recommend web filtering

Vague

A small charter school's IT person just quit and they're asking for some help.

They have between 30-40 computers, both desktop PCs and MacBooks. One of the things they want is website filtering, I guess based on keyword or URL. A lot of the kids end up spending the day on Myspace, Facebook or porn instead of doing school work.

I'm fully aware that whatever solution is put in place the kids will find a way around it, but something still needs to be done.

I guess because there is a mix of both OSX & Windows OSes and the need for centralized management that a software solution is a bad idea.

I have no experience evaluating hardware solutions. Can anyone suggest some things to look at?
 
Well, there are usually two approaches to this.

Deny with a software or appliance
- The most common way in today's enterprise. Usually deployed near the edge or on the firewall. Checks the URL against a common database to see how it is classified and also if the rules allow or deny.

Deny using DNS
- This is another method, since all clients must use DNS to "find" their websites. I've only seen one product that does this, opendns.org. But it's free and quite simple (it may be a good solution for you).

Keep asking the [H]. Lots of good people here to help you.

Some more details would be nice. For example...
how does the internet get there? (T1, Cable, DSL, etc)
Is there a firewall?
Is there an Active Directory, Novell, or some sort of centralized system?
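
The two approaches described in the post above, as an added sketch that is not part of the thread and not how OpenDNS or any product named here is implemented: a DNS filter decides on the queried hostname alone, while a proxy or appliance filter sees the whole URL and can also match keywords. The category table, keyword list, hostnames and addresses are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample policy (assumption, not a real category database).
CATEGORY_DB = {
    "myspace.com": "social",
    "facebook.com": "social",
    "example-school.test": "education",
}
BLOCKED_CATEGORIES = {"social", "adult"}
BLOCKED_KEYWORDS = ("porn",)
BLOCK_PAGE_IP = "192.0.2.1"  # documentation address standing in for a block page


def categorize(hostname):
    """Return the category of hostname or of its closest listed parent domain."""
    labels = hostname.lower().rstrip(".").split(".")
    # Match on whole labels so "notfacebook.com" is not treated as "facebook.com".
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def dns_filter(qname, real_ip):
    """DNS approach: only the queried name is visible to the filter."""
    if categorize(qname) in BLOCKED_CATEGORIES:
        return BLOCK_PAGE_IP  # answer with the block page instead of the site
    return real_ip


def url_filter(url):
    """Proxy/appliance approach: host, path and query are all visible."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    category = categorize(host)
    if category in BLOCKED_CATEGORIES:
        return "deny: category " + category
    text = (host + parts.path + "?" + parts.query).lower()
    for word in BLOCKED_KEYWORDS:
        if word in text:
            return "deny: keyword " + word
    return "allow"
```

The keyword rule only exists at the URL layer: the same request that `url_filter` denies on its query string resolves normally through `dns_filter`, which is why the later replies pair the two.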
 
You could switch to OpenDNS and sign up for an account. If you register your IP addresses you can set up blocks for various types of websites. I've used this before when the customer only needed 1 or 2 websites blocked and they didn't want to pay for anything more in depth.
 
If they have an old computer that isn't being used, setting up Clarkconnect running DansGuardian works for a nice filter.

We use that setup with open DNS as a "backup" and it has been very effective and trouble free.
 
If you are looking for a free solution with no paid support you can check out Untangle and run it as a transparent proxy with web filtering, protocol control to block IM, P2P, etc. If you want something with excellent support I would check out Astaro. They have a web gateway appliance that does excellent URL filtering, protocol control, QoS, etc. Both of these products can also act as a firewall and VPN concentrator if you need that.
 
Thanks everyone, these are some great suggestions.

So to add a little more information, the connection will be via cable and they also have a county provided line, I'm not sure what type, probably a fractional T1. I'm going to try and stay away from it. They have the additional cable connection because the T1 can't handle much traffic, apparently pages start to time out if there are more than a few students accessing the web. My plan is to separate the teachers to the school network and the students to the cable connection.

There is no firewall or network management right now like AD or Novell, at least not on the cable line.

They have two devices already connected, Sync T-FRAP which looks like a CSU/DSU for the T1 and a 3com Pathbuilder s400 that looks like the router connected to the Sync T-FRAP.

They do have a budget, so a separate appliance can be a reasonable choice especially if it makes it easier for whoever comes after me to work with it. I'm looking at the Astaro units and they seem to fit the bill exactly. They even have a demo unit, so that might be the way to go.

Many of you suggest installing something on an old unused computer, and that'll probably work just fine if not better and cheaper, but I'm really looking at simpler management. Unless you think it's just way overkill and not worth it, I'll keep looking at these Astaros.

Thanks for all your input, everyone.
 
I have never really liked Astaro; it doesn't seem to be worth the money in my honest opinion, as all Linux/BSD based firewalls use the same kernel and many of the packages used are the same, just a different front end really!

Google squid and squidguard, or dansguardian, and you will notice that all of the Linux/BSD firewalls use this for content filtering and proxies.

If you are a non-IT-intelligent user I don't think Astaro is your best option. I have found that smaller clients have found that Untangle UTM has been much more simple, and personally in a situation like yours, where you want a box that works as soon as you open it, "Endian Firewall" fits the equation best.

All major Linux and BSD based firewalls use the same software anyway; it's just how much you need to configure them to work that counts.

Also, on a low speed connection like yours, you would want to make a very large cache on your proxy server (your firewall of choice) to keep users from killing your bandwidth with pictures!

You also need quite a bit of RAM and a pretty fast disk for content filtering! A Pentium 4 and 512 MB of RAM is the minimum for 40 nodes requiring an appliance for routing, content filtering and proxy services.
 
One nice thing about buying an astaro appliance is that you have a support contract and product replacement warranty. You have a problem, call the support line and they will fix it. No screwing around for days trying to get someone on a forum to help you. :D Also, the software is a lot more stable, in my experience, than Endian. It's also more customizable than Untangle.
 
Untangle !!!!!

Check it out at http://untangle.com/

The software requires a modest PC in comparison to other firewalls, but it's worth it !!
I know of 2 boxes set up at local businesses and another at a local school for doing exactly what you speak of and they are fantastic !! I went so far as to take a spare PC with 2 NICs and set this up as my firewall/router/gateway/content filter for my home network. My son has started browsing the web and I want to keep things PG. Also the setup couldn't be easier !!
I have used IPcop, Smoothwall and Endian, and none were as simple or as effective as Untangle. I'm NOT saying it's the best but it's been great for me.

check it out :D
 
I only suggested Untangle because I've heard it's much simpler than Astaro, but saying that, I don't like it much; it's not flexible enough lol.

I haven't ever had problems with Endian; at work (200 nodes) we use Endian as a web proxy/filter (for internet access) and a pfSense box to keep up a site2site VPN and as a router (we use terminal services for all remote sites to keep things simple).
 
Untangle is a good choice, but its hardware requirements are unlike the other versions.
 
Combine OpenDNS account...with Untangle
Get the "Pro" version of Untangle...and you DO have support you can call. Or tackle it yourself with the free community version...their forums are very fast and helpful with support.
 