As you might recall, the U.S. House of Representatives passed an amendment over the summer requiring schools receiving federal money to install content filters on their internet connections. The amendment was part of the House Juvenile Justice Bill, and at press time, members from both the House and the Senate were convening to hash out a final version.

Although I oppose such a law for many reasons, I think it would be prudent for network administrators who have not yet installed filters to begin looking into the pros and cons of different systems in order to find a product that best suits their needs. This month, I’d like to look at features offered in various filtering systems and discuss why they might or might not be valuable.

I don’t intend this column to be a product review or endorsement. There are many ways to accomplish good content control, and a product that works well for one school or district might be completely unsuitable for another. The issues below, however, demand consideration by anyone who wants to install a filter.


The first thing I would consider in the installation of a filter is its placement in your network. Some filters are installed right on the local machines. Often, these are less expensive and more straightforward to install, but they are also the most vulnerable to defeat by tech-savvy students. If you are filtering a machine that has only a dial-up connection to the internet, this is your only choice; but if you’re trying to filter an entire network, I would recommend going with a proxy server-based filter.

A proxy server is a machine that stands between your students’ computers and the internet. The browser on the client machines is configured to direct all requests to the proxy server, and it is the proxy server that actually goes out to the internet to fill those requests. Most proxy servers also cache the content they retrieve, so subsequent accesses of the same page from your network can be served at 10 or 100 Mbps instead of 1.5 Mbps. Some proxies also perform firewall filtering at the data-link layer and network layers. Others can double as Virtual Private Network servers.

A filter installed on a proxy server is much harder to defeat because the students don’t have physical access to the proxy machine. The key here is designing your internet protocol (IP) network so students are forced to go through the proxy server. The most common way this type of filtering is defeated is by changing the browser and/or IP settings to circumvent the proxy.

To defend against this, network managers can use a combination of private IP addresses and an Access Control List (ACL) on the router connecting them to the internet. If a client computer can only get to the internet through the proxy server, changing browser settings will do nothing to circumvent the filter. I assign an address in the private range of through to all the machines in my network. These addresses work fine on our network, but will not route beyond our network. Therefore, the client machine has to get its internet content from the proxy server, or it doesn’t get content at all.

Even though Windows NT Workstation security prevents users from changing IP addresses—and the average student wouldn’t be able to guess a routable IP address even if he could—I have also configured our router to block all but two or three of our public addresses, just to be safe. These few routable addresses are to allow our eMail server and our web server to send and receive packets directly to and from the internet. If a student were savvy enough to guess one of these routable addresses and to actually change the address of his machine, the OS would detect that it is already in use on the network and disable it.

Filtering method

Another major consideration in choosing a filter is the method used to filter content. Some filters use keyword-based filtering, which blocks pages and searches that contain particular words. Filters such as these will keep up fairly well with new sites as they are created, but they are invariably prone to errors. They are not yet smart enough to accurately determine context and erroneously block things like the Essex County home page. Last year, Jamie McKenzie’s From Now On site was blocked by a keyword filter because of his page on “Adult Education.”

Because of these relatively unpredictable types of errors, I prefer a filter based on a database of sites which have been previewed and rated by a human being who can determine the context of the content. While I don’t always agree with their ratings, these types of filters are not prone to blatant errors such as blocking “Essex” or “Adult Education.”

The weakness of these filters is that it’s impossible to view and rate all the sites on the internet as their number grows exponentially. Some companies also offer a subscription service where, for an annual fee of about $1,000, you can download monthly updates to the company’s block list.

Schools should also consider whether or not search engine results are filtered. Sometimes the content placed in a page’s meta tags can be just as offensive and distracting to a class project as the page itself. Some filters will scan the results of a search engine query for inappropriate words or phrases, while others will prevent users from submitting queries containing certain words. These, too, are susceptible to context-based errors, but as artificial intelligence technology improves, so will the accuracy of these filters.


The flexibility of filtering rules is of critical importance, especially in schools or districts serving a wide range of grade levels. You may wish to filter different content for your middle school than you do for your high school, for example, or you may want your kindergarten to only have access to a certain number of pre-selected sites. A well designed system should support the following types of rules:

• Different access based on login name

• Different access based on IP address or subnet

• Different access based on time of day

• Filtering by access type (ftp, http, etc.)

• Override of blocked sites

Administrators should be able to combine these rules to block access to inappropriate sites from students, while leaving access open for administrators to review sites to include in coursework if they so choose. Your system should also have the flexibility to block access to the internet completely from a single lab during a class when the teacher doesn’t need it and wants to minimize distractions, without disrupting access from any other labs.


Because our filter uses a database of previewed sites to filter content, the easiest way to defeat this type of filter is for a user to continuously search for inappropriate sites until he or she finds one that isn’t in the database. Even with monthly updates, it is impossible to keep up with the growing number of web sites on the internet.

Because of this, reporting has been a critical tool in the enforcement of our acceptable use policy. If the usernames of people who violate the filtering rules are recorded to a log which is checked on a regular basis, students who try to defeat the filter by “brute force” are easily identifiable. We can then disable the accounts of students who try to defeat the filter, and we can block all internet access indefinitely for repeat offenders or call in parents for conferences when necessary.

I like this type of setup because it goes beyond technology to put more responsibility on the human beings involved. Administrators can check logs to find sites that are being blocked erroneously and edit override rules accordingly. Students know they are being held responsible, not to a machine or program, but rather to the adults in their school and ultimately to their parents. This is filtering at its best.