Network Safeguarding Platform · v0.15

An on-premise safeguarding gateway for UAE schools.

Aman is a network appliance that enforces ADEK §6.1 web-filtering, content-categorisation, geo-blocking, SSL inspection, and AI-based behaviour detection across every device on a school's LAN. No endpoint agents, no per-device licensing.

  • ~5.4M: Domains in blocklists, refreshed hourly
  • 7: Web filter categories, age-tiered
  • Signed: Cryptographically signed threat-intel, verified per-school
  • 100%: On-appliance inference. No data leaves the school.

Capabilities

What the appliance does, in production today.

Network filtering

  • DNS-layer filtering across seven content categories (adult, gambling, social, streaming, malware, ads / trackers, generative AI).
  • Per-policy domain allow / deny lists.
  • SafeSearch enforced on Google, Bing, YouTube and DuckDuckGo.
  • Threat intelligence refreshed continuously from a signed central feed.

Web gateway

  • Transparent HTTP and HTTPS interception with URL-level categorisation.
  • Encrypted-traffic inspection in two modes: hostname-only (privacy-preserving) or full content, configurable per policy.
  • Modern-protocol fallback enforcement — clients cannot bypass via HTTP/3.
  • Branded or silent block responses, school-configurable.

Geo-blocking

  • Outbound traffic to specified country codes denied at the gateway.
  • Live destination-IP geo-resolution — applies regardless of the requested hostname.
  • Per-policy, scoped to the device groups the policy covers.

Behaviour detection

  • On-appliance AI scans browsing patterns for grooming, self-harm and bullying signals.
  • All inference runs locally on the appliance; no telemetry leaves the school network.
  • Per-cycle audit trail of every URL scanned and every verdict returned.

Network segmentation

  • Per-port VLAN tagging (untagged, tagged, trunk).
  • Per-segment L3 subnets, address pools and firewall rule sets.
  • Configurable port bridging — multiple LAN ports aggregate into one segment.
  • Stateful firewall with admin-managed rule chains.

Identity & access

  • Single sign-on: Google Workspace, Microsoft Entra ID, LDAP, on-prem Active Directory.
  • Role-based access control: School Admin, Principal, Teacher.
  • Per-school physical isolation — separate runtime, database and signing key per deployment.
  • Audit log of every administrative action; 365-day retention.

Alerting & escalation

  • Real-time safeguarding alerts surfaced in the dashboard.
  • Multi-channel delivery: email, webhook, Slack, Microsoft Teams, WhatsApp, Telegram.
  • Escalation rules with configurable delay-and-escalate thresholds.
  • Per-policy exam mode: time-bounded category lockdown, automatic release.

Architecture

Inline gateway. One device. No agents.

The appliance sits between the school's WAN uplink and its internal switch fabric. All client traffic transits the box before egress, where it is classified, inspected, logged, and either forwarded or denied according to the policy applied to the source IP's device group.

Policy is the single source of truth: every administrative change re-derives the enforcement state across all inspection layers atomically. Threat intelligence is pulled continuously from the operator's central infrastructure, signed end-to-end and verified on each school's appliance before installation.

Deployment

  • Powered hardware shipped pre-configured.
  • Two cables: one to the school's uplink, one to the LAN.
  • Initial configuration via web dashboard, ~10 minutes.
  • Subsequent updates pushed over SSH; no on-site visits required.

     INTERNET
        │
        │ WAN uplink
   ┌────▼─────┐
   │  Aman    │  · DNS filtering
   │ Appliance│  · Web gateway + URL categorisation
   │          │  · Encrypted-traffic inspection
   │          │  · Stateful firewall + geo-blocking
   │          │  · On-appliance AI behaviour scanner
   └────┬─────┘
        │ LAN  (segmented by class / year / role)
        │
   ┌────▼─────────────────────────────┐
   │  School switch fabric            │
   │                                  │
   │  ┌───────┐  ┌───────┐  ┌───────┐│
   │  │ 7A    │  │ 8B    │  │ KG2   ││  ← device groups
   │  └───────┘  └───────┘  └───────┘│
   └──────────────────────────────────┘

Regulatory alignment

ADEK §6.1, KHDA digital-citizenship, UAE PDPL.

Aman addresses the operational requirements of the Abu Dhabi Department of Education and Knowledge cyber-safety guidance, the Knowledge and Human Development Authority digital-citizenship framework, and the UAE Personal Data Protection Law. The mapping below references shipped controls only.

  • ADEK §6.1.3 (a): DNS filtering of malicious and inappropriate domains
  • ADEK §6.1.3 (b): Web-category filtering with age-appropriate defaults
  • ADEK §6.1.3 (c): SafeSearch enforcement on major search engines
  • ADEK §6.1.3 (d): SSL / TLS inspection for encrypted traffic
  • ADEK §6.1.4 (a): Per-cohort device groups with distinct policies
  • ADEK §6.1.4 (b): Exam-mode policy windows, time-bounded and audited
  • ADEK §6.1.5: Real-time safeguarding alerts with escalation
  • ADEK §6.1.7: Geo-blocking of outbound traffic by country
  • ADEK §6.1.9: Per-action audit log, 365-day retention
  • KHDA: Generative-AI usage controls per age tier
  • UAE PDPL: Per-school physical data isolation, UAE-hosted control plane
  • UAE PDPL: On-appliance LLM inference; no behavioural data leaves the school

What ships

A turnkey appliance, configured for your school.

  • Form factor: Fanless desktop appliance, silent operation
  • Network interfaces: Gigabit WAN · multi-Gigabit LAN
  • Capacity: Sized per enrolment; bigger schools get bigger hardware
  • Control plane: UAE-hosted, sovereign
  • Updates: Continuous, signed threat-intel + scheduled feature releases
  • Dashboard: Web UI reachable on the school LAN
  • Authentication: Google · Microsoft Entra · LDAP · Active Directory · local credentials
  • Support: Direct line to the engineering team, no tiered call centres

Pilot programme available for accredited UAE schools.

90-day on-site evaluation under signed NDA. Full feature set, no commitment, removal at any time.