How do I filter web content?
We have a Netgear router. It allows me to block key words based on words in the DNS name.
I want to be able to block out things like Adult content. Running Server 2k3, and server Nt 4.0....
what is the best way to filter out web pages and stop users from going to those sites at my place of employment?
(net nanny isn't an option <grin> )
Thanks all
I want to be able to block out things like Adult content. Running Server 2k3, and server Nt 4.0....
what is the best way to filter out web pages and stop users from going to those sites at my place of employment?
(net nanny isn't an option <grin> )
Thanks all
ASKER
DVation
Im not seeing a price on there web site for surfcontrol.... this scares me hehee
ALOS please see how our network is setup here:
____________PC's
:
----ISP--------Router/Firw
:
----------------Server 2003
My PC's use the IP of hte Server2003 for DNS.
Im new to the network game so I just want to test how I understand it here..
PC asks for www.something.com --------->goes to Switch------------->Switch
I know it is rude here but IF you could follow it
I think that is how it works and BECUASE all my internt traffic is going though the 2003 server, I should be able to set up surfcontroll in that PC and it should work correct?
Im not seeing a price on there web site for surfcontrol.... this scares me hehee
ALOS please see how our network is setup here:
____________PC's
:
----ISP--------Router/Firw
:
----------------Server 2003
My PC's use the IP of hte Server2003 for DNS.
Im new to the network game so I just want to test how I understand it here..
PC asks for www.something.com --------->goes to Switch------------->Switch
I know it is rude here but IF you could follow it
I think that is how it works and BECUASE all my internt traffic is going though the 2003 server, I should be able to set up surfcontroll in that PC and it should work correct?
Another option for you is an iPrism appliance. It would go inline between your switch and Firewall, so all traffic literally passes through it.
http://www.stbernard.com/iprism
http://www.stbernard.com/iprism
ASKER
Wow that is neat hehe...
Let me add a few things. We are small so cost is a HUGE issue. I am sorta new to networking so It needs to be easy.
It doesn't have to be HUGE and great just effective enough to hold back aobut 20 computers.
Let me add a few things. We are small so cost is a HUGE issue. I am sorta new to networking so It needs to be easy.
It doesn't have to be HUGE and great just effective enough to hold back aobut 20 computers.
None of these solutions are going to be cheap, but I think that the simplicity of the iPrism is awesome, and I have put several of them into operation for clients. WebSense is another great product, but expensive and requires a separate server to run it on, and not every firewall works well with it.
With only 20 users, simple written acceptible use policies that everyone must sign acknowledgement would be a deterent to most employees. Any employee that is caught violating the policy gets a repremand, fired on the spot for downloading adult conent, or "written up" at the very least. The cost is zero $. It won't take long to bring everyone into compliance.
With only 20 users, simple written acceptible use policies that everyone must sign acknowledgement would be a deterent to most employees. Any employee that is caught violating the policy gets a repremand, fired on the spot for downloading adult conent, or "written up" at the very least. The cost is zero $. It won't take long to bring everyone into compliance.
I'm not sure, but you can probably do some simple sort of filtering on the Firewall/Router. Check the manual.
If that isn't enough, put a Proxy Server between the firewall and the rest of your network. If you only need the proxy server to do content filtering you can use a simple, old, phased-out PC as hardware, throw a linux distro on it (free), plus the Squid proxy software, also free and included in most distros. You would of course have to spend some time to get it up and running. Once it is running, you wouldn't have to spend too much time on it anymore.
You can, of course, also use a proxy server as a cache for internet pages. This results in access to cached objects being a lot faster than if they had to be gotten directly from the internet, but this also needs a larger disk and more RAM.
A proxy server keeps a log of the internet activity, so you could analize the surfing habits of the employees. You can also set it up to need authenification, thus only allowing those to surf the web who provide a valid username and Password.
If that isn't enough, put a Proxy Server between the firewall and the rest of your network. If you only need the proxy server to do content filtering you can use a simple, old, phased-out PC as hardware, throw a linux distro on it (free), plus the Squid proxy software, also free and included in most distros. You would of course have to spend some time to get it up and running. Once it is running, you wouldn't have to spend too much time on it anymore.
You can, of course, also use a proxy server as a cache for internet pages. This results in access to cached objects being a lot faster than if they had to be gotten directly from the internet, but this also needs a larger disk and more RAM.
A proxy server keeps a log of the internet activity, so you could analize the surfing habits of the employees. You can also set it up to need authenification, thus only allowing those to surf the web who provide a valid username and Password.
It seems like your PC's have a direct connection to the internet. They only use the Server for DNS requests which the server then resolves using external DNS servers. This is a problem because you have two options:
1. Use content filtering on each PC, which is difficult to manage
2. Use a centralised filtering solution, which is expensive
I have to propose the following:
1. Use a dummy IP address on each PC. If your server is using DHCP to assign addresses to the internal PC's (you should), assign one more address on the network interface card (10.0.0.1 for example) and let the rest of the 10.0.1.x range to be available to the internal PC's to request IP addresses. This way you PC's won't have a direct connection to the internet and they will have to use a proxy server.
2. Install and use a proxy server with content filtering. You have two more solutions here - the cheap/free one and the professional/expensive one. If you are on a tight budget then you have to use an old PC to install a free version of LINUX (http://www.redhat.com), then install SQUID (http://squid-cache.org) and finally use a free product like DansGuardian (http://dansguardian.org) to filter out specific content. If you are not on a tight budget, then there a lot of expensive commercial content filtering products, but i don't think you intend to use one of them (they are subscription based and are aimed to big corporation that have a lot of money to spend)
Regards,
Karasardelis Kostas
1. Use content filtering on each PC, which is difficult to manage
2. Use a centralised filtering solution, which is expensive
I have to propose the following:
1. Use a dummy IP address on each PC. If your server is using DHCP to assign addresses to the internal PC's (you should), assign one more address on the network interface card (10.0.0.1 for example) and let the rest of the 10.0.1.x range to be available to the internal PC's to request IP addresses. This way you PC's won't have a direct connection to the internet and they will have to use a proxy server.
2. Install and use a proxy server with content filtering. You have two more solutions here - the cheap/free one and the professional/expensive one. If you are on a tight budget then you have to use an old PC to install a free version of LINUX (http://www.redhat.com), then install SQUID (http://squid-cache.org) and finally use a free product like DansGuardian (http://dansguardian.org) to filter out specific content. If you are not on a tight budget, then there a lot of expensive commercial content filtering products, but i don't think you intend to use one of them (they are subscription based and are aimed to big corporation that have a lot of money to spend)
Regards,
Karasardelis Kostas
mrchaos101, surfcontrol can work in your situation by a number of methods. since you are using a switch and not a hub, you could mirror or map a the port that your internet comes in on. I believe you could install a second NIC in the server in which all traffic passes though in promiscuous mode.
Here is a SurfControl price list...
http://www.peppm.org/2004/Product/surfcontrol/price.pdf&e=747
http://www.peppm.org/2004/Product/surfcontrol/price.pdf&e=747
I'm sorry that wasn't the right link...here are the prices...
http://www.peppm.org/2004/Product/surfcontrol/price.pdf
http://www.peppm.org/2004/Product/surfcontrol/price.pdf
According to your request your best bet is to setup some kind of proxy between you and the internet.
Now there are two directions you can take to do this.
You can setup your win 2k3 server with Web filtering Software or Windows Proxy server / Use the free Linux solution as stated above
OR you can buy an appliance that has the web content built in.
We use Watchguard appliances for our web filtering. www.watchguard.com
These devices offer a tremendous amount of features that come in upgrades so you don't have to shell out the cash all at once.
You can purchase the web content filtering upgrade which I believe uses the same database as surf control.
The filtering option allows you to block by ip address, domain name, Categories and some other options
The only catch is that you have to purchase a renewal subscription every year to get the latest downloads from surf control for the categories section. this ranges from $70+ depending on what appliance you have
We use a firebox x1000 for our corporate headquarters (300 computers) and firebox x15 edge for our branch offices (15 computers) both have the web content filtering upgrade. We can administer the web contents rules, VPN, firewall rules etc for all the x15 appliances from the X1000
There's also drag and drop VPN between appliances and remote users. Plus the administration comes in one WSYWIG interface that's easy to maintain.
Plus I'm guessing that the netgear router is a little out dated and this would be perfect to replace it with instead of messing with cumbersome server setups.
Now there are two directions you can take to do this.
You can setup your win 2k3 server with Web filtering Software or Windows Proxy server / Use the free Linux solution as stated above
OR you can buy an appliance that has the web content built in.
We use Watchguard appliances for our web filtering. www.watchguard.com
These devices offer a tremendous amount of features that come in upgrades so you don't have to shell out the cash all at once.
You can purchase the web content filtering upgrade which I believe uses the same database as surf control.
The filtering option allows you to block by ip address, domain name, Categories and some other options
The only catch is that you have to purchase a renewal subscription every year to get the latest downloads from surf control for the categories section. this ranges from $70+ depending on what appliance you have
We use a firebox x1000 for our corporate headquarters (300 computers) and firebox x15 edge for our branch offices (15 computers) both have the web content filtering upgrade. We can administer the web contents rules, VPN, firewall rules etc for all the x15 appliances from the X1000
There's also drag and drop VPN between appliances and remote users. Plus the administration comes in one WSYWIG interface that's easy to maintain.
Plus I'm guessing that the netgear router is a little out dated and this would be perfect to replace it with instead of messing with cumbersome server setups.
I would recommend iPrism from St. Bernard. I implemented it on our network and it wasn't too hard to configure and the 1u piece of hardware connects between your firewall and switch. The great thing about it is that you can use NTLM Authenication with your Active Directory to authenicate users. You can set up custom ACLs and assign groups, or users to this ACLs. With the ACLs you can determine what end users can access or block websites that you don't want them to get to. You can also run custom reports for a group or user to see what they are accessing. I called the sales rep and was able to obtain a demo. I'm sure you'll be able to get one as well.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
tabush,
Winproxy is about where I want to be cash wise.
It shows URL filtering. So does this mean I have to KNOW what web sites I want to filter to get it t work?
Can it filter out key words like Adult, XXX, Nudity etc?
thanks
Winproxy is about where I want to be cash wise.
It shows URL filtering. So does this mean I have to KNOW what web sites I want to filter to get it t work?
Can it filter out key words like Adult, XXX, Nudity etc?
thanks
Maybe you'll want to have a look at n2h2's Sentian.
The homepage about the product info is here: http://www.n2h2.com/products/sentian_home.php
You can find prices here:
http://www.sonicguard.com/N2H2-Sentian.asp
The homepage about the product info is here: http://www.n2h2.com/products/sentian_home.php
You can find prices here:
http://www.sonicguard.com/N2H2-Sentian.asp
My recommendations would be either of the two....
SurfControl
http://www.surfcontrol.com/
or
WebSense
http://www.websense.com/
I personally like SurfControl better based on demos I've been involved in.
hope this helps.