Content filtering options
-
@momurda said in Content filtering options:
What do you have at the site already?
Many firewall devices have this stuff built in now.
I could block anything by category or even strings 'cricket' 'viagra' stuff like that. Any traffic passing through the interface out to the web gets inspected.
Any requests that use these words get blocked with a warning in the browser and logged.
Not quite the same as a dns filtering though.No, firewalls do not have that. Those are UTM devices. But that is a totally different discussion.
Also there is no way for most of those devices to block anything HTTPS unless you let the UTM perform MitM on your SSL. This generally causes more problems than it solves.
-
@momurda said in Content filtering options:
What do you have at the site already?
Many firewall devices have this stuff built in now.
I could block anything by category or even strings 'cricket' 'viagra' stuff like that. Any traffic passing through the interface out to the web gets inspected.
Any requests that use these words get blocked with a warning in the browser and logged.
Not quite the same as a dns filtering though.There is a crappy Cisco ASA firewall there. Yuck.
-
Oh that is too bad.
-
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
-
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
-
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
For ONLY Whitelist, DansGuardian, then.
-
@scottalanmiller said in Content filtering options:
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
For ONLY Whitelist, DansGuardian, then.
Does that do DNS filtering now?
-
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
@jaredbusch said in Content filtering options:
@scottalanmiller said in Content filtering options:
We use PiHole. Not as comprehensive, but it's low cost and we can control it.
But PiHole is not designed to block all domains and only allow a whitelist.
For ONLY Whitelist, DansGuardian, then.
Does that do DNS filtering now?
No, but it does whitelist content filtering, which is what he had asked for. You could point it to a DNS filtering service for an additional layer, of course.
-
Webroot DNS on the endpoints?
-
DNSFilter and Censornet are products I have used.
-
-
@smitherick said in Content filtering options:
Webroot DNS on the endpoints?
Interesting... I'll have to check into that. We already run Webroot endpoint AV.
-
You can use dnsmasq to achieve what you want. It will block all requests except the domains you choose. You have to add the following to your dnsmasq.conf file.
bogus-priv domain-needed no-resolv # blocks the usage of your resolv.conf file and hosts files, and only allows upstream servers set in this file. # Whitelist - will forward dns request to the following domains server=/mangolassi.it/1.1.1.1 # Dns to which to forward the allowed request -
@romo that looks pretty easy, but we need at least 3 different levels of filtering that can be applied to users or groups.
-
@rojoloco that does change the complexity of the solution then.
Crazy idea, if you have any sort of configuration management tool, you could still do one vm, 3 dnsmasq containers and push manual dns settings via the config-management tool to your users to their respective dns server.
-
@romo said in Content filtering options:
@rojoloco that does change the complexity of the solution then.
Crazy idea, if you have any sort of configuration management tool, you could still do one vm, 3 dnsmasq containers and push manual dns settings via the config-management tool to your users to their respective dns server.
Looking only at hosted solutions, we have no extraneous hardware at that site and it's a 100% windows shop.
-
Can you get away with forcing them all to use Internet Explorer? Is that a realistic option?
Or are you 100% set on a paid hosted DNS solution?
-
@obsolesce said in Content filtering options:
Can you get away with forcing them all to use Internet Explorer? Is that a realistic option?
Or are you 100% set on a paid hosted DNS solution?
They have to use multiple browsers for the testing they do. I'm not necessarily set on a DNS solution, but that seems like it would provide some protection from malicious sites in addition to being able to block time wasters. Hosted and easy to manage are the main goals (hard to fix hardware in India from Atlanta).
-
@rojoloco said in Content filtering options:
@obsolesce said in Content filtering options:
Can you get away with forcing them all to use Internet Explorer? Is that a realistic option?
Or are you 100% set on a paid hosted DNS solution?
They have to use multiple browsers for the testing they do. I'm not necessarily set on a DNS solution, but that seems like it would provide some protection from malicious sites in addition to being able to block time wasters. Hosted and easy to manage are the main goals (hard to fix hardware in India from Atlanta).
Going the DNS route, what's your plan?
Change the DNS servers on each PC there, and on the edge firewall or whatever you have there?
-
@obsolesce pretty much. They have a Cisco firewall on site, I can gpo the rest, they are part of our domain. If it works well, we will likely use it in our office once our subscription for websense expires. What a clunky POS.
