Te Kete Ipurangi Navigation:

Te Kete Ipurangi

Te Kete Ipurangi user options:

Firewalls and filtering

Red brick wall

This page outlines what needs to be considered when thinking about the firewalling and internet filtering needs of New Zealand schools. Firewalling and internet filtering, along with an effective digital citizenship strategy, are the primary means by which schools ensure the digital safety of learners. The rapidly evolving nature of technology means that schools should consider how firewalling and internet filtering can promote ethical and responsible digital citizenship of students and staff both in and out of school.

About firewalls and filters

What is a firewall?

Firewalls are specialised computers, placed at the edge of a computer network, that control and monitor the internet traffic that enters and leaves the network. They often have additional functions to allow remote access to the network (for example, a Virtual Private Network (VPN)) or provide IP addressing  functions (for example, DHCP  and DNS ). Firewall functions are usually combined with routing functions and the terms "Router" and "Firewall" are used interchangeably. In simple terms, firewalls prevent unwanted internet traffic from entering a computer network while simultaneously allowing permitted traffic to leave. Firewalls should be configured so that the allowed/not allowed internet traffic meets the needs of users.

What is web filtering?

Web filters work by routing internet traffic through a specialised device that inspects what internet sites are being requested by the user. The filter checks each request against a set of policies that have been defined for each school (or group or user if group/user filtering is in place) and accordingly allows or rejects the request. This process is usually invisible to the end-user. Web filtering allows schools to monitor, and accordingly restrict or allow, what users can access when browsing the internet. Web filters typically have the ability to filter sites based on:

  • individual sites (for example, ABC.com)
  • pages within a site
  • categories of sites (for example, gambling, games, and so on)
  • IP addresses
  • keywords (for example, swear words)
  • applications (for example, chat functions within websites).

Schools implement internet filtering for two main reasons:

  • To help prevent access to sites and applications not appropriate to a school environment.
  • To help prevent sites or applications that act as a source of distraction or time-wasting.

Web filtering considerations and the importance of digital citizenship

Responsibilities of schools

Schools have a duty of care toward students. Internet safety could be seen to be an area of school activity covered by National Administration Guideline 5  – “provide a safe physical and emotional environment for students.”

The New Zealand Curriculum’s Key Competencies  are also relevant to how schools approach this topic. Additionally, the Code of Professional Responsibility and Standards for the Teaching Profession  requires teachers to “Manage the learning setting to … maximise learners’ physical, social, cultural, and emotional safety”.

Schools have a responsibility to ensure that students are safe when using the internet. How individual schools do this will vary but requires a combination of two complementary approaches:

  • Educational: digital citizenship: guiding young people’s learning in the digital world.
  • Protective: web filtering: mitigating or buffering risk by protection, support or, intervention.

Web filtering must be balanced with strategies that promote:

  • development of skills and knowledge for safe and responsible use of digital technologies
  • opportunities for students to be involved in decisions about the management of digital technologies at the school
  • development of a pro-social culture of digital technology use
  • cooperation of the whole community in preventing and responding to incidents.

Internet access on student devices

In the past, schools were confident that once at school, students’ access to the Internet was always through the school’s connection. This connection was often faster than the connection that students had at home. Typically the school firewalled and filtered the connection. This ensured the students were protected while at school. It also gave the school a degree of protection: it was clearly seen to be proactive and acting responsibly.

Recent advances and availability of mobile data connectivity mean that this approach is no longer effective, particularly in secondary schools. A smartphone can access the Internet at speeds similar to or faster than the speed offered by the school’s network and the connection may be shared with others by creating a wireless hotspot. In almost all cases, the mobile data connection will be unfiltered.

Schools have a responsibility to ensure students are safe while at school and this responsibility extends to student use of mobile Internet connections. Additionally, unless it is clearly endangering the emotional or physical safety of other students or detrimentally affecting the learning environment, school staff cannot ask to search a student-owned device, nor ask for the password to any device to access the content (for more information, see the Ministry’s guidelines about the Safe and Responsible use of Digital Technologies in schools ).

This means that the school cannot easily monitor the use of cell phone Internet access so the only way to ensure the school meets its digital safety obligations is to implement a comprehensive digital citizenship strategy. This is because effective digital citizenship:

  • guides people at home and at school
  • guides people on mobile data or school Internet connection
  • guides people on any device they choose to use.

What role does Internet filtering have in a digital citizenship strategy?

An appropriate level of internet filtering can help students develop Key Competencies and be a useful part of a digital citizenship strategy by:

  • providing learners with opportunities to exercise digital citizenship skills in a supportive yet safe environment
  • encouraging learners to use the school’s internet connection while at school, rather than using unfiltered, personal mobile data connections
  • using the reporting functions of your filtering solution to prompt conversations about online behaviour with users.

Managing self – what does it really look like?

In the context of digital technologies, a student who is able to manage themselves will be able to:

  • manage their time so that it is used efficiently and productively
  • know the difference between appropriate and inappropriate content, that this varies contextually and make good decisions based upon the context
  • actively make decisions to "do the right thing".

Older learners should be able to manage themselves more effectively than younger learners, and be more discerning about what self-management means for themselves in different contexts. Using your filtering reporting tools to inform conversations with learners about how they manage themselves can be a useful technique to allow students to increase their ability to be discerning digital citizens.

Firewalling and web filtering in New Zealand schools 

Funded firewalling and web filtering from The Network for Learning (N4L)

Since 2004 the Ministry has given schools the option of a funded firewalling and web filtering solution. In 2013 the Network For Learning (N4L) started to roll out Ultra Fast Fibre (UFB) connectivity including a hardware firewall/router. The N4L solution includes a web filter that can be customised to fit the needs of schools. It has the ability to filter based on individual sites, categories of sites (for example, gambling) and IP addresses. These filters can be applied to individual or groups of devices and individual or groups of people.

The N4L firewall is fully managed at no cost to schools. This support includes configuration changes and software and hardware upgrades. N4L has expertise and experience in working with schools to ensure their internet and firewalling needs are met and that they support teaching and learning. The N4L service, because it is a managed service, has some unique advantages that a custom firewall does not have:

  • The firewall rules that N4L implement as standard mean that common applications such as Google Hangouts, video-conferencing, and Skype will not require extra configuration by your school.
  • Teachers and students are more likely to be able to use the applications or sites they want without requiring technical support or intervention.
  • If a change is made by a service provider (for example, Apple, Google, or Microsoft) that will require a firewall change to be made, the N4L will make those changes on your behalf in order to ensure that teaching and learning can continue.

Schools may make requests of N4L to change firewall rules. For example, a school may require an on-site server to be capable of being accessed from the internet. N4L actions these change requests quickly, but also audits them to ensure they achieve their intended purpose securely. N4L is keen to work with schools that may require custom or specialised firewalling and will work to ensure the N4L service meets their needs.

Alternatively schools are able to procure their own firewalling and web filtering solutions.

Alternatives to using N4L firewalling and web filtering

Schools are able to use the N4L connection, but to substitute N4L’s firewall and filter with their own firewalling and filtering solutions. If a school is considering whether or not to provide their own firewall and filtering solution, the key question to consider is: “given it is provided at no cost, will the provided N4L solution meet our needs?”. To help to answer this, the N4L firewall should be evaluated against any alternative firewall using criteria such as:

  • Functionality – is the firewall capable of doing the job required of it? Will additional advertised features, such as more granular reporting or bandwidth management, actually be used? 
  • Ease of use – will it be easy for any setup or configuration changes to be made?
  • Cost – what is the cost of the hardware, subscription, and time or labour charges for installation, support, and configuration changes?
  • Support – what is the availability, quality, and type of support? For example, is the support proactive (anticipates issues before they happen), reactive (responds to problems reported by users), or both?
  • Overall value – is the alternative firewall better value than the N4L's fully funded firewall solution?

HTTPS/SSL – What’s the fuss?

It has been increasingly common for websites and internet-based services to use encryption to ensure that communication between the user and the website or service is secure. This is commonly called HTTPS (the "S" stands for secure) or SSL (Secure Sockets Layer). A detailed explanation of how SSL works  is available for those who are interested. The impact of HTTPS/SSL on school internet filtering is significant. This is because of how the encryption prevents web filters from inspecting the contents of web communication. In practice, encryption prevents filtering systems from reading any part of a URL (internet web address) beyond (to the right of) the initial site address.

For example, a Google search for “cars” sends the following URL to Google:


Ordinary internet filters cannot read any part of the URL to the right of https://www.google.co.nz/

This means that the filter cannot know if the user is searching for “cars” or for anything else. So, students could search for, and access, inappropriate content without detection or being blocked by the filter.

Search engines like Google and Bing provide "safe search" options. These are enforced by the N4L filter by default. They provide an additional level of filtering of the results that a particular search will produce. However, they are by no means completely safe: search results can still include images or links that are inappropriate.

Filtering HTTPS sites is possible if you wish to block the whole of a domain. For example, it is very easy to block the whole of facebook . Unfortunately this is not very useful as most students need to use HTTPS sites for learning.

An alternative approach that allows both inspection and filtering of HTTPS sites is by deploying certificates. Certificates are digital fingerprints that identify a computer and are used to decrypt and encrypt communications. Adopting a certificate based inspection and filtering system allows the filter to work with HTTPS sites. Using the example above, the filter would be able to see that “cars” were being searched for, and apply (probably allow) filtering policies to the request. N4L is able to support such Secure Website Inspection . Contact N4L if you wish to enable this for your school.

Keep informed

Subscribe to the newsletter.