Earlier this week, I went on a rant about schools and businesses not using controls to prevent students and employees from viewing unsuitable content on the Web. Now that I'm somewhat calm, I thought it appropriate to discuss an easy-to-use solution that fits within everyone's budget.
Every day millions of employees connect to one or more Web sites using employer infrastructure. In many cases, employees jump from one page to another, indiscriminately clicking interesting links. This behavior didn't lie dormant until people entered the workforce. Home and school computers were used before the boss provided "free" high-speed access from the workplace, and they continue to be used both by them and their children, grandchildren…
I don't need to dwell on the dangers of casual Web browsing. It's a known threat to business continuity and data security. Further, it can expose employees, students, and home users to unsuitable content, content that can prompt complaints about hostile work environments or child endangerment. The solution is also well-known. Filter content, allowing only that which is suitable for the target user population.
Web content filtering is often seen as a costly, complex solution. Schools fighting shrinking budgets are not likely to pursue in-house or subscription-based filtering. Businesses of all sizes facing an uncertain economy are often more concerned with survival than giving the security manager more money to protect against something that might not happen. In both cases, decisions are made to accept risk associated with employee or student exposure to unsuitable content as well as that related to malware infections caused by visiting questionable sites.
Schools and business do not have to spend thousands of dollars for filtering technology and management. There is a solution which provides a reasonable filtering solution at the right price—free. The solution is OpenDNS.
OpenDNS provides an easy-to-use and free way to protect students, employees, and home users from questionable Web content. Once you sign up and reconfigure your network to use OpenDNS for DNS services, all filtering management is performed on the OpenDNS site. See Figure 1. Filtering is accomplished by selecting one or more Web site categories to block. The sites within each category are frequently updated.
Figure 1 shows the configuration for my home network. I could choose one of the predefined filtering configurations. Instead I chose to customize my settings. Note that OpenDNS displays a paw next to those categories deemed inappropriate for children. Since my grandchildren aren't old enough to circumvent grandpa's controls via online proxies, I left the Proxy/Anonymizer unchecked so I can freely use my proxy sites.
Instead of allowing an entire category, I could have decided to simply allow a specific proxy site (e.g., MegaProxy). Allowing or blocking a specific site is easy, as shown in Figure 2.
If you want to know whether a site should be blocked, you can check it as shown in Figure 3. Also note that users can send an email to you directly from the block notice if they have questions about why they were prohibited from reaching the site.
Other OpenDNS features include:
- Zero-downtime network. OpenDNS assures its subscribers that DNS services will always be available.
- Faster Internet. OpenDNS claims name resolution is faster with its proximity-based server assignments. In other words, a DNS query is sent to the server closest to the resolver.
- Usage statistics
- OpenDNS Guide. This is often not considered a feature as much as it is seen as a way for OpenDNS to pay the bills. In any case, when a user enters a URL that is not found, OpenDNS displays a search/recommendations page with ad listings.
- Customization. The guide described above and block pages can be customized to include a company logo, Internet acceptable use policy, etc.
- Safety. OpenDNS is kept up-to-date with the latest patches and secured with DNS configuration best practices. This works pretty well. For example, OpenDNS was not susceptible to the vulnerability discovered by Dan Kaminsky earlier this year.
- Shortcuts. Long URLs can be given aliases using the OpenDNS shortcuts feature, as shown in Figure 4.
The final word
The Internet is not a safe place for children or adventurous employees. But schools and businesses have no reason not to take reasonable and appropriate steps to protect their students, employees, critical infrastructure, and sensitive information. If your school or business has yet to deploy a filtering solution, the ease of use and no-cost arguments for OpenDNS might give you the leverage you need to convince decision-makers to do the right thing.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.