Alternate Approaches to Clean Web browsing for a Home or Small Office

By Paul Zwierzynski September 2010

There are a number of moral, legal and practical reasons why you ought to be filtering out pornographic and other bad content on your office and home Internet connections. Logical places to install a filter are on each PC, on your Internet router, at your ISP's office and, not so obviously, on your DNS server. There are a lot of options, including my recommendation of two different FREE approaches: using OpenDNS.com and using Dansguardian on IPCop.

Option 1 - PC based filtering software

Firstly, you might want to consider the obvious approach of installing software on each of your computers. I don't favor this approach because of its potential disadvantages: it eats up your time, it can mess up your operating system(s), decentralization makes maintenance a problem, and users may discover they can uninstall it. These products won't install on your Xbox 360, Wii or other non-PC devices you might have on your network. This may be the best solution if you have a single computer that connects using a dial-up modem. Some helpful evaluations and recommendations can be found here:

http://www.usnetizen.com/parental-control.php
and here:
http://www.safefamilies.org/SoftwareTools.php
http://internet-filter-review.toptenreviews.com/index.html

This isn't mentioned above, but Blue Coat offers free K-9 Web Protection for home users. There is a PC and a Mac version.
http://www1.k9webprotection.com/

Option 2 - Have your ISP Filter for You

There are a few ISPs who will filter content for you. Since everything coming to you has to pass through your ISP, this can be an excellent point to do the filtering for a home Internet connection. It has the advantage that all the hardware and software are at your ISP's office and can't be tampered with, making it difficult to bypass. Everyone in your home will get the same filtering rules. These ISPs will typically cost you a bit more per month than other ISPs, and you may not be able to find one who services your area. The safefamilies.org link above lists some. Another place to start looking is:
http://www.google.com/Top/Computers/Internet/Access_Providers/Filtered/



Option 3 - Use OpenDNS.com

I'll cover this in detail, because it's a simple, free option which doesn't require any special hardware or software. If you don't have the money or expertise to do anything more, at least you can set up OpenDNS.

(All this assumes you've got some sort of firewall solution already for your Internet connection. OpenDNS doesn't do anything for you besides content filtering.)

OpenDNS provides customizable blacklist-based filtering of DNS lookups from your network. You set up your computer or network to use their DNS servers instead of the DNS servers at your ISP. It works because before you can view http://www.google.com/maps your computer has to look up (via DNS) the correct IP number for www.google.com. If the DNS server returns an incorrect IP number, you don't get the page you were looking for. (Instead you get a web page with some ads, and OpenDNS makes a tiny bit of money, allowing them to offer this free service.) Although a user could still pull down a banned web page if he knew the correct IP number, in practice this is quite effective at blocking most things.

There are two steps to making this work.

  1. Set your computers to use openDNS.com's DNS servers instead of your ISP's DNS servers.

  2. Tell OpenDNS which blacklists to apply for your computers.

For most home and small networks, step 1 means you'll log into your firewall/router and tell it to use:
Primary DNS server: 208.67.222.222
Secondary DNS server: 208.67.220.220
The next time computers on your network reboot or reconnect, they will start using OpenDNS's servers.

Step 2 requires you, the network administrator, to create an account at http://www.opendns.com/start/ (choose the basic option). Their computers will notice what IP number you're coming from and apply the blacklists you choose to all requests coming from that network. You can also choose to pay them and get no ads and a couple of extra features.

Problems and limitations with OpenDNS

  1. It's easy to bypass unless you add firewall rules. If one of the users on your network manually changes the DNS settings on his computer to your ISP's DNS server, no filtering will occur.
    However, you can prevent users from doing this by configuring your firewall to block outbound traffic going to port 53 (DNS servers listen on port 53) unless it's headed to OpenDNS's servers at 208.67.222.222 or 208.67.220.220. Some inexpensive home firewall/routers can do this; any office-grade firewall should have this capability.

  2. Business-class broadband connections usually have fixed IP numbers, but consumer broadband connections often don't. Since OpenDNS looks at the IP number your DNS requests are coming from to determine which blacklists to apply, when your IP number changes, your blacklists won't be applied anymore.
    If your ISP doesn't give you a fixed IP number, you'll need to install a special client on one of your computers that alerts OpenDNS every time your IP number changes. There are Mac and Windows versions. See: http://www.opendns.com/support/article/109

  3. Every computer on your network gets the same filtering rules. You can't have one set of rules for the kiddies and another for the adults.

  4. Although you can log into your account on OpenDNS.com and view how many attempts have been blocked recently, which is helpful, you have no visibility into which machines on your network were involved.
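Limitation 1 above says the fix is a firewall rule that only lets port 53 traffic reach the two OpenDNS servers. As an added example (not from the article), here is what that looks like on a Linux-based router using iptables; it assumes the LAN side is interface eth1 and that the router's own DNS setting already points at OpenDNS as in step 1. It prints the commands by default and only loads them when run as root with --apply.

```shell
#!/bin/sh
# Added example, not from the article: restrict LAN DNS traffic to OpenDNS so
# that changing the DNS setting on a PC does not bypass the filter.
# Assumptions: a Linux router with iptables; the LAN side is interface $LAN_IF.
# Dry run by default (prints the commands); "--apply" runs them (needs root).

LAN_IF="${LAN_IF:-eth1}"                # assumed LAN-side interface name
OPENDNS="208.67.222.222 208.67.220.220" # the two OpenDNS resolvers from step 1

# Emit the iptables commands. A dedicated chain DNS_EGRESS is inserted at the
# top of FORWARD so an existing catch-all ACCEPT rule cannot short-circuit it.
dns_egress_rules() {
    echo "iptables -N DNS_EGRESS 2>/dev/null || iptables -F DNS_EGRESS"
    for proto in udp tcp; do   # DNS normally uses UDP, and TCP for large replies
        echo "iptables -I FORWARD 1 -i $LAN_IF -p $proto --dport 53 -j DNS_EGRESS"
    done
    for ip in $OPENDNS; do
        echo "iptables -A DNS_EGRESS -d $ip -j ACCEPT"
    done
    # Log the attempt first (the source address in the log shows which LAN
    # machine tried to use another DNS server), then drop it.
    echo "iptables -A DNS_EGRESS -m limit --limit 6/min -j LOG --log-prefix \"DNS-BYPASS: \""
    echo "iptables -A DNS_EGRESS -j DROP"
}

# Count emitted rules with a given target, e.g. count_target ACCEPT gives 2.
count_target() {
    dns_egress_rules | grep -c -- "-j $1"
}

if [ "${1:-}" = "--apply" ]; then
    dns_egress_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
    dns_egress_rules
fi
```

Dropped packets show up in the kernel log with the DNS-BYPASS prefix, which gives you the per-machine visibility that OpenDNS's own reports lack.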

Note: If you already have a Windows server on your network which is always turned on, you can perform a similar service to OpenDNS running on your own server using an inexpensive software package called DNS Redirector (http://www.dnsredirector.com). You get better control and reporting of which machines on your network are making bad requests.

Option 4 - Use a Hardware Firewall that Provides Content Filtering

In recent years there have been a number of often short-lived home routers on the market which do content filtering by checking URLs against an online database. These devices can protect a whole network at once and still run on lightweight hardware because the blacklist database is maintained on a server on the Internet. You pay a yearly subscription fee and your router checks on the fly every URL it downloads, getting a thumbs up or down from the master blacklist. This system is entirely dependent on the completeness and accuracy of the online blacklist. Your subscription fee pays for the work to keep that database up to date. Likely I've missed some, but the devices I'm aware of on the U.S. market currently (September 2010) are:

D-link SecureSpot 2.0 service

This will run on its DIR-625, DIR-628 and DIR-655 wireless N routers, or on a DSD-150 pocket-sized appliance. You need to pay ~$80 per year for your SecureSpot subscription, which will provide content filtering for any and all devices on your network.

The Zyxel ZyWALL firewall router series with Dynamic content filtering

Zywall routers use an external blacklist service. The low-end Zywall 2 Plus sells for ~$170 with one year of filtering included. Filtering subscriptions cost around $80 per year after the first year. Prices go up from there for their higher-end firewalls.

Phantom's iBoss home wireless router

The ~$50 iBoss home wireless router distinguishes itself by offering not only content filtering (~$60/year subscription) but also time-based controls. You can, for instance, set the kids' computer and the Wii to only get Internet access from 4 to 8 PM. This could be very useful for some folks. They also make an iBoss Pro model which may be more useful for an office; their literature doesn't give details about the differences. It costs ~$170 plus $250 per year for the subscription.

Option 5 - Build a Free filtering firewall that runs on old PC hardware

There are a number of free firewall software projects which are a minimal version of a Linux or free Unix variant with a web interface for control. They are similar to any commercial firewall appliance, except you provide the hardware to run on: an old PC. IPCop is one of these firewall distributions. As part of my job with a non-profit organization I maintain the Cop+ addon for IPCop, which provides a simple way to add the free open source Dansguardian content filter to an IPCop firewall.

IPCop with Cop+ addon

IPCop with Cop+ needs a ~600 MHz or faster PC with at least 128 MB RAM and two network cards installed to serve as your router. This computer sits between your Internet cable or DSL modem and the rest of your network, where you normally would put a commercial router appliance. After installing IPCop you can no longer use this PC for checking your email or running MS Word etc. In fact it no longer needs a keyboard and monitor; it just sits in the corner and guards your network.


IPCop provides "just enough" for a home or small office setting with simple setup and maintenance. The web interface is simple and there are not a lot of things for a non-techie to learn. In addition, for my organization there is a killer app for IPCop: an addon called Update Accelerator, which is a big help to remote offices with a lot of machines but limited Internet bandwidth. If an office has a dozen or more computers getting Windows updates and virus updates daily, Update Accelerator can save huge amounts of bandwidth by caching the updates.

Blacklists for use with Dansguardian are available for free from a few places, but I recommend the extensive lists available for a small fee from urlblacklist.com. The Services -- Content Filter page in the IPCop GUI allows you to configure your blacklist source. Dansguardian is different from most other content filters in that it will work well even without any blacklists at all. Dansguardian provides powerful filtering beyond the use of blacklists by examining the contents of every web page for questionable words and phrases before letting it through.

Other Free Firewall Distributions with content filtering and more

The firewalls below include Dansguardian or other content filtering, plus other additions like spam filtering and scanners for viruses or other malware. To do these things you need frequent updates of signature data or rulesets. How you get these updates depends on the firewall. There may be costs involved, and these services will certainly need frequent attention from an administrator.

If you need the extra features, you probably need a trained network guy to take advantage of their power and manage them. From a security standpoint, it would be preferable to run these services on a separate server NOT on your firewall; of course, the same is true about Dansguardian.

Below is my personal assessment, which is based on reviewing their web sites, user manuals and user forums. It is NOT based on using any of them on a real network; I'm not an authority on any of them. For bigger networks, one of them might meet your needs better than IPCop.

Endian Firewall (Community Version)

http://www.endian.com/en/community/download/
Endian Community edition is the free version of the software they sell as a hardware appliance with support services. Includes Dansguardian content filter and a set of blacklists in the install image.

Originally based on IPCop, but more complicated than IPCop because of additional features, which you might want:

No automatic updates to blacklists. (On Free version)
No update accelerator.

ClearOS (Formerly known as Clark Connect)

http://www.clearfoundation.com/Software/overview.html
Unlike the old Clark Connect and most other firewall projects, the FREE version of ClearOS is NOT a cut-down version of their commercial product; it is the same product. They are trying to make their money selling the services you need: virus updates, blacklist updates, tech support and penetration testing. ClearOS aims to be both a firewall and an office server, serving up files and mail for you as well as protecting your network. Security-wise that increases your risk and I can't recommend it. However, you could use it just for your firewall. Dansguardian content filtering is included by default. ClearOS is well documented and has a large community. Also includes:

No automatic updates to blacklists, virus definitions or antispam unless you pay for those services.
No Update Accelerator.

Untangle firewall (Free version)

http://www.untangle.com/
The Untangle firewall Free version includes a lot of capabilities. If you later decide you want to pay for and add additional capabilities, you just add modules and subscriptions. I'll describe the free stuff, but it can do more if you've got the cash.

Free content filtering does not examine pages like Dansguardian does. It blocks based on blacklists or MIME type and file extensions. The blocked page has embedded ads in an attempt to generate revenue for Untangle. The blacklists are community maintained; their quality and size are undocumented. Significant Untangle features that aren't currently in IPCop:

No Update Accelerator

Zeroshell

http://www.zeroshell.net/eng/
"Swiss Army knife" Linux router distribution. Runs from a CD.
One-man distro; very hackerish; not for neophytes.
Dansguardian needs to be manually patched in.

If you're familiar with Linux and networking details, Zeroshell can do most anything: load sharing, captive portal, RADIUS server, Kerberos, Dansguardian, layer 7 protocol shaping, etc.

No Update Accelerator.