I tried other filtering programs, and Chaperon is the only solution that truly delivered on what it promised. CornerPost’s tech support is the best in the business, and they are always willing to ...''
James Mahnke
Talk Radio News' Ellen Ratner discusses Internet porn in America and Chaperon@Home
Chaperon@Home Usage, Number of Chaperon Servers Increased
Greeneville City Schools Launches Chaperon Fundraiser
more news...
Free Trial
Chaperon for ISA 2004/06
Surrogate Socket
Lemon Grove Schools Use ISA Server, Chaperon For Internet Filtering, Improved Bandwidth
With its infrastructure and instructional innovation expanding, Lemon Grove School District in California needed a powerful solution to ensure its K-8 students did not engage in inappropriate Internet use. Its solution: Microsoft Internet Security and Acceleration (ISA) Server 2000 in combination with Chaperon 2000 (C2k) from CornerPost Software.

Duffield, VA - March 1, 2001 - The solution not only filters from a list installed into ISA Server but also monitors cached sites to dynamically add URLs to its list. When the solution senses that a student is deliberately attempting to access inappropriate sites, it sends an instant notification to the student’s principal, allowing the administration to take counseling or disciplinary action. Because ISA Server caches popular Web sites and uses RAM in addition to hard disk space, network performance has nearly doubled. The district plans to expand its solution with a Web-based tool that will allow teachers to query the SQL database that stores ISA logs, enabling them to gain valuable reports on how – and how well – students are using the Internet as a teaching tool.

It was the success of Lemon Grove School District’s LemonLINK project that caused the problem. The 4,600-student, K-8 urban district in southern California, with six elementary schools and two middle schools, earned a $3.3 million technology innovation grant from the U.S. Department of Education in 1997. The result: Project LemonLINK, a comprehensive learning community for the district that links all schools via a high-capacity fiber- and wireless backbone using state-of-the-art microwave links. The district has category 5 drops in every classroom, with the typical upper grade classroom (grades 4-8) hosting four multimedia computers and 12 Windows terminals. Lower grade classrooms host three computers and eight terminals. Seventeen Windows Terminal Servers at the central office host terminal services, application servers and curriculum servers. LemonLINK has been so successful that its infrastructure has been extended to serve another 16 municipal sites and the project has been cited by Business Week magazine as a “top 10 for instruction innovation.” All of this in a relatively poor district where 70 percent of students are on free and reduced lunch programs.

In that context, Lemon Grove’s problem is one that many other districts would envy: The broad access to the Internet was making it difficult to effectively block students from viewing inappropriate Web sites, and existing solutions all had drawbacks.

“We were subscribing to a filtering service that updated nightly, but there were limits to the length of the filter list we could support, so we went to generic blocking, but that kept out too much information,” says Darryl LaGace, director of information systems for Lemon Grove School District. “We were using Proxy Server but it maxed out for us at about 200 users an hour and started to become sluggish.”

The district also needed a solution that would provide superb firewall protection, one that would prevent hacker penetration and notify managers immediately of attempts to penetrate the security. 

“You wouldn’t believe what these kids can do to a network,” says Paul Elswick, president and CEO of CornerPost Software LLC, the Microsoft solution provider working for Lemon Grove Schools. “You would not believe the technical skills of these students. Unsupervised they can really damage a network.”

Installing the ISA Server/Chaperon 2000 Solution

In response to these requirements, Elswick suggested that Lemon Grove Schools become a beta testing site for Microsoft’s then-unreleased firewall and cache solution, Microsoft Internet Security and Acceleration Server. This successor to Microsoft Proxy Server version 2.0 combines a full-featured enterprise firewall and a scalable Web cache server. Elswick proposed using ISA Server in combination with CornerPost’s own Chaperon Internet management tool and filter, which updates itself automatically on the fly and notifies the Internet manager when users attempt to defeat the filter.

In September, CornerPost installed two servers running Windows® 2000 Server and ISA Server. The second ISA Server provides redundancy should the first server fail. Both ISA Servers run CornerPost’s Chaperon 2000 software, and load balancing functions. The next step was to implement Active Directory™ service, which would enable the district to set varying security policies for different groups of users – for example, allowing teachers to have broader Internet access than students, should the district wish to implement such a policy. 

The company then implemented authentication of user names and passwords and built a trust relationship between the Windows 2000 domain and the existing Windows NT 4.0 domain. (Lemon Grove is preparing for a full migration to Windows 2000 this summer.) By changing a single line of code in the batch scripts for Windows Terminal Services, CornerPost was able to migrate Lemon Grove users from the existing Proxy Server to ISA Server in blocks of 500. 

“We were worried that there might be some trouble configuring ISA Server to have a trust relationship with the Windows NT 4.0 domain, but it was a no-brainer,” says Elswick. “The entire process took half a day. We did it onsite but it was so straightforward that we can even implement the solution remotely.”

Leveraging ISA Server

Chaperon’s “Agility Filter™” is loaded into the ISA Server database with approximately 1.5 million blocked Web pages and goes to CornerPost’s Web server every two hours to download additional sites. ISA Server creates a text file log that records the Web sites being accessed. Chaperon copies the ISA Server log to the log on SQL Server. All information about the student’s Web use – e.g. all URLs visited, blocked sites hit, number of times that attempts are made to hit blocked sites – are recorded in SQL Server. 

When a student’s attempts to hit a blocked site exceed an absolute threshold level established by the district or a relative threshold compared to other online users, Chaperon sends a notification to someone, usually the student’s principal or teacher, by leveraging information stored in Active Directory. The notification allows the principal to view the relevant portion of the log and to interact with the student to clear up the problem. The notification feature – which engages school administrators in the filtering process – is key to the CornerPost philosophy and contrasts with static filters that operate automatically without human agents.

“We want notification of Internet abuse going to our administrators because that allows administrators to act directly on the information,” says LaGace. “The alternative is wading through logs after the fact, which isn’t very efficient. Students need to know that there are immediate consequences to Internet abuse. And once you get beyond that, notifications and reports allow your administrators to see if the Internet is being used in a positive way. Are students spending time researching material assigned to them or just surfing the Net? Logging to the SQL database allows us to do statistical searches to find out, that’s a level beyond merely blocking access to objectionable sites. Before ISA Server and Chaperon, we couldn’t do this."

Blocking Inappropriate Access at Lemon Grove

For the month of September 2000, Lemon Grove users hit the Internet 6.7 million times, according to reports based on the SQL Server logs generated by ISA Server and Chaperon. Some 32,420 of these hits were blocked with a notification generated and sent by Chaperon to an administrator. Not every hit to a blocked site generates a notification. The Chaperon engine assumes that some of those blocked hits are accidental; but if the intent of the user appears to be deliberate (e.g., the user attempts repeated hits of a blocked site in a short period of time), then the action generates a notification.

“Our review of the first month’s use of ISA Server and Chaperon showed us three ways that Lemon Grove students were trying to overwhelm or defeat the filter,” says Elswick. “What we learned enabled us to strengthen the solution and give Lemon Grove even better Internet security.”

For example, during one two hour period from midnight to 2 am, a student connecting to the district from his home-based Windows terminal was blocked by the filter from hitting listed sites 1,762 times. To attempt to get around the filter, he would go to an Internet search engine, obtain search results for a provocative request– and then use a special key combination to open up to 15 browsers at once. Since all filters inadvertently allow some inappropriate sites to get through, the student identified sites not caught by the filter and then shared them with classmates via a chat room. In another case, a student distributed an email containing inappropriate URLs that he and his friends accessed with the expectation that, because no Web search was generated, they would gain access undetected. In a third case, a student ran a search using key words not in themselves offensive – e.g., “teenagers” – but that were likely to turn up inappropriate results. 

In all three cases, Chaperon’s Agility Filter not only alerted administrators but also scanned the sites when they were stored in ISA Server’s cache. As a result, Chaperon added the sites to its filter list, strengthening the solution by preventing further access to the inappropriate sites. Further, the URLs were uploaded to CornerPost’s site for distribution to other Chaperon customers – with Lemon Grove’s prior approval – strengthening their filters as well. The Lemon Grove students behind these attempts, meanwhile, were counseled by school staff on appropriate use of the Internet, in some cases temporarily lost their Internet privileges, and, for their efforts to beat the filter, ended up improving its quality for customers worldwide.
Benefits Beyond Filtering

ISA Server, alone and in combination with Chaperon, gives Lemon Grove a range of benefits beyond agility filtering and instant notifications. For example, the cache, by storing requested Web pages locally, minimizes the need to actually access the Internet, speeding performance and enhancing the Internet responsiveness and experience for users. Because ISA Server stores Web sites in RAM, in addition to 7GB on disk, it boosts performance beyond that of other cache solutions. In addition, the solution’s filtering of banner ads eliminates about one third of network traffic, boosting bandwidth even further.

As a result, ISA Server is supporting an average 39,000 hits per hour and a maximum 123,000 hits per hour, or a sustained load of 34 hits per second. These performance figures are about twice as high as Lemon Grove achieved under its previous, Proxy Server solution – and they’re being achieved with just 25 percent utilization rate of the dual-processor, Pentium III processors in the servers running ISA Server and Chaperon. That gives Lemon Grove plenty of room for growth and scalability.

“The higher performance is a real plus for group activities,” says LaGace. “For example, we can have 300 or 400 students going to a Web site at the same time as part of a campus-wide event. Now, we can do that without swamping our network.”

Looking ahead, Lemon Grove and CornerPost plan to develop a Web-based tool that will give classroom teachers detailed reports on how their students are using the Internet. Teachers will be able to fill out various fields that query the SQL Server database. Beyond addressing the question of inappropriate sites, this tool will allow teachers to understand how their students are researching assignments, whether they have mastered research techniques, and more broadly, whether they’re researching or surfing when they go online. 
“As we’ve grown, expanding LemonLINK and giving our students greater Internet access, we’ve been concerned that that Internet access could be misused,” said LaGace. “With ISA Server and Chaperon, we have a solid response to those concerns that will serve us for years to come.”

©2001 Microsoft Corporation. All rights reserved. 
This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED IN THIS SUMMARY. 
Microsoft, Active Directory and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Chaperon for ISA 2004/06
Surrogate Socket
There is no doubt that the Internet has made our world smarter, more connected, more productive. Experience has also proven how dangerous the Internet can be when it is used “unchecked” by good judgment.
  About CornerPost || News & Events || Industry Solutions || Contact Us Copyright 2004 CornerPost Software, LLC
Privacy Statement || User Agreement