Protecting young (and not so young) eyes
Yesterday I wrote about securing your network. While I know that it is by no means a complete discussion on firewalls, let’s move on to talk in a little more detail about content filtering.
Our church has the highest grade of “business class” cable Internet available. It meets and even exceeds our needs for normal Internet browsing, giving each user sufficient speed for most uses. Unfortunately, they offer no sort of content filtering on the ISP side. Translation: all pages are by default accessible to all users, even “those” sites.
Well, it takes no Einstein to realize that this isn’t a good idea for a church. In fact, it’s a downright bad idea, specifically since we offer free WiFi to anyone who requests the passkey and have a computer lab for the little kiddos.
So, what options are available for content filtration?
- Well, we could pay for client-side software for each machine. Ummm, no.
- We could switch to an ISP with content filtering built in. That’d be a great option except for the fact that we don’t have a high-speed filtered provider in our area.
- We could buy/lease a network filter like Barracuda or iPrism. These are very expensive, but they are GREAT for large organizations. Ours isn’t that big.
- So, we chose Linux. It’s free, it’s fast, it’s efficient, and did I mention free?
We’re using DansGuardian as our content filter. The open-source DansGuardian is free for all non-commercial users. The creator also has a commercial version available through the fine folks at SmoothWall, known as SmoothGuardian.
DansGuardian works well with a huge blacklist of blocked sites, but it doesn’t rely on it. In fact, you don’t even *have* to have a blacklist. See, Dans also reads the HTML of each page you view scanning for banned phrases, URLs, PICS ratings, and more. If it sees a dirty word on a page, it blocks it, whether or not it exists in a blacklist. You can see the benefits of this straight away. Thousands of pornographic and otherwise obscene pages are created daily, and no blacklist could ever hope to keep up with them.
If you haven’t already, install a content filter in your church - it may save someone from developing a horrible addiction. (By the way, parents can also use DansGuardian at home)
April 24th, 2007 at 10:42 pm
I’ve seen DansGuardian but I’ve had a hard time believing a list not put together by a company paying employees to make it, coupled with some regular expressions, could do as good a job of blocking, not to mention reporting, as a commercial solution. The commercial solutions I’ve looked at, and continue to look at, include Barracuda and iPrism along with Blue Coat products (www.bluecoat.com). I like Blue Coat the best from a “gut” perspective after reading their website, and I also like their free-for-personal-use computer-based K9 software (www.getk9.com).
With your recommendation, I may look again at DansGuardian as finances are an issue in this purchase for us. Our primary, but not only, need is to block unsavory content from being accessed over our soon-to-be-released free wifi hotspot setup, which is ready to go except for filtering and some documentation.
We also have the fastest, Business Class cable internet service from our local provider :-) However, I’m very glad they don’t provide blocking…that would likely result in an inflexible solution that would affect something legitimate (anything from mail to instant messaging or something). Our Microsoft ISA 2004 firewall provides very good inbound and outbound firewall control (outbound is locked down except for things allowed), and I’d much prefer to also do content filtering under in-house control than farm it out entirely to an ISP!
April 24th, 2007 at 11:05 pm
Good point. I’m all for flexibility myself. I’m going through a lot of pain right now with SMTP because I just had to have more flexibility over our e-mail. And it’s true in IT: what we don’t control, controls us.
You’re right about blacklists too. If a staff of dozens isn’t getting paid to manage a blacklist, it’s not going to be too good. DansGuardian directs people to http://urlblacklist.com/ for their blacklist needs. They are good, but not up to the standard of commercial products.
I have been really pleased with the performance of DansGuardian, with one caveat: it does present a lot of false positives. The day care ladies were looking for breast pumps a few days ago, and of course every page was blocked. With this comment including the phrase, this page may also get blocked. It’s weighted (like SpamAssassin), so you define the threshold. Also, like SpamAssassin, it’s a delicate balance.
I’ve had to tweak a few things. For instance, it was necessary to add Virginia to safe phrases because to DansGuardian, a page with lots of Virginia addresses looks like a page full of virgins.
Other than that, I’ve put it to several tests, and it always passes. I was looking over the logs, and noticed it blocking photos within certain sites because of their filenames. Babe-of-the-week.jpg appeared several times.
With all things Linux, try it out. If you don’t like it, send it back for a full refund.
Thanks for being the first to comment on my blog!