Project Management

Free Web content filtering puts safer browsing within reach for everyone

Earlier this week, I ranted about schools and businesses not using controls to prevent students and employees from viewing unsuitable content on the Web. I thought it appropriate to discuss an easy-to-use solution that fits within everyone’s budget.

Earlier this week, I went on a rant about schools and businesses not using controls to prevent students and employees from viewing unsuitable content on the Web.  Now that I’m somewhat calm, I thought it appropriate to discuss an easy-to-use solution that fits within everyone’s budget.

The Challenge

Every day millions of employees connect to one or more Web sites using employer infrastructure.  In many cases, employees jump from one page to another, indiscriminately clicking interesting links.  This behavior didn’t lie dormant until people entered the workforce.  Home and school computers were used before the boss provided “free” high-speed access from the workplace, and they continue to be used both by them and their children, grandchildren…

I don’t need to dwell on the dangers of casual Web browsing.  It’s a known threat to business continuity and data security.  Further, it can expose employees, students, and home users to unsuitable content, content that can prompt complaints about hostile work environments or child endangerment.  The solution is also well-known.  Filter content, allowing only that which is suitable for the target user population. 

Web content filtering is often seen as a costly, complex solution.  Schools fighting shrinking budgets are not likely to pursue in-house or subscription-based filtering.  Businesses of all sizes facing an uncertain economy are often more concerned with survival than giving the security manager more money to protect against something that might not happen.  In both cases, decisions are made to accept risk associated with employee or student exposure to unsuitable content as well as that related to malware infections caused by visiting questionable sites.

The Solution

Schools and business do not have to spend thousands of dollars for filtering technology and management.  There is a solution which provides a reasonable filtering solution at the right price—free.  The solution is OpenDNS.

OpenDNS provides an easy-to-use and free way to protect students, employees, and home users from questionable Web content.  Once you sign up and reconfigure your network to use OpenDNS for DNS services, all filtering management is performed on the OpenDNS site.  See Figure 1.  Filtering is accomplished by selecting one or more Web site categories to block.  The sites within each category are frequently updated.

OpenDNS Category Settings 

Figure 1 

Figure 1 shows the configuration for my home network.  I could choose one of the predefined filtering configurations.  Instead I chose to customize my settings.  Note that OpenDNS displays a paw next to those categories deemed inappropriate for children.  Since my grandchildren aren’t old enough to circumvent grandpa’s controls via online proxies, I left the Proxy/Anonymizer unchecked so I can freely use my proxy sites.

Instead of allowing an entire category, I could have decided to simply allow a specific proxy site (e.g., MegaProxy).  Allowing or blocking a specific site is easy, as shown in Figure 2.

 Manage individual domains

Figure 2 

If you want to know whether a site should be blocked, you can check it as shown in Figure 3.  Also note that users can send an email to you directly from the block notice if they have questions about why they were prohibited from reaching the site.

 Management Services

Figure 3

  

Other OpenDNS features include:

  • Zero-downtime network.  OpenDNS assures its subscribers that DNS services will always be available.
  • Faster Internet.  OpenDNS claims name resolution is faster with its proximity-based server assignments.  In other words, a DNS query is sent to the server closest to the resolver.
  • Usage statistics
  • OpenDNS Guide.  This is often not considered a feature as much as it is seen as a way for OpenDNS to pay the bills.  In any case, when a user enters a URL that is not found, OpenDNS displays a search/recommendations page with ad listings.
  • Customization.  The guide described above and block pages can be customized to include a company logo, Internet acceptable use policy, etc.
  • Safety.  OpenDNS is kept up-to-date with the latest patches and secured with DNS configuration best practices.  This works pretty well.  For example, OpenDNS was not susceptible to the vulnerability discovered by Dan Kaminsky earlier this year.
  • Shortcuts.  Long URLs can be given aliases using the OpenDNS shortcuts feature, as shown in Figure 4.   

Creating Shortcuts 

Figure 4 

The final word

The Internet is not a safe place for children or adventurous employees.  But schools and businesses have no reason not to take reasonable and appropriate steps to protect their students, employees, critical infrastructure, and sensitive information.  If your school or business has yet to deploy a filtering solution, the ease of use and no-cost arguments for OpenDNS might give you the leverage you need to convince decision-makers to do the right thing.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

21 comments
UAddUp
UAddUp

I know there are hundreds of companies offering filters for your desktop or network. This is not what I need. I need a company that can work with me to filter adult URLs within my website. So when someone goes to my site and enters: www.Gap.com, my program should be able to contact that Filtering company and check if GAP.com is family friendly or not. (I have Google Adsense in the site and they are very very strict with sites mentioning other adult sites. They can shut your account and not allow you to open it again if you have adult content. I asked them to help me, and recommend me a Filtering company, but they said they could recommend me anyone. The filtering thing is a Whole Big Thing, just adding many keywords is not good enough. Companies work on creating a whole program from scratch. I have to find a company that is ready to work with me, and instead of installing their software on my PC, they should allow my server to send a request to their server to check on their database. Can someone recommend me something?

dpalme
dpalme

Looks like a good program. A few things: -Does not look like a content filter (url only). Squidguard (url) and Dansguardian (content) will give you both and both are free. -Does not look like you can provide different levels of access for users. As a school district, this has been a major source of pain for me. -All that said, we are trying out Untangle which so far has been pretty slick (and includes a security suite!) though the differentiated access levels is a low cost add on.

rwtodd2007
rwtodd2007

Both of these seem to work well, however can they be set up as policies so if you have the multiple users on the same computer with seperate logons, that the settings dont always pertain to everyone?

dutch_gemini
dutch_gemini

Blue Coat K9 Web Protection is also such a tool.

BALTHOR
BALTHOR

Why can't I block Google with my firewall.

mbwmn
mbwmn

i started using it in our office (35 users) a few weeks ago. works great. some websites are tagged under multiple categories (myspace is tagged for 'social networking' and 'instant messaging'. lots of complaints from the indians for the first few days, until i started suggesting that the indians have their cheifs email me requesting explicit permission to visit a blocked site...

seanferd
seanferd

The OpenDNS Updater, used for dynamic IPs, can now be easily run as a service. Actually, the Updater gets updated and improved quite frequently. The Updater is important for making use of the services provided by OpenDNS for those who have dynamically assigned IP addresses.

blacknred0
blacknred0

i have untangle at home and work and i love it. it is so easy to use and maintain. really if you want your network to be protected more this would be the way to go. i recommend it 100%. but all you need to know is a little bit about linux systems just in case you want the untangle server to do more of what it already does.

ian.obrien
ian.obrien

As long as Blue Coat has patched the K9 Buffer overlfow problem it is a good tool. Otherwise it is a huge security liability.

boxfiddler
boxfiddler

How the hell did I miss this one? :D :D :D You don't cease to amaze me BALTHOR. Keep up the good work.

boxfiddler
boxfiddler

has been b*tching that the Impure Brigade has been lax in its duties lately... She may be quite right. We gotta work on that.

seanferd
seanferd

as I am partially laid off. Too many hours some days, followed by endless slack. Then surprise phone calls, "We need you to..." Oh, I'm sorry, did you mean Windows?

The Scummy One
The Scummy One

we have been too busy with the nasty 'W' word :0 :0 (please excuse the suggestion of the nasty word).

The Scummy One
The Scummy One

the Queen of the Impure -- has been out of action. So we have an excuse :D And if that doesnt work -- My Religion Made Me Do It!