[REPOSTED UPON REQUEST] By Ron Benvenisti for TLS. Based on my IT professional experience of 30 years specializing in cyber-security for the last 20 of them, here’s my broad brush on Internet Filtering solutions. It would take an exhaustive review to cover this topic thoroughly, but here’s the mile high view from my perspective. Feel free to add and correct.
Basically every solution uses lists to block or allow sites and these lists are automatically updated by the providers or third parties on a regular basis to accommodate the daily spawn of unsavory content. They also allow for some leeway for certain sites and possibly individualized for the users you choose. This may be attractive to some but can also make keeping track of things somewhat tricky.
Accountability: The Buddy System
This is a great approach for those who need someone to watch over them. The key feature here is “Internet Accountability” software that monitors how you use the Internet and sends a report to the person you select such as a friend, parent or mentor. This online transparency is supposed to make you think twice about where you surf but doesn’t necessarily prevent you from doing so. Covenant Eyes is the predominant player in its original or re-sold form like WebChaver and will cost about $9 a month for Covenant Eyes and $5 for WebChaver. If you also want filtering, that’s extra for another $1.50 a month which does not work on a Mac or Linux, only Windows. If you want to add another person to monitor that could cost another $2 a month. Annual cost: somewhere between $75 and $150 give or take. They have an “app” for Android and iPhone but it does not do filtering of websites or apps and it only works with the stock browser (which is easy to replace). For Windows Mobile and Blackberry users, sorry, no joy here. Many have found the accountability to be a good solution but in my opinion you really should add more robust filtration for family use. Prevention is worth a pound of cure. It’s nice to get lifted out of a trap but better not to get snared in the first place. I’m not judging here, just an observation. While Covenant Eyes and its clones rely on a computer resident program as well as hooks into the network protocols of the PC, they have been known to be defeated with alternative “profile” configurations and use of “other” browsers. Because it “interrupts” the network layer, it does slow network performance. Covenant Eyes is not foolproof and can be defeated through a simple technique, which I will not reveal but is easy enough for the tech-savvy teen to figure out, but for those who need to be watched and can withstand the desire to use other devices or try to break the program it can be a lifesaver.
PC Client Filter: Watchdogs and Nannies
There are several of these available from no-cost items like Blue Coat’s K9 to pricier options like NetNanny ($30 which is the only one available also for the Mac), McAfee’s Safe Eyes and Family Protection ($50) and others with similar capabilities. They have default categories to block, typically from low to high risk and can also allow or disallow individual sites you choose. They typically have an annual subscription fee which is basically the same price over again each year.
People say they are hard to configure, and like Covenant Eyes they need to be installed on every PC and some may have a limitation of how many you can install on before needing to buy the business, corporate or enterprise version. These programs also “interrupt” the network layer which slows performance. NetNanny has an Android browser that they claim will “disable” other browsers if they try to bypass the NetNanny browser. Unfortunately there are several ways to disable and “fool” these programs, some more difficult than others, but a quick Google search will give you more than you need to know. The Android browser can be defeated in less than 5 minutes. Should you use it? I would go with Blue Coat K9 for free for the same functionality.
Network Appliances: The Washing Machine
Positioned as an “enterprise level” device for small businesses, schools and agencies this device is placed at the network perimeter of the site. All connections must go through this device for it to be effective. I have seen this bypassed by people plugging in modems to phone lines or hopping onto unsecured wireless networks. It’s rare but it happens. SonicWall, Cisco, Barracuda, D-Link are some of the players in this field and for the most part they offer a good solution. If you have users who need certain sites that are blocked by default or other individual needs, configuring these devices and documenting the changes can be somewhat tiresome. Joe in purchasing may need to go shopping but JoAnn in human resources does not. These devices work best where static IP addresses are used, or where user profiles are associated with the permissions so that Joe and JoAnn are not mixed up on the network. These devices are hard to defeat unless they are bypassed completely through unsecured wireless networks or dial-up accounts (typically on a user’s personal laptop). I have seen instances where people have set their smart-phones up as a Wi-Fi hotspot and bypassed the device using the wireless connection on their corporate issued laptop to access the 3G/4G data connection on the smart phone. No solution is foolproof and while this is a relatively expensive solution you don’t need to be taken to the cleaners. If you have enough users it becomes cost efficient in terms of price per seat and minimizes any user workstation configuration. If you don’t need to see (or feed) another box see the below DNS solution.
Locking the Back Door
It’s quite common that families with multiple PCs need to go to a network router solution, wired or wireless. Most Internet providers deliver wireless routers that can handle any number of wireless connections whether PCs, Smartphones, iPads, etc. Typically these routers have some level of parental controls like filtering by category, blocking (black-listing) or allowing (white-listing) individual sites. It is also possible to set rules for each connected device which is not a trivial task. You need to know something about IP addresses versus MAC addresses to make this work right. If you can figure out how to set this up make sure you also enable encryption on the router and have a strong password for the connection as well as the router administrator. There have been more times than I’d like where I have found open Wi-Fi networks with default passwords here in Lakewood. I have had to track down the signal to the address and then notify the mostly embarrassed owners. Not only have they not filtered their connectivity, but they have left themselves open to all kinds of nasty things like identity theft and possibly worse. Lock down any router you get from the ISP or that you bought to accommodate your wireless PCs.
Caveat: Periodically check and make sure that no hard wired Ethernet cables are connected to your modem besides the one from your router. Any cables (besides the router) that are connected to the modem will bypass any filtering and security on the router.
Grand Central Censor
Services like Jnet and YeshivahNet offer server based filtering. This means that all Internet access goes through their servers. They offer a fee based service that uses pre-set black and white lists which can be over-ridden by request. Generally they charge additionally for email addresses on top of the service. Touted as providing the barest of content approved by them they will honor approved and limited requests for additional sites. Charges are around $20 to $50 a month plus installation and a modem purchase. The modem is hardwired to only go through their network so this will not protect internet data-enabled devices like smart phones, Blackberries and iPhones.
Flying on a Cloud
This is the dark horse in the race which to me is really the winner. The price is right, free (or you could opt for a few more features for about $20 a year). Similar to the Server Censors except you use your existing provider, you don’t need to do anything on the PC and it won’t slow your connection and will probably speed it up. You also cannot create individual user rules but the package is free. For most families that’s not an issue. OpenDNS Parental Controls routes your internet traffic through their internet hub servers which provide the filtering. These servers are robust DNS servers and not small proxies. They can handle tons of traffic. You can configure categories, white-lists and black-lists from any web browser anywhere at any time with your username and password. By using redundant DNS hub servers (Domain Name Servers) OpenDNS is not subject to outages or lost configurations. It also provides anti-phishing, anti-virus, anti-spyware and anti-malware functionality at no additional cost. The setup takes less than 5 minutes, if you’re slow. You log into your ISP-provided router and make one simple change. (Hopefully you changed the default password on your ISP router and also enabled encryption – that’s first and foremost). Once you have your free account the OpenDNS site will show you in 3 basic steps how to enable the service on any ISP or store purchased wireless or hardwired router. Since there is nothing residing on your PCs or router, configuration is done over your now protected web on their servers. There is no limit on the number of clients as they are all routed over the same network inside and outside the location.
If you need individualized configurations for different users or departments, the business and enterprise solutions would be your best choice. All OpenDNS solutions, large or small, are set up in a matter of minutes and can be configured from anywhere at any time. This is the solution that I use and recommend. It’s fast, it works, there’s no hassle and the price is right.
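A check to run after the router change described above, added here as an example and not part of the original article: it reads a machine's resolver list (resolv.conf format) and reports whether every DNS server in it is a filtering one, since a single unfiltered fallback entry undoes the setup. The resolver addresses, the function names and the sample input are assumptions of this example; the article does not list them.

```python
import ipaddress

# OpenDNS resolver addresses as published by the provider (assumption: the
# article does not list them; confirm on your OpenDNS setup page).
FILTERING_RESOLVERS = {ipaddress.ip_address(a) for a in (
    "208.67.222.222", "208.67.220.220",   # standard service
    "208.67.222.123", "208.67.220.123")}  # FamilyShield preset

# Constructed sample: filtering resolver first, unfiltered public fallback second.
SAMPLE_MIXED = "# from DHCP\nnameserver 208.67.222.222\nnameserver 8.8.8.8  # backup\n"

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1].split("%")[0]))
            except ValueError:
                continue  # malformed address: ignore the entry
    return servers

def audit(text):
    """Classify each resolver, then give one verdict for the machine."""
    findings = []
    for ip in parse_nameservers(text):
        if ip in FILTERING_RESOLVERS:
            status = "filtered"
        elif ip.is_private or ip.is_loopback or ip.is_link_local:
            status = "local-forwarder"  # router or stub; its upstream decides
        else:
            status = "unfiltered"
        findings.append((str(ip), status))
    statuses = {s for _, s in findings}
    if not findings:
        verdict = "no-resolvers"
    elif "unfiltered" in statuses:
        verdict = "bypass-possible"  # any unfiltered entry can answer queries
    elif "local-forwarder" in statuses:
        verdict = "check-router"
    else:
        verdict = "ok"
    return verdict, findings

if __name__ == "__main__":
    print(audit(SAMPLE_MIXED))
```

On a home network most clients will report `check-router` because they point at the router itself; in that case the DNS setting on the router is the one to verify.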
Disclaimer: I am not associated with any of the companies mentioned or any other companies providing filtering solutions. Back in 2005 when I first came to Lakewood I introduced the “Safe Web Connection” at $3.95 a month. It was a great program but believe it or not, I couldn’t give it away (although that’s what people wanted me to do!). The opinions stated herein are solely my own.