Friday, December 5, 2008

Home Content Filtering

If your family is like many others these days, you may have home network instead of just a home computer. And if you do, it's probable that your kids have a computer to use or even their own, and you're concerned about all the dark places they might venture into, whether intentionally or accidentally.

I'm going to address home content filtering from a network security professional’s standpoint. In network security, a foundational concept is security in-depth. That simply means you protect your network assets in layers, so if a malicious attack is launched at you, it has to defeat multiple technologies to succeed. This might be access lists on your edge router, then a firewall, an IDS/IPS, an application firewall, a host based intrusion detection and all the hardening and limiting of access you did on your server. You still might get popped if the attacker is good, but you should at least be alerted it's happening so you can shut it down, even if only after the attack has occurred.

Applying this concept to home content filtering (blocking access to objectionable material), we can stop the traffic at multiple places, in multiple ways. This isn't a silver bullet that can ensure your kids (especially older ones) will never circumvent your controls, but it's a strong deterrent for all but the most determined teenager hacker, and will certainly stop most accidental and unintentional misclicking.

By the way, if you have a teen who's rigidly set on surfing porn or visiting anarchist or hate sites, you have to know he/she will just go elsewhere to do their surfing (like the local library, a friend’s house or an Internet cafe). You have bigger problems than can be addressed here and need a different kind of help. Consult your pastor or rabbi or a counselor you trust.

On to the steps...
1) Internet filtering software. This is the one most folks know about, the typical "Net Nanny" software you install directly on the computer that looks at URL's and keywords and blocks access to sites. Be aware that even though it's a layer of security, it's a pretty weak one, especially if you don't block access to anonymizer sites (Web sites you log onto that proxy your surfing and actually pull down the Web pages for you and send them back to your machine). Kids as young third and fourth graders trade tips on the playground on how to evade net filtering. It's still a layer, though, and will keep very young children from accidentally clicking on the wrong link.

2) Your home cable/DSL router. Most modern home routers have some sort of filtering technology built into them that allow you to block sites by keyword, or add your own URL's or IP's to block. You can get some false positives with this, like anything, but newer ones will allow you to override the block with a password. (By the way, DON’T have Internet Explorer remember your password to your router. Make it a good password, and if you must write it down, store in a place you know no one else should ever find, or you defeat the purpose of using the filters.

3) OpenDNS. Instead of using your ISP's DNS servers to resolve names to IP addresses (the whole Internet depends on this function to surf by human friendly names instead of having to know the IP address of every site you want to visit), you can use OpenDNS. This is a (free) DNS service you can point your PC or router at to provide this service. There are several advantages to this. One, OpenDNS can block phishing sites you may be enticed to go to that have been set up to steal your login info or credit card information. Secondly, OpenDNS can keep track of stats and logs of your surfing, if you have need of or are interested in that type of data. And finally the third reason, and the one that applies to content filtering, is that OpenDNS allows you to choose levels of filtering (and customize those levels) by categories of sites you don't want to allow through. If for example you have chosen to block Playboy and someone tries to go to that site, they will get a nice block page instead. If the person believes they should be able to access a page, they can flag the site for review or send an email to the administrator (you) accessing to be allowed.

All of these are layers, and are mostly effective to keep the accidental access from happening, or to keep a younger but increasingly curious child from making bad decisions.

Who knows, though, if you have a problem teen and he sees all the trouble you’ve gone to to try and protect him from himself, it just might make a difference.

No comments:

Blog Archive