
OpenDNS vs alternatives

Inf0

I'm going to have to put in some permanent public access wifi for 200-300 users. The concern is that we want to do some content filtering so as to keep people from pulling up pron, warez, or file sharing. I've heard good things about OpenDNS, and wanted to see how this option compared with more traditional alternatives like a Barracuda web filter, or a Cisco ASA with CSC Plus, etc.

Considering you can maintain subscriptions to the former for ~$1000/year, I was pretty shocked when they quoted their Enterprise product at $3750 for 300 users. Is this level of support even necessary? Could I get away with the cheaper (or free) versions?
 
To do all that you're going to need a combination of security services to be effective. Just hijacking the DNS queries is not going to be sufficient.

With a Cisco ASA and Websense you could do everything pretty easily but you're talking about a lot of money.

The more control you want to exert over the users the more costly it becomes essentially. You're talking about URL filtering based on the content of the website as well as application-layer filtering looking for torrents, malware and the like. Any free tools you come up with to do this are going to be quite limited in their efficacy. If you want to do this effectively you're going to have to "bring your wallet" so to speak.
 
We're going to have an ASA in place regardless. The content filtering doesn't have to necessarily be bulletproof for what people can view, but it does need to protect us from liability in this age of the **AAs and their ilk. Any further thoughts on the layer 7 stuff are appreciated.
 
The ASA can natively search for a ton of different protocols and drop them. This is not the default though. You'll have to write the service policy to do this once you decide what you're trying to drop, e.g. bit-torrent, edonk3y, lamewire, etc... That should cut down on stuff quite a bit. You can then use the CSC to additionally filter the URLs people can visit. All in all you should be reasonably protected against the "casual abusers".
 
I say just use free OpenDNS in combination with whatever else you are doing e.g. the ASA.
 