Solved

How do I filter web content?

Posted on 2004-11-11
Last Modified: 2010-04-10
We have a Netgear router. It allows me to block key words based on words in the DNS name.

I want to be able to block out things like adult content. Running Server 2k3 and Server NT 4.0....

What is the best way to filter out web pages and stop users from going to those sites at my place of employment?

(Net Nanny isn't an option <grin>)

Thanks all
Question by:mrchaos101
15 Comments
 
LVL 20

Expert Comment

by:DVation191
ID: 12559870
mrchaos101,
My recommendations would be either of the two....

SurfControl
http://www.surfcontrol.com/

or

WebSense
http://www.websense.com/

I personally like SurfControl better based on demos I've been involved in.

hope this helps.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 12560233
DVation

I'm not seeing a price on their web site for SurfControl.... this scares me hehee

Also please see how our network is set up here:

                                                  ____________PC's
                                                  :
----ISP--------Router/Firewall----------Switch-----
                                                  :
                                                  ----------------Server 2003

My PC's use the IP of the Server 2003 for DNS.

I'm new to the network game so I just want to test how I understand it here..

PC asks for www.something.com --------->goes to Switch------------->Switch sees DNS request and sends the request to the Server 2003------> Server looks at it and decides DNS asked for is not for our network----------->Forwards request to switch with a NEW DNS request (using the DNS server info for my ISP)------Switch sends it to router----------->sends request to ISP.

I know it is rude here but IF you could follow it

I think that is how it works and BECAUSE all my internet traffic is going through the 2003 server, I should be able to set up SurfControl in that PC and it should work, correct?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12560255
Another option for you is an iPrism appliance. It would go inline between your switch and Firewall, so all traffic literally passes through it.
http://www.stbernard.com/iprism
0

 
LVL 1

Author Comment

by:mrchaos101
ID: 12560303
Wow that is neat hehe...

Let me add a few things. We are small so cost is a HUGE issue. I am sorta new to networking so it needs to be easy.

It doesn't have to be HUGE and great, just effective enough to hold back about 20 computers.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12560526
None of these solutions are going to be cheap, but I think that the simplicity of the iPrism is awesome, and I have put several of them into operation for clients. WebSense is another great product, but expensive and requires a separate server to run it on, and not every firewall works well with it.

With only 20 users, simple written acceptable use policies that everyone must sign acknowledgement of would be a deterrent to most employees. Any employee that is caught violating the policy gets a reprimand, fired on the spot for downloading adult content, or "written up" at the very least. The cost is zero $. It won't take long to bring everyone into compliance.



0
 
LVL 88

Expert Comment

by:rindi
ID: 12561666
I'm not sure, but you can probably do some simple sort of filtering on the Firewall/Router. Check the manual.

If that isn't enough, put a proxy server between the firewall and the rest of your network. If you only need the proxy server to do content filtering you can use a simple, old, phased-out PC as hardware, throw a Linux distro on it (free), plus the Squid proxy software, also free and included in most distros. You would of course have to spend some time to get it up and running. Once it is running, you wouldn't have to spend too much time on it anymore.
You can, of course, also use a proxy server as a cache for internet pages. This results in access to cached objects being a lot faster than if they had to be gotten directly from the internet, but this also needs a larger disk and more RAM.
A proxy server keeps a log of the internet activity, so you could analyze the surfing habits of the employees. You can also set it up to need authentication, thus only allowing those to surf the web who provide a valid username and password.
0
 
LVL 6

Expert Comment

by:KOTiS
ID: 12564005
It seems like your PC's have a direct connection to the internet. They only use the Server for DNS requests which the server then resolves using external DNS servers. This is a problem because you have two options:

1. Use content filtering on each PC, which is difficult to manage
2. Use a centralised filtering solution, which is expensive

I have to propose the following:

1. Use a dummy IP address on each PC. If your server is using DHCP to assign addresses to the internal PC's (you should), assign one more address on the network interface card (10.0.0.1 for example) and let the rest of the 10.0.1.x range be available to the internal PC's to request IP addresses. This way your PC's won't have a direct connection to the internet and they will have to use a proxy server.

2. Install and use a proxy server with content filtering. You have two more solutions here - the cheap/free one and the professional/expensive one. If you are on a tight budget then you have to use an old PC to install a free version of Linux (http://www.redhat.com), then install Squid (http://squid-cache.org) and finally use a free product like DansGuardian (http://dansguardian.org) to filter out specific content. If you are not on a tight budget, then there are a lot of expensive commercial content filtering products, but I don't think you intend to use one of them (they are subscription based and are aimed at big corporations that have a lot of money to spend).

Regards,
Karasardelis Kostas
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12565219
mrchaos101, SurfControl can work in your situation by a number of methods. Since you are using a switch and not a hub, you could mirror or map the port that your internet comes in on. I believe you could install a second NIC in the server in which all traffic passes through in promiscuous mode.
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12565231
0
 
LVL 20

Expert Comment

by:DVation191
ID: 12565238
I'm sorry that wasn't the right link...here are the prices...
http://www.peppm.org/2004/Product/surfcontrol/price.pdf
0
 
LVL 1

Expert Comment

by:ugh138
ID: 12568588
According to your request, your best bet is to set up some kind of proxy between you and the internet.

Now there are two directions you can take to do this.

You can set up your Win 2k3 server with web filtering software or Windows proxy server / use the free Linux solution as stated above

OR you can buy an appliance that has the web content built in.

We use Watchguard appliances for our web filtering. www.watchguard.com

These devices offer a tremendous amount of features that come in upgrades so you don't have to shell out the cash all at once.

You can purchase the web content filtering upgrade, which I believe uses the same database as SurfControl.

The filtering option allows you to block by IP address, domain name, categories and some other options.

The only catch is that you have to purchase a renewal subscription every year to get the latest downloads from SurfControl for the categories section. This ranges from $70+ depending on what appliance you have.

We use a Firebox X1000 for our corporate headquarters (300 computers) and Firebox X15 Edge for our branch offices (15 computers); both have the web content filtering upgrade. We can administer the web content rules, VPN, firewall rules etc. for all the X15 appliances from the X1000.
There's also drag and drop VPN between appliances and remote users. Plus the administration comes in one WYSIWYG interface that's easy to maintain.
Plus I'm guessing that the Netgear router is a little outdated and this would be perfect to replace it with instead of messing with cumbersome server setups.
0
 
LVL 5

Expert Comment

by:twizted_teck
ID: 12571374
I would recommend iPrism from St. Bernard. I implemented it on our network and it wasn't too hard to configure, and the 1U piece of hardware connects between your firewall and switch. The great thing about it is that you can use NTLM authentication with your Active Directory to authenticate users. You can set up custom ACLs and assign groups or users to these ACLs. With the ACLs you can determine what end users can access or block websites that you don't want them to get to. You can also run custom reports for a group or user to see what they are accessing. I called the sales rep and was able to obtain a demo. I'm sure you'll be able to get one as well.
0
 
LVL 2

Accepted Solution

by:tabush
ID: 12579231
Get a second NIC for one computer and run Winproxy on it - www.winproxy.com - that is cheap for small networks and does really good filtering.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 12697451
tabush,

Winproxy is about where I want to be cash wise.

It shows URL filtering. So does this mean I have to KNOW what web sites I want to filter to get it to work?

Can it filter out key words like Adult, XXX, Nudity etc?

thanks
0
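The trade-off behind the question above, keyword matching on the DNS name (as the Netgear router does) versus a list of known sites, shown as an added example that is not part of the original thread and is not the code of any product named in it. The keywords, blocklist entries and hostnames are constructed samples, and the function names are hypothetical.

```python
# Added example: compares two hostname-filtering strategies on constructed data.
# All hostnames, keywords and blocklist entries below are constructed samples.

KEYWORDS = ("adult", "xxx", "sex")                              # constructed
BLOCKED_DOMAINS = {"adult-site.example", "badvideos.example"}   # constructed


def normalize(host):
    """Lower-case a hostname and strip any :port and trailing dot."""
    host = host.strip().lower()
    if host.count(":") == 1:          # host:port (not an IPv6 literal)
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def keyword_block(host, keywords=KEYWORDS):
    """Substring match anywhere in the name, as a keyword filter does."""
    host = normalize(host)
    return any(k in host for k in keywords)


def domain_block(host, blocked=BLOCKED_DOMAINS):
    """Match the host or any parent domain on whole-label boundaries."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def compare(hosts):
    """Return {host: (keyword_decision, domain_decision)} for each host."""
    return {h: (keyword_block(h), domain_block(h)) for h in hosts}


SAMPLE_HOSTS = [
    "www.adult-site.example",      # caught by both
    "cdn.badvideos.example.",      # listed domain, no keyword in the name
    "www.sussex-council.example",  # harmless, but contains "sex"
    "notbadvideos.example",        # must not match badvideos.example
    "WWW.NEWS.EXAMPLE:443",        # harmless, matched by neither
]

if __name__ == "__main__":
    for host, (kw, dom) in compare(SAMPLE_HOSTS).items():
        print(f"{host:30} keyword={kw!s:5} domain={dom}")
```

Keyword matching needs no prior knowledge of sites but over-blocks harmless names and misses sites whose names carry no keyword; a domain list is exact but only covers sites someone has already listed, which is why the commercial products in this thread sell category database subscriptions.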
 
LVL 20

Expert Comment

by:DVation191
ID: 12697980
Maybe you'll want to have a look at n2h2's Sentian.
The homepage about the product info is here: http://www.n2h2.com/products/sentian_home.php

You can find prices here:
http://www.sonicguard.com/N2H2-Sentian.asp
0
