Useful‎ > ‎

Web Filtering

...with an emphasis on home use, and no or low cost,  for friends who ask me about keeping their kids safe.

So, you want to stop your kids stumbling upon the infamous "hello.jpg". Or the lady in the smelly bathtub, or that spinny site or...

Don't worry if you don't immediately know which sites I'm talking about. Consider yourself lucky, at some level I envy you. My wife would not be happy with some of the stuff I end up seeing as part of my job.

There are many different ways to skin this particular cat at little or no cost, each with its own particular merits.

Option 1 - Filtering Gateway

IPCop, Smoothwall, m0nowall etc. - I've even got a few suggestions about extra stuff you'll need to put on IPCop, which is what I currently use at home to share a dialup connection between a number of machines.

There are a number of free and commercial blacklists that can be used, although I suspect the commercial one is probably well worth the money; in part that's because it contains a list of kid-safe sites that could be used as a web whitelist for younger children.

The management tools for those add-ons are reasonably flexible, although I would prefer a bit more flexibility. Perhaps I've been spoiled, as I've spent the last three years at work managing a SurfControl installation and am about to get a shiny new BlueCoat Proxy SG, but in fairness the urlfilter package for IPCop does pretty much everything that even small-to-medium businesses are likely to want. Different rules for different users, at different times... it's great. If you've got a number of different machines, and want to do something like limit Facebook to between 5 and 6 pm for particular users but not everyone, you can do that.

Option 2 - Filtering Software

I assume you're probably running Windows.

BlueCoat offers the K9 Web Filter for home users, which is absolutely free. They use the same data for all their filtering systems - appliances, K9, filtering software for corporate use on travelling notebooks, the data they sell to other appliance vendors. K9 "phones home" a query about each site visited, and relies on the result to make a decision about whether to let you go there or not. If it's a site they haven't previously classified, they'll set their automated classification system loose on it and update their data accordingly. What do BlueCoat get in return? Access to details of sites visited by thousands of home users, which can be used to enhance the services they sell to their paying customers - home users will benefit from both the data they get from their network of commercial installations and data from other home users. It's not as flexible as I would like something in my home to be, and it's not centralised - if you have five computers, you'll need to install it on each one - but the data they use is excellent and it's easy enough for a home user to install. It's definitely fit-for-purpose, and a worthwhile option. It's also something that will go wherever the machine does, so if Junior takes the notebook to McDonalds after school you can be sure he'll be less popular than his friends without filtering.

Option 3 - OpenDNS

OpenDNS offers another approach, one that usually requires installing little or nothing on individual machines. It works by "hijacking" DNS lookups for sites in categories you've selected, and instead returning the address for an OpenDNS system that tells you what you tried to access and why it's blocked.  It'll require reconfiguring your DSL router to use OpenDNS instead of your ISP's DNS servers, and it'll also either need your router to support updates to dynamic DNS services or software on at least one of your machines to do that for you, as that's how OpenDNS figures out who you are and sets your filtering preferences for your IP address. All the necessary info is on the OpenDNS site and I'll stick more details here when I can be bothered (assuming you don't have me set it up for you...). The up-side is that once it's set, you don't need to do anything else to filter - and they're great at filtering out dangerous sites. The down-side is it's one-size-fits-all, and not really suited to places where you need granularity e.g. you want to keep the kids of Facebook, but you want or need to go there. If you need different filtering for different machines, you'll need to use something else - either instead, or in addition to. For what it's worth, when I finally get around to letting my kids loose on the internet, I believe I'll be going with a combination of OpenDNS (limited to phishing and malware blocking) and SquidGuard with the data (the kid-safe whitelist only, plus a few things I've vetted as the need arises, at first). That'll keep all my machines away from most of the dangerous things, and keep the kids away from the offensive and time-wasting ones.

Other Options, or at least some of them...

A number of antivirus software makers offer "internet protection suites", some of which offer web filtering and parental controls and all kinds of neat buzzword-compliant features that their marketing departments love to use to hook unsuspecting parents. Some of them are even reasonably good, apparently, and they're not going to be much more expensive than weekly updates from would be. Like K9, they'd also have the advantage of going wherever the machine goes and filtering anything they connect to - and with netbooks and notebooks getting cheaper it's likely that many kids will be taking them to McDonald's or some other place with free wifi after school, so local filtering on the machine may be important to you.

Does your head hurt yet? Good, so does mine.


Update: 2010-11-23

I am no longer using dialup; I have had 1.5Mbit ADSL since April. So, what do I do for filtering? Especially considering the always-on nature of broadband, and the need for filtering at any time, and ever-increasing power bills? Microsoft Family Safety. I'm at that point in my life where "it just works, and I don't have to think about it" is important, and until an aggressive filtering regime is no longer appropriate for my kids it's what I'll probably stick with. Or until they figure out what to do with one of Daddy's Ubuntu CDs and an ethernet cable... but then, that'll probably be one of the signs.