Content Filtering
-
@Markferron said in Content Filtering:
I've read a few threads in ML and, in general, people in general don't like combining firewalls and UTM devices/applications. Why is that?
This is a huge topic on its own. But basically... because you want to treat security like a production workload, not a second class citizen. You'd never run production workloads by "just throwing them on the Domain Controller", why would you do so with security functions by throwing it on your router? You wouldn't, it's not an operational approach, nor a secure one.
-
@Markferron said in Content Filtering:
@travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?
A proxy can be used for the most secure of needs. For most companies that need content filtering, DNS based is enough and that you can do with a service (a la StrongArm.io) or run yourself (a la PiHole.)
-
If you can get away with just using DNS based filtering, it is so easy.
-
If you were to use Pi-Hole, make sure your firewall is only allowing clients to use the Pi-Hole IP as their DNS server.
Another option, is PaloAlto URL Filtering Web Security.
https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/url-filtering-pandb.html
-
A couple options I’ve used that work pretty well and are very affordable:
And https://nxfilter.org if you want something self-hosted.
-
@syko24 said in Content Filtering:
A couple options I’ve used that work pretty well and are very affordable:
And https://nxfilter.org if you want something self-hosted.
I have a client using DNSFilter as one of its security layers. So far, so good. And yes, very affordable.
-
I have used Untangle Content Filtering but it means another network device, and while not DNS based it does content filtering and can do tracking by username and password if connected to LDAP.
-
The post that @DustinB3403 was referring to is this one
https://mangolassi.it/topic/16905/add-porn-blocking-to-your-pi-hole/
-
@scottalanmiller said in Content Filtering:
@Markferron said in Content Filtering:
@travisdh1 I guess a proxy sounds right. I've never messed with one other than the one on my pfsense router at home. What would that look like? A static route to the proxy server from the firewall, I'm assuming?
A proxy can be used for the most secure of needs. For most companies that need content filtering, DNS based is enough and that you can do with a service (a la StrongArm.io) or run yourself (a la PiHole.)
I set up a whitelist-only Squid proxy server for certain user subnets, along with SARG for reporting, which is freaking awesome.
It works great, with so many more options and granularity freedom. You can also subscribe to some filtering lists to use on your Squid proxy too if you need that.
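The two filtering approaches discussed in this thread, a Pi-Hole style DNS sinkhole (denylist) and a whitelist-only Squid proxy (allowlist), come down to the same primitive: matching a requested hostname against a list of domain patterns. The following is an added example, not code from Pi-Hole, Squid or anyone in this thread, showing both policies built on one matcher. The blocklist text, the wildcard entries and the allowlist are constructed sample data; the leading-dot convention (`.example.com` covers the domain and all its subdomains, a bare name matches exactly) follows the one Squid documents for `dstdomain` ACLs, and the hosts-file parser only mirrors the common adlist format rather than Pi-Hole's own gravity loader.

```python
from __future__ import annotations

# Constructed sample blocklist in hosts-file format (the format most adlists use).
SAMPLE_BLOCKLIST = """\
# comment line
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
127.0.0.1 localhost
0.0.0.0 Mixed.Case.example.
"""

# Constructed wildcard entries: a leading dot covers the domain and every subdomain.
SAMPLE_WILDCARDS = [".telemetry.example"]

# Constructed allowlist for the whitelist-only proxy: bare name = exact only,
# leading dot = domain plus all subdomains (Squid dstdomain semantics).
SAMPLE_ALLOWLIST = ["example.com", ".corp-apps.example"]

# Address returned for blocked names; the client gets an unroutable answer instead of NXDOMAIN.
SINKHOLE_IP = "0.0.0.0"

# Hosts-file names that never belong in a blocklist.
IGNORED_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().lower().rstrip(".")


def domain_matches(name: str, pattern: str) -> bool:
    """Leading-dot pattern matches the domain itself and every subdomain;
    a bare pattern matches only that exact name (no accidental prefix matches:
    '.telemetry.example' must not match 'nottelemetry.example')."""
    name = normalize(name)
    pattern = normalize(pattern)
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def parse_hosts_blocklist(text: str) -> set[str]:
    """Parse 'address hostname [hostname...]' lines, dropping comments and local aliases."""
    names: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is not a rule
        for host in parts[1:]:
            host = normalize(host)
            if host and host not in IGNORED_HOSTS:
                names.add(host)
    return names


def dns_answer(qname: str, exact: set[str], wildcards: list[str]) -> str | None:
    """DNS sinkhole policy: return SINKHOLE_IP if the query is blocked, else None
    meaning 'forward upstream as usual'. Exact entries are an O(1) set lookup;
    wildcard entries are checked with the suffix matcher."""
    q = normalize(qname)
    if q in exact or any(domain_matches(q, w) for w in wildcards):
        return SINKHOLE_IP
    return None


def proxy_allows(host: str, allowlist: list[str]) -> bool:
    """Whitelist-only proxy policy: deny unless the destination matches an allowlist entry."""
    return any(domain_matches(host, entry) for entry in allowlist)


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for name in ["ADS.example.net.", "sub.ads.example.net", "a.b.telemetry.example", "www.example.com"]:
        print(f"{name:28} dns={dns_answer(name, blocked, SAMPLE_WILDCARDS)!s:8} "
              f"proxy_allowed={proxy_allows(name, SAMPLE_ALLOWLIST)}")
```

Two behaviours are worth noticing when running it: `sub.ads.example.net` is not blocked by the DNS policy because hosts-file entries are exact, so covering subdomains needs a wildcard entry; and `www.example.com` is denied by the proxy even though `example.com` is allowlisted, because a bare allowlist entry matches only that exact host. Both are the usual source of "why is this still getting through" tickets with either tool.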
-
An inline device might be a bit easier to handle for transparent proxying.
UBNT Router --> Web Proxy Device --> Rest of the network.