Content Filtering For Small School

rosco

I am working with a small high school that has about 90 computers. We are currently using the free version of Untangle but want more features.

The main thing we would like is for there to be at least two groups of policies, one for students and one for staff/teachers.

So far, two options we have looked at are the EDU package from Untangle and the Barracuda Web Filter 310. Any other options we should be considering? Those two are about the price range we are looking to spend.

Anyone have a better option?

As some of you might remember, part of what I am looking to do with this network is set up UniFi APs providing both a secured wireless network on one VLAN and a guest wireless network on another VLAN. So, although I plan on taking care of the routing with a MikroTik router, the web filtering solution would need to be able to work in that scenario.

Thanks as always for the help.
 
OpenDNS requires no hardware. But a smart user can get around it if they know how to change DNS settings on their NIC (if they have access to do that) or they memorize the IP of the site they want to visit....
 
I set up the same thing at a school for troubled teens when I worked there a few years ago. I used Smoothwall Express and the DansGuardian mod. I set up 3 policies. One for the students, which was very limited. One for the staff, which had some limitations, and then a totally open policy for the uppity ups....
 
sounds complicated x more hardware needed x budget = over budget

1 routing device (same as untangle) except less bloat consuming resources

2 networks achieved by VLANs

squid proxy, a free addon with auto install

DansGuardian, a free addon with auto install
 
Options
1. Sonicwall UTM. Stupid easy to set up for CFS. I have it deployed for a private school; it works wonders.
2. Censornet. Can be a giant pain in the ass but it works quite well.
 
> Options
> 1. Sonicwall UTM. Stupid easy to set up for CFS. I have it deployed for a private school; it works wonders.
> 2. Censornet. Can be a giant pain in the ass but it works quite well.

SW = over priced & expensive

Untangle / pfSense = way cheaper for school on budget..
 
It's OK, I like them both.

If I had my pick and money wasn't a factor I'd still pick Untangle.

Sonicwall works and does things..

Overpriced and expensive are the same thing..

FYI there are educational discounts and the devices just work with minimal configuration.
 
Fortinet seems like an option here, especially if you have not already bought into UniFi. You can use a FortiGate as a firewall/UTM/content filter as well as a wireless controller for their access points.
 
> Fortinet seems like an option here, especially if you have not already bought into UniFi. You can use a FortiGate as a firewall/UTM/content filter as well as a wireless controller for their access points.

Came in to post this.

Have a 60C, they have a wifi one that will do the dual wifi zones etc.

Integrates with LDAP and AD for filtering, so I am told. I don't use that part of it, yet.
 
Anyone else use Fortinet for this? I used one of their units to filter viruses and spyware but didn't really do much with the content filtering.

They might be a good option as well. It sure seems like the Barracuda isn't getting much love.
 
We use Barracuda at work for filtering ~ 1500 users. It works well. Ours is starting to fail after ~ 4 years so we are looking to get a new one. It integrates with AD nicely.
 
> We use Barracuda at work for filtering ~ 1500 users. It works well. Ours is starting to fail after ~ 4 years so we are looking to get a new one. It integrates with AD nicely.

What model? Are you doing multiple units in HA?
I am looking to replace Websense with something else when our contract is up.
 
It's a 310 and no, we don't have any in HA. It's showing its age and slowness though.
 
Can the box send department managers emails about their underlings' activities like I can do in Websense?
 
Are you aware that e-rate funding (aka schools and libraries program) can and should be used for content filtering? I would suggest that you talk with your ISP first, though...they might be willing to cut you a reciprocal deal if you do content filtering w/them (you would essentially be "doing them a favor" since the fee is usually much higher than their costs).
 
> I am looking to replace Websense with something else when our contract is up.

I work for a very large MSSP and we've used a lot of content filtering products for our customers. I'll say this about Websense. It is expensive and it is a PITA to get set up properly, especially shoehorned into existing environments, but once you have it set up and configured correctly absolutely nothing else comes close. That said, it is costly, very costly.

If your current setup had been done well you will likely find everything else seems toy-ish.

Edit

I'm not saying other products fail. I'm saying Websense is a Lexus LS and some of the others are a Toyota Corolla. They both get you to work. Once you own an LS a Corolla seems a little pale.
 
> Are you aware that e-rate funding (aka schools and libraries program) can and should be used for content filtering?
This is incorrect. I don't think you know much about e-rate.

USAC (the people who run e-rate) require that a district already be CIPA compliant before they can qualify for e-rate funds.
e-rate dollars cannot be used for web filtering.

> I am looking to replace Websense with something else when our contract is up.
DO NOT look at M86. They are the worst.
We are moving to Sophos for web filtering and they support up to 8 VMs for HA. Their virtual appliances are free if you have ESX.
 
Cisco 5510 with SSM module installed. These devices sniff every packet, frame, etc.. at the bit level to ensure that they are not containing known malicious code and they do it at a hardware level. And you can filter about anything you want.

You can get the ASA 5510 with an SSM installed on eBay for a good price. Even an ASA 5505 with Sec Plus license and SSM will be awesome for your project and far less expensive than a 5510 which is far more powerful and throughput.

Check it out...

http://www.cisco.com/en/US/prod/col...0aecd80402e4f_ps6120_Products_Data_Sheet.html

Also Barracuda Networks has hardware devices that are really good at web, http, https, etc... filtering.
 
> This is incorrect. I don't think you know much about e-rate. USAC (the people who run e-rate) require that a district already be CIPA compliant before they can qualify for e-rate funds.
OK, but as far as I know, it is optional during the 1st year of funding, optional in the 2nd year w/waiver, and then required in the 3rd year you apply for funds. I've never heard of a school doing CIPA certification prior to applying for e-rate.


> e-rate dollars cannot be used for web filtering.
That one is definitely wrong. Web filtering can and should be included in bids for internet access and/or maintenance:

Separate pricing for the following components when not included in the standard configuration of an Internet access service is NOT ELIGIBLE:
• Caching
• Content filtering
• Web Casting


AFAIK everything with e-rate depends on how you do it, how you use it, and what you put in your tech plan ("what is your intent") ex:
Some products may have modules or features that are not eligible, (e.g., content filtering, network management, and caching). If these ineligible components are available separately, or the applicant specifically seeks the ineligible functions, their cost must be subtracted from the amount eligible for discount.
 
> That one is definitely wrong. Web filtering can and should be included in bids for internet access and/or maintenance:
I'm not sure what point you are trying to prove considering you quoted USAC verbiage that states that content filtering is not eligible.
Yes, it CAN be included as an add on to something else you are already buying, but again you quote that the cost of the ineligible product (content filtering) must be separated out and not used in e-rate funding calculations.
 
cyr0n_k0r is correct on all the eRate pieces mentioned so far. eRate wouldn't apply in this case.

As for the OP, you might look at iBoss. I believe they do AD integration which would make it fairly simple to design two different filtering policies and I think they would be reasonably priced.
 
> I'm not sure what point you are trying to prove considering you quoted USAC verbiage that states that content filtering is not eligible.

Yeesh...sometimes eligible services can be bundled with ineligible ones. Sometimes they can't be tied together. When eligible and ineligible services are bundled, sometimes the ineligible services need to be cost-accounted. In other circumstances, they don't. The quotes I provided explained the details pretty clearly.

All you need to do is to follow the program to the letter, dot every i, keep a copy of the i for five years, never fail to consider a bid and (now) never take a bribe. Motive (=tech plan) is just as important as action.

Ex:
9. What type of filter is used on the MLDs to prevent unauthorized access to the Internet? (Answer provided by Verizon Wireless)
– Verizon Wireless offers several content filtering options which are available at no cost. The following link provides information regarding the different filtering levels currently available. The schools/districts decide which level of filtering fits their particular needs.
https://wbillpay.verizonwireless.com/vzw/nos/uc/uc_content_filter.jsp
Does this service need to be cost accounted?
 
> Does this service need to be cost accounted?
It depends. Is the part number that includes filtering listed under USAC's eligible devices? If so, then no. If it isn't then you would need to break out the cost of the filtering and make it a separate line item and not use the cost in funding calculations.
 
> I work for a very large MSSP and we've used a lot of content filtering products for our customers. I'll say this about Websense. It is expensive and it is a PITA to get set up properly, especially shoehorned into existing environments, but once you have it set up and configured correctly absolutely nothing else comes close. That said, it is costly, very costly.
>
> If your current setup had been done well you will likely find everything else seems toy-ish.
>
> Edit
>
> I'm not saying other products fail. I'm saying Websense is a Lexus LS and some of the others are a Toyota Corolla. They both get you to work. Once you own an LS a Corolla seems a little pale.

It's not set up right, that's the thing. Plus we are not using half of the features so it is a waste.

> We are moving to Sophos for web filtering and they support up to 8 VMs for HA. Their virtual appliances are free if you have ESX.

Thoughts on sophos?
 
> Thoughts on sophos?

For antivirus we love it. It has great enterprise features and honestly once I got it set up I haven't touched the management server in months.
We are running version 9.5 right now, and the web filtering is going to require us to upgrade to v10. The nice thing with version 10 is that the web filtering is just a module that gets tacked onto the already installed antivirus agent, so there isn't a completely separate agent install for the filtering.

We haven't deployed it yet (will be this summer when school lets out) but from all the web demos of the product and seeing it in action it looks like it's going to do everything we need it to do. Plus the price point was amazing. They have a school package that is basically antivirus, email security (which we won't use), and web filtering all rolled into a single per user cost.

I'm not sure exactly what the per user fee was for us but I think it was something in the range of $10-15 per user. Which was a 3 year contract and included all the above features.
 
Sophos' web appliance works fine, although even with exclusions it will still break some websites apparently, so I run an auto-detect proxy script which excludes those sites so they don't even go near the proxy. The e-mail appliance works fine but the on-host PureMessage really sucks. One thing that is a pain is sometimes their support will tell you to do things that do not actually work or you can't do them, which is pretty annoying. It took quite a lot of back and forth to get some custom filters going on an e-mail appliance.
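
The kind of auto-detect proxy (PAC) script described in the post above, as an added example that is not part of the original thread. The proxy address and the bypassed hostnames are constructed placeholders, and the fail-closed behaviour is a design choice of this example.

```javascript
// Added example: proxy auto-config (PAC) file, served as wpad.dat / proxy.pac.
// PROXY and BYPASS_DOMAINS are constructed placeholder values.
var PROXY = "PROXY webfilter.school.example:8080";

// Sites that break behind the filter. Every entry is a hole in the
// content filter, so keep the list short and review it regularly.
var BYPASS_DOMAINS = ["broken-app.example", "sis.vendor.example"];

function isBypassed(host) {
  // Normalise case and a trailing dot so "WWW.Broken-App.example." still matches.
  host = host.toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    var d = BYPASS_DOMAINS[i];
    // Match the domain itself or a true subdomain only. A plain substring
    // test would also exempt lookalikes such as "notbroken-app.example"
    // or "broken-app.example.lookalike.test".
    if (host === d || host.slice(-(d.length + 1)) === "." + d) {
      return true;
    }
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Single-label names are intranet hosts and never need the filter.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Known-broken sites skip the proxy entirely.
  if (isBypassed(host)) return "DIRECT";
  // No "; DIRECT" fallback here: if the filter is unreachable, browsing
  // fails closed instead of silently going out unfiltered.
  return PROXY;
}
```

A PAC file only steers browsers that honour it, so the firewall still needs to block direct outbound web traffic from student VLANs to anything not on the bypass list.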
 