Blocking adult sites from users on a wired and wireless network

I'd like to ask the experts here what you'd say are some ways and ballpark costs to block people from accessing 'adult sites' in a work environment?  Mostly at a PC on the office domain. But there's also wifi they could use.

Some background:

It's an SBS 2011 Standard domain with 7 users at desktops. There's a low end Cisco router (RW-215).  There are 2 wifi VLANs - an office SSID and public SSID supplied by a group of Ubiquiti unifi UAPs.

Depending on cost, they'd want to block adult sites on office VLAN for sure, and maybe public VLAN

I haven't dealt with this in a while.

I remember Open DNS had a (free?) service that allowed category blocking? But the devices had to use OpenDNS DNS servers. Enforceable for desktops, but not enforceable on employee wireless devices and not on people's devices on public wifi.

Having not dealt with this in a while, my vision is that it's never 100%? Sites are always popping up - that won't appear on lists of sites to block - and if people are motivated to get to them, they most likely can.  If the public wifi VLAN is not site filtered, they can use that.  Or heck, they can use cellular if they really need to see porn at work.  I would think they just make an employee policy not to go to those sites rather than go through the trouble of technology to get them to behave?

Andy Bartkiewicz (Network Analyst) commented:
Just get a web filter
Bryant Schaper commented:
For the number of people I would replace the router with a firewall with some filtering.  Tons of "free" options, but I would look at Sonicwall and Sophos.  If you don't have good endpoint/server security Sophos can help with both and is very reasonable.
Dr. Klahn (Principal Software Engineer) commented:
"I would think they just make an employee policy not to go to those sites rather than go through the trouble of technology to get them to behave?"

Your view is correct and in those organizations where I've consulted that was the policy and there was no trouble with this issue.  Admittedly some people were fired, and not all of them hourly grunts on the line.  But once it was clear that the policy applied to everybody, no further issues were encountered.  "Old Bill was six weeks short of retirement and they fired him" goes a long way toward making a point.

But the policy must be even-handedly applied to everyone, not just the hourly workers, or all it does is create resentment.
Blue Street Tech (Last Knight) commented:
Hi BeGentleWithMe-INeedHelp,

From a liability aspect, the employees should have signed an AUP (Acceptable Usage Policy) and then it is the job of the company to make sure it is enforced to limit exposure. If you lock down the environment properly users will not be able to circumvent a NGFW (Next-Generation Firewall). The only way they would be able to access that content is via their cellphones, at which point it depends if they are BYOD or company issued. Irrespectively, that can be managed as well using MDM (Mobile Device Management).

To underscore your point though...employees should be motivated to work. Otherwise, they should get canned. It doesn't sound like the company is results oriented. As long as it is not illegal behavior the company should not really care that much what employees do as long as they are producing results. But I digress...

I'd replace that Cisco RW-series SPI (Stateful Packet Inspection, which is a 1996 technology) with a solid DPI (Deep Packet Inspection) firewall like a SonicWALL TZ300: It will run you about $1000.00 USD and will actually protect your client's network plus easily block porn and anything else you wish to block. In general, you should replace firewalls every 3 years unless there are more pressing needs.

Otherwise, how will you protect this environment from Zero-Day attacks, Ransomware, Cerber?

What about inspecting encrypted traffic, which makes up 68% of the Internet now and is continuing to grow? Even a DPI firewall cannot inspect encrypted traffic... You need DPI-SSL, which SonicWALL has!

Let me know if you have any other questions!

Ricardo Jose Jr. Palma (Network and Security Consultant) commented:

Most effective solution is to complement your setup with a firewall with UTM features (IPS-AV-URL Filtering, and content filtering). You can check out vendors such as Fortinet, Sophos, etc.; they provide firewalls with UTM features that you can easily manage.

Search for any distributor for your country, engage them, and propose for them to provide you with a PoC to test out their product in your environment before you buy.
Hello There (System Administrator) commented:
Use Parental Control...
BeGentleWithMe-INeedHelp (Author) commented:
Thanks.  We set up OpenDNS filtering.  They seem to be OK with that for now.