Solved

Internet content filter device recommendation

Posted on 2009-04-22
Last Modified: 2013-11-16
I need a little basic education.

I work with a Christian school which has a network of about 70 computers.  Most are Windows 2000, a few XP and 2 Vista.

I would like to get a device that sits between the cable modem and the rest of the network.  The device needs to scan for viruses and content.  I know such devices exist.

1.  I do not know the correct terminology to even research these devices.  Can somebody give me the correct terms to search with?

2.  Can anybody recommend a device or a company?  Being a non-profit, cost is a major barrier, so advice there would be appreciated.

Thank you.

Jerlo
0
Comment
Question by:Jerry Thompson
17 Comments
 
LVL 6

Expert Comment

by:dianthonym
ID: 24208314
You can get a SonicWall tz180.  This is a very nice device that will provide what you are looking for.  They can be purchased for around $500 and upgraded from there as you need.  In the long run you will be very happy with the security and content filtration services this offers and that may justify the cost.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24208451
Take a look at the web filtering option here
 
http://www.opendns.com/solutions/enterprise/ 
0
 
LVL 50

Expert Comment

by:dbrunton
ID: 24210018
A proxy server is what you want

http://en.wikipedia.org/wiki/Web_proxy

Basically it's a computer that handles all internet requests.  It can filter and scan for you.

You'll need a technical expert to set it up for you.  The computer doesn't have to be a new one and it can run free software.  You may well be able to find an expert that will set it up for free for you.
0

 
LVL 1

Expert Comment

by:TheAnimaniac
ID: 24212943
And the device name for your research is UTM (Unified Threat Management): http://en.wikipedia.org/wiki/Unified_threat_management
0
 
LVL 5

Expert Comment

by:Gregg DesElms
ID: 24220736
Hmm.  Interesting.  The education you seek, Jerlo, is kinda' here, by hook or by crook...

...though I'll bet it's unclear to you.

In short, here's what you need... and I'm not suggesting this because I necessarily think it's the best approach... but you specified that the appliance needs to virus-check and filter.  So here's the best way to do it...

Get an appliance (probably best if it's a router/firewall combo sort of thing) that will allow you to do two things:

1) It will allow you to install and run on it anti-virus software (which normally runs on a computer, but which the firewall's firmware has been programmed so that it can run such software); and,

2) It will allow you to configure within it DNS servers which are different from those provided by the cable modem carrier.

The device would also be a normal router and/or firewall, too... but I'm just saying that those two capabilities which I've just mentioned should be there, as well.

Some such devices as that actually come already configured with... say... for example... Norton Anti-Virus already installed on them... burned into their firmware (or maybe residing on a memory card inside which is being viewed by the device's firmware as if it were a little hard drive... or, what the heck, it may actually be a little flash hard drive inside)... and, when so, then its anti-virus database simply needs to be updated, and then away you go.  (And if it's on a memory card or flash drive, and same is being viewed as a little hard drive by the device's firmware, then the Norton (or whatever brand it is) anti-virus software thereon may, itself, even be upgradeable).

The reason why you need the capability to configure DNS (as described in item "2)" above), is because as far as content filtering goes, dstewartjr, in his second post of this thread, gave you the best advice you're ever going to get... ever.  Trust me on this.  The filtering capability of OpenDNS is best-of-breed.  And its enterprise package is all set up to do precisely what you want to do.  And it's free.  And it works.  Oh, boy, does it ever work.  It's the hands-down best, fastest, cheapest, easiest way to do effective (and the operative here, here, is "effective") enterprise-wide content filtering.  Period.  Look no further.  And so, then, if you opt for OpenDNS as your means of filtering content, then the way you'd do it, simply, is to configure the appliance so that it uses OpenDNS's DNS servers instead of the DNS servers provided by the cable company.  Simple as that.

So, that's the logic part of your education which should help you to move on to the next step.

You were pointed at a SonicWall product.  SonicWall's a pretty darned slick appliance maker.  Maybe even one of, if not the, best.  But there are others... some of them pretty much in the same league as something from SonicWall.

The proxy server approach has merit, but mostly just because you could, if you wanted to, run the anti-virus software on it; and then, if so, your appliance need no longer be capable of running anti-virus software.  And it's a fact that finding router, or firewall, or router/firewall appliances that will allow you to configure, within them, LAN-wide DNS, are easier to find out there in the world than such devices which also run anti-virus software.  So the proxy server idea... or at least the notion of some kind of server which is running anti-spyware that is sitting in between the router/firewall and the rest of the LAN makes some serious sense.

So that's the block-diagram logic of it.  Will that send you on your way okay?  Or do you need further help actually configuring; or with product recommendations, etc.?
0
 
LVL 5

Expert Comment

by:Gregg DesElms
ID: 24220759
And if you need more help, you need to begin by giving us a bit of the lay of the land on your LAN so far...

...what's plugged-in to the cable modem right now?  A router, I presume; into which is a managed switch, no? Is there a firewall anywhere in the picture?  Or is the router also a firewall?

What's the skinny on your LAN, specifically?
0
 
LVL 6

Expert Comment

by:ajeab
ID: 24226688
Look at iphantom.com.  It's subscription based.  Their device sits between the modem and router.  You can select the categories to block.
0
 

Author Comment

by:Jerry Thompson
ID: 24227057
I acknowledge that our network works, but I am also sure it is not configured optimally.  Being a Christian School, many volunteer "experts" have helped the network to develop.  Unfortunately when they had a problem they would find a short term fix.  Unfortunately that sometimes set the stage for future larger problems.  I have some network training, I would put my skills in the moderate level.  I do insist on fixing a problem correctly not speedily.

Details on our network.

Cable >> Road Runner supplied cable modem >> 4 port, 3 yr old Netgear router >> 24 port Linksys switch.

One of those lines makes its way to the tech room.  The tech room has 27 work stations and a Windows 2000 server.  Server handles DNS, DHCP and Active Directory.  Most work stations are Windows 2000, a few XP.  There are about a dozen switches and 72 computers total throughout the facility.

We have CyberSitter 9 and CA antivirus on all computers.

My goal this summer is to map the network completely.  Half the cabling is not labeled and I do not know where the cables go once they leave the 24 port switch.

By using this device, can I eliminate this software on all the client computers?

What kind of OS would need to be on an intermediary computer?

Thanks to everyone so far for your comments.  I did get some pricing from SonicWall and started exploring the other ideas.

Jerlo
0
 
LVL 6

Expert Comment

by:ajeab
ID: 24227709
SonicWall will cost much more, even with the 501c3 discount.  I use iphantom.com (an iboss product) at one of my facilities.  It works well.  What it does is sit between the modem and router, so if you go with this the setup will be RR modem --> IBOSS --> Netgear --> 24-port switch.

Nothing needs to be set on the workstations.  ALL traffic will pass through the IBOSS box, which then allows or denies based on your settings.  I purchased the resident version and it works fine.

If you want to go the DIY route, go with Linux.  I also use IPCOP with add-ons.  There are a number of add-ons available that will function similarly to IBOSS.  You only need a crappy computer (a Pentium 4 is fine).  Very easy to set up.

You may get rid of CyberSitter, but do keep the antivirus.
0
 
LVL 50

Expert Comment

by:dbrunton
ID: 24227829
>> What kind of OS would need to be on an intermediary computer?

If you go for a proxy server you could use a Linux distribution as ajeab suggests.
0
 
LVL 5

Expert Comment

by:Gregg DesElms
ID: 24228462
Do you know how to login to the control panel of the Netgear router?  If so, then first go create the appropriate kind of account at OpenDNS...

     http://www.opendns.com

...and then configure the Netgear router so that it uses OpenDNS's DNS rather than RoadRunner's.

At that moment, having done that simple thing, you will have completely resolved the filtering issue for the entire network.  And I mean completely.  Once you have set up your filtering in your OpenDNS account; then at that point, you could go remove CyberSitter from all machines... every last one of them.  And at that point, the filtering part of it would be done...

...leaving only anti-virus.

So, then... precisely which NetGear router?  (Model number)

And what about a firewall... or is that built-in to the router?

And this is a wired network, right?

Also, what kind of budget are you working with?
0
 
LVL 6

Expert Comment

by:ajeab
ID: 24230262
With OpenDNS, unless you have a static IP, you have to install their software on one of the computers to update the dynamic IP on the OpenDNS server.  And it will not protect you if someone knows how to change the DNS server setting on the computer.  But with the IBOSS device, it doesn't matter what DNS is set to; it will block based on your setting.  In the case of IPCOP, if you have Dangadian install, it will block it too, based on the setting.

Opendns is a start.
0
 
LVL 5

Accepted Solution

by:
Gregg DesElms earned 200 total points
ID: 24230478
ajeab wrote:  "with opendns, unless you have static IP, you have to install their software on one of the computers to update the dynamic IP on opendns server."

What self-respecting LAN with approaching a hundred users on it would have anything other than a static IP?  We're not talking about a home network, here.

Secondly, even if we were talking about a dynamic IP situation (and, who knows, maybe we are... and if so, then this is relevant), no matter what's going on on the workstations, at least the servers, in the server room, are always running (or if they're not, then they certainly should be).  The little software utility about which you speak could simply run on one of those servers... where it belongs in any case.

ajeab wrote:  "and it will not protect you if someone knows how to change dns server setting on the computer."

Again, we're not talking about a home network, here.  Commercial LANs can easily be configured (and should be, by default) so that no DNS requests from any workstation will actually work unless they're to the DNS servers which the LAN intends for them to use.  Controlling and forwarding and re-routing DNS requests from workstations is child's play... and SOP, too, I might add.

ajeab wrote:  "But with IBOSS device..."

...there is a cost... and a not-insignificant cost, I might add.  OpenDNS is free.  And best-of-breed, to boot.

ajeab wrote:  "in case of IPCOP, if you have Dangadian install..."

Oy.  What part of the thread-starter's having written "I would put my skills in the moderate level" did you not understand?  I've used IPCop.  It's perfectly okay... if you're into that whole "open-source project" and "we're all in this together" sort of mentality; and if you actually know what you're doing with Linux and its different distros and all that kinda' stuff.  But that's not where this thread-starter seems to be... nor, I'll bet, is that where he WANTS to be.  I've been doing this for 32 years.  I know exactly where he's at... and what's ahead of him, too.  I'm not saying he can't figure it out.  I'm absolutely certain that he can... it's not brain surgery, and he's obviously very bright.  But I'll bet there's a whole bunch of other stuff he'd rather be doing with his precious time.  

One of my personal acid tests for any open-source software product is how well those writing and supporting it seem to understand, from what's on its web site, the plight of the end-user... people who aren't as close to the product as are they... people who don't live and breathe it, and who aren't as up-to-speed as are they.  Any open-source project web site that is all about the project, and doesn't even bother to explain right on the front page, in straightforward, simple English, for the benefit of the first time, end-user WHAT IN THE HECK THE SOFTWARE EVEN IS AND/OR DOES (as is the case on the IPCop web site and so many other geek-operated, open source project web sites like it) tells me everything I need to know about how much work it's going to be for the end-user to use the product and get up to speed on all its little life-sucking issues.  Geeky, open-source project operators are all about the code and the coolness of the project.... and wouldn't recognize the importance of actually MARKETING their product to those who aren't geeky, like them, if it walked up and kissed 'em square on the mouth... as is the case on the IPCop web site.

The thread-starter, I'll bet, would like to have a life... away from the client site.  Oh, sure, he could get to the point wherein he had some idea what in the heck you were talking about when you wrote "Dangadian install," but why?  This client has already demonstrated that it's unwilling to do things the absolutely right way; and it thinks that it's okay to cobble it all together with volunteers.  Ugh!  Such a client is inherently high-maintenance.  Trust me on this... I know.  I've got more not-for-profit, budget- and technology-challenged clients like that than most consultants even have clients... period.  I KNOW what this guy (the thread starter) is getting himself into.  And struggling with the likes of IPCop -- regardless how actually simple it is for the technologically astute like yourself -- ain't what this guy needs in his life!

Hence, my suggestion of OpenDNS... if nothing else, just to get that part of it off his plate in a big hurry.

ajeab wrote:  "Opendns is a start."

I'm sorry.  You're wrong.  OpenDNS is a SOLUTION.  I'm using it almost everywhere, now... on every client who'll allow me to get it up and running on their LAN.  (And, no, I have nothing to do with the OpenDNS product or site or its people.  I'm no shill.)  It will promptly take the filtering issue off the thread-starter's plate, and allow him to get the filtering software off the workstations in almost literally the bat of an eye...

...leaving only (per his thread-starting (and subsequent) post(s)), the anti-virus issue...

...which, incidentally, I believe shouldn't even be discussed, frankly, without also understanding where we are on a firewall... hence my earlier asking about it... and I await the answer to that and the other questions I posed in that post...

...that is, unless the thread-starter would rather go learn what "Dangadian install" means... to which he's certainly welcome if that's his choice.

[sigh]
0
 
LVL 6

Expert Comment

by:ajeab
ID: 24233940
 ^
  ^
  ^
   
"What self-respecting LAN with approaching a hundred users on it would have anything other than a static IP?  We're not talking about a home network, here."

I mean a static internet IP, not an internal IP.

I'm not trying to discredit OpenDNS.  I do use OpenDNS in combination with others for a solution.  I too am working in a non-profit and budget is tight.  My work can't afford the cost of those commercial devices that integrate virus scanning and content scanning.  I'm also not a programmer.  But I was in a similar situation, trying to find a solution to secure the network and filter content.  I am not trying to tell him what he should use; I just want to share my experience of what I found and that it works for me (and the budget).  SonicWall is good as a one-stop shop, but it comes at a price.  It depends how much the school is willing to spend.

As for Dangadian install, it might sound complicated, but with IPCOP you type 3 command lines to install it.  All configuration is done via the web interface.

So, look at different solutions, do a comparison, test them out and see which one fits your school best.
0
 

Author Comment

by:Jerry Thompson
ID: 24241689
WOW, and I thought I was asking a simple question.  Thank you for all the responses.

1.  The router is a NetGear RP114.  I have access to it and it looks like I can configure it to use openDNS.

2.  Yes, our IP address is dynamic.  Being a school, we qualify for free internet.  Free also means the least amount of service possible and still call it high speed.

Of course this now leads to a couple of other questions.  I hope my ignorance does not show too much.

I will sign up with openDNS and implement that with our existing router.  

Assuming that works, do I need to turn off the DNS service on the server?  

Some of the network has fixed IP addresses and the DNS points to the DNS service on the local server.  Do I need to switch those to automatic?  (The reason for the static IP on some of the computers was connecting remotely with this one computer worked reliably if the IP was static.)

Thanks again for all your help.

Jerlo
0
 
LVL 6

Expert Comment

by:ajeab
ID: 24243721
Change the Netgear DNS to OpenDNS.

Leave your DNS server on, but make sure to change the forwarders in the DNS server settings to OpenDNS too.  And you will need to install the OpenDNS software on one of the computers (most likely the server) so that OpenDNS is able to update your internet IP address.

You can leave the fixed-IP computers as they are, since all DNS will query your internal server first.  Make sure that no other DNS setting exists on those FIXED IP computers except your internal DNS server, because if you have another DNS server in there, it will bypass OpenDNS.  (Kinda a workaround.)

Off topic: since you are a school, look at E-Rate.  Schools that qualify for E-Rate can get as much as a 90% discount on data service (meaning a full T-1 will cost around $40-$50/month).
0
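The check described in the comment above (no DNS server other than the internal one on any fixed-IP workstation) can be automated over saved `ipconfig /all` output. This is an added example, not part of the original thread; the internal DNS address, host names and sample output are constructed assumptions.

```python
# Assumption: address of the school's internal Windows DNS server (constructed).
APPROVED_DNS = {"192.168.1.10"}

# Constructed `ipconfig /all` output: LAB-07 lists a second, external resolver.
LAB_07 = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAB-07

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.57
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       203.0.113.53
"""
# Constructed output for a workstation that only uses the internal server.
LAB_08 = LAB_07.replace("LAB-07", "LAB-08").replace(
    "\n                                       203.0.113.53", "")


def parse_dns_servers(text):
    """Return {adapter name: [DNS servers]} from `ipconfig /all` output."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            in_dns = False                      # blank line ends a server list
        elif not line[0].isspace():
            # Unindented lines start a section; adapter headers end in ":".
            current = stripped[:-1] if stripped.endswith(":") else None
            in_dns = False
            if current:
                adapters[current] = []
        elif current is None:
            continue                            # global section, no adapter yet
        elif ". :" in stripped:                 # "Label . . . : value" line
            label, value = stripped.split(". :", 1)
            in_dns = label.rstrip(" .") == "DNS Servers"
            if in_dns and value.strip():
                adapters[current].append(value.strip())
        elif in_dns:
            adapters[current].append(stripped)  # continuation: another server
    return adapters


def audit(reports, approved=APPROVED_DNS):
    """List (host, adapter, server) for every resolver outside the approved set."""
    findings = []
    for host, text in sorted(reports.items()):
        for adapter, servers in parse_dns_servers(text).items():
            findings += [(host, adapter, s) for s in servers if s not in approved]
    return findings


if __name__ == "__main__":
    for host, adapter, server in audit({"LAB-07": LAB_07, "LAB-08": LAB_08}):
        print(f"{host}: {adapter} uses unapproved DNS server {server}")
```
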
 

Author Closing Comment

by:Jerry Thompson
ID: 31623693
Thank you for all your input.
0
