About Content Restriction
Major search engines and content delivery services provide features that allow you to restrict search results and website content. For example, schools use content restriction features to comply with the Children's Internet Protection Act (CIPA).
When implemented by search engines and content delivery services, you can enforce content restriction features only for individual browsers or users. The Firepower System allows you to extend these features to your entire network.
The system allows you to enforce:
-
Safe Search—Supported in many major search engines, this service filters out explicit and adult-oriented content that business, government, and education environments classify as objectionable. The system does not restrict a user's ability to access the home pages for supported search engines.
-
YouTube EDU—This service filters YouTube content for an educational environment. It allows schools to set access for educational content while limiting access to noneducational content. YouTube EDU is a different feature than YouTube Restricted Mode, which enforces restrictions on YouTube searches as part of Google's Safe Search feature. YouTube Restricted Mode is a subfeature of Safe Search. With YouTube EDU, users access the YouTube EDU home page, rather than the standard YouTube home page.
You can use two methods to configure the system to enforce these features:
- Method: Access Control Rules
- Content restriction features communicate the restricted status of a search or content query via an element in the request URI, an associated cookie, or a custom HTTP header element. You can configure access control rules to modify these elements as the system processes traffic.
- Method: DNS Sinkhole
- For Google searches, you can configure the system to redirect traffic to the Google SafeSearch Virtual IP Address (VIP), which imposes filters for Safe Search (including YouTube Restricted Mode).
The table below describes the differences between these enforcement methods.
Attribute |
Method: Access Control Rules |
Method: DNS Sinkhole |
---|---|---|
Supported devices | Any | Firepower Threat Defense only |
Search engines supported |
Any tagged safesearch supported in the Applications tab of the rule editor |
Google only |
YouTube Restricted Mode supported | Yes | Yes |
YouTube EDU supported |
Yes |
No |
SSL policy required |
Yes |
No |
Hosts must be using IPv4 |
No |
Yes |
Connection event logging |
Yes |
Yes |
When determining which method to use, consider the following limitations:
-
The access control rules method requires an SSL policy, which impacts performance.
-
The Google SafeSearch VIP supports IPv4 traffic only. If you configure a DNS sinkhole to manage Google searches, any hosts on the affected network must be using IPv4.
The system logs different values for the Reason field in connection events, depending on the method:
-
Access Control Rules—Content Restriction
-
DNS Sinkhole—DNS Block