being accurate or complete
*that we will provide any additional information or clarification sought as part of the self-certification process
*that if at any time, the UK Safer Internet Centre is of the view that any element or elements of our self-certification responses require independent verification, we will agree to that independent verification, supply all necessary clarification requested, meet the associated verification costs, or withdraw our self-certification submission.
[[Category:Knowledgebase]]

Installation Requirements

2023-06-26T08:58:31Z

Steve: /* Time synchronisation */ Added instructions for setting up the DCs to use the Opendium system's NTP server

In order for your Opendium system to integrate into your network, there some basic configuration of your existing systems needs to be carried out. The Opendium installation engineer will ensure that the necessary configuration is done at installation time, but it is documented here for your reference.

== Network topology ==
The Opendium system is designed to operate as a gateway device, situated between your network and the internet. Usually one of the Opendium system's network interfaces will be connected to your internet router and another interface connected to your internal networks. If your internet connection is delivered as a PPPoE connection (e.g. ADSL, vDSL/FTTC, FTTP), the Opendium system can terminate the PPP link, eliminating the need for the router.

If possible, the internal network connection should be a tagged VLAN trunk, which will allow the Opendium system to act as a gateway for multiple internal VLANs. We recommend that most wifi VLANs have a layer 2 connection to the Opendium system, rather than being routed by a layer 3 switch.

For larger sites, we may recommend that the Opendium system is connected to the internal network using an LACP trunk, which utilises multiple network links for improved redundancy and speed.

See the [[Network Topology]] knowledgebase article for more comprehensive information.

==Internet connectivity==
Opendium systems must be connected to an internet connection which provides a static IP address.

The Opendium system has an integrated firewall, and we do not recommend installing it behind a third party firewall since this adds unnecessary complexity. However, if it is installed behind another firewall, at least TCP ports 22 (SSH) and 80 (HTTP) must be forwarded to the Opendium system.

*TCP port 22 is used by Opendium engineers to access your system in order to provide technical support.
*TCP port 80 is used to automatically renew encryption certificates.

==External DNS records==
The following DNS records must be added to your external DNS zone:
{| class="wikitable"
|opendium
|A
|<external IPv4 address>
|-
|opendium
|AAAA
|<external IPv6 address>
|}
The addresses for these records are your Opendium system's external IP addresses. If your internet provider only supports the legacy IPv4 protocol, omit the AAAA record.

These records are required for:

*Offsite backups of the system's configuration.
*Monitoring of the system's health.
*Access by Opendium engineers in order to provide technical support.
*Automatic renewal of encryption certificates.

Depending on your wifi system, Opendium engineers may also recommend configuring the following DNS record:
{| class="wikitable"
|wifi
|CNAME
|opendium
|}
This may be required for automatic renewal of encryption certificates used by the RADIUS authentication server.

==Internal DNS configuration==
The following DNS records must be added to your internal DNS zone:
{| class="wikitable"
|opendium
|A
|<internal IPv4 address>
|-
|opendium
|AAAA
|<internal IPv6 address>
|-
|proxy
|A
|<internal IPv4 address>
|-
|proxy
|AAAA
|<internal IPv6 address>
|-
|wpad
|A
|<internal IPv4 address>
|-
|wpad
|AAAA
|<internal IPv6 address>
|-
|certcheck
|A
|<internal IPv4 address>
|-
|certcheck
|AAAA
|<internal IPv6 address>
|}
The addresses for these records are your Opendium system's primary internal IP addresses. If your network does not have IPv6, omit the AAAA records.

Although it is tempting to use CNAME records rather than A / AAAA records, this should not be done as unfortunately CNAMEs break some functionality, such as Kerberos single sign-on authentication.

If your internal DNS records are hosted by your Windows Domain Controllers, their global query block list must be disabled in order to allow the wpad record to be resolved. This must be done on all of the domain controllers, not just the primary one, using the following command:
dnscmd /config /enableglobalqueryblocklist 0

Your internal DNS servers should be configured to always forward DNS requests to the Opendium system. On Windows systems, this can be done by adding forwarders into the DNS server properties in DNS Manager. Ensure the "Use root hints if no forwarders are available" check box is '''not''' ticked. This must be done on all of your internal DNS servers.

==Time synchronisation==
Many services require clocks to be properly synchronised. In particular, Kerberos single sign-on authentication if very sensitive to clock drift and will not work if clocks have drifted by more than 5 minutes. The Opendium system provides an NTP service and your domain controllers should all be configured to synchronise against the Opendium's NTP service.

This can be done using the following commands on all of the domain controllers:
w32tm /config /update /manualpeerlist:opendium /syncfromflags:manual /reliable:yes
w32tm /resync /rediscover

You can then verify that the server is using NTP with:
w32tm /query /source

==Trust relationship==
If the Opendium system is being installed into a Windows network, it requires a trust relationship with the domain. The Opendium installation engineer will configure the trust relationship, which will require a temporary domain administrator account. Once the trust relationship has been established, the temporary administrator account can be removed.

==User synchronisation==
If the Opendium system is being installed into a Windows network, it must synchonise its internal user directory with Active Directory. This requires a user to be created within Active Directory for that purpose. This user should not be an administrator.

The synchronisation user's DN and password are configured on the Opendium system in the [[User Sync Configuration]] page, together with the IP address of the domain controller and the domain's base DN. By default all of the users under the base DN are synchronised, but more specific OUs can be added here to be synchronised instead.

Appropriate group mappings must also be configured in the [[User Sync Configuration]] page, to ensure that users are mapped into appropriate Opendium groups, based on their Active Directory security groups.

==DHCP==
The following DHCP option must be added to all DHCP scopes:
{| class="wikitable"
!Name
|WPAD
|-
!Data type
|String
|-
!Array
|Unticked
|-
!Code
|252
|-
!Description
|<nowiki>http://wpad</nowiki>.<internal domain>/wpad.dat
|}

Replace <internal domain> with your internal domain.

This is because whilst the Opendium system can filter web traffic which is not sent via its web proxy server, there are certain capabilities that can only be provided by the proxy. It is therefore always best to use the proxy server where possible. It is possible to manually configure devices to use the proxy, but that can cause a number of problems, especially in situations where devices may be moved onto other networks, such as laptops which may be taken home. We therefore recommend using automatic configuration, which requires this DHCP option.

==Inspection certificate ==
In order for the Opendium system to be able to decrypt HTTPS traffic, devices on your network must have the appropriate certificate installed.

For devices connected to your Windows domain, this should be done through Group Policy by downloading the certificate from the [[Web]] tab and importing it into the domain's Trusted Root Certification Authorities. Please see [[Microsoft Windows Configuration#Shared devices|Microsoft Windows Configuration]].

The certificate will need to be installed manually onto stand-alone devices. There are a number of ways to make this easier, such as using the QR code which is displayed on the [[Web]] tab, or using the [[Web: Permissions & Limits#Display splash page for new devices|Splash Page]].

This certificate is unique to your Opendium system, and is separate from any certificate that is required to connect to your wifi network.

==Proxy ==
We recommend using automatic proxy discovery. If the Opendium system is being installed into a Windows network, ensure that Group Policy configures no proxy servers, and has "Automatically discover proxy settings" ticked.

However, if it is necessary to manually configure the proxy, the settings used should be:
{|
!Proxy address
|proxy.<internal domain>
|-
!Port
|3128
|-
!Use the same proxy server for all protocols
|Ticked
|}
You '''must''' use the address shown above, rather than the proxy's IP address, otherwise Kerberos Single Sign-on authentication will not work.

==Wifi==
If you have any wifi networks which use WPA2-Enterprise / 802.1x authentication, they must be added to the [[RADIUS: Clients|RADIUS Clients]] page and configured to send RADIUS accounting data to the Opendium system.

The Opendium system also provides a RADIUS authentication service, so it may be desirable to configure the wifi networks to use the Opendium system for authentication.

We recommend setting up a completely unfiltered wifi network, to be '''only''' used for temporary testing and device onboarding. Since such a network is a potential risk, ensure that the password is kept secure, and consider restricting it only to certain parts of the school, such as the ICT office.

==Data protection policy==
Since the Opendium system automatically examines network traffic, including encrypted traffic, you should ensure the users all agree to a usage policy that indicates that their network traffic may be monitored. Under data protection law, there are a number of requirements that must be met, which are discussed in our [https://www.opendium.com/blogs/gdpr-online-safety-your-school-compliant blog article] on the subject.

You are the data controller for the data which are collected directly by the Opendium system. Reports of miscategorised websites are passed directly to Opendium staff and Opendium is considered the data controller of those reports. Data for which we are considered the data controller are governed by our [https://www.opendium.com/content/data-protection-policy Data Protection Policy].

Some filtering suppliers put an onus on the school to ensure that the supplier's engineers are not given access to any personal data. With such a restriction, we do not believe that it would be possible to offer the level of support, and would inevitably lead to schools committing routine data protection breaches by giving access to the supplier's engineers. Instead, the contract between the school and Opendium includes a data processing agreement, and we are therefore considered data processors of the data which are collected by the Opendium system.

[[Category:Product Manuals]]

Appropriate Filtering for Education Settings

2023-06-09T11:24:48Z

Steve: /* Inappropriate Online Content */

Schools and colleges in the UK are required to establish appropriate levels of filtering to ensure children are provided with safe access to the internet without over blocking. Schools and colleges in England must adhere to the Department for Education's [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education] statutory guidance, those in Wales are governed by the Welsh Government's [https://www.gov.wales/keeping-learners-safe Keeping Learners Safe], in Scotland the requirements are laid down by the Scottish Government's National Action Plan on [https://www.gov.scot/publications/national-action-plan-internet-safety-children-young-people/ Internet Safety for Children and Young People] and in Northern Ireland the requirements are in the Department of Education's [https://www.education-ni.gov.uk/publications/safeguarding-and-child-protection-schools-guide-schools Safeguarding and Child Protection in Schools].

The guidance allows schools a huge amount of freedom, to be exercised with a "risk based approach". Whilst schools benefit from the freedom they have been afforded, further guidance is essential to allow them to properly assess the risks and design appropriate policies. To this end, the [http://www.saferinternet.org.uk/ UK Safer Internet Centre] has issued detailed [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, which is cited by both Keeping Children Safe in Education and the National Action Plan on Internet Safety for Children and Young People as an example of what constitutes ''"appropriate filtering"''.

Although the guidance affords schools the freedom to design their own policies from scratch, we feel that the UK Safer Internet Centre's standards should form the basis of all schools' filtering policies. Where schools feel the need to deviate from those standards, we strongly recommend that they complete a risk assessment so that the reasons for deviating and associated risks can be understood and documented.

We are committed to supporting schools in carrying out their safeguarding duties, and have outlined below how we meet these standards. Our official UK Safer Internet Centre [https://d1xsi6mgo67kia.cloudfront.net/uploads/2021/10/opendium-appropriate-filtering.pdf certification] is also available for download.

It is important to recognise that no filtering systems can be 100% effective and need to be supported with good teaching and learning practice and effective supervision.

==Illegal Online Content==
Our '''Web Gateway''' and '''UTM''' online safety systems ensure that access to illegal content is blocked. The UK Safer Internet Centre advises that providers:
{| class="wikitable"
!Aspect
!Rating
!Explanation
|-
|Are IWF Members
|{{UKSIC Pass}}
|We are IWF members.
|-
|Block access to illegal Child Abuse Images (by actively implementing the IWF URL list)
|{{UKSIC Pass}}
|The IWF child Abuse Image Content URL list is integrated into the ''Child Abuse Images'' filtering category and we have successfully completed the IWF's certification process.

Our systems go beyond the basic protection by also utilising the IWF's keywords list, and Non-Pornographic Child Abuse Images URL lists.

As well as directly blocking content that the IWF has listed, all of these resources are also used to dynamically identify and block offending content which has not yet been reported to the IWF.
|-
|Integrate the ‘the police assessed list of unlawful terrorist content, produced on behalf of the Home Office’.
|{{UKSIC Pass}}
|The police assessed list of unlawful terrorist content, produced on behalf of the Home Office is integrated into the ''Radicalisation'' filtering category.
|}

==Inappropriate Online Content==
Recognising that no filter can guarantee to be 100% effective, the following table confirms and describes how '''Opendium Web Gateway''' and '''Opendium UTM''' manage the following content:
{| class="wikitable"
!Content
!Description
!Rating
!Explanation
|-
|Discrimination
|Promotion of the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.
|{{UKSIC Pass}}
|We provide a ''Discrimination'' category which covers content that promotes the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.

We also provide a ''Hate'' category which covers content promoting religious or racial hate.
|-
|Drugs / Substance abuse
|Promotion of the illegal use of drugs or substances.
|{{UKSIC Pass}}
|We provide a ''Drugs'' category which covers content that promotes or facilitates recreational drug use, including "legal highs". This category does not include educational material about recreational drugs and information about medicinal drugs.
|-
|Extremism
|Promotion of terrorism and terrorist ideologies, violence or intolerance
|{{UKSIC Pass}}
|We provide a ''Radicalisation'' category which covers radicalisation, extremism and terrorism. This includes the police assessed list of unlawful terrorist content, produced on behalf of the Home Office.
|-
|Malware / Hacking
|Promotion of the compromising of systems including anonymous browsing and other filter bypass tools as well as sites hosting malicious content.
|{{UKSIC Pass}}
|We provide a ''Cracking'' category which covers information about how to gain illicit entry to computer systems.

We provide an ''Anonymisers / Proxies / VPNs'' filtering category to control anonymous browsing systems which could be used to bypass filtering and monitoring.
|-
|Pornography
|Sexual acts or explicit images.
|{{UKSIC Pass}}
|We provide a ''Pornography'' category which covers pornographic content. This does not include non-sexualised images (e.g. medical information).

We provide a ''Sexualised Text'' filtering category which covers textual content which is sexual in nature but falls short of being considered pornographic.
|-
|Piracy and copyright theft
|Illegal provision of copyrighted material.
|{{UKSIC Pass}}
|We provide a ''Copyright Infringement'' category which covers content that promotes and facilitates illegal downloading of copyrighted content, such as software, music, movies, etc.
|-
|Self Harm
|Promotion or display of deliberate self harm (including suicide and eating disorders).
|{{UKSIC Pass}}
|We provide a ''Self Harm'' category which covers content that promotes self harm and suicide.
|-
|Violence
|Promotion or display of the use of physical force intended to hurt or kill.
|{{UKSIC Pass}}
|We provide a ''Violence'' category which covers content that promotes violent acts.
|}
This list is not exhaustive. We maintain a selection of predefined categories, and updates to the categorisation criteria are downloaded every hour. Websites and web searches are categorised using a variety of methods, including through a database of known web addresses and by real time content analysis. By analysing content on the fly, the system can effectively filter new content and websites that tailor dynamic content to the individual user, such as social networking sites. School system administrators can add filtering criteria to the categories to either augment or override the predefined criteria. School administrators can also add their own custom categories.

==Data Protection==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are available as both cloud based and on-premises systems. Cloud based systems store internet history data on our servers, whereas for the on-premises systems this data is stored on the school's server. In both cases, log data, including the user's identification, is retained for 2 years by default, but the retention period can be adjusted to meet the school's needs.

Internet history data that is stored on our internal systems will be retained for no longer than 3 years. This includes any log extracts, reports, etc. that the school may need to send to our technical support team.

Many filtering providers rely on contractual clauses that place an onus on schools to ensure that they do not pass on personal data to the provider. We strongly believe that it is not possible to provide the level of support that schools expect whilst adhering to those restrictions, and they ultimately lead to data protection law being routinely broken, with the school carrying the liability. Instead, we provide schools with a standard data processing agreement, which allows us to better support the school whilst ensuring that the personal data is properly protected and that the relevant legislation can be adhered to.

All schools should have a suitable data processing agreement with the company that supports their filtering system, to ensure that personal data is always handled in a secure and legal way.

==Over Blocking==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' allow school administrators a lot of scope for tuning the system to meet their needs. The sensitivity of the filters can be adjusted and administrators can decide whether or not repeat offenders should have their web access automatically disabled. Miscategorised websites can be manually recategorised instantly, or the filters completely disabled for educational websites. Users can be given the option to override the filters after being shown a warning, and users can report miscategorised pages directly to us for recategorisation. Comprehensive reports can be generated on an automatic or ad-hoc basis to ensure that staff can spot and follow up on concerning behaviour. Our systems also support Location Aware Filtering, which can be used to relax filters in supervised parts of the school, or in classrooms that have specific requirements.

Schools may decide that, for some categories, rather than risk overblocking it is better to allow access and to follow up concerning behaviour that is highlighted by the reporting system. A variety of reporting tools are provided to facilitate this, such as our unique Word Cloud report that flags up search phrases which fall into concerning categories. This provides an easy and understandable way for staff to drill down into the data.

==Filtering System Features==
The following table describes how '''Opendium Web Gateway''' and '''Opendium UTM''' meet the principles set out by the UK Safer Internet Centre:
{| class="wikitable"
!Principle
!Rating
!Explanation
|-
|Age appropriate, differentiated filtering – includes the ability to vary filtering strength appropriate to age and role.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both integrate with the school's existing user directory and provide a hierarchical system to configure and refine filtering policies and filter sensitivity on a per-usergroup, per-network or per-user basis.
|-
|Circumvention – the extent and ability to identify and manage technologies and techniques used to circumvent the system, specifically VPN, proxy services and DNS over HTTPS.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' provide a variety of tools to prevent circumvention of the system:

We provide an ''Anonymisers / Proxies / VPNs'' category to control anonymous browsing systems.

Both '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' incorporate anti-spoofing technologies and utilise deep packet inspection to restrict VPN connections whilst allowing other applications. '''''Opendium UTM''''' provides additional protection by providing numerous predefined firewall rule bundles for common applications, which utilise deep packet inspection to prevent VPN connections from misusing ports that are required by legitimate services.

Our online safety systems do not rely on DNS filtering, so are unaffected by technologies such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). '''''Opendium UTM''''' also performs DNS and NTP interception to prevent VPNs from taking advantage of these important ports without getting in the way of legitimate systems that rely on them.

New VPNs are appearing all of the time and use a wide variety of techniques to mask their traffic. It is important for schools to understand that no system can block them with 100% accuracy, but we work closely with schools to rapidly provide a solution whenever a new threat is identified.
|-
|Control - has the ability and ease of use that allows schools to control the filter themselves to permit or deny access to specific content.
|{{UKSIC Pass}}
|The web based user interface allows school administrators to adjust settings from anywhere in the school, with immediate effect. All of our customers have direct access to our experienced engineers, who endeavour to provide high quality telephone and email support.
|-
|Contextual Content Filters – in addition to URL or IP based filtering, the extent to which (http and https) content is analysed as it is streamed to the user and blocked. For example, being able to contextually analyse text on a page and dynamically filter
|{{UKSIC Pass}}
|Real time content analysis has been a core part of our filtering technology from its inception.

A URL filter can tell that a user is looking at an online messaging forum, for example, but not that the specific message that they are looking at is extremist or promoting drug use. Nor can a URL filter spot when a legitimate website has recently been hacked and now contains links to pornographic websites.

So much of the modern web is made up of dynamic content that we believe a filter cannot be fit for purpose if it is unable to analyse content in real time to catch these types of scenario.

We use a combination of techniques to categorise content, including HTTPS decryption, content analysis and URL lists to provide the most accurate filtering.
|-
|Filtering Policy – a published rationale that details our approach to filtering with classification and categorisation as well as over blocking.
|{{UKSIC Pass}}
|Our filtering rationale is described in our knowledgebase. A description for each category, outlining the categorisation criteria, is provided through the system's user interface.
|-
|Group / Multi-site Management – the ability for deployment of central policy and central oversight or dashboard
|{{UKSIC Amber}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are designed for single-school installations and we therefore do not provide multi-site management. However, individual systems can be independently managed remotely from anywhere in the world.

We expect to provide a comprehensive multi-site management solution in the future.
|-
|Identification - the filtering system should have the ability to identify users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both support a variety of user identification methods, such as Kerberos single sign on for workstations and RADIUS accounting, WISPr and captive portal for mobile devices / BYOD.
|-
|Mobile and App content – mobile and app content is often delivered in entirely different mechanisms from that delivered through a traditional web browser. To what extent does the filter system block inappropriate content via mobile and app technologies (beyond typical web browser delivered content)
|{{UKSIC Pass}}
|By providing a comprehensive transparent proxy service with both passive and active HTTPS inspection and decryption, '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both allow the school to control apps that communicate using HTTP and HTTPS, and these comprise the vast majority of apps.

A minority of apps use entirely different delivery mechanisms, and '''''Opendium Web Gateway''''' provides a firewall that can control these on a per-network basis. '''''Opendium UTM''''' extends this capability to allow fine grained control over these apps by user group or individual user, in a similar way to web traffic.
|-
|Multiple language support – the ability for the system to manage relevant languages.
|{{UKSIC Pass}}
|The use of a wide variety of categorisation methods makes the system largely language agnostic, filtering both English language and foreign language websites alike.

Our textual content analysis system uses unicode to support all languages and character sets.
|-
|Network level - filtering should be applied at ‘network level’ i.e., not reliant on any software on user devices.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both provide network level filtering and do not require software to be installed on user devices. This is provided through a combination of deep packet inspection, transparent proxying and both active HTTPS decryption and passive HTTPS inspection.
|-
|Remote devices – with many children and staff working remotely, the ability for devices (school and/or personal) to receive school based filtering to a similar quality to that expected in school

|{{UKSIC Pass}}
|Remote devices can be configured to route their network traffic via the school's '''''Opendium UTM''''' through a secure VPN. Children and staff working from home can therefore receive the same level of filtering whether they are at home or on the school's premises, as well as being able to interact with other on-premises services as if they were physically at school.
|-
|Reporting mechanism – the ability to report inappropriate content for access or blocking.
|{{UKSIC Pass}}
|When access to a website is blocked, the user is given an option to report a miscategorisation of the website directly to us. All reported web sites are manually examined and, if necessary, recategorised.

We also take underblocking very seriously and welcome reports of such instances. We continually work with our customers to address any concerns and improve the accuracy of the filters.
|-
|Reports – the system offers clear historical information on the websites visited by your users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' keep historical logs and can generate a variety of reports to allow staff to drill down into the data.
|}

==Supporting Schools==
Filtering systems are only ever a tool in helping to safeguard children when online and schools have an obligation to “''consider how children may be taught about safeguarding, including online, through teaching and learning opportunities, as part of providing a broad and balanced curriculum''”. Our products have always been developed hand-in-hand with schools. Schools are on the front line and in the best position to know what tools they need and we always try to listen and develop those tools.

We provide a holistic service which goes above and beyond filtering. This includes training and advice for school IT and safeguarding staff, and consultancy services to improve schools' network infrastructure to cater for their ever changing requirements. However, we will never pressure schools into purchasing additional services and are equally happy to work with third parties to bring about any infrastructure improvements that our customers require.

==Certification Declaration==
In order that schools can be confident regarding the accuracy of the self-certification statements, we confirm:

*that our self-certification responses have been fully and accurately completed by a person or persons who are competent in the relevant fields
*that we will update our self-certification responses promptly when changes to the service or its terms and conditions would result in the existing compliance statement no longer being accurate or complete
*that we will provide any additional information or clarification sought as part of the self-certification process
*that if at any time, the UK Safer Internet Centre is of the view that any element or elements of our self-certification responses require independent verification, we will agree to that independent verification, supply all necessary clarification requested, meet the associated verification costs, or withdraw our self-certification submission.
[[Category:Knowledgebase]]

Appropriate Filtering for Education Settings

2023-06-08T08:56:16Z

Steve: /* Filtering System Features */

Schools and colleges in the UK are required to establish appropriate levels of filtering to ensure children are provided with safe access to the internet without over blocking. Schools and colleges in England must adhere to the Department for Education's [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education] statutory guidance, those in Wales are governed by the Welsh Government's [https://www.gov.wales/keeping-learners-safe Keeping Learners Safe], in Scotland the requirements are laid down by the Scottish Government's National Action Plan on [https://www.gov.scot/publications/national-action-plan-internet-safety-children-young-people/ Internet Safety for Children and Young People] and in Northern Ireland the requirements are in the Department of Education's [https://www.education-ni.gov.uk/publications/safeguarding-and-child-protection-schools-guide-schools Safeguarding and Child Protection in Schools].

The guidance allows schools a huge amount of freedom, to be exercised with a "risk based approach". Whilst schools benefit from the freedom they have been afforded, further guidance is essential to allow them to properly assess the risks and design appropriate policies. To this end, the [http://www.saferinternet.org.uk/ UK Safer Internet Centre] has issued detailed [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, which is cited by both Keeping Children Safe in Education and the National Action Plan on Internet Safety for Children and Young People as an example of what constitutes ''"appropriate filtering"''.

Although the guidance affords schools the freedom to design their own policies from scratch, we feel that the UK Safer Internet Centre's standards should form the basis of all schools' filtering policies. Where schools feel the need to deviate from those standards, we strongly recommend that they complete a risk assessment so that the reasons for deviating and associated risks can be understood and documented.

We are committed to supporting schools in carrying out their safeguarding duties, and have outlined below how we meet these standards. Our official UK Safer Internet Centre [https://d1xsi6mgo67kia.cloudfront.net/uploads/2021/10/opendium-appropriate-filtering.pdf certification] is also available for download.

It is important to recognise that no filtering systems can be 100% effective and need to be supported with good teaching and learning practice and effective supervision.

==Illegal Online Content==
Our '''Web Gateway''' and '''UTM''' online safety systems ensure that access to illegal content is blocked. The UK Safer Internet Centre advises that providers:
{| class="wikitable"
!Aspect
!Rating
!Explanation
|-
|Are IWF Members
|{{UKSIC Pass}}
|We are IWF members.
|-
|Block access to illegal Child Abuse Images (by actively implementing the IWF URL list)
|{{UKSIC Pass}}
|The IWF child Abuse Image Content URL list is integrated into the ''Child Abuse Images'' filtering category and we have successfully completed the IWF's certification process.

Our systems go beyond the basic protection by also utilising the IWF's keywords list, and Non-Pornographic Child Abuse Images URL lists.

As well as directly blocking content that the IWF has listed, all of these resources are also used to dynamically identify and block offending content which has not yet been reported to the IWF.
|-
|Integrate the ‘the police assessed list of unlawful terrorist content, produced on behalf of the Home Office’.
|{{UKSIC Pass}}
|The police assessed list of unlawful terrorist content, produced on behalf of the Home Office is integrated into the ''Radicalisation'' filtering category.
|}

==Inappropriate Online Content==
Recognising that no filter can guarantee to be 100% effective, the following table confirms and describes how '''Opendium Web Gateway''' and '''Opendium UTM''' manage the following content:
{| class="wikitable"
!Content
!Description
!Rating
!Explanation
|-
|Discrimination
|Promotion of the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.
|{{UKSIC Pass}}
|We provide a ''Discrimination'' category which covers content that promotes the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.

We also provide a ''Hate'' category which covers content promoting religious or racial hate.
|-
|Drugs / Substance abuse
|Promotion of the illegal use of drugs or substances.
|{{UKSIC Pass}}
|We provide a ''Drugs'' category which covers content that promotes or facilitates recreational drug use, including "legal highs". This category does not include educational material about recreational drugs and information about medicinal drugs.
|-
|Extremism
|Promotion of terrorism and terrorist ideologies, violence or intolerance
|{{UKSIC Pass}}
|We provide a ''Radicalisation'' category which covers radicalisation, extremism and terrorism. This includes the police assessed list of unlawful terrorist content, produced on behalf of the Home Office.
|-
|Malware / Hacking
|Promotion of the compromising of systems including anonymous browsing and other filter bypass tools as well as sites hosting malicious content.
|{{UKSIC Pass}}
|We provide a ''Cracking'' category which covers information about how to gain illicit entry to computer systems.

We provide an ''Anonymisers / Proxies / VPNs'' filtering category to control anonymous browsing systems which could be used to bypass filtering and monitoring.
|-
|Pornography
|Sexual acts or explicit images.
|{{UKSIC Pass}}
|We provide a ''Pornography'' category which covers pornographic content. This does not include non-sexualised images (e.g. medical information).

We provide a ''Sexualised Text'' filtering category which covers textual content which is sexual in nature but falls short of being considered pornographic.
|-
|Piracy and copyright theft
|Illegal provision of copyrighted material.
|{{UKSIC Pass}}
|We provide a ''Copyright Infringement'' category which covers content that promotes and facilitates illegal downloading of copyrighted content, such as sofware, music, movies, etc.
|-
|Self Harm
|Promotion or display of deliberate self harm (including suicide and eating disorders).
|{{UKSIC Pass}}
|We provide a ''Self Harm'' category which covers content that promotes self harm and suicide.
|-
|Violence
|Promotion or display of the use of physical force intended to hurt or kill.
|{{UKSIC Pass}}
|We provide a ''Violence'' category which covers content that promotes violent acts.
|}
This list is not exhaustive. We maintain a selection of predefined categories, and updates to the categorisation criteria are downloaded every hour. Websites and web searches are categorised using a variety of methods, including through a database of known web addresses and by real time content analysis. By analysing content on the fly, the system can effectively filter new content and websites that tailor dynamic content to the individual user, such as social networking sites. School system administrators can add filtering criteria to the categories to either augment or override the predefined criteria. School administrators can also add their own custom categories.

==Data Protection==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are available as both cloud based and on-premises systems. Cloud based systems store internet history data on our servers, whereas for the on-premises systems this data is stored on the school's server. In both cases, log data, including the user's identification, is retained for 2 years by default, but the retention period can be adjusted to meet the school's needs.

Internet history data that is stored on our internal systems will be retained for no longer than 3 years. This includes any log extracts, reports, etc. that the school may need to send to our technical support team.

Many filtering providers rely on contractual clauses that place an onus on schools to ensure that they do not pass on personal data to the provider. We strongly believe that it is not possible to provide the level of support that schools expect whilst adhering to those restrictions, and they ultimately lead to data protection law being routinely broken, with the school carrying the liability. Instead, we provide schools with a standard data processing agreement, which allows us to better support the school whilst ensuring that the personal data is properly protected and that the relevant legislation can be adhered to.

All schools should have a suitable data processing agreement with the company that supports their filtering system, to ensure that personal data is always handled in a secure and legal way.

==Over Blocking==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' allow school administrators a lot of scope for tuning the system to meet their needs. The sensitivity of the filters can be adjusted and administrators can decide whether or not repeat offenders should have their web access automatically disabled. Miscategorised websites can be manually recategorised instantly, or the filters completely disabled for educational websites. Users can be given the option to override the filters after being shown a warning, and users can report miscategorised pages directly to us for recategorisation. Comprehensive reports can be generated on an automatic or ad-hoc basis to ensure that staff can spot and follow up on concerning behaviour. Our systems also support Location Aware Filtering, which can be used to relax filters in supervised parts of the school, or in classrooms that have specific requirements.

Schools may decide that, for some categories, rather than risk overblocking it is better to allow access and to follow up concerning behaviour that is highlighted by the reporting system. A variety of reporting tools are provided to facilitate this, such as our unique Word Cloud report that flags up search phrases which fall into concerning categories. This provides an easy and understandable way for staff to drill down into the data.

==Filtering System Features==
The following table describes how '''Opendium Web Gateway''' and '''Opendium UTM''' meet the principles set out by the UK Safer Internet Centre:
{| class="wikitable"
!Principle
!Rating
!Explanation
|-
|Age appropriate, differentiated filtering – includes the ability to vary filtering strength appropriate to age and role.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both integrate with the school's existing user directory and provide a hierarchical system to configure and refine filtering policies and filter sensitivity on a per-usergroup, per-network or per-user basis.
|-
|Circumvention – the extent and ability to identify and manage technologies and techniques used to circumvent the system, specifically VPN, proxy services and DNS over HTTPS.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' provide a variety of tools to prevent circumvention of the system:

We provide an ''Anonymisers / Proxies / VPNs'' category to control anonymous browsing systems.

Both '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' incorporate anti-spoofing technologies and utilise deep packet inspection to restrict VPN connections whilst allowing other applications. '''''Opendium UTM''''' provides additional protection by providing numerous predefined firewall rule bundles for common applications, which utilise deep packet inspection to prevent VPN connections from misusing ports that are required by legitimate services.

Our online safety systems do not rely on DNS filtering, so are unaffected by technologies such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). '''''Opendium UTM''''' also performs DNS and NTP interception to prevent VPNs from taking advantage of these important ports without getting in the way of legitimate systems that rely on them.

New VPNs are appearing all of the time and use a wide variety of techniques to mask their traffic. It is important for schools to understand that no system can block them with 100% accuracy, but we work closely with schools to rapidly provide a solution whenever a new threat is identified.
|-
|Control - has the ability and ease of use that allows schools to control the filter themselves to permit or deny access to specific content.
|{{UKSIC Pass}}
|The web based user interface allows school administrators to adjust settings from anywhere in the school, with immediate effect. All of our customers have direct access to our experienced engineers, who endeavour to provide high quality telephone and email support.
|-
|Contextual Content Filters – in addition to URL or IP based filtering, the extent to which (http and https) content is analysed as it is streamed to the user and blocked. For example, being able to contextually analyse text on a page and dynamically filter
|{{UKSIC Pass}}
|Real time content analysis has been a core part of our filtering technology from its inception.

A URL filter can tell that a user is looking at an online messaging forum, for example, but not that the specific message that they are looking at is extremist or promoting drug use. Nor can a URL filter spot when a legitimate website has recently been hacked and now contains links to pornographic websites.

So much of the modern web is made up of dynamic content that we believe a filter cannot be fit for purpose if it is unable to analyse content in real time to catch these types of scenario.

We use a combination of techniques to categorise content, including HTTPS decryption, content analysis and URL lists to provide the most accurate filtering.
|-
|Filtering Policy – a published rationale that details our approach to filtering with classification and categorisation as well as over blocking.
|{{UKSIC Pass}}
|Our filtering rationale is described in our knowledgebase. A description for each category, outlining the categorisation criteria, is provided through the system's user interface.
|-
|Group / Multi-site Management – the ability for deployment of central policy and central oversight or dashboard
|{{UKSIC Amber}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are designed for single-school installations and we therefore do not provide multi-site management. However, individual systems can be independently managed remotely from anywhere in the world.

We expect to provide a comprehensive multi-site management solution in the future.
|-
|Identification - the filtering system should have the ability to identify users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both support a variety of user identification methods, such as Kerberos single sign on for workstations and RADIUS accounting, WISPr and captive portal for mobile devices / BYOD.
|-
|Mobile and App content – mobile and app content is often delivered in entirely different mechanisms from that delivered through a traditional web browser. To what extent does the filter system block inappropriate content via mobile and app technologies (beyond typical web browser delivered content)
|{{UKSIC Pass}}
|By providing a comprehensive transparent proxy service with both passive and active HTTPS inspection and decryption, '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both allow the school to control apps that communicate using HTTP and HTTPS, and these comprise the vast majority of apps.

A minority of apps use entirely different delivery mechanisms, and '''''Opendium Web Gateway''''' provides a firewall that can control these on a per-network basis. '''''Opendium UTM''''' extends this capability to allow fine grained control over these apps by user group or individual user, in a similar way to web traffic.
|-
|Multiple language support – the ability for the system to manage relevant languages.
|{{UKSIC Pass}}
|The use of a wide variety of categorisation methods makes the system largely language agnostic, filtering both English language and foreign language websites alike.

Our textual content analysis system uses unicode to support all languages and character sets.
|-
|Network level - filtering should be applied at ‘network level’ i.e., not reliant on any software on user devices.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both provide network level filtering and do not require software to be installed on user devices. This is provided through a combination of deep packet inspection, transparent proxying and both active HTTPS decryption and passive HTTPS inspection.
|-
|Remote devices – with many children and staff working remotely, the ability for devices (school and/or personal) to receive school based filtering to a similar quality to that expected in school

|{{UKSIC Pass}}
|Remote devices can be configured to route their network traffic via the school's '''''Opendium UTM''''' through a secure VPN. Children and staff working from home can therefore receive the same level of filtering whether they are at home or on the school's premises, as well as being able to interact with other on-premises services as if they were physically at school.
|-
|Reporting mechanism – the ability to report inappropriate content for access or blocking.
|{{UKSIC Pass}}
|When access to a website is blocked, the user is given an option to report a miscategorisation of the website directly to us. All reported web sites are manually examined and, if necessary, recategorised.

We also take underblocking very seriously and welcome reports of such instances. We continually work with our customers to address any concerns and improve the accuracy of the filters.
|-
|Reports – the system offers clear historical information on the websites visited by your users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' keep historical logs and can generate a variety of reports to allow staff to drill down into the data.
|}

==Supporting Schools==
Filtering systems are only ever a tool in helping to safeguard children when online and schools have an obligation to “''consider how children may be taught about safeguarding, including online, through teaching and learning opportunities, as part of providing a broad and balanced curriculum''”. Our products have always been developed hand-in-hand with schools. Schools are on the front line and in the best position to know what tools they need and we always try to listen and develop those tools.

We provide a holistic service which goes above and beyond filtering. This includes training and advice for school IT and safeguarding staff, and consultancy services to improve schools' network infrastructure to cater for their ever changing requirements. However, we will never pressure schools into purchasing additional services and are equally happy to work with third parties to bring about any infrastructure improvements that our customers require.

==Certification Declaration==
In order that schools can be confident regarding the accuracy of the self-certification statements, we confirm:

*that our self-certification responses have been fully and accurately completed by a person or persons who are competent in the relevant fields
*that we will update our self-certification responses promptly when changes to the service or its terms and conditions would result in the existing compliance statement no longer being accurate or complete
*that we will provide any additional information or clarification sought as part of the self-certification process
*that if at any time, the UK Safer Internet Centre is of the view that any element or elements of our self-certification responses require independent verification, we will agree to that independent verification, supply all necessary clarification requested, meet the associated verification costs, or withdraw our self-certification submission.
[[Category:Knowledgebase]]

GoToAssist

2023-05-26T14:07:01Z

Steve: Tidy up

== Status ==
GoToAssist Remote access and screen Share (LogMeIn Rescue): Fully working.

Goto Webinar: Fully Working.

GoTo Meeting: Fully working with additional configuration.

== Configuration ==
* Allow the ''STUN'' bundle firewall bundle on the [[Firewall: Egress|Egress]] page. We recommend only doing this for the groups containing the relevant users / device IPs rather than the whole network.
* Ensure that the ''Disable HTTPS Decryption'' [[Web: Overrides|Override]] is enabled. Note: we recommend that this override is always enabled (this is the default).
== Detail ==
Goto Meeting uses STUN on a peer to peer basis and so to get this working you need to allow STUN out to everywhere. This is more appropriate for specific subgroups rather than the whole network, as this protocol can be abused by VPN software.

==Vendor Contact Log==
* 2023-04-18 Testing Carried out with GoTo customer support, all products tested and findings as above.

[[Category:Third Party Software Compatibility]]

Appropriate Filtering for Education Settings

2023-05-09T13:53:19Z

Steve:

Schools and colleges in the UK are required to establish appropriate levels of filtering to ensure children are provided with safe access to the internet without over blocking. Schools and colleges in England must adhere to the Department for Education's [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education] statutory guidance, those in Wales are governed by the Welsh Government's [https://www.gov.wales/keeping-learners-safe Keeping Learners Safe], in Scotland the requirements are laid down by the Scottish Government's National Action Plan on [https://www.gov.scot/publications/national-action-plan-internet-safety-children-young-people/ Internet Safety for Children and Young People] and in Northern Ireland the requirements are in the Department of Education's [https://www.education-ni.gov.uk/publications/safeguarding-and-child-protection-schools-guide-schools Safeguarding and Child Protection in Schools].

The guidance allows schools a huge amount of freedom, to be exercised with a "risk based approach". Whilst schools benefit from the freedom they have been afforded, further guidance is essential to allow them to properly assess the risks and design appropriate policies. To this end, the [http://www.saferinternet.org.uk/ UK Safer Internet Centre] has issued detailed [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, which is cited by both Keeping Children Safe in Education and the National Action Plan on Internet Safety for Children and Young People as an example of what constitutes ''"appropriate filtering"''.

Although the guidance affords schools the freedom to design their own policies from scratch, we feel that the UK Safer Internet Centre's standards should form the basis of all schools' filtering policies. Where schools feel the need to deviate from those standards, we strongly recommend that they complete a risk assessment so that the reasons for deviating and associated risks can be understood and documented.

We are committed to supporting schools in carrying out their safeguarding duties, and have outlined below how we meet these standards. Our official UK Safer Internet Centre [https://d1xsi6mgo67kia.cloudfront.net/uploads/2021/10/opendium-appropriate-filtering.pdf certification] is also available for download.

It is important to recognise that no filtering systems can be 100% effective and need to be supported with good teaching and learning practice and effective supervision.

==Illegal Online Content==
Our '''Web Gateway''' and '''UTM''' online safety systems ensure that access to illegal content is blocked. The UK Safer Internet Centre advises that providers:
{| class="wikitable"
!Aspect
!Rating
!Explanation
|-
|Are IWF Members
|{{UKSIC Pass}}
|We are IWF members.
|-
|Block access to illegal Child Abuse Images (by actively implementing the IWF URL list)
|{{UKSIC Pass}}
|The IWF child Abuse Image Content URL list is integrated into the ''Child Abuse Images'' filtering category and we have successfully completed the IWF's certification process.

Our systems go beyond the basic protection by also utilising the IWF's keywords list, and Non-Pornographic Child Abuse Images URL lists.

As well as directly blocking content that the IWF has listed, all of these resources are also used to dynamically identify and block offending content which has not yet been reported to the IWF.
|-
|Integrate the ‘the police assessed list of unlawful terrorist content, produced on behalf of the Home Office’.
|{{UKSIC Pass}}
|The police assessed list of unlawful terrorist content, produced on behalf of the Home Office is integrated into the ''Radicalisation'' filtering category.
|}

==Inappropriate Online Content==
Recognising that no filter can guarantee to be 100% effective, the following table confirms and describes how '''Opendium Web Gateway''' and '''Opendium UTM''' manage the following content:
{| class="wikitable"
!Content
!Description
!Rating
!Explanation
|-
|Discrimination
|Promotion of the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.
|{{UKSIC Pass}}
|We provide a ''Discrimination'' category which covers content that promotes the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.

We also provide a ''Hate'' category which covers content promoting religious or racial hate.
|-
|Drugs / Substance abuse
|Promotion of the illegal use of drugs or substances.
|{{UKSIC Pass}}
|We provide a ''Drugs'' category which covers content that promotes or facilitates recreational drug use, including "legal highs". This category does not include educational material about recreational drugs and information about medicinal drugs.
|-
|Extremism
|Promotion of terrorism and terrorist ideologies, violence or intolerance
|{{UKSIC Pass}}
|We provide a ''Radicalisation'' category which covers radicalisation, extremism and terrorism. This includes the police assessed list of unlawful terrorist content, produced on behalf of the Home Office.
|-
|Malware / Hacking
|Promotion of the compromising of systems including anonymous browsing and other filter bypass tools as well as sites hosting malicious content.
|{{UKSIC Pass}}
|We provide a ''Cracking'' category which covers information about how to gain illicit entry to computer systems.

We provide an ''Anonymisers / Proxies / VPNs'' filtering category to control anonymous browsing systems which could be used to bypass filtering and monitoring.
|-
|Pornography
|Sexual acts or explicit images.
|{{UKSIC Pass}}
|We provide a ''Pornography'' category which covers pornographic content. This does not include non-sexualised images (e.g. medical information).

We provide a ''Sexualised Text'' filtering category which covers textual content which is sexual in nature but falls short of being considered pornographic.
|-
|Piracy and copyright theft
|Illegal provision of copyrighted material.
|{{UKSIC Pass}}
|We provide a ''Copyright Infringement'' category which covers content that promotes and facilitates illegal downloading of copyrighted content, such as sofware, music, movies, etc.
|-
|Self Harm
|Promotion or display of deliberate self harm (including suicide and eating disorders).
|{{UKSIC Pass}}
|We provide a ''Self Harm'' category which covers content that promotes self harm and suicide.
|-
|Violence
|Promotion or display of the use of physical force intended to hurt or kill.
|{{UKSIC Pass}}
|We provide a ''Violence'' category which covers content that promotes violent acts.
|}
This list is not exhaustive. We maintain a selection of predefined categories, and updates to the categorisation criteria are downloaded every hour. Websites and web searches are categorised using a variety of methods, including through a database of known web addresses and by real time content analysis. By analysing content on the fly, the system can effectively filter new content and websites that tailor dynamic content to the individual user, such as social networking sites. School system administrators can add filtering criteria to the categories to either augment or override the predefined criteria. School administrators can also add their own custom categories.

==Data Protection==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are available as both cloud based and on-premises systems. Cloud based systems store internet history data on our servers, whereas for the on-premises systems this data is stored on the school's server. In both cases, log data, including the user's identification, is retained for 2 years by default, but the retention period can be adjusted to meet the school's needs.

Internet history data that is stored on our internal systems will be retained for no longer than 3 years. This includes any log extracts, reports, etc. that the school may need to send to our technical support team.

Many filtering providers rely on contractual clauses that place an onus on schools to ensure that they do not pass on personal data to the provider. We strongly believe that it is not possible to provide the level of support that schools expect whilst adhering to those restrictions, and they ultimately lead to data protection law being routinely broken, with the school carrying the liability. Instead, we provide schools with a standard data processing agreement, which allows us to better support the school whilst ensuring that the personal data is properly protected and that the relevant legislation can be adhered to.

All schools should have a suitable data processing agreement with the company that supports their filtering system, to ensure that personal data is always handled in a secure and legal way.

==Over Blocking==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' allow school administrators a lot of scope for tuning the system to meet their needs. The sensitivity of the filters can be adjusted and administrators can decide whether or not repeat offenders should have their web access automatically disabled. Miscategorised websites can be manually recategorised instantly, or the filters completely disabled for educational websites. Users can be given the option to override the filters after being shown a warning, and users can report miscategorised pages directly to us for recategorisation. Comprehensive reports can be generated on an automatic or ad-hoc basis to ensure that staff can spot and follow up on concerning behaviour. Our systems also support Location Aware Filtering, which can be used to relax filters in supervised parts of the school, or in classrooms that have specific requirements.

Schools may decide that, for some categories, rather than risk overblocking it is better to allow access and to follow up concerning behaviour that is highlighted by the reporting system. A variety of reporting tools are provided to facilitate this, such as our unique Word Cloud report that flags up search phrases which fall into concerning categories. This provides an easy and understandable way for staff to drill down into the data.

==Filtering System Features==
The following table describes how '''Opendium Web Gateway''' and '''Opendium UTM''' meet the principles set out by the UK Safer Internet Centre:
{| class="wikitable"
!Principle
!Rating
!Explanation
|-
|Age appropriate, differentiated filtering – includes the ability to vary filtering strength appropriate to age and role.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both integrate with the school's existing user directory and provide a hierarchical system to configure and refine filtering policies and filter sensitivity on a per-usergroup, per-network or per-user basis.
|-
|Circumvention – the extent and ability to identify and manage technologies and techniques used to circumvent the system, specifically VPN, proxy services and DNS over HTTPS.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' provide a variety of tools to prevent circumvention of the system:

We provide an ''Anonymisers / Proxies / VPNs'' category to control anonymous browsing systems.

Both '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' incorporate anti-spoofing technologies and utilise deep packet inspection to restrict VPN connections whilst allowing other applications. '''''Opendium UTM''''' provides additional protection by providing numerous predefined firewall rule bundles for common applications, which utilise deep packet inspection to prevent VPN connections from misusing ports that are required by legitimate services.

Our online safety systems do not rely on DNS filtering, so are unaffected by technologies such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). '''''Opendium UTM''''' also performs DNS and NTP interception to prevent VPNs from taking advantage of these important ports without getting in the way of legitimate systems that rely on them.

New VPNs are appearing all of the time and use a wide variety of techniques to mask their traffic. It is important for schools to understand that no system can block them with 100% accuracy, but we work closely with schools to rapidly provide a solution whenever a new threat is identified.
|-
|Control - has the ability and ease of use that allows schools to control the filter themselves to permit or deny access to specific content.
|{{UKSIC Pass}}
|The web based user interface allows school administrators to adjust settings from anywhere in the school, with immediate effect. All of our customers have direct access to our experienced engineers, who endeavour to provide high quality telephone and email support.
|-
|Contextual Content Filters – in addition to URL or IP based filtering, the extent to which (http and https) content is analysed as it is streamed to the user and blocked. For example, being able to contextually analyse text on a page and dynamically filter
|{{UKSIC Pass}}
|Real time content analysis has been a core part of our filtering technology from its inception.

A URL filter can tell that a user is looking at an online messaging forum, for example, but not that the specific message that they are looking at is extremist or promoting drug use. Nor can a URL filter spot when a legitimate website has recently been hacked and now contains links to pornographic websites.

So much of the modern web is made up of dynamic content that we believe a filter cannot be fit for purpose if it is unable to analyse content in real time to catch these types of scenario.

We use a combination of techniques to categorise content, including HTTPS decryption, content analysis and URL lists to provide the most accurate filtering.
|-
|Filtering Policy – a published rationale that details our approach to filtering with classification and categorisation as well as over blocking.
|{{UKSIC Pass}}
|Our filtering rationale is described in our knowledgebase. A description for each category, outlining the categorisation criteria, is provided through the system's user interface.
|-
|Group / Multi-site Management – the ability for deployment of central policy and central oversight or dashboard
|{{UKSIC Amber}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are designed for single-school installations and we therefore do not provide multi-site management. However, individual systems can be independently managed remotely from anywhere in the world.

We expect to provide a comprehensive multi-site management solution in the future.
|-
|Identification - the filtering system should have the ability to identify users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both support a variety of user identification methods, such as Kerberos single sign on for workstations and RADIUS accounting, WISPr and captive portal for mobile devices / BYOD.
|-
|Mobile and App content – mobile and app content is ofen delivered in entirely different mechanisms from that delivered through a traditional web browser. To what extent does the filter system block inappropriate content via mobile and app technologies (beyond typical web browser delivered content)
|{{UKSIC Pass}}
|By providing a comprehensive transparent proxy service with both passive and active HTTPS inspection and decryption, '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both allow the school to control apps that communicate using HTTP and HTTPS, and these comprise the vast majority of apps.

A minority of apps use entirely different delivery mechanisms, and '''''Opendium Web Gateway''''' provides a firewall that can control these on a per-network basis. '''''Opendium UTM''''' extends this capability to allow fine grained control over these apps by user group or individual user, in a similar way to web traffic.
|-
|Multiple language support – the ability for the system to manage relevant languages.
|{{UKSIC Pass}}
|The use of a wide variety of categorisation methods makes the system largely language agnostic, filtering both English language and foreign language websites alike.

Our textual content analysis system uses unicode to support all languages and character sets.
|-
|Network level - filtering should be applied at ‘network level’ i.e., not reliant on any software on user devices.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both provide network level filtering and do not require software to be installed on user devices. This is provided through a combination of deep packet inspection, transparent proxying and both active HTTPS decryption and passive HTTPS inspection.
|-
|Remote devices – with many children and staff working remotely, the ability for devices (school and/or personal) to receive school based filtering to a similar quality to that expected in school

|{{UKSIC Pass}}
|Remote devices can be configured to route their network traffic via the school's '''''Opendium UTM''''' through a secure VPN. Children and staff working from home can therefore receive the same level of filtering whether they are at home or on the school's premises, as well as being able to interact with other on-premises services as if they were physically at school.
|-
|Reporting mechanism – the ability to report inappropriate content for access or blocking.
|{{UKSIC Pass}}
|When access to a website is blocked, the user is given an option to report a miscategorisation of the website directly to us. All reported web sites are manually examined and, if necessary, recategorised.

We also take underblocking very seriously and welcome reports of such instances. We continually work with our customers to address any concerns and improve the accuracy of the filters.
|-
|Reports – the system offers clear historical information on the websites visited by your users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' keep historical logs and can generate a variety of reports to allow staff to drill down into the data.
|}

==Supporting Schools==
Filtering systems are only ever a tool in helping to safeguard children when online and schools have an obligation to “''consider how children may be taught about safeguarding, including online, through teaching and learning opportunities, as part of providing a broad and balanced curriculum''”. Our products have always been developed hand-in-hand with schools. Schools are on the front line and in the best position to know what tools they need and we always try to listen and develop those tools.

We provide a holistic service which goes above and beyond filtering. This includes training and advice for school IT and safeguarding staff, and consultancy services to improve schools' network infrastructure to cater for their ever changing requirements. However, we will never pressure schools into purchasing additional services and are equally happy to work with third parties to bring about any infrastructure improvements that our customers require.

==Certification Declaration==
In order that schools can be confident regarding the accuracy of the self-certification statements, we confirm:

*that our self-certification responses have been fully and accurately completed by a person or persons who are competent in the relevant fields
*that we will update our self-certification responses promptly when changes to the service or its terms and conditions would result in the existing compliance statement no longer being accurate or complete
*that we will provide any additional information or clarification sought as part of the self-certification process
*that if at any time, the UK Safer Internet Centre is of the view that any element or elements of our self-certification responses require independent verification, we will agree to that independent verification, supply all necessary clarification requested, meet the associated verification costs, or withdraw our self-certification submission.
[[Category:Knowledgebase]]

Appropriate Filtering for Education Settings

2023-05-09T13:17:47Z

Steve:

Schools and colleges in the UK are required to establish appropriate levels of filtering to ensure children are provided with safe access to the internet without over blocking. Schools and colleges in England must adhere to the Department for Education's [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education] statutory guidance, those in Wales are governed by the Welsh Government's [https://www.gov.wales/keeping-learners-safe Keeping Learners Safe], in Scotland the requirements are laid down by the Scottish Government's National Action Plan on [https://www.gov.scot/publications/national-action-plan-internet-safety-children-young-people/ Internet Safety for Children and Young People] and in Northern Ireland the requirements are in the Department for Education's [https://www.education-ni.gov.uk/publications/safeguarding-and-child-protection-schools-guide-schools Safeguarding and Child Protection in Schools].

The guidance allows schools a huge amount of freedom, to be exercised with a "risk based approach". Whilst schools benefit from the freedom they have been afforded, further guidance is essential to allow them to properly assess the risks and design appropriate policies. To this end, the [http://www.saferinternet.org.uk/ UK Safer Internet Centre] has issued detailed [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, which is cited by both Keeping Children Safe in Education and the National Action Plan on Internet Safety for Children and Young People as an example of what constitutes ''"appropriate filtering"''.

Although the guidance affords schools the freedom to design their own policies from scratch, we feel that the UK Safer Internet Centre's standards should form the basis of all schools' filtering policies. Where schools feel the need to deviate from those standards, we strongly recommend that they complete a risk assessment so that the reasons for deviating and associated risks can be understood and documented.

We are committed to supporting schools in carrying out their safeguarding duties, and have outlined below how we meet these standards. Our official UK Safer Internet Centre [https://d1xsi6mgo67kia.cloudfront.net/uploads/2021/10/opendium-appropriate-filtering.pdf certification] is also available for download.

It is important to recognise that no filtering systems can be 100% effective and need to be supported with good teaching and learning practice and effective supervision.

==Illegal Online Content==
Our '''Web Gateway''' and '''UTM''' online safety systems ensure that access to illegal content is blocked. The UK Safer Internet Centre advises that providers:
{| class="wikitable"
!Aspect
!Rating
!Explanation
|-
|Are IWF Members
|{{UKSIC Pass}}
|We are IWF members.
|-
|Block access to illegal Child Abuse Images (by actively implementing the IWF URL list)
|{{UKSIC Pass}}
|The IWF child Abuse Image Content URL list is integrated into the ''Child Abuse Images'' filtering category and we have successfully completed the IWF's certification process.

Our systems go beyond the basic protection by also utilising the IWF's keywords list, and Non-Pornographic Child Abuse Images URL lists.

As well as directly blocking content that the IWF has listed, all of these resources are also used to dynamically identify and block offending content which has not yet been reported to the IWF.
|-
|Integrate the ‘the police assessed list of unlawful terrorist content, produced on behalf of the Home Office’.
|{{UKSIC Pass}}
|The police assessed list of unlawful terrorist content, produced on behalf of the Home Office is integrated into the ''Radicalisation'' filtering category.
|}

==Inappropriate Online Content==
Recognising that no filter can guarantee to be 100% effective, the following table confirms and describes how '''Opendium Web Gateway''' and '''Opendium UTM''' manage the following content:
{| class="wikitable"
!Content
!Description
!Rating
!Explanation
|-
|Discrimination
|Promotion of the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.
|{{UKSIC Pass}}
|We provide a ''Discrimination'' category which covers content that promotes the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.

We also provide a ''Hate'' category which covers content promoting religious or racial hate.
|-
|Drugs / Substance abuse
|Promotion of the illegal use of drugs or substances.
|{{UKSIC Pass}}
|We provide a ''Drugs'' category which covers content that promotes or facilitates recreational drug use, including "legal highs". This category does not include educational material about recreational drugs and information about medicinal drugs.
|-
|Extremism
|Promotion of terrorism and terrorist ideologies, violence or intolerance
|{{UKSIC Pass}}
|We provide a ''Radicalisation'' category which covers radicalisation, extremism and terrorism. This includes the police assessed list of unlawful terrorist content, produced on behalf of the Home Office.
|-
|Malware / Hacking
|Promotion of the compromising of systems including anonymous browsing and other filter bypass tools as well as sites hosting malicious content.
|{{UKSIC Pass}}
|We provide a ''Cracking'' category which covers information about how to gain illicit entry to computer systems.

We provide an ''Anonymisers / Proxies / VPNs'' filtering category to control anonymous browsing systems which could be used to bypass filtering and monitoring.
|-
|Pornography
|Sexual acts or explicit images.
|{{UKSIC Pass}}
|We provide a ''Pornography'' category which covers pornographic content. This does not include non-sexualised images (e.g. medical information).

We provide a ''Sexualised Text'' filtering category which covers textual content which is sexual in nature but falls short of being considered pornographic.
|-
|Piracy and copyright theft
|Illegal provision of copyrighted material.
|{{UKSIC Pass}}
|We provide a ''Copyright Infringement'' category which covers content that promotes and facilitates illegal downloading of copyrighted content, such as sofware, music, movies, etc.
|-
|Self Harm
|Promotion or display of deliberate self harm (including suicide and eating disorders).
|{{UKSIC Pass}}
|We provide a ''Self Harm'' category which covers content that promotes self harm and suicide.
|-
|Violence
|Promotion or display of the use of physical force intended to hurt or kill.
|{{UKSIC Pass}}
|We provide a ''Violence'' category which covers content that promotes violent acts.
|}
This list is not exhaustive. We maintain a selection of predefined categories, and updates to the categorisation criteria are downloaded every hour. Websites and web searches are categorised using a variety of methods, including through a database of known web addresses and by real time content analysis. By analysing content on the fly, the system can effectively filter new content and websites that tailor dynamic content to the individual user, such as social networking sites. School system administrators can add filtering criteria to the categories to either augment or override the predefined criteria. School administrators can also add their own custom categories.

==Data Protection==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are available as both cloud based and on-premises systems. Cloud based systems store internet history data on our servers, whereas for the on-premises systems this data is stored on the school's server. In both cases, log data, including the user's identification, is retained for 2 years by default, but the retention period can be adjusted to meet the school's needs.

Internet history data that is stored on our internal systems will be retained for no longer than 3 years. This includes any log extracts, reports, etc. that the school may need to send to our technical support team.

Many filtering providers rely on contractual clauses that place an onus on schools to ensure that they do not pass on personal data to the provider. We strongly believe that it is not possible to provide the level of support that schools expect whilst adhering to those restrictions, and they ultimately lead to data protection law being routinely broken, with the school carrying the liability. Instead, we provide schools with a standard data processing agreement, which allows us to better support the school whilst ensuring that the personal data is properly protected and that the relevant legislation can be adhered to.

All schools should have a suitable data processing agreement with the company that supports their filtering system, to ensure that personal data is always handled in a secure and legal way.

==Over Blocking==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' allow school administrators a lot of scope for tuning the system to meet their needs. The sensitivity of the filters can be adjusted and administrators can decide whether or not repeat offenders should have their web access automatically disabled. Miscategorised websites can be manually recategorised instantly, or the filters completely disabled for educational websites. Users can be given the option to override the filters after being shown a warning, and users can report miscategorised pages directly to us for recategorisation. Comprehensive reports can be generated on an automatic or ad-hoc basis to ensure that staff can spot and follow up on concerning behaviour. Our systems also support Location Aware Filtering, which can be used to relax filters in supervised parts of the school, or in classrooms that have specific requirements.

Schools may decide that, for some categories, rather than risk overblocking it is better to allow access and to follow up concerning behaviour that is highlighted by the reporting system. A variety of reporting tools are provided to facilitate this, such as our unique Word Cloud report that flags up search phrases which fall into concerning categories. This provides an easy and understandable way for staff to drill down into the data.

==Filtering System Features==
The following table describes how '''Opendium Web Gateway''' and '''Opendium UTM''' meet the principles set out by the UK Safer Internet Centre:
{| class="wikitable"
!Principle
!Rating
!Explanation
|-
|Age appropriate, differentiated filtering – includes the ability to vary filtering strength appropriate to age and role.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both integrate with the school's existing user directory and provide a hierarchical system to configure and refine filtering policies and filter sensitivity on a per-usergroup, per-network or per-user basis.
|-
|Circumvention – the extent and ability to identify and manage technologies and techniques used to circumvent the system, specifically VPN, proxy services and DNS over HTTPS.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' provide a variety of tools to prevent circumvention of the system:

We provide an ''Anonymisers / Proxies / VPNs'' category to control anonymous browsing systems.

Both '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' incorporate anti-spoofing technologies and utilise deep packet inspection to restrict VPN connections whilst allowing other applications. '''''Opendium UTM''''' provides additional protection by providing numerous predefined firewall rule bundles for common applications, which utilise deep packet inspection to prevent VPN connections from misusing ports that are required by legitimate services.

Our online safety systems do not rely on DNS filtering, so are unaffected by technologies such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). '''''Opendium UTM''''' also performs DNS and NTP interception to prevent VPNs from taking advantage of these important ports without getting in the way of legitimate systems that rely on them.

New VPNs are appearing all of the time and use a wide variety of techniques to mask their traffic. It is important for schools to understand that no system can block them with 100% accuracy, but we work closely with schools to rapidly provide a solution whenever a new threat is identified.
|-
|Control - has the ability and ease of use that allows schools to control the filter themselves to permit or deny access to specific content.
|{{UKSIC Pass}}
|The web based user interface allows school administrators to adjust settings from anywhere in the school, with immediate effect. All of our customers have direct access to our experienced engineers, who endeavour to provide high quality telephone and email support.
|-
|Contextual Content Filters – in addition to URL or IP based filtering, the extent to which (http and https) content is analysed as it is streamed to the user and blocked. For example, being able to contextually analyse text on a page and dynamically filter
|{{UKSIC Pass}}
|Real time content analysis has been a core part of our filtering technology from its inception.

A URL filter can tell that a user is looking at an online messaging forum, for example, but not that the specific message that they are looking at is extremist or promoting drug use. Nor can a URL filter spot when a legitimate website has recently been hacked and now contains links to pornographic websites.

So much of the modern web is made up of dynamic content that we believe a filter cannot be fit for purpose if it is unable to analyse content in real time to catch these types of scenario.

We use a combination of techniques to categorise content, including HTTPS decryption, content analysis and URL lists to provide the most accurate filtering.
|-
|Filtering Policy – a published rationale that details our approach to filtering with classification and categorisation as well as over blocking.
|{{UKSIC Pass}}
|Our filtering rationale is described in our knowledgebase. A description for each category, outlining the categorisation criteria, is provided through the system's user interface.
|-
|Group / Multi-site Management – the ability for deployment of central policy and central oversight or dashboard
|{{UKSIC Amber}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are designed for single-school installations and we therefore do not provide multi-site management. However, individual systems can be independently managed remotely from anywhere in the world.

We expect to provide a comprehensive multi-site management solution in the future.
|-
|Identification - the filtering system should have the ability to identify users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both support a variety of user identification methods, such as Kerberos single sign on for workstations and RADIUS accounting, WISPr and captive portal for mobile devices / BYOD.
|-
|Mobile and App content – mobile and app content is ofen delivered in entirely different mechanisms from that delivered through a traditional web browser. To what extent does the filter system block inappropriate content via mobile and app technologies (beyond typical web browser delivered content)
|{{UKSIC Pass}}
|By providing a comprehensive transparent proxy service with both passive and active HTTPS inspection and decryption, '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both allow the school to control apps that communicate using HTTP and HTTPS, and these comprise the vast majority of apps.

A minority of apps use entirely different delivery mechanisms, and '''''Opendium Web Gateway''''' provides a firewall that can control these on a per-network basis. '''''Opendium UTM''''' extends this capability to allow fine grained control over these apps by user group or individual user, in a similar way to web traffic.
|-
|Multiple language support – the ability for the system to manage relevant languages.
|{{UKSIC Pass}}
|The use of a wide variety of categorisation methods makes the system largely language agnostic, filtering both English language and foreign language websites alike.

Our textual content analysis system uses unicode to support all languages and character sets.
|-
|Network level - filtering should be applied at ‘network level’ i.e., not reliant on any software on user devices.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both provide network level filtering and do not require software to be installed on user devices. This is provided through a combination of deep packet inspection, transparent proxying and both active HTTPS decryption and passive HTTPS inspection.
|-
|Remote devices – with many children and staff working remotely, the ability for devices (school and/or personal) to receive school based filtering to a similar quality to that expected in school

|{{UKSIC Pass}}
|Remote devices can be configured to route their network traffic via the school's '''''Opendium UTM''''' through a secure VPN. Children and staff working from home can therefore receive the same level of filtering whether they are at home or on the school's premises, as well as being able to interact with other on-premises services as if they were physically at school.
|-
|Reporting mechanism – the ability to report inappropriate content for access or blocking.
|{{UKSIC Pass}}
|When access to a website is blocked, the user is given an option to report a miscategorisation of the website directly to us. All reported web sites are manually examined and, if necessary, recategorised.

We also take underblocking very seriously and welcome reports of such instances. We continually work with our customers to address any concerns and improve the accuracy of the filters.
|-
|Reports – the system offers clear historical information on the websites visited by your users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' keep historical logs and can generate a variety of reports to allow staff to drill down into the data.
|}

==Supporting Schools==
Filtering systems are only ever a tool in helping to safeguard children when online and schools have an obligation to “''consider how children may be taught about safeguarding, including online, through teaching and learning opportunities, as part of providing a broad and balanced curriculum''”. Our products have always been developed hand-in-hand with schools. Schools are on the front line and in the best position to know what tools they need and we always try to listen and develop those tools.

We provide a holistic service which goes above and beyond filtering. This includes training and advice for school IT and safeguarding staff, and consultancy services to improve schools' network infrastructure to cater for their ever changing requirements. However, we will never pressure schools into purchasing additional services and are equally happy to work with third parties to bring about any infrastructure improvements that our customers require.

==Certification Declaration==
In order that schools can be confident regarding the accuracy of the self-certification statements, we confirm:

*that our self-certification responses have been fully and accurately completed by a person or persons who are competent in the relevant fields
*that we will update our self-certification responses promptly when changes to the service or its terms and conditions would result in the existing compliance statement no longer being accurate or complete
*that we will provide any additional information or clarification sought as part of the self-certification process
*that if at any time, the UK Safer Internet Centre is of the view that any element or elements of our self-certification responses require independent verification, we will agree to that independent verification, supply all necessary clarification requested, meet the associated verification costs, or withdraw our self-certification submission.
[[Category:Knowledgebase]]

Appropriate Filtering for Education Settings

2023-05-05T16:19:58Z

Steve: KCSIE only applies to England - fixed the links to Welsh, Scottish and Northern Irish guidance.

Schools and colleges in the UK are required to establish appropriate levels of filtering to ensure children are provided with safe access to the internet without over blocking. Schools and colleges in England must adhere to the Department for Education's [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education] statutory guidance, those in Wales are governed by the Welsh Government's [https://www.gov.wales/keeping-learners-safe Keeping Learners Safe], in Scotland the requirements are laid down by the Scottish Government's [https://www.gov.scot/collections/national-guidance-for-child-protection-in-scotland/ National Guidance for Child Protection in Scotland] and in Northern Ireland the requirements are in the Department for Education's [https://www.education-ni.gov.uk/publications/safeguarding-and-child-protection-schools-guide-schools Safeguarding and Child Protection in Schools].

The guidance allows schools a huge amount of freedom, to be exercised with a "risk based approach". Whilst schools benefit from the freedom they have been afforded, further guidance is essential to allow them to properly assess the risks and design appropriate policies. To this end, the [http://www.saferinternet.org.uk/ UK Safer Internet Centre] has issued detailed [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, which is cited by both Keeping Children Safe in Education and the National Action Plan on Internet Safety for Children and Young People as an example of what constitutes ''"appropriate filtering"''.

Although the guidance affords schools the freedom to design their own policies from scratch, we feel that the UK Safer Internet Centre's standards should form the basis of all schools' filtering policies. Where schools feel the need to deviate from those standards, we strongly recommend that they complete a risk assessment so that the reasons for deviating and associated risks can be understood and documented.

We are committed to supporting schools in carrying out their safeguarding duties, and have outlined below how we meet these standards. Our official UK Safer Internet Centre [https://d1xsi6mgo67kia.cloudfront.net/uploads/2021/10/opendium-appropriate-filtering.pdf certification] is also available for download.

It is important to recognise that no filtering systems can be 100% effective and need to be supported with good teaching and learning practice and effective supervision.

==Illegal Online Content==
Our '''Web Gateway''' and '''UTM''' online safety systems ensure that access to illegal content is blocked. The UK Safer Internet Centre advises that providers:
{| class="wikitable"
!Aspect
!Rating
!Explanation
|-
|Are IWF Members
|{{UKSIC Pass}}
|We are IWF members.
|-
|Block access to illegal Child Abuse Images (by actively implementing the IWF URL list)
|{{UKSIC Pass}}
|The IWF child Abuse Image Content URL list is integrated into the ''Child Abuse Images'' filtering category and we have successfully completed the IWF's certification process.

Our systems go beyond the basic protection by also utilising the IWF's keywords list, and Non-Pornographic Child Abuse Images URL lists.

As well as directly blocking content that the IWF has listed, all of these resources are also used to dynamically identify and block offending content which has not yet been reported to the IWF.
|-
|Integrate the ‘the police assessed list of unlawful terrorist content, produced on behalf of the Home Office’.
|{{UKSIC Pass}}
|The police assessed list of unlawful terrorist content, produced on behalf of the Home Office is integrated into the ''Radicalisation'' filtering category.
|}

==Inappropriate Online Content==
Recognising that no filter can guarantee to be 100% effective, the following table confirms and describes how '''Opendium Web Gateway''' and '''Opendium UTM''' manage the following content:
{| class="wikitable"
!Content
!Description
!Rating
!Explanation
|-
|Discrimination
|Promotion of the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.
|{{UKSIC Pass}}
|We provide a ''Discrimination'' category which covers content that promotes the unjust or prejudicial treatment of people on the grounds of race, religion, age, or sex.

We also provide a ''Hate'' category which covers content promoting religious or racial hate.
|-
|Drugs / Substance abuse
|Promotion of the illegal use of drugs or substances.
|{{UKSIC Pass}}
|We provide a ''Drugs'' category which covers content that promotes or facilitates recreational drug use, including "legal highs". This category does not include educational material about recreational drugs and information about medicinal drugs.
|-
|Extremism
|Promotion of terrorism and terrorist ideologies, violence or intolerance
|{{UKSIC Pass}}
|We provide a ''Radicalisation'' category which covers radicalisation, extremism and terrorism. This includes the police assessed list of unlawful terrorist content, produced on behalf of the Home Office.
|-
|Malware / Hacking
|Promotion of the compromising of systems including anonymous browsing and other filter bypass tools as well as sites hosting malicious content.
|{{UKSIC Pass}}
|We provide a ''Cracking'' category which covers information about how to gain illicit entry to computer systems.

We provide an ''Anonymisers / Proxies / VPNs'' filtering category to control anonymous browsing systems which could be used to bypass filtering and monitoring.
|-
|Pornography
|Sexual acts or explicit images.
|{{UKSIC Pass}}
|We provide a ''Pornography'' category which covers pornographic content. This does not include non-sexualised images (e.g. medical information).

We provide a ''Sexualised Text'' filtering category which covers textual content which is sexual in nature but falls short of being considered pornographic.
|-
|Piracy and copyright theft
|Illegal provision of copyrighted material.
|{{UKSIC Pass}}
|We provide a ''Copyright Infringement'' category which covers content that promotes and facilitates illegal downloading of copyrighted content, such as sofware, music, movies, etc.
|-
|Self Harm
|Promotion or display of deliberate self harm (including suicide and eating disorders).
|{{UKSIC Pass}}
|We provide a ''Self Harm'' category which covers content that promotes self harm and suicide.
|-
|Violence
|Promotion or display of the use of physical force intended to hurt or kill.
|{{UKSIC Pass}}
|We provide a ''Violence'' category which covers content that promotes violent acts.
|}
This list is not exhaustive. We maintain a selection of predefined categories, and updates to the categorisation criteria are downloaded every hour. Websites and web searches are categorised using a variety of methods, including through a database of known web addresses and by real time content analysis. By analysing content on the fly, the system can effectively filter new content and websites that tailor dynamic content to the individual user, such as social networking sites. School system administrators can add filtering criteria to the categories to either augment or override the predefined criteria. School administrators can also add their own custom categories.

==Data Protection==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are available as both cloud based and on-premises systems. Cloud based systems store internet history data on our servers, whereas for the on-premises systems this data is stored on the school's server. In both cases, log data, including the user's identification, is retained for 2 years by default, but the retention period can be adjusted to meet the school's needs.

Internet history data that is stored on our internal systems will be retained for no longer than 3 years. This includes any log extracts, reports, etc. that the school may need to send to our technical support team.

Many filtering providers rely on contractual clauses that place an onus on schools to ensure that they do not pass on personal data to the provider. We strongly believe that it is not possible to provide the level of support that schools expect whilst adhering to those restrictions, and they ultimately lead to data protection law being routinely broken, with the school carrying the liability. Instead, we provide schools with a standard data processing agreement, which allows us to better support the school whilst ensuring that the personal data is properly protected and that the relevant legislation can be adhered to.

All schools should have a suitable data processing agreement with the company that supports their filtering system, to ensure that personal data is always handled in a secure and legal way.

==Over Blocking==
'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' allow school administrators a lot of scope for tuning the system to meet their needs. The sensitivity of the filters can be adjusted and administrators can decide whether or not repeat offenders should have their web access automatically disabled. Miscategorised websites can be manually recategorised instantly, or the filters completely disabled for educational websites. Users can be given the option to override the filters after being shown a warning, and users can report miscategorised pages directly to us for recategorisation. Comprehensive reports can be generated on an automatic or ad-hoc basis to ensure that staff can spot and follow up on concerning behaviour. Our systems also support Location Aware Filtering, which can be used to relax filters in supervised parts of the school, or in classrooms that have specific requirements.

Schools may decide that, for some categories, rather than risk overblocking it is better to allow access and to follow up concerning behaviour that is highlighted by the reporting system. A variety of reporting tools are provided to facilitate this, such as our unique Word Cloud report that flags up search phrases which fall into concerning categories. This provides an easy and understandable way for staff to drill down into the data.

==Filtering System Features==
The following table describes how '''Opendium Web Gateway''' and '''Opendium UTM''' meet the principles set out by the UK Safer Internet Centre:
{| class="wikitable"
!Principle
!Rating
!Explanation
|-
|Age appropriate, differentiated filtering – includes the ability to vary filtering strength appropriate to age and role.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both integrate with the school's existing user directory and provide a hierarchical system to configure and refine filtering policies and filter sensitivity on a per-usergroup, per-network or per-user basis.
|-
|Circumvention – the extent and ability to identify and manage technologies and techniques used to circumvent the system, specifically VPN, proxy services and DNS over HTTPS.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' provide a variety of tools to prevent circumvention of the system:

We provide an ''Anonymisers / Proxies / VPNs'' category to control anonymous browsing systems.

Both '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' incorporate anti-spoofing technologies and utilise deep packet inspection to restrict VPN connections whilst allowing other applications. '''''Opendium UTM''''' provides additional protection by providing numerous predefined firewall rule bundles for common applications, which utilise deep packet inspection to prevent VPN connections from misusing ports that are required by legitimate services.

Our online safety systems do not rely on DNS filtering, so are unaffected by technologies such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). '''''Opendium UTM''''' also performs DNS and NTP interception to prevent VPNs from taking advantage of these important ports without getting in the way of legitimate systems that rely on them.

New VPNs are appearing all of the time and use a wide variety of techniques to mask their traffic. It is important for schools to understand that no system can block them with 100% accuracy, but we work closely with schools to rapidly provide a solution whenever a new threat is identified.
|-
|Control - has the ability and ease of use that allows schools to control the filter themselves to permit or deny access to specific content.
|{{UKSIC Pass}}
|The web based user interface allows school administrators to adjust settings from anywhere in the school, with immediate effect. All of our customers have direct access to our experienced engineers, who endeavour to provide high quality telephone and email support.
|-
|Contextual Content Filters – in addition to URL or IP based filtering, the extent to which (http and https) content is analysed as it is streamed to the user and blocked. For example, being able to contextually analyse text on a page and dynamically filter
|{{UKSIC Pass}}
|Real time content analysis has been a core part of our filtering technology from its inception.

A URL filter can tell that a user is looking at an online messaging forum, for example, but not that the specific message that they are looking at is extremist or promoting drug use. Nor can a URL filter spot when a legitimate website has recently been hacked and now contains links to pornographic websites.

So much of the modern web is made up of dynamic content that we believe a filter cannot be fit for purpose if it is unable to analyse content in real time to catch these types of scenario.

We use a combination of techniques to categorise content, including HTTPS decryption, content analysis and URL lists to provide the most accurate filtering.
|-
|Filtering Policy – a published rationale that details our approach to filtering with classification and categorisation as well as over blocking.
|{{UKSIC Pass}}
|Our filtering rationale is described in our knowledgebase. A description for each category, outlining the categorisation criteria, is provided through the system's user interface.
|-
|Group / Multi-site Management – the ability for deployment of central policy and central oversight or dashboard
|{{UKSIC Amber}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' are designed for single-school installations and we therefore do not provide multi-site management. However, individual systems can be independently managed remotely from anywhere in the world.

We expect to provide a comprehensive multi-site management solution in the future.
|-
|Identification - the filtering system should have the ability to identify users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' both support a variety of user identification methods, such as Kerberos single sign on for workstations and RADIUS accounting, WISPr and captive portal for mobile devices / BYOD.
|-
|Mobile and App content – mobile and app content is ofen delivered in entirely different mechanisms from that delivered through a traditional web browser. To what extent does the filter system block inappropriate content via mobile and app technologies (beyond typical web browser delivered content)
|{{UKSIC Pass}}
|By providing a comprehensive transparent proxy service with both passive and active HTTPS inspection and decryption, '''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both allow the school to control apps that communicate using HTTP and HTTPS, and these comprise the vast majority of apps.

A minority of apps use entirely different delivery mechanisms, and '''''Opendium Web Gateway''''' provides a firewall that can control these on a per-network basis. '''''Opendium UTM''''' extends this capability to allow fine grained control over these apps by user group or individual user, in a similar way to web traffic.
|-
|Multiple language support – the ability for the system to manage relevant languages.
|{{UKSIC Pass}}
|The use of a wide variety of categorisation methods makes the system largely language agnostic, filtering both English language and foreign language websites alike.

Our textual content analysis system uses unicode to support all languages and character sets.
|-
|Network level - filtering should be applied at ‘network level’ i.e., not reliant on any software on user devices.
|{{UKSIC Pass}}
|'''''Opendium Web Gateway''''' and '''''Opendium UTM''''' both provide network level filtering and do not require software to be installed on user devices. This is provided through a combination of deep packet inspection, transparent proxying and both active HTTPS decryption and passive HTTPS inspection.
|-
|Remote devices – with many children and staff working remotely, the ability for devices (school and/or personal) to receive school based filtering to a similar quality to that expected in school

|{{UKSIC Pass}}
|Remote devices can be configured to route their network traffic via the school's '''''Opendium UTM''''' through a secure VPN. Children and staff working from home can therefore receive the same level of filtering whether they are at home or on the school's premises, as well as being able to interact with other on-premises services as if they were physically at school.
|-
|Reporting mechanism – the ability to report inappropriate content for access or blocking.
|{{UKSIC Pass}}
|When access to a website is blocked, the user is given an option to report a miscategorisation of the website directly to us. All reported web sites are manually examined and, if necessary, recategorised.

We also take underblocking very seriously and welcome reports of such instances. We continually work with our customers to address any concerns and improve the accuracy of the filters.
|-
|Reports – the system offers clear historical information on the websites visited by your users.
|{{UKSIC Pass}}
|'''Opendium Web Gateway''' and '''Opendium UTM''' keep historical logs and can generate a variety of reports to allow staff to drill down into the data.
|}

==Supporting Schools==
Filtering systems are only ever a tool in helping to safeguard children when online and schools have an obligation to “''consider how children may be taught about safeguarding, including online, through teaching and learning opportunities, as part of providing a broad and balanced curriculum''”. Our products have always been developed hand-in-hand with schools. Schools are on the front line and in the best position to know what tools they need and we always try to listen and develop those tools.

We provide a holistic service which goes above and beyond filtering. This includes training and advice for school IT and safeguarding staff, and consultancy services to improve schools' network infrastructure to cater for their ever changing requirements. However, we will never pressure schools into purchasing additional services and are equally happy to work with third parties to bring about any infrastructure improvements that our customers require.

==Certification Declaration==
In order that schools can be confident regarding the accuracy of the self-certification statements, we confirm:

*that our self-certification responses have been fully and accurately completed by a person or persons who are competent in the relevant fields
*that we will update our self-certification responses promptly when changes to the service or its terms and conditions would result in the existing compliance statement no longer being accurate or complete
*that we will provide any additional information or clarification sought as part of the self-certification process
*that if at any time, the UK Safer Internet Centre is of the view that any element or elements of our self-certification responses require independent verification, we will agree to that independent verification, supply all necessary clarification requested, meet the associated verification costs, or withdraw our self-certification submission.
[[Category:Knowledgebase]]

Installation Requirements

2022-11-10T11:07:30Z

Steve: /* User synchronisation */

In order for your Opendium system to integrate into your network, there some basic configuration of your existing systems needs to be carried out. The Opendium installation engineer will ensure that the necessary configuration is done at installation time, but it is documented here for your reference.

== Network topology ==
The Opendium system is designed to operate as a gateway device, situated between your network and the internet. Usually one of the Opendium system's network interfaces will be connected to your internet router and another interface connected to your internal networks. If your internet connection is delivered as a PPPoE connection (e.g. ADSL, vDSL/FTTC, FTTP), the Opendium system can terminate the PPP link, eliminating the need for the router.

If possible, the internal network connection should be a tagged VLAN trunk, which will allow the Opendium system to act as a gateway for multiple internal VLANs. We recommend that most wifi VLANs have a layer 2 connection to the Opendium system, rather than being routed by a layer 3 switch.

For larger sites, we may recommend that the Opendium system is connected to the internal network using an LACP trunk, which utilises multiple network links for improved redundancy and speed.

See the [[Network Topology]] knowledgebase article for more comprehensive information.

==Internet connectivity==
Opendium systems must be connected to an internet connection which provides a static IP address.

The Opendium system has an integrated firewall, and we do not recommend installing it behind a third party firewall since this adds unnecessary complexity. However, if it is installed behind another firewall, at least TCP ports 22 (SSH) and 80 (HTTP) must be forwarded to the Opendium system.

*TCP port 22 is used by Opendium engineers to access your system in order to provide technical support.
*TCP port 80 is used to automatically renew encryption certificates.

==External DNS records==
The following DNS records must be added to your external DNS zone:
{| class="wikitable"
|opendium
|A
|<external IPv4 address>
|-
|opendium
|AAAA
|<external IPv6 address>
|}
The addresses for these records are your Opendium system's external IP addresses. If your internet provider only supports the legacy IPv4 protocol, omit the AAAA record.

These records are required for:

*Offsite backups of the system's configuration.
*Monitoring of the system's health.
*Access by Opendium engineers in order to provide technical support.
*Automatic renewal of encryption certificates.

Depending on your wifi system, Opendium engineers may also recommend configuring the following DNS record:
{| class="wikitable"
|wifi
|CNAME
|opendium
|}
This may be required for automatic renewal of encryption certificates used by the RADIUS authentication server.

==Internal DNS configuration==
The following DNS records must be added to your internal DNS zone:
{| class="wikitable"
|opendium
|A
|<internal IPv4 address>
|-
|opendium
|AAAA
|<internal IPv6 address>
|-
|proxy
|A
|<internal IPv4 address>
|-
|proxy
|AAAA
|<internal IPv6 address>
|-
|wpad
|A
|<internal IPv4 address>
|-
|wpad
|AAAA
|<internal IPv6 address>
|-
|certcheck
|A
|<internal IPv4 address>
|-
|certcheck
|AAAA
|<internal IPv6 address>
|}
The addresses for these records are your Opendium system's primary internal IP addresses. If your network does not have IPv6, omit the AAAA records.

Although it is tempting to use CNAME records rather than A / AAAA records, this should not be done as unfortunately CNAMEs break some functionality, such as Kerberos single sign-on authentication.

If your internal DNS records are hosted by your Windows Domain Controllers, their global query block list must be disabled in order to allow the wpad record to be resolved. This must be done on all of the domain controllers, not just the primary one, using the following command:
dnscmd /config /enableglobalqueryblocklist 0

Your internal DNS servers should be configured to always forward DNS requests to the Opendium system. On Windows systems, this can be done by adding forwarders into the DNS server properties in DNS Manager. Ensure the "Use root hints if no forwarders are available" check box is '''not''' ticked. This must be done on all of your internal DNS servers.

==Time synchronisation==
Many services require clocks to be properly synchronised. In particular, Kerberos single sign-on authentication if very sensitive to clock drift and will not work if clocks have drifted by more than 5 minutes. The Opendium system provides an NTP service and your domain controllers should all be configured to synchronise against the Opendium's NTP service.

==Trust relationship==
If the Opendium system is being installed into a Windows network, it requires a trust relationship with the domain. The Opendium installation engineer will configure the trust relationship, which will require a temporary domain administrator account. Once the trust relationship has been established, the temporary administrator account can be removed.

==User synchronisation==
If the Opendium system is being installed into a Windows network, it must synchonise its internal user directory with Active Directory. This requires a user to be created within Active Directory for that purpose. This user should not be an administrator.

The synchronisation user's DN and password are configured on the Opendium system in the [[User Sync Configuration]] page, together with the IP address of the domain controller and the domain's base DN. By default all of the users under the base DN are synchronised, but more specific OUs can be added here to be synchronised instead.

Appropriate group mappings must also be configured in the [[User Sync Configuration]] page, to ensure that users are mapped into appropriate Opendium groups, based on their Active Directory security groups.

==DHCP==
The following DHCP option must be added to all DHCP scopes:
{| class="wikitable"
!Name
|WPAD
|-
!Data type
|String
|-
!Array
|Unticked
|-
!Code
|252
|-
!Description
|<nowiki>http://wpad</nowiki>.<internal domain>/wpad.dat
|}

Replace <internal domain> with your internal domain.

This is because whilst the Opendium system can filter web traffic which is not sent via its web proxy server, there are certain capabilities that can only be provided by the proxy. It is therefore always best to use the proxy server where possible. It is possible to manually configure devices to use the proxy, but that can cause a number of problems, especially in situations where devices may be moved onto other networks, such as laptops which may be taken home. We therefore recommend using automatic configuration, which requires this DHCP option.

== Inspection certificate ==
In order for the Opendium system to be able to decrypt HTTPS traffic, devices on your network must have the appropriate certificate installed.

For devices connected to your Windows domain, this should be done through Group Policy by downloading the certificate from the [[Web]] tab and importing it into the domain's Trusted Root Certification Authorities. Please see [[Microsoft Windows Configuration#Shared devices|Microsoft Windows Configuration]].

The certificate will need to be installed manually onto stand-alone devices. There are a number of ways to make this easier, such as using the QR code which is displayed on the [[Web]] tab, or using the [[Web: Permissions & Limits#Display splash page for new devices|Splash Page]].

This certificate is unique to your Opendium system, and is separate from any certificate that is required to connect to your wifi network.

== Proxy ==
We recommend using automatic proxy discovery. If the Opendium system is being installed into a Windows network, ensure that Group Policy configures no proxy servers, and has "Automatically discover proxy settings" ticked.

However, if it is necessary to manually configure the proxy, the settings used should be:
{|
!Proxy address
|proxy.<internal domain>
|-
!Port
|3128
|-
!Use the same proxy server for all protocols
|Ticked
|}
You '''must''' use the address shown above, rather than the proxy's IP address, otherwise Kerberos Single Sign-on authentication will not work.

== Wifi ==
If you have any wifi networks which use WPA2-Enterprise / 802.1x authentication, they must be added to the [[RADIUS: Clients|RADIUS Clients]] page and configured to send RADIUS accounting data to the Opendium system.

The Opendium system also provides a RADIUS authentication service, so it may be desirable to configure the wifi networks to use the Opendium system for authentication.

We recommend setting up a completely unfiltered wifi network, to be '''only''' used for temporary testing and device onboarding. Since such a network is a potential risk, ensure that the password is kept secure, and consider restricting it only to certain parts of the school, such as the ICT office.

== Data protection policy ==
Since the Opendium system automatically examines network traffic, including encrypted traffic, you should ensure the users all agree to a usage policy that indicates that their network traffic may be monitored. Under data protection law, there are a number of requirements that must be met, which are discussed in our [https://www.opendium.com/blogs/gdpr-online-safety-your-school-compliant blog article] on the subject.

You are the data controller for the data which are collected directly by the Opendium system. Reports of miscategorised websites are passed directly to Opendium staff and Opendium is considered the data controller of those reports. Data for which we are considered the data controller are governed by our [https://www.opendium.com/content/data-protection-policy Data Protection Policy].

Some filtering suppliers put an onus on the school to ensure that the supplier's engineers are not given access to any personal data. With such a restriction, we do not believe that it would be possible to offer the level of support, and would inevitably lead to schools committing routine data protection breaches by giving access to the supplier's engineers. Instead, the contract between the school and Opendium includes a data processing agreement, and we are therefore considered data processors of the data which are collected by the Opendium system.

[[Category:Product Manuals]]

RADIUS: Reports

2022-10-14T12:12:00Z

Steve:

{{Stub}}

== Policy modelling ==
{{Missing information|scope=section}}

[[Category:Product Manuals]]

Firewall: Reports

2022-10-14T12:11:48Z

Steve:

{{Stub}}

== Policy modelling ==
{{Missing information|scope=section}}

[[Category:Product Manuals]]

RADIUS: Policy Modelling

2022-10-14T12:10:57Z

Steve: Redirected page to RADIUS: Reports#Policy modelling

#REDIRECT [[RADIUS: Reports#Policy%20modelling]]

Firewall: Policy Modelling

2022-10-14T12:10:20Z

Steve: Redirected page to Firewall: Reports#Policy modelling

#REDIRECT [[Firewall: Reports#Policy%20modelling]]

Accounting: Logs

2022-10-14T12:09:28Z

Steve: Redirected page to Accounting: Reports#Logs

#REDIRECT [[Accounting: Reports#Logs]]

Accounting: Active Sessions

2022-10-14T12:08:59Z

Steve: Redirected page to Accounting: Reports#Active sessions

#REDIRECT [[Accounting: Reports#Active%20sessions]]

Accounting: Reports

2022-10-14T12:08:12Z

Steve:

{{Stub}}

== Active sessions ==
{{Missing information|scope=section}}

== Logs ==
{{Missing information|scope=section}}

[[Category:Product Manuals]]

Firewall: NAT

2022-10-14T12:07:06Z

Steve:

{{Stub}}
{{Missing information|scope=section}}

== NAT address filter ==
{{Missing information|scope=section}}

[[Category:Product Manuals]]

Firewall: NAT Address Filter

2022-10-14T12:06:11Z

Steve: Redirected page to Firewall: NAT#NAT address filter

#REDIRECT [[Firewall: NAT#NAT%20address%20filter]]

Firewall: Rules & Policies

2022-10-14T12:04:57Z

Steve:

{{Stub}}

== Egress ==
{{Missing information|scope=section}}

== Ingress ==
{{Missing information|scope=section}}

== Internal ==
{{Missing information|scope=section}}

[[Category:Product Manuals]]

Template:Missing information

2022-10-14T12:04:30Z

Steve:

<center>
<div style="border:3px solid red; width:70%; background-color:#F5F5F5; padding:2px;">
This {{#if: {{{scope|}}}|{{{scope}}}|article}} is missing information.
</div>
</center><includeonly>[[Category:Articles with missing information]][[Category:To do]]</includeonly><noinclude>{{documentation}}</noinclude>

Template:Missing information

2022-10-14T12:02:57Z

Steve:

<center>
<div style="border:3px solid red; width:70%; background-color:#F5F5F5; padding:2px;">
{{{scope}}}
This {{#if: {{{scope}}}|{{{scope}}}|article}} is missing information.
</div>
</center><includeonly>[[Category:Articles with missing information]][[Category:To do]]</includeonly><noinclude>{{documentation}}</noinclude>

Firewall: Internal

2022-10-14T12:01:06Z

Steve: Redirected page to Firewall: Rules & Policies#Internal

#REDIRECT [[Firewall: Rules & Policies#Internal]]

Firewall: Ingress

2022-10-14T12:00:35Z

Steve: Redirected page to Firewall: Rules & Policies#Ingress

#REDIRECT [[Firewall: Rules & Policies#Ingress]]

Firewall: Egress

2022-10-14T11:59:59Z

Steve: Redirected page to Firewall: Rules & Policies#Egress

#REDIRECT [[Firewall: Rules & Policies#Egress]]

Category:Product Manuals

2022-10-14T11:57:54Z

Steve:

The Opendium Web Gateway is an appliance filter designed to provide filtering services for anywhere from 50 to 50,000 users. Based on our state-of-the-art dynamic deep inspection technology the Opendium Web Gateway provides everything you need to comply with UK government guidelines such as [https://www.gov.uk/government/publications/prevent-duty-guidance Prevent] and [https://www.gov.uk/government/publications/keeping-children-safe-in-education--2 Keeping Children Safe in Education]. To read about how Opendium systems perform against the [https://saferinternet.org.uk/ UK Safer Internet Centre's] [https://www.saferinternet.org.uk/advice-centre/teachers-and-school-staff/appropriate-filtering-and-monitoring/appropriate-filtering Appropriate Filtering for Education Settings] guidance, please see the [[Appropriate Filtering for Education Settings|knowledgebase page]].

Opendium UTM provides the same functionality as Web Gateway, but with additional unified threat management capabilities, such as per-user control of non-web traffic, control of traffic between internal networks and support for site-to-site and remote worker VPNs.

The first few pages in this manual should be read first in this order:

* [[Installation Requirements]]
* [[User Interface Overview]]
* [[Recommended Minimal Configuration]]
The remaining pages are organised here in a similar way to the Opendium user interface.
* [[Filtering Categories]]
* [[Firewall]]
** [[Firewall: Rules & Policies|Rules & Policies]]
** [[Firewall: NAT|NAT]]
** [[Firewall: Rule Bundles|Rule Bundles]]
** [[Firewall: Services|Services]]
** [[Firewall: Zones|Zones]]
* [[RADIUS]]
* [[Release Notes]]
* [[Reports]]
** [[Accounting: Reports|Accounting]]
** [[Audit Log]]
** [[Automatic Reports]]
** [[Firewall: Reports|Firewall]]
** [[RADIUS: Reports|RADIUS]]
** [[Web: Reports|Web]]
* [[Time Periods]]
* [[Users & Groups]]
** [[Import Users]]
** [[User Synchronisation]]
** [[Virtual Groups]]
* [[VPNs]]
* [[Web]]
** [[Web: Filtering|Filtering]]
** [[Web: Permissions & Limits|Permissions & Limits]]
** [[Web: Reporting Categories|Reporting Categories]]

Web: Reporting Categories

2022-10-14T11:56:06Z