Hi, good morning, and welcome to this week's edition of NCompass Live. I am your host, Christa Porter, here at the Nebraska Library Commission. NCompass Live is the commission's weekly webinar series where we cover a variety of topics that may be of interest to libraries. We broadcast the show live every Wednesday morning at 10 a.m. Central Time, but if you're unable to join us Wednesdays, that's fine. We do record the show, as we are doing today, and it will be available for you to watch on our website later at your convenience. I might show you where that is later today at the end of today's show. We'll see. Anyway, both the live show and the recordings are free and open to anyone to watch, so please do share with your friends, family, neighbors, colleagues, anyone you think might be interested in any of the shows we have on NCompass Live. For those of you not from Nebraska, the Nebraska Library Commission is the state agency for libraries. So we are similar to your state library. So we provide services and training and resources to all types of libraries in the state. So you will find shows on NCompass Live for all types of libraries: public, academic, K-12, corrections, museums, archives, historical societies, really anything and everything. Our only criteria is really that it is something to do with libraries. Something cool libraries are doing, something cool we think they could be doing. We do book reviews, interviews, mini-training sessions, demos of services and products, all sorts of things. We sometimes bring on guest speakers from across Nebraska and across the country actually, but we also have library commission staff that do presentations for us. And the last Wednesday of the month is always Pretty Sweet Tech day, which is when Amanda Sweet, who is our technology innovation librarian. Good morning, Amanda. Good morning. She always comes on on the last Wednesday of the month to do some sort of a session about something techy related.
So if you're a tech type person or if that's your focus, something you're interested in, definitely look at the last Wednesday of the month. We have techy things other times during the month too, but you can always be, you know, sure there'll be something on the last Wednesday. But today we have another commission staff person with us as a guest presenter, Sherm, Andrew Sherman. Good morning, Sherm. And he is our newest employee here at the commission as of January, correct? Yep. On our IT, our technology, computer technology team, whatever they call themselves. And he did a session last month on. Securing the public security. Yeah, so similar, related to securing your computer. Last week was kind of securing the public computers. Now we're going to talk this week, this month, a little more on the network security. Right. So they go together, both these sessions, I think, definitely, they're a set. So you definitely want to go back and look at the recording from last month. But today we're going to talk about internet filtering, which can be used, of course, in E-rate, which is something I handle here at the library commission. One of my duties here also is I'm the state E-rate coordinator for public libraries in Nebraska. So I handle all the training and hand-holding and consulting with any of our public libraries who are applying for E-rate. And CIPA is something that's required for that, but it's also useful for other things too, though, not just for E-rate; there are other reasons you would be filtering as well. So, but I'm going to hand it over to Sherm to tell us all about it and how we can keep everything safe in our libraries.
All right, and everybody can see my desktop, right? My presentation? Yep, I see your slides. So today we're going to talk about internet filtering. Obviously the E-rate CIPA compliance is a big, big part of that. But I don't know that a lot of people are familiar that filtering is a long-standing network security feature.
If you have firewalls in your library, you're filtering. I don't know that a lot of people understand that. Filtering has kind of a bad rap back from the early days when a lot of it was what we would call keyword based. So you would put in keywords that would be blocked, which resulted in a lot of stuff getting blocked. So if you blocked sexuality, it blocked any website or anything talking about it. So the filtering technology has obviously improved. I'm curious to see what might be happening with all the AI technology coming online now too, if that will be also applied at some point to help improve that technology, but we're going to go ahead and get into it. So we're actually going to talk about initially some of the different technology protocols that are occurring in the router you have from your ISP, because they all interrelate in how the filtering technology works. We'll cover methods. We'll talk a little bit about the cybersecurity. And then the last slide I saved for E-rate. And I'm hoping Christa will feel free to jump in there as we talk about the E-rate requirements, the CIPA requirements. There's multiple government agencies that all have their web page that talks about it, and they're mostly the same, but there's a few differences. I don't know that we'll get into that a whole lot, but probably the USAC side is the one I'm going to concentrate on since that's where you get to go to get your funding. So that's what we'll talk about there towards the end.
So the router, if you're not familiar with the router, it's a little black box that your connection from your ISP connects to, to take your local area network that's wired or Wi-Fi in the library and connect it to the internet. And your ISP generally provides a router. Some of you may or may not pay a monthly fee. If you have consumer grade service, you can save some money every month.
If you purchase and utilize your own router, of course, you have to have the skill set to set it up and manage it, which some may do. That's what I've done at home. And that router acts initially as what we call a modem; that kind of goes back to, if you remember, the old dial-up days. Even though it's not that type of technology, we still generally refer to the modem, and it acts as that connection then, like I said, between the ISP's network, which is the internet, and your local network. The second technology that comes into play is called DHCP, Dynamic Host Configuration Protocol. What that basically is: in the old days, we used to have to physically assign the IP addresses to all the devices on our network when we first started using TCP/IP. This is a technology that, when your device boots up and connects to the network, will provide it an IP address and provide all the other addressing that goes with it to be able to make it connect to the network, do printing, get out and surf the web. So that's DHCP.
So DNS is your name server, and this is where the filtering we're talking about today comes into place, DNS filtering. You'll notice I have the port there. I just want to mention ports. I'm not going to get into a lot of that technology. We are going to talk a little bit about firewalls. Filtering is kind of the first moat in security. It's been around the longest. So even if you have a firewall in place, I guarantee you that firewall technology provider has filtering as kind of that first moat or first wall for their protection with the firewall. Now the big difference between DNS filtering and the firewall is the DNS filtering is just going to provide filtering for the website domains you're going to. It doesn't protect you from inbound attacks from the internet. It only is going to protect your surfing, your connecting to domains. So if the domain is on a naughty list somewhere, it'll block. If the domain is not on a naughty list, you'll be able to get to it.
Firewalls are much more capable. DNS filtering, if your library does not have the firewall or the funds to invest in a firewall, and then also there's the management of the firewall, DNS filtering should, I think, at least be a minimum set for the cybersecurity piece. So at least you have some basic cybersecurity protection. Again, I would recommend, if we're talking about E-rate, Category 2: if you need to upgrade your firewall or you don't have one, definitely consider taking advantage of the Category 2 funding to get a firewall in place. It's much, much stronger cybersecurity. DNS is referred to as the internet's phone book. So when I put in Google.com, it's actually using the DNS server to resolve that domain name to an IP address that then allows me to get the session on the website and communicate. One thing about domain name services is they're put out in multiples for redundancy, because you can't get to anything on the web without a DNS server to do that translation for you. So one of the things about DNS filtering I want to mention is all your DNS servers are cached for speed. So every time they make a request, they cache that away and store it. If we would make a change in the filtering, either to block a security threat or to unblock a site that's getting blocked by, say, our adult filter, it can take a little bit for that to propagate through the DNS system, since those servers are cached to give them better performance. So it may take a few minutes. It used to be you put that change in and it could take a while; now within a few minutes you should see that block, or that unblock, occur.
So now we'll talk about network address translation, as this comes into play too. If you're familiar with what NAT is, this is a technology that was invented because we knew we were going to run out of what we call IPv4 internet addresses, which technically we're out of today.
So what this technology allowed us to do is, if you ever do "what is my IP address" in your browser at the library, you'll get the address that the ISP has assigned to your router on the internet. And what this allows us to do then is we don't have to have registered public IP addresses on all the devices on our network; we can use private IP addresses, of which there are several ranges that are kind of the standard. And this network address translation, actually using the hardware address of the device in the network and its private IP address, acts as a translator. So all your devices out on the internet look like your public IP address once that traffic's flowing out there, but it allows us to share that with a multitude of devices behind it. So that gets in then to what we call static or dynamic IP addresses. So maybe in the old days, when all the businesses had our web servers on site running on a server, we had to have a static IP address so if somebody's trying to get to our website, it would resolve with the DNS server out on the internet. It would point it to the registered IP address that we pay for. Most ISPs, if you have a static IP address, will charge you an additional monthly fee to have that. Maybe it wasn't a big deal to get one. It can be now. If your library has what we call consumer class internet access, a lot of times you cannot get a static IP address for that. The business class services, generally, you can with an additional charge. So that causes some issues with filtering that they have sort of resolved, and we'll get into that in a little bit.
One thing I want to talk about: back in the day when I was first working as a technology librarian, my library got the letter. I don't know if anybody else remembers the day we were getting the $10,000 fine letters from the RIAA saying somebody had come into the library and used our network to download illegal music, or the MPA would send you the same kind of letter because somebody downloaded an illegal movie.
So one of the common things I would do at my library on the firewall: when we got our letter, our city attorney said, we're not paying you $10,000, we're a public library, but I have instructed our technology person to block BitTorrent. BitTorrent is a file transfer protocol that's commonly used for illegal purposes. So almost anybody managing a firewall will block BitTorrent. The nice thing is some of the filtering services have added some very limited application blocking to their technologies. If your library receives, now it used to be that letter would come from RIAA or MPA. They've pushed all that responsibility off to the internet service providers now. So if somebody is using your library network to download pirated movies or music, you'll probably get a letter at some point from your ISP saying, hey, you have to fix this. The easiest way to do it is you go into your filtering or your firewall and you block the BitTorrent protocol application, and then you just don't have to worry about it anymore.
The Wi-Fi server: so if you have Wi-Fi in the network and it's being provided by the router that your ISP provided, that can be running on that. VPN, Virtual Private Network, that was something nobody really knew much about until the pandemic and we all went remote. So that feature got turned on at a lot of places. And what happens is, as you see at the top of the slide, your router is super busy. It's serving a lot of stuff. So one thing I'll throw out here as a suggestion: if your Wi-Fi seems slow, even if you have pretty respectable internet speed, there's a good chance that your router is just overtaxed. It's trying to do too much. And what you may want to consider is you can add what we call an edge router, where you move all these services we talked about to it. So then your Wi-Fi router is just serving Wi-Fi. It takes a big load off of it and can really improve your Wi-Fi performance.
Or you add what we call a WAP, wireless access point, where it's basically a Wi-Fi router and all it serves is Wi-Fi. You can shut the Wi-Fi off on the router you get from your ISP. And then again, that should dramatically improve your wireless performance. So I just want to throw that in there while we're talking about that tech. Did anybody have any questions for me so far on any of that?
We do have a question. I don't know if it's on any of that specifically, but it's a general question and maybe something you'll address later. Someone wants to know what are your views on managed services from your ISP, where they manage the firewall and other network devices rather than you doing it yourself?
I always managed it myself, so I don't have a lot of experience with having an outside entity do it. It's a huge moneymaker for them to be able to offer those professional services, and I'm sure they do a good job with it. If you don't have the knowledge of how to go into a firewall and configure and set that stuff up, you know, that's a great thing to have. Generally, and Christa, jump in here if I'm misspeaking, but if you're using E-rate in Category 2, when you make that initial firewall purchase, if there's professional services that have to be part of that, you know, you could add that into the bid from that vendor and cover that cost for them to maintain. And so if you have an issue with your firewall where you have a site that needs to be unblocked or blocked, you can call them and they will make that change for you. Or if you get the BitTorrent letter because they didn't set BitTorrent on, which, again, when we talked about last week unique things to libraries, people love to use the library networks to steal stuff off the web. It's just kind of like in the old days where you used to be able to go to the library and get the music CD and then you took it home and ripped it.
And then you had the music illegally on your computer at home and then you could just return the CD to the library. So now people do it on the web, where they go out to Pirate Bay or somewhere like that. You can download movies, you can download music. And if it happens often enough, I guarantee your ISP is going to send you a letter to make it stop. Yeah, but if your ISP is managing that for you, they probably will just continue to say, hey, we're going to make it stop. Yeah, hopefully they would communicate with you first. But they may just send you a letter that says, hey, we got a complaint and we blocked it. Let's have a conversation. It's possible. I mean, people do use BitTorrent for legitimate purposes, but it's been so much the standard for illegal stuff that everybody pretty much blocks it right out of the gate. Yeah, yeah. But yeah, and you are correct. The managed Wi-Fi from an ISP is something that you can receive an E-rate discount on. Yep. So if you do E-rate, definitely, and you don't have the staff or the knowledge to do it, definitely look into it, and then make sure, if you are doing E-rate, you apply for a discount on that additional service. Taking advantage of that Category 2 can save you so much money. Absolutely. Yes.
And while we're on this slide, there is a question that I get a lot about: with the new Windows Defender firewall options, is it good enough to use the free firewalls, or is it actually required or worth it to buy one?
Windows Defender kind of just protects your computer, and where Windows Defender will come into play is it really doesn't help you out on the browser side. Windows Defender is more protecting the PC at an application level. So if you've installed a new piece of software, I'll give you a great example where I run into Windows Defender. Let's say I'm running reboot restore software on my public computers and I'm using a management console running on my front desk computer.
When I install that reboot restore software and it talks to my management console, a lot of times, if you have Windows Defender firewall, it'll pop up and say, hey, this app is trying to talk to something and I'm not familiar with this. Do you want to block it or allow it? And so a lot of times when you install that reboot restore software, if you're using the Windows Defender firewall, you have to say you can allow this app to talk to other devices on my network. So that's kind of where the Windows Defender firewall comes into play; it's more of an application level. So if somebody gets a virus on your computer and then attempts to talk out to the command and control server or something, Windows Defender will see that traffic and say, hey, this doesn't look right. Should it be allowed or not? So out browsing the web, it really doesn't come into play there. It's the browser settings that come into play there, and we'll get into that in a little bit. Thanks. Those are the questions we have right now.
So DNS filtering methods. So the device level, which is kind of how we used to do it in the old days: you would set it up on all the computers in the library using maybe the old app. I don't know how many of you remember Cybersitter. That was hugely popular. We had it loaded across all your PCs. With the advent of the firewalls, as libraries started adding firewalls, they could get that filtering onto those. So what happens at the device level is when your PC boots up, it'll use DHCP. DHCP will hand it the address of your DNS server, and it will use that DNS server to start resolving your IP to domain names. So even when you're using the router from the ISP, the default DNS addresses are the DNS servers that that ISP provides to you. That's what will load up on your router by default. So you can change it on the PCs. A good example is, let's say you have children's computers.
So your library does not filter, but maybe you have dedicated children's computers you want to have some protection on. In the old days, you could just, like, load Cybersitter on those, or if you have a filtering service, you can set just those PCs' DNS servers to point to your filtering provider, and only those computers will be filtered. So the rest of the network, the rest of the devices, are not filtered. The PCs that you've modified the DNS server settings for are. It's very easy to do. I have a hyperlink on how you do that in Windows.
One thing I like to point out is I get a lot of questions about SafeSearch. Edge and Chrome both have SafeSearch. It is not a CIPA compliant filter. All SafeSearch is doing, if you turn it on, is filtering your search results. So if I Google pornography and I have SafeSearch turned on, I will not return any sites that meet Google's pornography filter. So my search results will not have it. If I type in pornhub.com, I will go right to it, because I'm not using my search results. I've put in the URL; it will resolve and go. So if you believe that your SafeSearch is a CIPA compliant filter, it is not.
The network level. This is where I always liked to do it, so I just didn't have to deal with people using the library's or their personal computers in the library to view porn. You can set the DNS server addresses on your router, so anybody on your network will receive the DNS server of your filtering service. Pretty much if you're using a firewall, your firewall is acting as your DNS server. That's just part of a standard firewall setup. So if your firewall has filtering engaged in that, that's all going to be taken care of by the firewall. I talk about VLAN here. I'm not going to get deep into it, but virtual local area networks allow you to set up what is basically a virtual network. You have to have a pretty high-end router or firewall to have that capability.
And what that allows you to do is you could create a virtual network, and you just do the filtering on that virtual network and then just assign the devices you want filtered to that virtual network. That would allow you to, for example, leave your public Wi-Fi unfiltered. So if people are using their own device, they're not encountering any filtering, but your library devices are filtered. This is again the instance where you just want to filter children's computers. You can create a VLAN called "kids" or "children" and set filtering up on it, and for the kids' filtering you may want to do more than the adult. Maybe you want to block violence and hate speech and all that stuff. You can do all that, and you could really lock down your kids' computers if that's what you want to do.
Cloud based. This is the products we're kind of talking a lot about today. So it used to be, when I was in library land, OpenDNS was free to schools and libraries. It was a great filtering solution. It worked very well. Cisco bought them and really changed their whole thing. I did go back and look at OpenDNS again in my research, and it looks like they actually have some limited abilities where you can go in and change some of the categorization. But the problem with the free filters is they tend to be way too restrictive. A lot of the free filters automatically lock you into SafeSearch. So if you're using Edge or Google, it just does SafeSearch whether you have it set in the browsers or not, which can be extremely limiting to your customers when they're out looking for stuff. So yes, there's some free filters out there you can use. There's a new startup called NextDNS, which you can use for free right now. I think they're going to do kind of the bait and switch: once they get enough business going, they will start charging you for their service.
A service I really like, I've used it at my previous libraries, and it's a new offering, if you saw the email that came out from the NLC, is DNSFilter. We are providing that as a solution on behalf of Nebraska's libraries to try and remove a barrier from E-rate adoption, but it does have some significant cybersecurity benefits if your library is not using a firewall. So definitely, if it's something you're interested in, contact me and we can talk about that further. Cisco Umbrella: Cisco, which bought OpenDNS, has since evolved that product to almost a cloud-based firewall. It's not quite as good as a hardware-based one, but as the internet speeds come up and get better, especially if you're running on any kind of fiber connection where you have high speed internet, a product like this really kind of comes into its own, where you're using a cloud-based firewall rather than a hardware-based firewall, and I think you're going to see that technology continue to evolve. It's a great product. It's very, very expensive. But it's a really strong product.
If you're looking for a filtering solution, with a lot of the vendors, if you go to the website, they have, like, their base pricing for if you're going to set this up at home. I recommend you call them and let them know you're a library. A lot of vendors treat libraries like schools; they will have educational discounts, or possibly some special pricing, if you're a library environment. So, even though the website says, okay, it's going to be $50 per user per month, for libraries that model doesn't really fit, because we have public computers that can have multiple people using today. A lot of times they have a special deal where, okay, we're going to charge you by device instead of per user. And you can set that up with them and usually get some much better pricing than their advertised rates. At a minimum, if you do not have a firewall in place and you do not want to pay for a filtering service or utilize the DNSFilter we're offering:
Quad9 is an organization based out of Switzerland, and they offer one of the most highly used cybersecurity filtering cloud-based products in the market. A lot of the vendors out there that do firewalls or other filtering products utilize Quad9's filtering list. And I can't recommend it enough; it's very simple to set up. You can get it on your home network, even, if you have a home network. I would recommend setting your home router to use the Quad9 DNS servers, just because they provide a significant boost in cybersecurity if you don't have anything in place.
Local device-based firewalls. Firewalls are the best cybersecurity product still on the market today. One I want to point out: there's a company called Ubiquiti that makes extremely affordable network gear. They're very popular with the home hobbyist. I have some of their gear. A lot of vendors like it because it's so affordable, and they can buy it on your behalf and mark it up and it's still super, super cheap. Their Ubiquiti Dream Machine, which is their low-end, low-cost firewall, has filtering, but they basically are in an agreement with an outfit called CleanBrowsing. So your filtering capabilities through the Dream Machine are terrible. CleanBrowsing is super restrictive, and I would not recommend it for a library environment. So if you're using a Ubiquiti Dream Machine, their DNS filtering right now is really not up to par. The price is super attractive; it does a lot of other great stuff because it is a firewall. But if you're going to save a lot of money with a Ubiquiti Dream Machine, or that's what your vendor or ISP wants to put in, you'll probably have to pair another filtering solution with it.
App on the PCs. So that hyperlink I have there brings up a list of apps that can do it at the PC level. Cybersitter is still out there, still popular. They have a new hardware-based device called Cybersitter Black.
I know some libraries are using SquidGuard, so I included it here. Raspberry Pi: if you're not familiar with those, it's basically a little computer that uses a mobile phone processor, and you can set them up to do various tasks in your network. They're super popular with the home hobbyist to use as ad blockers, and then they've taken ad blocking and added some security filtering, family-level filtering, so your kids can't get out to the naughty stuff and things like that. That Cybersitter Black is a new device. I don't have hands-on with it. So they've taken all the complication of buying your own Raspberry Pi and configuring it all yourself. You can just buy that box from them, put it on your network, make it your DNS server, and it will do all the kind of filtering that you would need to do for compliance too. And it's a really great cost: 200 bucks, and you're done. You just set it up, and it's off to the races. I'm hoping at some point to get my hands on one to try it out, but haven't done that yet. So, Modify DNS Network Settings, yeah.
Yeah, and while you're mentioning on that previous slide the links and everything, I want to let everyone know this slide presentation will be available afterwards along with the recording, when we get the recording archive up. So you all will have access to this and all of the different links that Sherm has put into his presentation.
So just a quick screen here. So on the left, this is what modifying the DNS servers on your Windows PC looks like. And then I used just a home router, my home router might it go or be to show you what it would look like if you went into the admin console of your router and modified your DNS servers there. So it's basically telling it, instead of using the automatic ones, to use manual ones; you put the manuals in and you save it. And all of your DNS requests will be utilizing the filtering service or the filtering device that you have in place. So DNS filtering is really only going to protect you.
And I call it outbound, but if you have somebody connecting to a website where they're going to try and download crypto software or viruses or botnet software, with DNS filtering in place, and those domains have been identified, they will be blocked if you have the cybersecurity feature of your filtering process up and running. So, talking a little bit about that: domains. So domain names: Google.com, Wikipedia.org are domain names. My wife is a school teacher and her school network blocks Facebook. So I guarantee in their firewall they've added the domain Facebook.com, and you cannot get to Facebook; that domain is completely blocked. So there are some things there where you could do subdomains. So if you put in www.google.com in your filter or your firewall, that's technically a subdomain; you're only blocking that subdomain. Other Google domains will still work. For example, if you're on the English version of Wikipedia, that subdomain is en.wikipedia.org. So in a lot of firewalls and filtering processes, if I put in Wikipedia.org, I'm blocking all of Wikipedia. If I put in en.wikipedia.org, I'm only blocking the English version of Wikipedia. So that's kind of how domains and subdomains work.
What used to be super popular back in the early firewall days was top-level domains. So one of the things I used to do when I set up firewalls, I would block Russia, North Korea, China, Iran. And what that does is it really doesn't offer you any cybersecurity anymore, because the hackers are smart. It's like, okay, if I set my command and control server up with a Russian domain, that's almost always going to get blocked. So they will get a domain that's European, American, whatever, and attack you through that. So that doesn't really do much good anymore. Why a lot of security people still like to set top-level domain blocks for Russia, China is, as a security guy, you have to review the logs on your security devices to see who's attacking you.
And if you just block those top-level domains from countries that have high hack traffic, like Nigeria, then they don't show up in your logs, and that's just a bunch of stuff you don't have to sort through. So it's more of an administrative use than really any security today.
IP addresses, we'll talk a little bit about that. IPv4 is a 32-bit address, which has a much smaller number of available IP addresses than IPv6. IPv6 was developed because we were going to run out of IPv4 addresses, but then network address translation and some of the other technologies came along. We're still doing pretty good with IPv4 addresses. IPv6 addresses are the future; at some point we will be going over to them completely. Almost any of your filtering or firewall devices today can handle both IPv4 and IPv6. If they don't, they will be shortly. So again, the IPv4 address of your DNS filters: when you've signed up with the filtering service, or are using the filter in your firewall, they will be using the DNS server IP address as the primary and secondary. So if the primary is not responding to you, it'll try the secondary for backup. And that's the IP address you will get from your vendor; put it on your router, put it on your PCs, so that you're doing all your DNS resolution through them for filtering.
So we have what we call whitelist or blacklist. A lot of vendors have changed that. So if you go into your firewall, you'll probably still see whitelist and blacklist, since that tends to be more of a techie device. With filtering vendors, they may have it listed as approved list or disapproved list, because people don't really understand white and black. So whitelists are the good domains, the domains you always want to allow through. In the old days, with a lot of keyword blocking, when I set up my whitelist, I would add the library's domain. So if it's public library dot org, I would just add that to my whitelist.
If I knew all the domains of the services my library had, so like the vendor we use for a catalog out in the cloud, things like that, I would add all that to the whitelist just because keyword blocking was such a pain. A lot of that doesn't happen anymore. The vendors do a pretty good job with it, but the whitelist is where, if you have a site that's getting blocked that you don't want blocked, pop it on your whitelist, it'll never block it again. If you see somebody in your library at a naughty place and you go to tell them knock it off, if you can see the domain they're at, you can add it to your blacklist and nobody will be able to get to that anymore. That's what those two features do. We'll kind of get into this; I have some screens after this slide. So there's some issues with blocking technology as the web has advanced. Back when everybody was doing HTTP, there's no security really in place. So when you use a filter service and it goes to a blocked site, it will attempt to return a block screen that tells you this site is blocked by the public library. If you think this is an error, you know, you can usually customize your block screen so you can give them a phone number, give them an email address. You can tell them to go to the front desk and talk to the librarian and they can do that if they want to. With all the websites moving to HTTPS, that is an encrypted connection on the internet, and the part that's part of that security is what we call a certificate. So the websites get a certificate from this authorizing authority and that certificate says this website, this domain has a certificate that validates they are who they say they are, so you can't spoof them with HTTPS because you don't have the proper certificate. That broke block screens initially for filtering technology. So what happens is if you're going to a website that uses HTTPS, your block screen would block it and then attempt to return the block screen, but your browser would go, whoa, whoa, whoa, whoa.
The certificate for the website you tried to go to does not match the return I got, because my filter vendor picked it up and tried to send me a block screen. You'll get the screen that just says the site, for whatever reason, is broken, not available. So there's an additional step where now we have to download the certificate from our filter vendor onto our computers and that fixes the HTTPS issue. So if you go out to an HTTPS website that's blocked, your vendor steps in and returns their screen, your computer looks and says, oh, I have a filter for that vendor, or I have a certificate for that vendor, and will pop your block screen and you get the person user creators informed. It's not because the website is broke; it's because your firewall, your DNS filtering is blocking it. Talk a little bit about firewalls. The best security solution. Please, please, please, if you're an E-rate library and you don't have a firewall, take advantage of Category Two and get a firewall. Substantially better cybersecurity. Firewalls block you from inbound attacks. Not the filtering is part of it, but we talked about ports. When you have what we call ports open on your network, that allows things like VPN and that to work. Hackers will try and hit, find those open ports and attack you. Firewalls protect you from that. So the firewall is still the preeminent cybersecurity solution and I can't stress enough, take advantage of that Category Two money, get a good firewall and you're going to have much, much better cybersecurity protection. So the firewalls do DNS filtering. That's just kind of their first mode; it improves their performance. So rather than doing a bunch of packet inspection, if I can check the filtering and see that this is a domain that's bad, then I don't have to worry about doing a bunch of inspection, I'm just going to block it. So firewalls have evolved from what we had, which was stateful and stateless packet inspection.
So stateful, it actually, firewalls are so powerful now they will actually crack open the packets that are being sent and they will search them for virus signatures and things like that. The faster your internet connection, the faster your firewall has to be to keep up with that. So a firewall that works for a 50 megabit internet connection is going to be a lot cheaper than a firewall that has to support a one gigabit. Like if you went fiber at your library and you still have an old 100 megabit, what we call throughput, firewall, you're going to get limited on your speed because your firewall doesn't have a fast enough processor to do all that packet inspection to give you the performance you're paying for. So if you use E-rate to do special construction and put a gig connection into your library, you're going to have to spend the money on a really nice firewall that has the performance to keep you running. And a lot of the firewalls now, if you have a gig network, a lot of the firewalls are still going to bottleneck you probably at 700 or 800 megabits as they do all that packet inspection to secure and protect your network. And they're well worth it. Stateless or stateful was a packet inspection. Stateless is back in the old days where hackers would modify a packet to try and sneak it in. And the firewalls would say, ooh, there's something weird with this packet, they've done something to it, it doesn't look right. And it's supposed to be this format and it's got some extra stuff in it, I'm just going to drop it and block it. App and port blocking is again something you do in the firewalls, so in the firewall, we talked about BitTorrent, it should just be blocked. You can block ports, so if you have services you're not using, your firewall should just block those ports so attackers can't attack you through them. The new standard for firewalls is deep inspection.
So they've gotten so sophisticated now they will literally, if you have a high enough end firewall, it will rip that data packet apart. And it will look for all kinds of stuff and it will do it amazingly fast. Obviously that performance and capability comes with a cost. So to have what we call a next gen firewall, it's the best security you can buy, but it will have the price tag that goes with it too. The faster your internet connection is, the more powerful a firewall you have to have to do that inspection and keep your internet speed up. Some of your routers may have the capability to turn on intrusion protection prevention services and application control. If you're using a router from your ISP and it has those features, A, they won't be very strong features, and that turning those on will absolutely kill the performance of your router. So back to the original slide where we talked about how busy your router is. If you have a high end router that has those features and you turn them on, your Wi-Fi network is going to just slow to a crawl. So be aware of that, be cautious. If you want NGFW security, go buy a firewall; don't turn it on on your router from the ISP if it's there, because it's just going to clobber the performance. So here's what we talked about. These screenshots are from DNS filter, the service we're offering. So here's a website. So if this was an HTTP website, or it's an HTTPS website and we have the DNS filter certificate installed on that computer, this is our default block screen that will come up on your computer. You'll notice I have a little red box at the bottom. There is a bypass block. So if the person says, hey, why is this website getting blocked, depending on how you have your filtering turned on. If you pull out your iPhone and you're on the library's Wi-Fi network and it's blocked.
You wouldn't be able to check the website. What you may want to do is maybe turn your phone over to use the mobile. Go to that website, see what it actually is. You can click that bypass block, you can use the password that you set up with the filtering vendor you're using or the password we provide to the libraries that use DNS filter with us. And that will turn off the filtering on that computer. You're not just bypassing the website they want to get to; you have shut off any filtering for that session in the browser and it will stay active until the browser is shut down and restarted. So here's the error screen we get. So if you're going out to a website using HTTPS and the certificate from your filter vendor is not provided, you're going to get this error message. And if you click on advanced and say go to the website anyway, you're going to get this again, because what's happening is HTTPS cannot resolve the interruption it's getting from your filter vendor with the certificate it's expecting from where you're trying to get. So, again, installing the DNS filter certificate or the certificate that your vendor provides on your computers will fix this block screen problem. This is where static and dynamic IP addresses come into play. So, I have a consumer grade internet service at home. So it's a dynamic IP address. Unfortunately, my power goes out at my house briefly every other morning this summer. I don't know if it's load or what's going on. What happens then is all my networking gear resets because I don't have UPS on my home stuff, and my IP address assigned to me from my ISP changes. So what happens is when I set up the filtering with DNS filter or your filter vendor, you're telling them here's the IP address that will be talking to your DNS servers, and I have an account and login and I'm paying for it. If your IP address changes.
This is what you see, and unfortunately your internet access is completely broke, because remember your filter vendor is your DNS server. So if your IP address changed from what you used when you set up your filtering account, the DNS vendor goes, I don't know this IP address. I don't know who you are. We're just going to be broken until somebody logs into your filter account and updates the IP address. There is a technology called dynamic DNS that can be utilized as a workaround for this. So if you're a library, you have consumer level internet service, there is no kind of business level service you can move up to to get a static IP address, dynamic DNS can be used. I won't get into that really deep, but I have dynamic DNS enabled on my home gear. So my IP address changes. This is a workaround for that. I actually have a domain name that's assigned to my IP address. So my filtering vendor sees my domain talking to them, not my IP address. Any questions? I had, so far, it was kind of deep, kind of technical, but it kind of gives you the idea of how this all intertwines and works together. Well, that's what we're here for, the deep technical stuff today. You might be about to get to this anyway, but another question that I get a lot is all this cybersecurity stuff and all the settings are really confusing. Can you recommend the safest settings that I can use to protect devices for kids that come into the library, because I'm getting challenges. Yeah, it's hard. The way DNS filtering and the filtering in your firewall works is their first level is what they call categorized, and we'll talk a little bit about that. So when you go into your filtering settings on your firewall, or you log into your filtering service on the web, they have a bunch of categories you can turn on. So CIPA compliance, they'll have an adult or pornography, you click that on, it blocks any sexuality sites of a level of pornography. So pornhub.com, things like that would be blocked with that setting.
Then there's additional categories you can turn on. Some of the vendors will have a category for violence, a category for... but they're all different. There's no, I guess the easy way I like to use it with librarians is, you know your children's books, you have the easy reader levels. And then the family comes in from school and they're adamant that their kid can only read books at this easy reader level, but the vendors, the publishers assign those. So what one vendor says is a four, another vendor may have as a six, and you kind of got to open the books up and see what's going on. Categories are the same way. Every vendor has kind of a different mix of what they're including or not including in their category. What's nice is a lot of them have a lookup tool. So if you log into your account, go to the lookup tool, put in the domain name, it'll display to you what categories they have assigned to that domain. And you can kind of use that to figure out how restrictive that category setting is going to be. So on kids' PCs, you may want to enable the safe search. So they're not even seeing nasty results if they're googling stuff. There's a ton of different categories you can turn on. The schools, if you've been to school lately, your Facebook won't work, your TikTok won't work. So block all that distraction app if you're at work. You may see filters that have the not appropriate for work filter where it's not hardcore pornography, but they don't want their employees looking at that stuff all day. A lot of schools and workplaces will block anything gaming related because they don't want employees playing games on the computers while they're on the clock. So you have is something that we get to any streaming sports websites. Yeah, gambling is another one that almost every employer turns on. So you can't get out to any gambling websites. There may be a sports setting. So you can't do your fantasy football while you're at work.
There's a ton of categories out there. And it's just a matter of going in, looking at the description, looking at the list of what they have blocked under that category. Everybody's is different on the categories they offer and what level of kind of blocking it is. So you just kind of got to do a little dig into it and figure out what's going on. So there's not like a blanket setting I could tell you or blanket categories you should use. It's all going to depend on the vendor. Using the DNS filter solution that we're offering, we have for CIPA compliance we block what they call their adult setting, and that should take care of pornography. And a lot of the filtering vendors kind of err more on the caution because initially they just blocked all kinds of stuff and they got a bad rep for it. So they've gotten a little looser. So some things can get sneaked through. So if you're blocking pornography. As librarians, I think we're all familiar with like hentai because it's animated and or comic book. You'll have hentai sites that even it might, like when I was testing I ran across one called hentai city, and it lets you right through. I had to send an email to DNS filter and add it to my blacklist, and then they did, within a day they recategorized it as adult pornography and blocked it so you can't get to it anymore. I think that's one of the things that people that I think. I think possibly, Amanda, related to your question, librarians and people are looking for an easy one shot, boom, it's done. And I never have to think about it again. But that's not how this is going to work. There's always going to be sites that get through or sites that nobody, the vendor didn't know about, because there's always new websites coming up. They're finding new ways to, you know, changing their URL or their domain or something.
And it's going to be something that you do have to monitor on your own, and you might not know until someone gets to one of those sites that it was actually going to get through. And then you just go through your process, have a policy. This is what I was going to say, have a policy in place, write up a policy that explains, we are using this particular service and this is how it works. However, we know that none of these are perfect and 100% and this is what our process will be if anything that should not be getting through gets through. Right, more legally written than that, but yeah. So you read my mind. You mentioned new websites, and almost any threat or cybersecurity category you turn on, they block new websites, and a lot of them will block a website if it was created within the last 24 hours, up to they will block any new websites that have been active for only a month. They may even block them longer than that. Somebody may register a website, and it just sits idle and it's not being used. It may get blocked by your security category. DNS filter has one called threats. By default we block new websites because that's what hackers do. Once their domain gets blocked, they just fire up a new domain and move all their stuff to the domain name and they're back in business. So a common signature feature for cybersecurity is to block new websites, and I ran into that during my testing. Here in Omaha we had a new music venue open up called Steelhouse, that's a live music venue. And when I had my home network on for testing, I wanted to buy tickets to a Steelhouse show, and guess what, it got blocked because their website had just come up, because they had just opened. So I had to go into the filter, add it to the whitelist, and then I sent an email to the DNS filter support saying this is an actual business that just opened up in Omaha, gave them a link to the URL.
And the next day it was now on the business category, it wasn't on the new web list. Yeah, these companies are very responsive, I think, to those kind of things. They have to be. There's a lot of competition in that market so they tend to be pretty good. We have a couple of questions coming in now. I think we'll do, and if anybody does have any questions, go ahead and type them in. We're almost at 11 o'clock but that's okay. We will go as long as it takes to get, looks like we're getting towards the end of your slides here. But we'll go whatever it takes for sure to get through all of his slides and for all of you to get your questions answered, so do stick around, put your questions in and get them asked. If you need to leave at the top of the hour at 11 because you only had allotted that amount of time, that's fine. We are recording the whole show; you can always come back later and watch the recording and see anything you missed. So, one of the questions we have that just came in is, and you just mentioned VPNs earlier, so let's know, should I block VPNs, someone was using a VPN to get around our DNS filter to access photography. But if you are not using VPN, and you have a firewall, block VPN, block that port, block that app, do not allow it to be used, because if I can come into the library, even though you're filtering, maybe on your Wi-Fi network, once I establish that VPN connection, I can then run to a... the VPN will replace the DNS settings and stuff, and I can kind of do whatever I want. I always blocked it across the network, and you can block VPN. So if you're using VPN to connect into your work computer from home, you can set up your VPN where you can still get in and out, but nobody else can use it. So, just be aware that the VPN, if you're not using it at all, it should be totally blocked. If you are using it, it takes a little bit of work so that you're the only one that can use it, but nobody else can. So just be aware of that.
Another one that comes in the libraries is a lot of threats will block translation sites by default. It's actually, with DNS filter, translation is actually a category under their threats, because this kind of falls back into the old keyword filtering that used to happen. So if you're blocking a sexual act in English, I'm just going to do the same thing, but I'm going to use a different language for that session black and see if I can get through your filters. So, for a library setup like how we set up DNS filter, I don't block translation services just for the fact I've had so many customers that come in and we show them how to use Google Translate and stuff. So they got an email from somebody, they want to translate it. If you block translation services, that stuff's not going to work, so you got to know your community, got to know what people want to use in the library and adjust your filters accordingly. Yeah, this is going to be very local, specific to each of your communities for some of these things. Yeah. All right, so next question. And I think I can help answer some of this. What responsibility do we have for any device that is checked out and used away from the library? That one I kind of did some research on. So, Krista, we got the E-rate screen up now, we can talk about it. Yeah, it's kind of ambiguous. So you're supposed to be blocking any library owned device. That's kind of what they said, but I think when they made that statement on the USAC screen they weren't talking about if we lent the device out and sent it out the door where it's not on the library's network, now it's on their home network, or we sent a hot spot out the door with it or something. That is problematic. I'm not sure how you want to do that. Some of the filter vendors do have clients that you can download on that device. And then when that device is fired up, the DNS settings are set for your DNS filter, that client's on there.
So it will still allow you to have filtering control over that device, even if it's out in the wild. The bad thing is they charge you extra for that. That's where you'll get into per user, per device licensing. And there'll be an extra cost to have that capability to have filtering work on that device when it goes out the door. There are some devices that started baking it in more for free and automatically, like the Chromebook. If you have the administration accounts set up in Chrome, you have pretty good control over stuff like that. Apple has an admin app too that the schools use for iPads that again gives you some pretty significant control over those. So we distribute Chromebooks and I set it up at the device level using the family account just because I didn't want to deal with the nightmare. And if you set the settings on that device to use your filter vendor, that's great. But then again, the filter vendor's expecting this traffic to come from this domain or this IP address, and if they're out in the wild. Yeah, it's hard. It's like one. Yes, I think, yeah, it is. It is a hard answer there. I think the answer would be, there are ways to put filtering on the device itself so the filtering goes with the device wherever it goes. So you could do that. Also, as far as the responsibility, you can also explain or have it in writing somewhere, or an agreement when someone does check out the device saying, when you take this device away from the library's Internet, you are using someone and we don't have control over what they're filtering or not filtering. So you're on your own, and just explain that that is how it will work. So you have those two options: put a device with something on the computer itself, the device, and that will filter however it filters, or just say, not our responsibility because you're taking it somewhere else. We will keep our Internet safe and filtered, but we have no control over what the Starbucks is filtering, or what you have at home.
So you can also create child versus parent accounts and child versus adult accounts on different devices. So if you choose the right device you can have better control over what people can access. And if people don't have the login information to be able to get into the other account, it gives you a better shot. I haven't been doing it so far, but carry on with the right. I, filtering specific questions here. Let's get into these first and then we can wrap up with the E-rate, because these are not E-rate related questions and we're in the filtering, so before E-rate. I had a situation where kids went to a popular children's gaming site, but it had adult advertisements on the homepage. Is there a way to block these advertisements without blocking the site? Yeah, some of the filter companies, the CyberCenter or the Raspberry Pi we talked about, those actually started as ad blockers, where when you're at home and Internet was slow and expensive, you didn't want to waste your bandwidth on ad blockers. So there is ad blocking you can turn on that blocks those ads. The only problem is some of the websites earn revenue from the ads. And they've gotten to where they can detect that you have an ad blocker. And what may happen is your company access website and the website may say, hey, you're blocking our ads, so we're blocking you unless you're willing to view our ads. So that's, again, that's a difficult one that just depends. Yeah, and there are ad blockers that I use at home on my home computer. Yeah, and it was interesting when I was testing something out for something here through the library commission yesterday or the day before. And my home computer was doing something different than it worked. I figured out, I don't see ad blocker.
So it's definitely a good thing to use and you can go in and I'm an unadblock site by site. On the one that I use I can pause it, like I can pause my ad blocker, and then it'll automatically restart the next time I go to a new website, or when I close that site and reopen it. Yeah, and some sites will say, we require that you allow our ads, otherwise you can't use our website. Some just say, we see you're using an ad blocker, and they kind of just ask you, it will be nice if you would unblock it please. And there's always usually an option: yes, I'll go in and do that, or no, just let me go in this time. So some of them do not just say no, you can't get in; they just say please don't. If you start ad blocking everything, are you going to have people coming up to the desk constantly saying, what's going on, the computer's asking me or told me I can't do this, I don't understand, and then you can explain ad blocking to them. It just depends. Yeah, and ad blocking, my own personal reason when I did it is, it just cleans up the web pages. Sometimes they just look prettier because there's not all the ads around the stuff of the page. And the other nice thing is what I used to run into with people in libraries: they would come in and bring up the web page and they want to print that web page, but they don't realize there's four pages of ads that are part of it because they don't scroll down. And they'll go to print the web page and then they go get it off the printer, and they're upset because they're not paying for the one page, they're paying for five pages, one page of what they want and four pages of that. And if for some reason they had the color printer selected, now we're paying for, you know, four pages of color, when I only wanted one page of color. So, yeah. All right. Next question is, how do we prevent our network being infected by a virus via someone using a personal device connected to our Wi-Fi? Please give us the simple terms of what we need.
That comes into a firewall. So somebody has brought their own computer into the library and now they're using your own network to attack you. Your firewall will protect you from that. This technology, just the straight up filtering technology, will not, because it's not a firewall; it's simply going out to the DNS server saying, can I go to this domain, can I not go to this domain. Where a firewall will not only block those attacks, but with a good firewall, or if you have it outsourced to a vendor, they will get an alert that they are being actively attacked. And, and should we'll see it. They may or may not respond to it. But a firewall blocks that kind of stuff. That's what your firewall is. So firewalls are such a stronger option. Now the other thing to think about is, and we talked about this in my last presentation on securing your public computers, what if somebody says, I brought a bunch of hacker crafting on my USB drive, and I'm going to plug it into the public computer and start loading up my hack attack stuff. They may be able to get control of that computer while they're using it and maybe make some changes to it. But if you have the reboot restore software on your public computer, and let me stress this again, you should, once that computer is rebooted any of the crap they did to it should get wiped and go away. So that would be my take on that too. That's where we get into securing the boot process and stuff so they can't bring in a USB and boot your computer off the USB. And now they're running probably Linux or something, and they have full control of your device and then go attack whatever they want, they can screw up the PC. That reboot restore software prevents that from happening. Some libraries, you know, I've had some libraries where they locked down the USB drives and if you want to access a USB drive, they have to enable it for you. So it just depends on what's happening, what's going on. My experiences have been.
Do you have teens who like to hack? Most of my hacking experiences involve teenagers coming in, because maybe mom and dad had all the stuff turned on at home, so they couldn't do bad stuff. So let me go to the library and see if I can do bad stuff there. Yeah, they're trying to experiment what they can get away with you. Yeah, just like the school base. Yeah. And the last question we have right now. A general question, can a firewall or filter still do keyword blocking? You talked about. Still have that ability. So I think my hentai example would be a good example. You have a lot of hentai sites with the popularity of anime and that now with the kids. A few of hentai stuff that's sneaking through, and it's become such an issue, you just want to keyword block hentai. It depends on the solution you're using. The old CYBERsitter that we used to use way back in the days, loaded on the computers, had a whole feature for keyword blocking where you could log into the CYBERsitter software with your admin password, and they had a whole list of keywords and you could add your own keywords to it or you could remove keywords from it. A lot of modern filtering stuff has kind of moved away from that. So it would just depend if that's a feature their vendor still offers or not. All right. And I've caught up on all the questions we had so far. Let's go on to the E-rate part, and if anyone does have any questions, go ahead. This is my last slide. So as you can see, E-rate, CIPA, Children's Internet Protection Act: to get E-rate money for your library to pay for internet service you are required to have a filtering technology in place. That's pretty much all they state. And you can see I've got a list, so the ALA has their own web page about CIPA, FCC has their own page about CIPA. We have a page that offers a lot of these links on CIPA. USAC, which is the funding organization for E-rate, has their own page about CIPA.
So since they're the people that hand the money out, their definition is I think the best one to go with. Krista, I don't know if you have any input on that or not. Oh, yeah, I mean I link to all the different various things just for like background and history, but yeah, if you're going to be doing E-rate, USAC is going to be the one who you have to answer to. It all comes down from the FCC, and the FCC is the one who's created the E-rate program and then they set up USAC to run it, the day to day stuff. But they're the ones who you have to answer to if you do not have your CIPA done correctly or not. So the next set of bullet points I have up is what the USAC has on their CIPA compliance policy. You have to have an internet safety policy. You have to do a public notice and hearing or meeting to announce and approve that policy and the fact that the library will be filtering. You have to have a technology protection measure in place. So DNS filter, OpenDNS, your firewall, tighten, there's a bunch of different vendors out there that do that. And that technology has to block or filter internet access, which pretty much means, can I get to this domain? Can I not get to this domain? Then they have a little definition of what it provides. So any vendor you go with, your firewall vendor, they will have a category that's adult, pornography, something like that. You click that category on and they will tell you on their websites, this is our CIPA compliant category. If you need CIPA compliance, you enable this category and you have CIPA compliance. And then that is something that, going back to Amanda's previous question, or libraries are being challenged about, what are you doing? Are you protecting us? That's what you can show them. Look, here's our protection measure and here's where I checked off the CIPA box. There you go. There's a little back and forth on this.
The way I've treated it is that any library-owned device with internet access has to have filtering on it. Now, again, this rule, I think nobody thought about the fact that libraries lend devices out now. So that gets a little, we talked about it, that gets difficult, it gets ambiguous. Okay, I loaned them the device but they're not using my network. Nobody knows how that applies or not. So, you know, do what you think is best. But if the device is in the library and on the library's network, I think you want to make sure that you have it filtering. If you've got a lot of different devices, you've got Chromebooks, iPads, maybe Kindles or something like that. If you set your filtering up at the network level through your router or your firewall, any of those devices used in the library will have filtering on them. Because of what we talked about, DHCP providing the DNS, that the DNS is going out to my filtering or firewall DNS servers, they have the blocking in place to make me compliant. Disabling the filter. Something I want to jump in and mention too here about that enabled on all library-owned devices. This means all staff computers as well. It's not just the computers that are loaned out, it's not just the children's computers that you use, even though the wording here is specifically you must protect against access to things that are harmful to minors. CIPA says you have to on all computers owned by the library. Notice the quote says protects against access by adults and minors. Right. And if you do ask USAC or anything about that they will say yes, even the staff computers, which you're like, but they're just the staff, nobody, you don't. But if you are getting E-rate to help pay for your internet service, every single computer that is in your library building has to have a filter on it. However, we get to the next part. That's your key of how to get your staff to do what they need to do.
So, I don't see, the way they word this, that you're required to disable the filter on demand, but you want to serve your community. And I have two great examples of this. So, I had a person who brought in chinaware her husband had brought home from World War II, and it was Nazi chinaware. And she wanted to look up to see if it was worth anything; it had been sitting in their basement for 40 years. And since I was in charge of the filtering, I wasn't blocking hate sites, hate speech. So I was able to go out to eBay. And again, this can vary. If you've gone to your Google and put in Nazi china, who knows what kind of results you would have got. I always use the eBay when I had people bring antiques or things they were trying to find a value for; they come in the library. I was a business librarian in Connecticut so I did this stuff all the time, somebody would bring something in. And in Nebraska, a lot of my community, they would want to know what their gun was worth. So if you're blocking the violence or things like that category, a lot of times that will block access to any of the gun websites to be able to look up the value, or you want to go out and it just, again, some of those categories you can turn on because it seems like a good idea, you just got to be aware of the unintended consequences. And all you're required to do for CIPA is pretty much block pornography. So, maybe if you want to lock your children's computers down a little bit more, depending on your network setup we can definitely do that. So, be aware that you may run into some examples where it's legit, you know, you should be able to get to that, but because you turned this category on, it's now blocked. So, I showed you on the screen, so the DNS filter has that block bypass, depending what service or what technology you're using.
Other things you can do, if you have a very good service, you could maybe check the website on like your smartphone, not using the library's network, see that it's legitimate, they should be able to get to it, it shouldn't be blocked. Log into your DNS filter service, log into your firewall, contact your support person, add it to the whitelist. And it used to be that could take 24 hours to propagate, but now it happens pretty quick. Usually, I would say within 5 or 10 minutes if you're adding it to the whitelist, they should be able to get to that domain. You can modify it right on the fly in the DNS setting. You have to have administrator rights on the PC, but you could flip out, bring up the DNS like that screen I showed you earlier, switch it back to the Google defaults. And as soon as you make that change, it takes. You don't have to reboot the computer or anything. And then the nice thing about this is if it's a public computer and you have reboot restore software on it, which you should, you could change the DNS server settings, they can get to what they need to get to. And as soon as they're done with the computer, all you got to do is reboot it and it goes back to the DNS settings that have your filtering set up. I will warn you, though, if you change those DNS servers, you're no longer filtering anything on the computer; that person could then use the computer to get out to whatever they want to. But it's pretty easy and pretty quick to shut it off. Whether you do it through your filter service, it just has a bypass button, or you have to pop in, change the settings, and then let them carry on. So that kind of wraps up the E-rate. I think that's my last slide too. Yep. Okay, cool. Anybody does, I have one other thing I was going to add too, but I just want to remind everyone if you have any questions you want to ask about anything in today's session. E-rate, filtering, DNS, whatever. Get them into the questions section.
Like I said earlier, we'll answer all of your questions you have now as long as it takes, we won't get cut off or anything. And if you do have to leave just come back and you can watch the recording afterwards. So questions. We have one. One just popped in while talking. Yeah, what I would say is, even if you're not an E-rate library. If you do not have a firewall, or you have a firewall in place. Validate and make sure that if they have a category that's called threats, hack, cybersecurity, that is enabled, because that is a huge kind of that first wall, that first moat in a good cybersecurity setup. I think a lot of people just think of filtering in relation to protecting from the bad things and when it gets, you know, when you're doing E-rate or IMLS grants or things and we have to do it for that, but there's so many other needs. You need it for other things too. Yeah, so like I said, the library, you can't afford the firewall, or, you know, the maintain or the management of it. This is a very simple technology that will give you some immediate cybersecurity benefits. Kind of that first tier, the firewall be maybe tier two, but it's a very easy way to turn on some tier one security. So if you have the ability to log in your DNS router, change the DNS servers to Quad9, gets you some great cybersecurity just right out of the gate. Yes, absolutely. All right, so a question just popped in while we were chatting. So you recommend that admin functions are locked down on all devices as well? Yeah, so we talked about that. In the last one I did where we talked about securing your public computers, last week, last month's session. You should have admin access, even your own computer in your office, you do not want to use your computer logged in with admin rights. What happens is you go somewhere on the web, the little thing pops up, you want to install this. If you have admin rights and you hit yes by accident, you don't read it close, you click it. It will install on the computer.
If you are set up as a user on your Windows computer, and you accidentally click yes, it will then prompt you for the administrator password. It's just a great, great thing. None of my computers at home do I log in and use as an admin. If I have to install software on them, I have to sign out, or I have to log in as another user which is my admin login. And that's the login I use to install software. When my girls were at home with me growing up, kids are using it. We shared a computer in the house by making them have their own user accounts. They could set things up they wanted, but then I was ensured that if they wanted to install something, they had to come ask my permission to do it and I could check it before they did. So none of your computers, I would say none of your staff computers or your public computers, nobody should be logged into those for day to day use as an admin. They should be logging in as just a user account. And if there's software that needs to be installed, then given the admin rights. So if you have people that are taking their laptops and stuff home, it might depend. For example, when I was in Connecticut, our city IT guys knew me, knew my skill set, and I had access to an admin login on my laptop. So if I needed to install something for a product or program I was doing, I could log out of my Asherman account, log in as admin, and install the app. And they got notification that I did it. So if they saw it and saw what it was, if they thought it looked goofy, I would get a phone call or an email saying, Hey, are you sure you want to do this? We have this on your computer this weekend and we're not sure what it is. Can you fill us in on what's going on? So there are some instances where that, you never ever want to be daily using your computer with administrative rights. That's just a really bad idea. Yeah. So they have a follow up, how about S windows, that S mode for Windows. So safe mode. Yeah, no, it just depends.
I find it problematic and kind of a pain in the rear so I'm not a big fan of safe, safe mode. A lot of businesses really jumped on the virtual session, virtual workstation thing initially; the problem with that is requires a really Today's PCs are powerful enough, a lot of security researchers and stuff when they're using their computer to do security testing and research. They'll fire up, they may be running like a Linux operating system and they can run up virtual machines so they can run a virtual Windows machine. They can run virtual this, virtual that, they can do all kinds of nasty things in that virtual session and then they could just close it and shut it off and they haven't actually done anything to their main computer. I don't see hardly any of that in the libraries I've been at. Again, my advice is, you have the admin account that's only used for loading updates and software. Everybody should just be using a user login for their day to day stuff. Great. All right. Alright, thank you for coming in. Thanks for the great info. Yes. One last thing I wanted to mention about E-rate, and if anyone has any other questions go ahead and get them in, any last minute desperate questions you want to ask of us. What I wanted to mention about E-rate and CIPA, a question that I've seen come up when I'm dealing with libraries or libraries dealing with filtering and E-rate and being in compliance with CIPA. Who do, and I'm not asking you all. I'm going to answer the question. Who do you certify with saying that you are compliant with CIPA, like how do you tell the federal government or whoever that you are doing these things, the things that are required? There is no place where you go and fill out a letter or fill out a form or send in a letter to like the FCC or something saying hey, we have done our thing, we're compliant. There's nothing that you send out saying hey we've done these things.
The way it works is when you are trying to receive federal funding for Internet to help make your Internet work. Then those particular organizations will have somewhere where you have to certify that you are in compliance. So, to be more broad about this, we're talking about CIPA. But in order to receive any federal funding for your Internet service or for any computers or devices that will use your Internet, you do have to be CIPA compliant. So that is for E-rate because that's federal funding, but also IMLS, Institute of Museum and Library Services, that is federal funding, any grants that you receive via IMLS. You will also need to if anything you're going to be purchasing is for your Internet service or to buy computers or devices that will connect and use your Internet, or to buy any of the networking equipment that will make your Internet work, if you have received a grant via IMLS. You will have to be CIPA compliant as well. We offer grants here at the library commission, our library improvement grants, our children's grants. Previously, when we had American Rescue Plan Act money, CARES Act money, all of that all came from the federal government. And if you wanted to use any of that money to get Internet service or any devices or equipment that use the Internet, you had to be CIPA compliant. You would certify that you're CIPA on each of those grant applications; there would be a box saying yes we are or there'd be an extra page, you'd say yes we are.
There's nowhere that you go and like send to the FCC, here's our certification letter, and it covers everything. Doesn't work that way. There is no place that's going to ask you or that you can send in and say we've done this. It's not that way. It's just if you decide to receive some money, that particular organization will have somewhere on their forms; on E-rate forms there's one of the boxes and a check saying CIPA compliant; on our grant applications you had to check a box saying CIPA compliant. If you went directly to the IMLS and had a grant directly from them, they have a box that said yep we're CIPA compliant because we are going to be using the money for this particular purpose. There's been a little bit of confusion about that recently. I think there's been so much money I think coming from the federal government now, it's like how do we do this, who do I have to tell, who do I have to send a letter to. You don't. Just wait until you're applying for the money and then they'll have a place where you can say yes we are. Another question they'll get is how do they check? Will they check? Possibly. To start off, even with E-rate, which you think it's federal and they'll trust you, but they do do things called audits for E-rate. It's not like an audit from the IRS, it's just a checks and balances making sure the program worked, and they may randomly, they do have the authority to go back at least 10 years and double check and see if you were. So don't check a box if you're not really doing it. It's just in case they do actually come and check and say show me what you're using, show me when you purchased this for a filtering product or whatever. Alright so any other desperate questions people want to ask or anything else Amanda or Sherm that you want to share before we wrap things up. I didn't see any new questions come in while I was talking just now. I think that's about all I've got for now. Sherm did you want to add anything else?
You know if you don't have a firewall, this at least gives you a filtering solution, gives you some basic cybersecurity, but please please please take advantage of Category Two funding, get a real firewall. And could you pop over to your contact info so people know how to get a hold of you. So as far as the firewalls go, I've collected some quotes for some vendors that support Nebraska. So we have an idea when we go to do E-rate. So when you initially do your application you just have to say we're kind of buying this gear, but you don't have to worry about pricing until you actually go to buy the gear. And I do have just some generic quotes from some vendors that you know we've collected, because two vendors that are super popular in Nebraska is Fortinet, that almost all the schools use and I think most of libraries with firewalls kind of follow that lead. And the Cisco Meraki stuff is super popular too. So I can give you an idea of what this costs. Obviously we would get a refreshed quote as part of the E-rate process so we had current pricing in that. And models and stuff change constantly so yeah. It's a pretty good deal for that Category Two depending on what your funding match is. For the fact that some of this firewall stuff, if you're trying to get a firewall that will make your fiber optic connection fly, they get very expensive. And even though you're like oh I'm going to apply for Category Two E-rate, depending on your library it's not going to pay for all of it. But it's a good thing up front just kind of have an idea what this is going to cost you. So it's like okay, we're going to pay $10,000 for new networking gear and a firewall, but I'm only getting 70% reimbursement. You know you got to have that extra 30%, you know you got to come up with the extra money to have it. The nice thing is it's a five year window.
So you can fund that gear over the five years and within the five years it's probably time to upgrade and replace it anyway so it's kind of a smart setup I think they did there. Yep. All right, so yeah, any questions you do have, any future questions, reach out to Sherm, he can answer any other questions you have and give you some input and help you figure out which devices you might want to, which pieces of equipment you might want to purchase for your library. All right. All right, so I'm going to pull presenter control back to my screen and concerns I had earlier are gone. Yay. I'm getting dead. So, thank you so much, Sherm, for being here today. And last month, like I said, we have these two different sessions that really go well together. I recommend watching last month's and then this one's. If you weren't here, when I have the recording of today, they really do go together. And they will have you hopefully keep everything safe for your library and for your people who use your library. Things safe. So thanks Sherm. Thanks, Amanda. They said the last Wednesday of the month is always pretty sweet tech day. Do you have any ideas for what we're going to do in August, Amanda, or are we still thinking on that? Oh, that's a good question. I always put you on the spot. Sometimes you know, we'll see. Yeah, so this is the page for today's show. If you want to pop over here to get to our main Encompass Live page. If you use your search engine of choice and type in Encompass Live. We are the only thing called that on the internet so far. Nobody's allowed to use that name. I haven't trademarked or copyrighted it but anyway, we have our main page and our archived shows page. You see our main page, you see our upcoming shows, and our recordings are right underneath here, so today's show, as long as GoToWebinar and YouTube cooperate with me, should be ready for you all to watch by the end of the day tomorrow. And we'll post it here on our archives page.
These are in order with most recent ones at the top. So here's last week's session. And here is actually this one, Sherm's previous session from the end of June, secure computers public use. Today's will have the same thing with a link to the recording on our YouTube channel and a link to the slide presentation so you can have access to that, all the links that were in there. Everyone who attended today's show and registered for the show will get an email from me letting you know when the recording is ready. We also push it out onto our various social media. We have a Facebook page which is linked from some of the Encompass Live pages I've got open over here. We have a Facebook page for the show. So if you'd like to use Facebook give us a like. We give reminders, reminder to log in to today's show, announcements about the show coming up, letting you know when recordings are ready. If you'd like to use other things like, right now we're still on Twitter, or Instagram, use the end comp live hashtag, abbreviation for our show. So you can follow us that way as well. On our archives page I'll show you there's a search feature if you want to see if we've done a show on a particular topic. You can search the full show archives or just the most recent 12 months if you want something just current. And that is because, and I'm going to scroll a bit down here but not all the way, because this is huge. We have all of our show archives going back to when Encompass Live first premiered which was in January 2009. I think that makes us 15 years old now. If you are watching an old show just pay attention to the original broadcast date; all of them have the date when they first went out. And many of the shows will be fine. Good to watch, stand the test of time, but some things will become old, outdated; resources and services may have changed drastically, links may be broken.
People might not work at the same place they worked at when they presented for us like 10 years ago. So just pay attention to those dates. But as librarians do, libraries do, we keep things for historical purposes; as long as we have a place to keep all of our archives we will have them always out there for history. And right now, all of our shows are on our YouTube channel for the Library Commission. So that wraps up today's show. And looking at our schedule here, you probably did not know about what next week's show is going to be, but while we were talking I added it, because I was figuring out what was going to be coming up. I am working on getting some more August dates filled in here, but next week continues from today's show, but it's something I always do early before the fall about E-rate: E-rate 101, the basics. And this is, the E-rate process every year actually officially can start as of July 1. Most libraries wait until the fall to actually start doing the, what are they, you know, figuring out what they want to do for E-rate for next year. But I do do full three hour workshops later in the fall, the November-ish usually, but to get people started or if you're just wondering what it's about, I want to know just the short, you know, what's the short intro to this. The basic E-rate 101, just the basics, and I scheduled that for next week. So I'll be talking about just the overview of the program, some possible updates coming; every year there's always little tweaks to it. But a nice one hour session, so if you don't want to really dive into a full three hour step by step session showing all the different forms and everything. This is a good intro for you or just a refresher if you've done E-rate before. If you're just interested in E-rate, not sure if it's something for you and you're not sure if you want to go into a full three hours.
Just sign up and get like a little taste of it next week on our one hour 101 session about E-rate that I will be holding. So, that will wrap it up for today's show, and no other questions came in while I was doing this so I think we are good to go. Thanks Amanda. Thanks for seeing you next time. Later on another show. Thank you to all of you and one of our future episodes of Encompass Live. Bye bye.