Content Filtering For Small School

rosco

Gawd
Joined
Jun 22, 2000
Messages
722
I am working with a small high school that has about 90 computers. We are currently using the free version of Untangle but want more features.

The main thing we would like is for there to be at least two groups of policies, one for students and one for staff/teachers.

So far, two options we have looked at are the EDU package from Untangle and the Barracuda Web Filter 310. Any other options we should be considering? Those two are about the price range we are looking to spend.

Anyone have a better option?

As some of you might remember, part of what I am looking to do with this network is set up UniFi APs providing both a secured wireless network on one VLAN and a guest wireless network on another VLAN. So, although I plan on taking care of the routing with a MikroTik router, the web filtering solution would need to be able to work in that scenario.

Thanks as always for the help.
 

Eickst

[H]ard|Gawd
Joined
Aug 24, 2005
Messages
1,884
OpenDNS requires no hardware. But a smart user can get around it if they know how to change DNS settings on their NIC (if they have access to do that) or they memorize the IP of the site they want to visit....
 

ThreeDee

[H]F Junkie
Joined
Sep 5, 2001
Messages
11,292
I set up the same thing at a school for troubled teens when I worked there a few years ago .. I used Smoothwall Express and the DansGuardian mod .. I set up 3 policies. One for the students, which was very limited .. One for the staff, which had some limitations .. and then a totally open policy for the uppity ups....
 

DlStreamnet

Limp Gawd
Joined
Mar 10, 2005
Messages
359
sounds complicated x more hardware needed x budget = over budget

1 routing device (same as untangle) except less bloat consuming resources

2 networks achieved by VLANs

squid proxy a free addon with auto install

DansGuardian free addon with auto install
 

Wrench00

2[H]4U
Joined
Sep 30, 2003
Messages
3,423
Options
1. Sonicwall UTM. Stupid easy to set up for CFS. I have it deployed for a private school and it works wonders.
2. Censornet. Can be a giant pain in the ass but it works quite well.
 

dashpuppy

Supreme [H]ardness
Joined
May 5, 2010
Messages
6,163
Options
1. Sonicwall UTM. Stupid easy to set up for CFS. I have it deployed for a private school and it works wonders.
2. Censornet. Can be a giant pain in the ass but it works quite well.

SW = over priced & expensive

Untangle / pfSense = way cheaper for school on budget..
 

Wrench00

2[H]4U
Joined
Sep 30, 2003
Messages
3,423
It's OK, I like them both.

If I had my pick and money wasn't a factor I'd still pick Untangle.

Sonicwall works and does things..

Overpriced and expensive are the same thing..

FYI there are educational discounts and the devices just work with minimal configuration.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
775
Fortinet seems like an option here, especially if you have not already bought into UniFi. You can use a FortiGate as a firewall/UTM/content filter as well as a wireless controller for their access points.
 

haunter

[H]ard|Gawd
Joined
Jul 20, 2011
Messages
1,883
Fortinet seems like an option here, especially if you have not already bought into UniFi. You can use a FortiGate as a firewall/UTM/content filter as well as a wireless controller for their access points.

came in to post this.

have a 60C, they have a wifi one that will do the dual wifi zones ETC.

integrates with LDAP and AD for filtering so I am told, I don't use that part of it, yet
 

rosco

Gawd
Joined
Jun 22, 2000
Messages
722
Anyone else use Fortinet for this? I used one of their units to filter viruses and spyware but didn't really do much with the content filtering.

They might be a good option as well. It sure seems like the Barracuda isn't getting much love.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
We use Barracuda at work for filtering ~ 1500 users. It works well. Ours is starting to fail after ~ 4 years so we are looking to get a new one. It integrates with AD nicely.
 

schnell

Gawd
Joined
Jul 22, 2005
Messages
763
We use Barracuda at work for filtering ~ 1500 users. It works well. Ours is starting to fail after ~ 4 years so we are looking to get a new one. It integrates with AD nicely.

What model? Are you doing multiple units in HA?
I am looking to replace Websense with something else when our contract is up.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
It's a 310 and no we don't have any in HA. It's showing its age and slowness though.
 

schnell

Gawd
Joined
Jul 22, 2005
Messages
763
Can the box send department managers emails about their underlings' activities like I can do in Websense?
 
Joined
Aug 8, 2010
Messages
832
Are you aware that e-rate funding (aka schools and libraries program) can and should be used for content filtering? I would suggest that you talk with your ISP first, though...they might be willing to cut you a reciprocal deal if you do content filtering w/them (you would essentially be "doing them a favor" since the fee is usually much higher than their costs).
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
775
I am looking to replace Websense with something else when our contract is up.

I work for a very large MSSP and we've used a lot of content filtering products for our customers. I'll say this about Websense. It is expensive and it is a PITA to get setup properly, especially shoehorned into existing environments, but once you have it setup and configured correctly absolutely nothing else comes close. That said, it is costly, very costly.

If your current setup had been done well you will likely find everything else seems toy-ish.

Edit

I'm not saying other products fail. I'm saying Websense is a Lexus LS and some of the others are a Toyota Corolla. They both get you to work. Once you own an LS a Corolla seems a little pale.
 

cyr0n_k0r

Supreme [H]ardness
Joined
Mar 30, 2001
Messages
5,360
Are you aware that e-rate funding (aka schools and libraries program) can and should be used for content filtering?
This is incorrect. I don't think you know much about e-rate.

USAC (the people who run e-rate) require that a district already be CIPA compliant before they can qualify for e-rate funds.
e-rate dollars cannot be used for web filtering.

I am looking to replace Websense with something else when our contract is up.
DO NOT look at M86. They are the worst.
We are moving to Sophos for web filtering and they support up to 8 VMs for HA. Their virtual appliances are free if you have ESX.
 

tangoseal

[H]F Junkie
Joined
Dec 18, 2010
Messages
9,330
Cisco 5510 with SSM module installed. These devices sniff every packet, frame, etc.. at the bit level to ensure that they are not containing known malicious code and they do it at a hardware level. And you can filter about anything you want.

You can get the ASA 5510 with an SSM installed on eBay for a good price. Even an ASA 5505 with Sec Plus license and SSM will be awesome for your project and far less expensive than a 5510 which is far more powerful and throughput.

Check it out...

http://www.cisco.com/en/US/prod/col...0aecd80402e4f_ps6120_Products_Data_Sheet.html

Also Barracuda Networks has hardware devices that are really good at web, http, https, etc... filtering.
 
Joined
Aug 8, 2010
Messages
832
This is incorrect. I don't think you know much about e-rate. USAC (the people who run e-rate) require that a district already be CIPA compliant before they can qualify for e-rate funds.
OK, but as far as I know, it is optional during the 1st year of funding, optional in the 2nd year w/waiver, and then required in the 3rd year you apply for funds. I've never heard of a school doing CIPA certification prior to applying for e-rate.


e-rate dollars cannot be used for web filtering.
That one is definitely wrong. Web filtering can and should be included in bids for internet access and/or maintenance:

Separate pricing for the following components when not included in the standard configuration of an Internet access service is NOT ELIGIBLE:
• Caching
• Content filtering
• Web Casting


AFAIK everything with e-rate depends on how you do it, how you use it, and what you put in your tech plan ("what is your intent") ex:
Some products may have modules or features that are not eligible, (e.g., content filtering, network management, and caching). If these ineligible components are available separately, or the applicant specifically seeks the ineligible functions, their cost must be subtracted from the amount eligible for discount.
 

cyr0n_k0r

Supreme [H]ardness
Joined
Mar 30, 2001
Messages
5,360
That one is definitely wrong. Web filtering can and should be included in bids for internet access and/or maintenance:
I'm not sure what point you are trying to prove considering you quoted USAC verbiage that states that content filtering is not eligible.
Yes, it CAN be included as an add on to something else you are already buying, but again you quote that the cost of the ineligible product (content filtering) must be separated out and not used in e-rate funding calculations.
 

renixinq

Limp Gawd
Joined
Feb 13, 2003
Messages
439
cyr0n_k0r is correct on all the eRate pieces mentioned so far. eRate wouldn't apply in this case.

As for the OP, you might look at iBoss. I believe they do AD integration which would make it fairly simple to design two different filtering policies and I think they would be reasonably priced.
 
Joined
Aug 8, 2010
Messages
832
I'm not sure what point you are trying to prove considering you quoted USAC verbiage that states that content filtering is not eligible.
Yeesh...sometimes eligible services can be bundled with ineligible ones. Sometimes they can't be tied together. When eligible and ineligible services are bundled, sometimes the ineligible services need to be cost-accounted. In other circumstances, they don't. The quotes I provided explained the details pretty clearly.

All you need to do is to follow the program to the letter, dot every i, keep a copy of the i for five years, never fail to consider a bid and (now) never take a bribe. Motive (=tech plan) is just as important as action.

Ex:
9. What type of filter is used on the MLDs to prevent unauthorized access to the Internet? (Answer provided by Verizon Wireless)
– Verizon Wireless offers several content filtering options which are available at no cost. The following link provides information regarding the different filtering levels currently available. The schools/districts decide which level of filtering fits their particular needs.
https://wbillpay.verizonwireless.com/vzw/nos/uc/uc_content_filter.jsp
Does this service need to be cost accounted?
 

cyr0n_k0r

Supreme [H]ardness
Joined
Mar 30, 2001
Messages
5,360
Does this service need to be cost accounted?
It depends. Is the part number that includes filtering listed under USAC's eligible devices? If so, then no. If it isn't then you would need to break out the cost of the filtering and make it a separate line item and not use the cost in funding calculations.
 

schnell

Gawd
Joined
Jul 22, 2005
Messages
763
I work for a very large MSSP and we've used a lot of content filtering products for our customers. I'll say this about Websense. It is expensive and it is a PITA to get setup properly, especially shoehorned into existing environments, but once you have it setup and configured correctly absolutely nothing else comes close. That said, it is costly, very costly.

If your current setup had been done well you will likely find everything else seems toy-ish.

Edit

I'm not saying other products fail. I'm saying Websense is a Lexus LS and some of the others are a Toyota Corolla. They both get you to work. Once you own an LS a Corolla seems a little pale.

It's not set up right, that's the thing. Plus we are not using half of the features so it is a waste.

We are moving to Sophos for web filtering and they support up to 8 VMs for HA. Their virtual appliances are free if you have ESX.

Thoughts on sophos?
 

cyr0n_k0r

Supreme [H]ardness
Joined
Mar 30, 2001
Messages
5,360
Thoughts on sophos?
For antivirus we love it. It has great enterprise features and honestly once I got it setup I haven't touched the management server in months.
We are running version 9.5 right now, and the web filtering is going to require us to upgrade to v10. The nice thing with version 10 is that the web filtering is just a module that gets tacked onto the already installed antivirus agent, so there isn't a completely separate agent install for the filtering.

We haven't deployed it yet (will be this summer when school lets out) but from all the web demos of the product and seeing it in action it looks like it's going to do everything we need it to do. Plus the price point was amazing. They have a school package that is basically antivirus, email security (which we won't use), and web filtering all rolled into a single per user cost.

I'm not sure exactly what the per user fee was for us but I think it was something in the range of $10-15 per user. Which was a 3 year contract and included all the above features.
 

D-EJ915

[H]ard|Gawd
Joined
Jan 31, 2003
Messages
1,524
Sophos' web appliance works fine although even with exclusions it will still break some websites apparently so I run an auto-detect proxy script which excludes those sites so they don't even go near the proxy. The e-mail appliance works fine but the on-host puremessage really sucks. One thing that is a pain is sometimes their support will tell you to do things that do not actually work or you can't do them which is pretty annoying. It took quite a lot of back and forth to get some custom filters going on an e-mail appliance.
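
The auto-detect proxy script (PAC file) with site exclusions described in the post above, sketched as an added example that is not from the thread or from any vendor. The proxy address and the excluded domains are hypothetical placeholders. It is written in ES5 so older PAC engines can parse it.

```javascript
// Added example: PAC file with a reviewed exclusion list.
// Proxy host, port and domains are hypothetical placeholders.
var FILTER_PROXY = "PROXY webfilter.school.example:8080";

// Sites that break behind the proxy. Anything listed here is NOT filtered,
// so keep the list short and review it regularly.
var BYPASS_DOMAINS = ["sis-vendor.example", "testing-portal.example"];

// True only for the domain itself or a real subdomain of it.
// A loose suffix or "*domain" glob would also match "evilsis-vendor.example".
function hostInDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// True only for a complete dotted-quad RFC 1918 address.
// A prefix test such as /^10\./ would wrongly exempt "10.evil.example".
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  // Normalise case and a trailing root dot before any comparison.
  host = host.toLowerCase().replace(/\.$/, "");

  // Single-label intranet names and private address literals go direct.
  if (host.indexOf(".") === -1 || isPrivateIPv4Literal(host)) return "DIRECT";

  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (hostInDomain(host, BYPASS_DOMAINS[i])) return "DIRECT";
  }

  // No "; DIRECT" fallback: if the filter is unreachable, browsing fails
  // closed instead of silently going out unfiltered.
  return FILTER_PROXY;
}
```

A PAC file only steers browsers that honour it, so the firewall still has to block outbound web traffic that does not come from the filter, with explicit allow rules for the excluded sites.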
 