Website Filtering

Hi, I'm looking at the best solution to block websites (porn, gambling, social media...) on our network, but allowing either a password override or allowing certain computers to be ignored from the filtering. I have tried OpenDNS, which does the job, but most people are smart enough to change their DNS to Google or suchlike so that it bypasses the filtering. I have read that the best solution is via router settings, but have not found anything obvious that allows this to be bypassed on certain machines, either with an override password or complete override. Any ideas?
 
Largely a waste of time, anyone half clued up will get around all but the most locked down filtering easily - unless you start locking down SSL/HTTPS, etc. as well by which point you're disabling a lot of basic internet functionality.

Router based filtering will depend a lot on the exact router - some have relatively sophisticated implementation, others lacking any real functionality and/or requiring 3rd party firmware to enable.
 
This a home network?

My router (WNDR4500) running dd-wrt allows filtering by url and keyword, time of day etc. and also allows you to specify a list of clients that the policy applies to. Sounds like it will do what you want after a bit of setting up but I've not tried it myself so can't really say how good it is.
 
> Largely a waste of time, anyone half clued up will get around all but the most locked down filtering easily - unless you start locking down SSL/HTTPS, etc. as well by which point you're disabling a lot of basic internet functionality.
>
> Router based filtering will depend a lot on the exact router - some have relatively sophisticated implementation, others lacking any real functionality and/or requiring 3rd party firmware to enable.

Yeah, that was my thought; everything I have tried has taken less than 10 minutes for people to find a way to bypass it.
The router being used is a Netgear but I can't remember the model. It lets me block sites, but that's a total lockout, apart from one IP which can be excluded from the filtering. The problem with this is 1) only one machine can be excluded and 2) you have to list every website one by one, whereas something like OpenDNS has categories, which seemed to be pretty good at what it did; it was just really easy to bypass.

> This a home network?
>
> My router (WNDR4500) running dd-wrt allows filtering by url and keyword, time of day etc. and also allows you to specify a list of clients that the policy applies to. Sounds like it will do what you want after a bit of setting up but I've not tried it myself so can't really say how good it is.

It's a business network, but is set up very much like a home network, just with a big switch added.
We do run a server and machines are meant to be on the domain, but not everyone's is, as some people bring their personal laptops/tablets in, so going server side isn't really an option either.
 
If it's a work network, I'd be looking at putting a proxy server in place & locking the firewall down to only allow port 80/443 connections from the proxy server

What router/firewall are you using?
 
> If it's a work network, I'd be looking at putting a proxy server in place & locking the firewall down to only allow port 80/443 connections from the proxy server
>
> What router/firewall are you using?

At the moment it's just a cheap Netgear router and no specific firewall, as it was only recently they have decided they want this type of lockdown. There is no sensitive information on the network so security was never really an issue for them, but they have recently decided that members of staff might be abusing the internet use so want to start to lock it down, but of course, without blocking the bosses from using the internet freely.

My knowledge on proxy servers isn't that great. How would that work with outside machines coming in and out? Would there be a need to change the settings every time?
 
> If it's a work network, I'd be looking at putting a proxy server in place & locking the firewall down to only allow port 80/443 connections from the proxy server
>
> What router/firewall are you using?

Unless you also whitelist sites on demand (which is how where I work operates) it's still trivial to work around though.

Funny setup at work as they have the corp network with wifi and then also provision a "free" wifi on the same network (partitioned) - if you were caught browsing porn on the corp network it would be a disciplinary and probably dismissal - if you were on the "free" wifi no one would bat an eyelid.
 
> Largely a waste of time, anyone half clued up will get around all but the most locked down filtering easily - unless you start locking down SSL/HTTPS, etc. as well by which point you're disabling a lot of basic internet functionality.
>
> Router based filtering will depend a lot on the exact router - some have relatively sophisticated implementation, others lacking any real functionality and/or requiring 3rd party firmware to enable.

Not really a waste of time. Anyone "clued up" can bypass a lot of systems but that is not the point.
You put the system in place, you then add to your IT Policy that the sites of the type listed in the first post are not allowed to be accessed and that any attempt to circumvent the blocking system is a disciplinary matter.
 
Small proxy server (old desktop PC will suffice) in place running something like Squid or the free version of Smoothwall (we use this at work but the full enterprise suite) and then as someone above said, have the router/firewall deny all 80/443 traffic unless it's via the proxy.

Tell everyone how to set the proxy details in IE so they can use it when they bring in their own kit.
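
The gateway side of the setup described in this thread (web traffic only via the proxy, DNS only to the filtering resolvers, a list of exempt machines), as an added example that is not part of any post above. It assumes an iptables-based gateway such as a Linux box or dd-wrt; the interface name, chain name and LAN addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the rules for review; nothing
# is applied until the output is piped to a root shell on the gateway.
# Interface name and LAN addresses are constructed assumptions.
LAN_IF="br0"                                # LAN-side interface
PROXY_IP="192.168.1.10"                     # Squid/Smoothwall box
EXEMPT_IPS="192.168.1.20 192.168.1.21"      # machines left unfiltered
FILTER_DNS="208.67.222.222 208.67.220.220"  # OpenDNS resolvers

build_rules() {
    # Own chain, hooked to traffic arriving from the LAN side only.
    echo "iptables -N WEBFILTER"
    echo "iptables -A FORWARD -i $LAN_IF -j WEBFILTER"

    # 1. Exempt machines skip the filter (RETURN = carry on in FORWARD).
    for ip in $EXEMPT_IPS; do
        echo "iptables -A WEBFILTER -s $ip -j RETURN"
    done

    # 2. Only the proxy may open outbound web connections.
    echo "iptables -A WEBFILTER -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j RETURN"

    # 3. DNS is allowed to the filtering resolvers and nowhere else, so
    #    pointing a client at another resolver no longer works.
    for dns in $FILTER_DNS; do
        for proto in udp tcp; do
            echo "iptables -A WEBFILTER -d $dns -p $proto --dport 53 -j RETURN"
        done
    done
    for proto in udp tcp; do
        echo "iptables -A WEBFILTER -p $proto --dport 53 -j REJECT"
    done

    # 4. Direct web traffic from everyone else is refused; UDP 443 is
    #    included so QUIC cannot slip past a TCP-only rule.
    echo "iptables -A WEBFILTER -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
    echo "iptables -A WEBFILTER -p udp --dport 443 -j REJECT"
}

build_rules
```

Exemption by source address only holds if the exempt machines keep fixed addresses (for example DHCP reservations), since any client that takes one of those addresses is treated as exempt.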
 