Content Filters

Posted on by John Nash

(Note: this was written in 2013 – years ago, so links may or may not work.)

Reviewing web content filters: the box that scans incoming web pages, reads them, and allows acceptable content or blocks/drops unacceptable content based upon rules you set. Notes:

  1. Must read the pages, not merely scan URLs
  2. Must break open encrypted packets and scan, otherwise it is all wasted time
  3. Must not rely upon the device being used to view web pages — must be installed in the line connecting the LAN to the Internet, so it cannot be bypassed by any end user. It cannot be a mere proxy (cloud) that trusts the person being limited does not circumvent it: it must be hard wired into the building LAN so that it is impossible to evade.
  4. Preferably OpenSource so it is subject to peer review.
  5. Preferably no per seat licensing attempts to exploit
  6. Linux / BSD / Unix OS

DSCN2693

Web search possible results

Five Content Filters, Tech Republic http://www.techrepublic.com/blog/five-apps/five-content-filters-suitable-for-both-home-and-business/

Potential candidates which supposedly read the actual web page and block unacceptable content.

  1. Net Nanny http://www.netnanny.com/ — relies on intintegrity of the end user’s PC, Windows, not in LAN, costs $39.99 per seat for licenses
  2. K9 http://www1.k9webprotection.com/ — only works on Windows or some mobile devices, apparently to be installed onto the actual device and not inline in the LAN, and they want $12.50 PER MONTH PER SEAT to use it. graphic
  3. Safe Squid http://www.safesquid.com/content-filtering/linux-installation — downloads at http://www.safesquid.com/content-filtering/documentation. Seems to be free. Good Linux command line install instructions. Not sure if it scans each web page or not: looks like just a firewall with a URL blacklist (menus have nothing about content filter, key words, weights, etc). Think it might be intended to be installed inline however it comes in Linux and Windows versions. Look more at this later.
  4. DansGuardian http://dansguardian.org/?page=documentation — It was a good project, but not maintained. People in volved started a pay-per-seat for-profit project called SmoothWall that has superceeded it. It does read the pages, but it did not break open encrypted packets when I used it last.
  5. OpenDNS http://www.opendns.com Looks promising. It is a web based service BUT it works by changing the DNS lines in your firewall to point to OpenDNS. Unless the end user can break inot my firewall/router it will help. They provide a white paper on their approach here. Free with VIP subs available for $20/year. Graphic here. I’ll look more but this is potentially a high efficiency solution, so I subscribed. Summary from the web site at http://www.opendns.com/technology/ reads

    “We’ve established that DNS is used in almost all online activities, helping you get to where you want to go. But traditional DNS doesn’t discriminate the good from the bad. Regular DNS doesn’t know the difference between http://www.paypal.com and a forged clone site, aiming to trick you into providing your sensitive personal information. OpenDNS not only knows the difference, but also gives you the tools to decide what to let in, and what to block.  Think of it like a firewall for DNS. Using DNS as a filtering mechanism has powerful implications: phishing websites can be blocked from tricking users into giving up sensitive data and malware websites can be prevented from infecting computers.  Moreover, it’s not just about preventing security threats from loading.  Infected computers usually use DNS to try and “phone home” to a master computer for instructions, often leaking out confidential information, passwords, and files from computers.  OpenDNS prevents that from happening, too.”

    The bottom line is change your DNS settings to use the OpenDNS server addresses as your DNS server settings and save/apply:208.67.222.222, and 208.67.220.220. Piece of cake.
    Apparently there is more to this than meets the eye. I had my wife browse to sex dot com and she said she got pictures, lots of pictures. Ah. An email came to the address I provided when registering. First I must confirm my identity. Then enroll my IP address. Then select my level of filtering. Then wait 3 minutes for it to take effect. Works. It is clearly a URL filter, but that is better than nothing until I find a content scanning filter.
    One benefit is that URLs are submitted and rated by members through an averaging process (voting).

  6. Smoothwall Express http://www.smoothwall.net/ — looks like IPCop to me, a firewall. No apparent content filtering. Maybe content filtering is in their per seat license product. I requested pricing information on their contact web page, but have not heard back yet. I’ll update when I have more complete information. This could be a nice content scanner in addition to the OpenDNS URL scanner, but the pricing may be too high for a public charity serving the poor to afford. Their sales asked when I could chat and I suggested Monday 10/7. NOTE: I talked with the Smoothwall rep Tuesday 10/8 and there filter definitely does break open encrypted packets and examine the content.
  7. IPCop http://www.ipcop.org/ — it is only a firewall. We use it now and it works nicely. Free, no artificial limitations to coerce you into buying something unlimited. But no content filtering.