[REPOSTED UPON REQUEST] By Ron Benvenisti for TLS. Based on my IT professional experience of 30 years specializing in cyber-security for the last 20 of them, here’s my broad brush on Internet Filtering solutions. It would take an exhaustive review to cover this topic thoroughly, but here’s the mile high view from my perspective. Feel free to add and correct.
Basically every solution uses lists to block or allow sites and these lists are automatically updated by the providers or third parties on a regular basis to accommodate the daily spawn of unsavory content. They also allow for some leeway for certain sites and possibly individualized for the users you choose. This may be attractive to some but can also make keeping track of things somewhat tricky.
Accountability: The Buddy System
This is a great approach for those who need someone to watch over them. The key feature here is “Internet Accountability” software that monitors how you use the Internet and sends a report to the person you select such as a friend, parent or mentor. This online transparency is supposed to make you think twice about where you surf but doesn’t necessarily prevent you from doing so.
Covenant Eyes is the predominant player in its original or re-sold form like WebChaver and will cost about $9 a month for Covenant Eyes and $5 for WebChaver. If you also want filtering, that’s extra for another $1.50 a month which does not work on a Mac or Linux, only Windows. If you want to add another person to monitor that could cost another $2 a month. Annual cost: somewhere between $75 and $150 give or take. They have an “app” for Android and iPhone but it does not do filtering of websites or apps and it only works with the stock browser (which is easy to replace). For Windows Mobile and Blackberry users, sorry, no joy here.
Many have found the accountability to be a good solution but in my opinion you really should add more robust filtration for family use. Prevention is worth a pound of cure. It’s nice to get lifted out of a trap but better not to get snared in the first place. I’m not judging here, just an observation. While Covenant Eyes and its clones rely on a computer resident program as well as hooks into the network protocols of the PC they have been known to be defeated with alternative “profile” configurations and use of “other” browsers. Because it “interrupts” the network layer, it does slow network performance. Covenant Eyes is not foolproof and can be defeated through a simple technique, which I will not reveal but is easy enough for the tech-savvy teen to figure out, but for those who need to be watched and can withstand the desire to use other devices or try to break the program it can be a lifesaver.
PC Client Filter: Watchdogs and Nannies
There are several of these available from no-cost items like Blue-Coat’s K9 to pricier options like NetNanny ($30 which is the only one available also for the Mac), McAfee’s Safe Eyes and Family Protection ($50) and others with similar capabilities. They have default categories to block, typically from low to high risk and can also allow or disallow individual sites you choose. They typically have an annual subscription fee which is basically the same price over again each year.
People say they are hard to configure, and like Covenant Eyes they need to be installed on every PC and some may have a limitation of how many you can install on before needing to buy the business, corporate or enterprise version. These programs also “interrupt” the network layer which slows performance. NetNanny has an Android browser that they claim will “disable” other browsers if they try to bypass the NetNanny browser. Unfortunately there are several ways to disable and “fool” these programs, some more difficult than others, but a quick Google search will give you more than you need to know. The Android browser can be defeated in less than 5 minutes. Should you use it? I would go with BlueCoat K-9 for free for the same functionality.
Network Appliances: The Washing Machine
Positioned as an “enterprise level” device for small businesses, schools and agencies this device is placed at the network perimeter of the site. All connections must go through this device for it to be effective. I have seen this bypassed by people plugging in modems to phone lines or hopping onto unsecured wireless networks. It’s rare but it happens. SonicWall, Cisco, Barracuda, D-Link are some of the players in this field and for the most part they offer a good solution. If you have users who need certain sites that are blocked by default or other individual needs, configuring these devices and documenting the changes can be somewhat tiresome. Joe in purchasing may need to go shopping but JoAnn in human resources does not. These devices work best where static IP addresses are used, or where user profiles are associated with the permissions so that Joe and JoAnn are not mixed up on the network. These devices are hard to defeat unless they are bypassed completely through unsecured wireless networks or dial-up accounts (typically on a user’s personal laptop). I have seen instances where people have set their smart-phones up as a Wi-Fi hotspot and bypassed the device using the wireless connection on their corporate issued laptop to access the 3G/4G data connection on the smart phone. No solution is foolproof and while this is a relatively expensive solution you don’t need to be taken to the cleaners. If you have enough users it becomes cost efficient in terms of price per seat and minimizes any user workstation configuration. If you don’t need to see (or feed) another box see the below DNS solution.
Locking the Back Door
It’s quite common that families with multiple PCs need to go to a network router solution, wired or wireless. Most Internet providers deliver wireless routers that can handle any number of wireless connections whether PCs, Smartphones, iPads, etc. Typically these routers have some level of parental controls like filtering by category, blocking (black-listing) or allowing (white-listing) individual sites. It is also possible to set rules for each connected device which is not a trivial task. You need to know something about IP addresses versus MAC addresses to make this work right. If you can figure out how to set this up make sure you also enable encryption on the router and have a strong password for the connection as well as the router administrator. There have been more times than I’d like where I have found open wi-fi networks with default passwords here in Lakewood. I have had to track down the signal to the address and then notify the mostly embarrassed owners. Not only have they not filtered their connectivity, but they have left themselves open to all kinds of nasty things like identity theft and possibly worse. Lock down any router you get from the ISP or that you bought to accommodate your wireless PCs.
Caveat: Periodically check and make sure that no hard wired Ethernet cables are connected to your modem besides the one from your router. Any cables (besides the router) that are connected to the modem will bypass any filtering and security on the router.
Grand Central Censor
Services like Jnet and YeshivahNet offer server based filtering. This means that all Internet access goes through their servers. They offer a fee based service that uses pre-set black and white lists which can be over-ridden by request. Generally they charge additionally for email addresses on top of the service. Touted as providing the barest of content approved by them they will honor approved and limited requests for additional sites. Charges are around $20 to $50 a month plus installation and a modem purchase. The modem is hardwired to only go through their network so this will not protect internet data-enabled devices like smart phones, Blackberries and iPhones.
Flying on a Cloud
This is the dark horse in the race which to me is really the winner. The price is right, free (or you could opt for a few more features for about $20 a year). Similar to the Server Censors except you use your existing provider, you don’t need to do anything on the PC and it won’t slow your connection and will probably speed it up. You also cannot create individual user rules but the package is free. For most families that’s not an issue. OpenDNS Parental Controls routes your internet traffic through their internet hub servers which provide the filtering. These servers are robust DNS servers and not small proxies. They can handle tons of traffic. You can configure categories, white-lists and black-lists from any web browser anywhere at any time with your username and password. By using redundant DNS (Domain Name Server) hub servers OpenDNS is not subject to outages or lost configurations. It also provides anti-phishing, anti-virus, anti-spyware and anti-malware functionality at no additional cost. The setup takes less than 5 minutes, if you’re slow. You log into your ISP provided router and make one simple change. (Hopefully you changed the default password on your ISP router and also enabled encryption – that’s first and foremost). Once you have your free account the OpenDNS site will show you in 3 basic steps how to enable the service on any ISP or store purchased wireless or hardwired router. Since there is nothing residing on your PCs or router, configuration is done over your now protected web on their servers. There is no limit on the number of clients as they are all routed over the same network inside and outside the location.
If you need individualized configurations for different users or departments, the business and enterprise solutions would be your best choice. All OpenDNS solutions, large or small, are set up in a matter of minutes and can be configured from anywhere at any time. This is the solution that I use and recommend. It’s fast, it works, there’s no hassle and the price is right.
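Because the filtering depends on that one DNS setting, it is worth confirming from time to time that each device still resolves through the router or OpenDNS. The following is an added example, not part of the original article or any vendor's tooling: it reads the text of `/etc/resolv.conf` or of Windows `ipconfig /all` and labels every configured DNS server. The router address and both sample texts are constructed; the four resolver addresses are OpenDNS's published standard and FamilyShield servers.

```python
import ipaddress

# OpenDNS public resolvers: standard pair, then FamilyShield pair.
OPENDNS = {ipaddress.ip_address(a) for a in (
    "208.67.222.222", "208.67.220.220",
    "208.67.222.123", "208.67.220.123",
)}

def _ip(token):
    """Return an ip_address for token (IPv6 zone id dropped), else None."""
    try:
        return ipaddress.ip_address(token.strip().split("%")[0])
    except ValueError:
        return None

def configured_resolvers(text):
    """Extract DNS servers from resolv.conf or `ipconfig /all` text."""
    found, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        parts = stripped.split()
        if parts and parts[0] == "nameserver":            # resolv.conf entry
            ip, in_block = (_ip(parts[1]) if len(parts) > 1 else None), False
        elif stripped.startswith("DNS Servers") and ":" in stripped:
            ip, in_block = _ip(stripped.split(":", 1)[1]), True
        elif in_block:                                    # extra servers are
            ip = _ip(stripped)                            # listed on bare lines
            in_block = ip is not None
        else:
            ip = None
        if ip is not None and ip not in found:
            found.append(ip)
    return found

def audit(text, router_ip):
    """Label each resolver: 'opendns', 'router' or 'unfiltered'."""
    router = ipaddress.ip_address(router_ip)
    report = []
    for ip in configured_resolvers(text):
        if ip in OPENDNS:
            verdict = "opendns"
        elif ip == router:
            verdict = "router"       # filtered only if the router forwards to OpenDNS
        else:
            verdict = "unfiltered"   # lookups to this server skip the filter
        report.append((str(ip), verdict))
    return report

# Constructed sample: a Windows PC with a second, hand-entered DNS server.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# Constructed sample: a device pointed directly at FamilyShield.
SAMPLE_RESOLV = "nameserver 208.67.222.123\nnameserver 208.67.220.123\n"

if __name__ == "__main__":
    print(audit(SAMPLE_IPCONFIG, "192.168.1.1"))
    print(audit(SAMPLE_RESOLV, "192.168.1.1"))
```

A device reporting only `router` is covered as long as the router itself still points at OpenDNS; any `unfiltered` entry means that device's DNS settings were changed by hand.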
Disclaimer: I am not associated with any of the companies mentioned or any other companies providing filtering solutions. Back in 2005 when I first came to Lakewood I introduced the “Safe Web Connection” at $3.95 a month. It was a great program but believe it or not, I couldn’t give it away (although that’s what people wanted me to do!). The opinions stated herein are solely my own.
What were the (better?) features of Safe Web Connection ?
Is it still available ?
Nice Job Ron. I was not familiar with your “black horse” option before. What are the names of some providers in this category? The problem as it appears with this option, is that if the user knows the IP address of a proxy or the actual site desired, (s)he would be able to bypass this system. Either way the more we do, even if not foolproof, the better!
how do I contact Ron directly ?
Can someone chime in? I set up the OpenDNS account and set up the filtering to the medium level, and it’s letting all (moderated) come through.
k9 is available on mac
@1 At the time, SWF was excellent but like those to follow, K9 is just as good and free. I cut my losses in SWF and recommended K9.
@2 Open DNS blacklists proxies. Granted there are new ones all the time but Open DNS will block them.
@3 Through TLS
@4 You need to do step 3 in the instructions ; flush dns and browser cache.
K9 works on the Mac.
@1 Open DNS is a name server which resolves URLs to the IP address so it’s actually the IPs that are blocked!
Thank you Ron. Anybody who denies the need for a filter is just burying their head in the sand.
Unfortunately, OpenDNS service is the easiest to bypass of all the other methods since your PC can be configured to not use the DNS settings provided by the router/modem. It takes 20 seconds to bypass or to reverse the bypass.
It is, of course, better than no filters at all, but I would only recommend it as an additional line of defense or just to speed up your DNS lookups.
is this open dns good with k9? is it a stira or just redundant?
While filters are extremely important, don’t give yourself a false sense of security if you put one on.
Every one of the options listed above can be bypassed in less than 10 minutes if you know what you are doing.
That does not mean that you should not have any filtering, rather don’t believe that you/family is secure.
Could you follow up with an article about mobile options? iPhone, Android, and Blackberry.
@11 Open DNS Parental Control should be enough.
I already use K9..can you tell me if Opendns is better or the same as K9 (other than the fact that k9 needs to be on all my computers in order to work).?
I have an IPAD that I use from home with my wireless router..I currently dont have a filter on that…if I use OPENDNS, will it be filtered because my conection is coming through opendns?
If I want opendns to work properly..do I have to delete k9 on my computers, or can I run them both?
I appreciate your input..especially at this time..before we head to Citifield..I feel we should all be ready to make some changes/upgrades..not just to listen and move on.
You are partially correct. Some can and some cannot. In any case you have to make sure that your solution hasn’t been compromised from time to time which is easy enough to check. Spending more does not help here either. The only way OpenDNS can be defeated is if someone bypasses your router or hops on to your neighbor’s open wireless network.
OpenDNS has the advantage of not having to be installed on each device.
OpenDNS will filter your iPad through your home wireless router.
K9 will work with OpenDNS but it will be redundant. K9 will also slightly slow your device’s connection down. If you need to have different filtering on specific devices then K9 will do it for the specific device with or without OpenDNS.
Everyone bear in mind that many CableVision SurfBoard modems will not let you change DNS settings. In those cases you can install a wireless router and set up OpenDNS from there or set up OpenDNS in the DNS settings on each device. There are clear instructions on the OpenDNS site. If anyone needs help just contact me through TLS.
One thing I believe you’re forgetting about is that filtering is not only for your kids but for YOURSELF too. So as long as you know the OpenDNS, K9 etc. password you are not protected. The solution would be to have a friend install K9 on your computer and use his email (so if you reset the password the new one will go to him), however for OpenDNS this isn’t so practical as you wouldn’t know the password to your router and therefore won’t be able to add any devices to your wi-fi. Obviously jnet yeshivanet etc. don’t have this problem because you can’t override them even with a password, and webchaver I’m not familiar with but I’d imagine you could have a friend put on the password.
I have an optimum cable (cablevision) surfboard from Motorola..I also have another wireless router, a buffalo AOSS.. It doesn’t seem to be connecting to my Motorola when I try to connect to that modem. I tried with the Buffalo..in the instructions it says to change the WAN setting..however on my Buffalo screen it only shows me a place to change the LAN ( I’m afraid to change the wrong one). Ron, would you be able to direct me here or you can contact me at the email I made up to store this password on its [email protected]. Thanks.
I would like to do the OpenDNS thing but I’m too intimidated to tamper with DNS things on my Optimum modem…. I’ll screw it up and have to wait for an angry sweaty dude contracted by Optimum to come on Tuesday between 11AM and 6PM etc ………….
What happens when you travel (hotel, etc.)? It seems that you are not protected then as the filter is on your router not your computer. Is this correct? If so, you would still need a filter on computer itself.
Entering DNS on the PC should only be allowed by the admin. Lock users out of network config on the PC.
The eve of Rosh Chodesh Sivan today
I’m going to pray at the tomb
of the “Shal”h Hkados”, zy”a, in Tiberias
It’s a good time to pray for the boys’ education
Who wants to remind him to send me email names
What about for blackberry?
Going on any PC or laptop and clicking on “control panel”, then “internet options”, then the “content” tab, and then “enable”…
allows you to create a password that blocks any type of site from moderate to extreme, some to none. What is wrong with this simple free option that has been around with the creation of the PC as part of their systems? Correct, for oneself he knows the password he just created and he can override it, but for someone else it’s bulletproof unless they can figure out passwords, if so they should figure out the lottery numbers too, and as per oneself one can have someone else create the password for you too as mentioned above.
was this option mentioned above, was this the last one you mentioned? or am i way off target
Does opendns have a setting that can disable the Internet at a certain time…can I prevent someone from using the computer during the night..if they have the wireless password.
Are there other programs that I could install..preferably on my router that would accomplish that? I know Safe Eyes has that feature.
@27 You would need access to the BES server policies as admin.
@28 The Windows Internet options may not work with all browsers. If you are going to muck around, go to Network Connections and set the DNS in TCP/IP settings to the OpenDNS Parental Control (Family) servers and lock everyone else out of admin.
@29 Since OpenDNS is a Domain Name Server it cannot restrict times. If you have a router from your ISP (not a modem) you can set up access schedules and rules for each device there. Otherwise you would need K9 or the like to set those schedules.
A good techie can set any of these options up in an hour or less for a one-time investment that would probably cost less than a paid for solution (assuming you don’t have any virus or malware). Most of this can be done remotely without a visit or having to lug your stuff somewhere.
#27, If you need “time” controls then use K9 in conjunction with OpenDNS.
There is k9 for iPhone.
I believe there is a provider like Yeshivanet or one of the others, that has a blackberry filter which works through their enterprise program. This would mean that you would need to activate enterprise with your provider, then activate your phone on their plan.
I was told by some computer “expert” that K9 does harm to your hard drive. Is there any basis for this?
What about NativUSA? Any reviews on that?
@30 Probably wasn’t K9 unless someone tried to delete it incorrectly.
@31 Too new to review as most products are advertised but not available. So far very similar to client installed filters but way up there on the pricey side. Many features are announced but are not even available. Ambitious marketing to niche market, super-expensive newcomer to the table. Time will tell if their offerings are practical, cost efficient and effective solutions. So far it looks more like an ambitious business plan geared for an isolated niche market designed for recurring revenues and revenue generated from additional charges for each (normally expected) feature. Would need a real compelling difference to be a competitive solution in features to justify the price other than future product announcements. Wait and see….
Should be @33 and @34… numbers here are funky lately!
@20 No joy for Cablevision modems – no filter configuration parameters on board. You would need to put an inexpensive router between the modem and your PCs and configure filtration on that.
I need some help!
A group from Lakewood installed my K9 filter after the first asifa.
I need some adjustments, but do not remember the Frum Jewish organization name.
If anyone could help me with this info, I would very much appreciate it.