So, by now you’ve realized that you really should provide some content filtering of your Internet connection. A reasonable first-step is to configure your connection so that you are using OpenDNS as your DNS service. It is very simple to start using OpenDNS…

If you are serving DCHP to your internal network from a router, you should simply change the DNS entries from what is supplied by your ISP to the OpenDNS addresses – 208.67.222.222 and 208.67.220.220. This simple configuration change is all that is required for most home, and many small business networks.

If your network is configured for split-DNS, then you should configure the internal DNS server so that it forwards to the OpenDNS addresses for external resolution.

To gain the greatest advantage from using OpenDNS, you need to create an account that is linked to the IP address of your network. Most often this is the IP address of the external interface of the router. OpenDNS is located at www.opendns.com. Select Start using it now… and you are allowed to create your account and specify your IP address to OpenDNS.

Once the account is created, go to the Settings tab. You will see the screen where you have the option to select the filtering level. The filtering levels are defined as:

• High – Protects against all adult-relates sites, illegal activity, social networking sites, and general time-wasters.
• Moderate – Protects against all adult-related sites and illegal activity.
• Low – Protects against pornography and phishing.
• Minimal – Protects against phishing attacks.
• None – Nothing blocked.
• Custom – Choose the categories you want to block.

Apply the settings and your network will be using OpenDNS for Internet content filtering.

Customization of the filtering level is allowed. You can whitelist certain domains so that they are never blocked. Likewise, you can blacklist certain domains so that they are always blocked.

Obviously, your network may be more complex than what is presented above. If you don’t have someone available who knows how to properly configure DNS, the OpenDNS folks have several help documents ready for you to read.

That’s about all that is required. I hope that it works well for your organization.

- Dan

Last time we discussed the need and benefits of implementing Internet content filtering. Now, we will look at some of the options available for a business or home to implement filtering and which options are best suited. Please keep in mind that this is not designed as a purchasing guide or product evaluation. It is more designed to give an idea of the possibilities.

Option 1 – Dedicated appliance

This option uses a dedicated appliance to do the filtering. A common configuration is for the filtering appliance to be installed in-line on the segment between the firewall and the protected network. This forces all traffic to pass through the device. Content inspection takes place as packets pass. The following are two examples of dedicated content filtering appliances.

• St.Bernard iPrism
• Barracuda Web Filter

Dedicated appliances may be considered reasonable for small organizations who do not have the manpower to manage a dedicated server. An advantage of this option is that it is independent of the OS used on the client machine. No software is installed on the client.

Option 2 – Dedicated server

Dedicated servers is the option chosen by organizations needing a high-level of control over the filtering. They consist of software that is installed on either a Linux or Windows server. Often they use software that “proxies” the connection from the workstation to the web site. Here are some examples of software that requires a dedicated server for content filtering.

• Dan’s Guardian
• SafeSquid
• WebSense Web Security Gateway

The dedicated server option requires an administrator that is knowledgeable of hardening the underlying operating system and can manage the software installation. This option also is independent of the OS used on the client machine. No software is installed on the client.

Option 3 – Host-level software

This option is a common personal solution. Software is installed on the client computer. It requires a separate password to make changes to the filtering level. The following are well-known examples.

• NetNanny
• CyberPatrol
• bSafeOnline
• SurfWatch

This option is best suited for the home or individual. It is dependent on the operating system of the computer.

Option 4 – Filtering services

This is fairly recent option. These services require a change to your network settings so that your requests for web pages are routed through their service. They seem to work pretty well.

• Google Apps Security Service
• OpenDNS.org

The advantage of using filtering services is that someone else is configuring and running the servers. Also, no software has to be installed on the client computer. The primary disadvantage is that this filtering solution can be straightforward to bypass if a user has complete local admin rights to their computer, and they know basic tcp/ip.

I hope this discussion helps clarify the options.

- Dan

Many companies and individuals filter their connection to the Internet. Many others allow wide-open, unfiltered access to whatever their ISP provides. While there may be some good reasons to have unfiltered access in some settings, it is wise to consider applying some filtering to the Internet connection.

Consideration should be given to these issues:

1. Policing vs protecting – This is the most basic question that must be addressed as you think about filtering. What is your objective? Are you hoping to keep you employees from surfing to the Bad Sites, or is your intention to protect them and the company?

   Unfortunately, many employees will take filtering as a statement of distrust. It is important that it be “sold” as being to their benefit that the company be protected and this be done. Employees must also realize that when at work they are about the business of advancing the company.

   Additionally, filtering can help to protect the organization and individuals from falling prey to phishing attacks. (More information on phishing can be found at Wikipedia.)

2. Productivity – Filtering the Internet has the potential to increase productivity of the staff. Let’s face it, unless there are strong policy statements against personal web surfing when at work, and the policies are backed by actions, people will naturally tend to kill time and surf non-work related sites.

   I’ve not found consistent numbers, but there are several studies that seem to suggest personal Internet use consumes a great deal of time for the American worker. Filtering, combined with strong policy, can increase productivity.

3. Liability – Minimizing exposure to liability is a must for the modern business. Any time a “hostile work environment” exists, the company is responsible. I am surprised how easy it is to have someone surf to a web site that makes someone else uncomfortable thus introducing the possibility of harassment charges.

   Instituting filtering indicates that the company is actively taking steps to promote a positive environment. It helps to reduce the possibility of harassment charges. Of course, I am not a lawyer, nor am I giving legal advice. You should seek advice and counsel from your own attorney.

So, now that you have decided to implement some sort of Internet filtering, you need to reach a point of balance in that filtering. Many options will allow filtering anything from pornography to gambling to chat sites to classified ad sites to social networking sites, and so on. Reaching a balance of what will be acceptable vis a vis unacceptable is important. Management must carefully work through this.

Once you have given due attention to those issues, and have decided to implement filtering, you need to know your options. We’ll address that in a follow-up entry.

- Dan