Content Filtering

Markferron

We're getting rid of our Meraki MX400 considering the cost is around $9920 for one year of Advanced Security. I'm going towards a UniFi gateway, but I need something that will do content filtering. I've read a few threads in ML and, in general, people in general don't like combining firewalls and UTM devices/applications. Why is that? Also, what would you recommend that I use for content filtering?

travisdh1

@Markferron said in Content Filtering:

We're getting rid of our Meraki MX400 considering the cost is around $9920 for one year of Advanced Security. I'm going towards a UniFi gateway, but I need something that will do content filtering. I've read a few threads in ML and, in general, people in general don't like combining firewalls and UTM devices/applications. Why is that? Also, what would you recommend that I use for content filtering?

UTM devices generally have very anemic CPU and the ASICs used can't accelerate the added features like content filtering at any sort of speed. That's just the couple things off the top of my head, I know there are more reasons.

Content filtering wise, you have lots of options. A proxy would do it. A PiHole DNS server could as well, but I don't know if you can block entire domains with it instead of IP addresses.

DustinB3403

@travisdh1 said in Content Filtering:

A PiHole DNS server could as well, but I don't know if you can block entire domains with it instead of IP addresses.

You can, but that isn't the purpose of the tool. They had a topic about using PiHole to block adult content sites etc.

Markferron

@travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?

Dashrender

@Markferron said in Content Filtering:

@travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?

Either a proxy your browsers all log into or a transparent proxy. A transparent proxy is basically inline between your users and your firewall.

scottalanmiller

@Markferron said in Content Filtering:

I've read a few threads in ML and, in general, people in general don't like combining firewalls and UTM devices/applications. Why is that?

This is a huge topic on its own. But basically... because you want to treat security like a production workload, not a second class citizen. You'd never run production workloads by "just throwing them on the Domain Controller", why would you do so with security functions by throwing it on your router? You wouldn't, it's not an operational approach, nor a secure one.

scottalanmiller

@Markferron said in Content Filtering:

@travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?

A proxy can be used for the most secure of needs. For most companies that need content filtering, DNS based is enough and that you can do with a service (a la StrongArm.io) or run yourself (a la PiHole.)

Reid Cooper

If you can get away with just using DNS based filtering, it is so easy.

black3dynamite

If you were to use Pi-Hole, make sure your firewall is only allowing clients to use Pi-Hole IP for their DNS server.

Another option, is PaloAlto URL Filtering Web Security.
https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/url-filtering-pandb.html

syko24

A couple options I’ve used that work pretty well and are very affordable:

https://www.dnsfilter.com

And https://nxfilter.org is you want something self hosted

dave_c

@syko24 said in Content Filtering:

A couple options I’ve used that work pretty well and are very affordable:

https://www.dnsfilter.com

And https://nxfilter.org is you want something self hosted

I have a client using DNSFilter as one of its security layers. So far, so good. And yes, very affordable.

dbeato

I have used Untangle Content Filtering but it means another network device, and while not DNS based it does content filtering and can do tracking by username and password is connected to LDAP.

dbeato

The post that @DustinB3403 was referring is this one
https://mangolassi.it/topic/16905/add-porn-blocking-to-your-pi-hole/

Obsolesce

@scottalanmiller said in Content Filtering:

@Markferron said in Content Filtering:

@travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?

A proxy can be used for the most secure of needs. For most companies that need content filtering, DNS based is enough and that you can do with a service (a la StrongArm.io) or run yourself (a la PiHole.)

I set up a whitelist-only Squidproxy server for certain user subnets, along with SARG for reporting, which is freaking awesome.

It works great, with so many more options and granularity freedom. You can also subscribe to some filtering lists to use on your Squid proxy too if you need that.

dafyre

An inline device might be a bit easier to handle for transparent proxying.

UBNT Router --> Web Proxy Device --> Rest of the network.