Controller-less WLANs

 View Only
last person joined: one year ago 

Articles relating to existing and legacy HPE Aruba Networking products and solutions including IAP, Central / HPE Aruba Networking Central, MSR, and Outdoor Mesh
Back to Library

How to enforce Safe Search for Google, You Tube, Bing 

Jan 08, 2016 11:18 AM

Requirement:

Now all the major search providers have switched to HTTPS all requests to the search engines are encrypted - it is no longer possible to use a firewall to look at the URL and modify it to switch the request to a safe search request.

This means that most search engines will return non safe results.

This is a big deal especially for Schools and guest networks - you don't want children seeing non safe content, same for guests - you don't want them having access to non safe content in a work environment.

 

Google, You Tube and Bing recognize this is a significant issue and offer a 'safe search' VIP, it is then possible to change the DNS entries for all the Google TLD's to resolve to forcesafesearch.google.com.

Again the same thing is possible for Bing redirect to  strict.bing.com.

You Tube offer a restricted mode for video searches again using the restrict.youtube.com VIP.

 

https://support.google.com/youtube/answer/6214622

https://support.google.com/websearch/answer/186669?hl=en

 

http://help.bing.microsoft.com/#apex/18/en-US/10003/0

 

Note as of January 2016 it appears that yahoo do not offer safesearch via DNS.

 

If you don't want to play around with the DNS servers, the same configuration is possible on Aruba Instant.



Solution:

The solution is for Instant to be configured for access control rules which will destination NAT based on domain name.

i.e. if we see www.google.com change the destination IP to 216.239.38.120 (forcesafesearch.google.com)

 

The problem with google is they have ~190+ top level domains so they all need to be redirected. i.e www.google.in

Instead of 190 rules we can use the following wild card '.*'

our D-NAT rule would look like;

rule alias google..* match any any any dst-nat ip 216.239.38.120

 

 



Configuration:

The configuration can be done via both WebUI and Console.

Unfortunately we can't D-NAT to a domain name so we have to resolve the safe VIPs manually;

 

Google

forcesafesearch.google.com =  216.239.38.120

 

You Tube

restrict.youtube.com = 216.239.38.120

 

Bing

strict.bing.com = 204.79.197.220

 

wlan access-rule SafeSearch
 index 0

# redirect google searches

 rule alias google..* match any any any dst-nat ip 216.239.38.120

 

# redirect You Tube
 rule alias www.youtube.com match any any any dst-nat ip 216.239.38.120
 rule alias m.youtube.com match any any any dst-nat ip 216.239.38.120
 rule alias www.youtube-nocookie.com match any any any dst-nat ip 216.239.38.120
 rule alias youtubei.googleapis.com match any any any dst-nat ip 216.239.38.120
 rule alias youtube.googleapis.com match any any any dst-nat ip 216.239.38.120

 

# redirect Bing
 rule alias www.bing.com match any any any dst-nat ip 204.79.197.220

 

# Block Yahoo
 rule alias search.yahoo.com match any any any deny

# Allow everything else
 rule any any match any any any permit

 

 



Verification

To verify you are getting safe results, either attempt to search for non safe content, or check settings under google and change to non safe results and then search and then re-check the settings it should be back to safe results.

 

Statistics
0 Favorited
3 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.