Controller Based WLANs

How To Enforce Safe Search for Google, Bing and resticted mode for You tube in AOS
Requirement:

All the internet search providers have now switched to using HTTPS (encrypted) for all communications to their engines, it is no longer possible to look into the clear text of the request from the client and alter the request to force the search engines to return content and images suitable for display at work or in schools.

When the search results are displayed the pages for images and videos frequently have thumbnail pictures which could be unsafe for children or the work place.

It is not possible to block these thumbnail images or videos as these are returned directly from google over the encrypted channel - but clicking on them would then launch to the website which can be blocked by conventional firewalls or content firewalls.

So the aim of this article is to inform how to force the search providers not to send these thumbnail images in the first place - this is called Safe Search.

It is possible to manually configure each client to enable 'Safe Search' but for obvious reason this is not workable when there are thousands of devices, and what about the BYOD devices - configuring these is something which is just not possible.

 

So Google recognize this is a significant issue and have come up with another way which is to change any request to 'google' to get a DNS response forcing the client to forcesafesearch.google.com traffic to forcesafesearch.google.com does exaclty  what it says always returns safe search content.

Google has over 190 DNS TLDs so each one has to redirected.

 

Google have also implemented the same for You Tube - forcing it to 'restricted mode' - restrict.youtube.com (note same VIP as forcesafesearch.google.com)

Bing have also followed suit and they have a Safe Search VIP - strict.bing.com

Yahoo as far as I can tell do not support DNS mapping to a Safe Search VIP.

 



Solution:

Although the controller does not have a DNS server and its not possible to re-write DNS requests forcing to the safesearch VIP's, It is possible to listen to these DNS requests and responses and then use an ACL to look for the destination IP addresses.

The solution is to configure netdestinations and then to apply these destinations to ACL rules which can then destination NAT to the 'Safe Search' VIP.

 

Google

forcesafesearch.google.com =  216.239.38.120

 

You Tube

restrict.youtube.com = 216.239.38.120

 

Bing

strict.bing.com = 204.79.197.220

 

 

 



Configuration:

The configuration requires that the controller has the PEFNG license installed.

 

From the WebUI create the following 'Destinations'

 

Google;

 

You Tube

 

Bing;

 

Then create a policy and create the following rules

 

 

Then apply this policy to the users authenticated role.

 

 

Example from the CLI;

 

netdestination Bing-SafeSearch
  name www.bing.com
!
netdestination Google-SafeSearch
  name *.google.
!
netdestination YouTube-restricted
  name www.youtube.com
  name m.youtube.com
  name youtubei.googleapis.com
  name youtube.googleapis.com
  name www.youtube-nocookie.com
  name www.googleapis.com
!
 

ip access-list session SafeSearch
  any   alias YouTube-restricted any  dst-nat ip 216.239.38.120
  any   alias Google-SafeSearch any  dst-nat ip 216.239.38.120
  any   alias Bing-SafeSearch any  dst-nat ip 204.79.197.220
!
 

user-role authenticated
 access-list session global-sacl
 access-list session apprf-authenticated-sacl
 access-list session SafeSearch
 access-list session ra-guard
 access-list session allowall
 access-list session v6-allowall
!
 

 

 



Verification

To verify the configuration it is possible to view the DNS name to IP mapping on the controller and viewing the session table it is possible to see the destination NAT sessions.

 

(Aruba3200) #show firewall dns-names

FW DNS names
------------
Name                      Id  InUse  List
----                      --  -----  ----
*.google.                 13  1      216.58.213.174 216.58.213.163
youtube.googleapis.com    9   1
m.youtube.com             7   1
accounts.google.com       1   1
www.youtube.com           6   1      64.233.167.91 64.233.167.93 64.233.167.136 64.233.167.190
graph.facebook.com        3   1
www.bing.com              12  1      204.79.197.200
www.youtube-nocookie.com  10  1
ssl.gstatic.com           2   1      216.58.213.163
youtubei.googleapis.com   8   1
www.googleapis.com        11  1      216.58.213.138
facebook.com              5   1
fbstatic-a.akamaihd.net   4   1

(Aruba3200) #

(Aruba3200) #show datapath session table 192.168.254.252


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop


Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
192.168.254.254 192.168.254.252 17   53    64288  0/0     0    0   0   tunnel 10   1    1          242        FI
192.168.254.252 192.168.254.254 17   64288 53     0/0     6    0   1   tunnel 10   1    1          61         FCI
192.168.254.252 216.58.213.163  6    49411 443    0/0     0    0   0   tunnel 10   2    72         7650       NC
192.168.254.252 216.58.210.67   6    49412 443    0/0     0    0   0   tunnel 10   1    21         2104       NC

216.239.38.120  192.168.254.252 6    443   49411  0/0     0    0   0   tunnel 10   2    60         34224      S
216.239.38.120  192.168.254.252 6    443   49412  0/0     0    0   0   tunnel 10   1    17         5776       S

(Aruba3200) #

We can see that DNS requests are marked for Deep inspection (I) and data going to google is being Destination NAT'd (N)

Version History
Revision #:
2 of 2
Last update:
‎01-27-2016 02:37 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.