ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Content Filtering

    Scheduled Pinned Locked Moved IT Discussion
    15 Posts 12 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • travisdh1T
      travisdh1 @Markferron
      last edited by

      @Markferron said in Content Filtering:

      We're getting rid of our Meraki MX400 considering the cost is around $9920 for one year of Advanced Security. I'm going towards a UniFi gateway, but I need something that will do content filtering. I've read a few threads in ML and, in general, people in general don't like combining firewalls and UTM devices/applications. Why is that? Also, what would you recommend that I use for content filtering?

      UTM devices generally have very anemic CPU and the ASICs used can't accelerate the added features like content filtering at any sort of speed. That's just the couple things off the top of my head, I know there are more reasons.

      Content filtering wise, you have lots of options. A proxy would do it. A PiHole DNS server could as well, but I don't know if you can block entire domains with it instead of IP addresses.

      DustinB3403D M 2 Replies Last reply Reply Quote 1
      • DustinB3403D
        DustinB3403 @travisdh1
        last edited by

        @travisdh1 said in Content Filtering:

        A PiHole DNS server could as well, but I don't know if you can block entire domains with it instead of IP addresses.

        You can, but that isn't the purpose of the tool. They had a topic about using PiHole to block adult content sites etc.

        1 Reply Last reply Reply Quote 1
        • M
          Markferron @travisdh1
          last edited by

          @travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?

          DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
          • DashrenderD
            Dashrender @Markferron
            last edited by

            @Markferron said in Content Filtering:

            @travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?

            Either a proxy your browsers all log into or a transparent proxy. A transparent proxy is basically inline between your users and your firewall.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Markferron
              last edited by

              @Markferron said in Content Filtering:

              I've read a few threads in ML and, in general, people in general don't like combining firewalls and UTM devices/applications. Why is that?

              This is a huge topic on its own. But basically... because you want to treat security like a production workload, not a second class citizen. You'd never run production workloads by "just throwing them on the Domain Controller", why would you do so with security functions by throwing it on your router? You wouldn't, it's not an operational approach, nor a secure one.

              1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @Markferron
                last edited by

                @Markferron said in Content Filtering:

                @travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?

                A proxy can be used for the most secure of needs. For most companies that need content filtering, DNS based is enough and that you can do with a service (a la StrongArm.io) or run yourself (a la PiHole.)

                ObsolesceO 1 Reply Last reply Reply Quote 0
                • Reid CooperR
                  Reid Cooper
                  last edited by

                  If you can get away with just using DNS based filtering, it is so easy.

                  1 Reply Last reply Reply Quote 0
                  • black3dynamiteB
                    black3dynamite
                    last edited by

                    If you were to use Pi-Hole, make sure your firewall is only allowing clients to use Pi-Hole IP for their DNS server.

                    Another option, is PaloAlto URL Filtering Web Security.
                    https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/url-filtering-pandb.html

                    1 Reply Last reply Reply Quote 1
                    • syko24S
                      syko24
                      last edited by

                      A couple options I’ve used that work pretty well and are very affordable:

                      https://www.dnsfilter.com

                      And https://nxfilter.org is you want something self hosted

                      D 1 Reply Last reply Reply Quote 0
                      • D
                        dave_c @syko24
                        last edited by

                        @syko24 said in Content Filtering:

                        A couple options I’ve used that work pretty well and are very affordable:

                        https://www.dnsfilter.com

                        And https://nxfilter.org is you want something self hosted

                        I have a client using DNSFilter as one of its security layers. So far, so good. And yes, very affordable.

                        1 Reply Last reply Reply Quote 0
                        • dbeatoD
                          dbeato
                          last edited by

                          I have used Untangle Content Filtering but it means another network device, and while not DNS based it does content filtering and can do tracking by username and password is connected to LDAP.

                          1 Reply Last reply Reply Quote 0
                          • dbeatoD
                            dbeato
                            last edited by

                            The post that @DustinB3403 was referring is this one
                            https://mangolassi.it/topic/16905/add-porn-blocking-to-your-pi-hole/

                            1 Reply Last reply Reply Quote 1
                            • ObsolesceO
                              Obsolesce @scottalanmiller
                              last edited by

                              @scottalanmiller said in Content Filtering:

                              @Markferron said in Content Filtering:

                              @travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?

                              A proxy can be used for the most secure of needs. For most companies that need content filtering, DNS based is enough and that you can do with a service (a la StrongArm.io) or run yourself (a la PiHole.)

                              I set up a whitelist-only Squidproxy server for certain user subnets, along with SARG for reporting, which is freaking awesome.

                              It works great, with so many more options and granularity freedom. You can also subscribe to some filtering lists to use on your Squid proxy too if you need that.

                              1 Reply Last reply Reply Quote 1
                              • dafyreD
                                dafyre
                                last edited by

                                An inline device might be a bit easier to handle for transparent proxying.

                                UBNT Router --> Web Proxy Device --> Rest of the network.

                                1 Reply Last reply Reply Quote 0
                                • 1 / 1
                                • First post
                                  Last post