Web Content Filtering for K-12 School: I need some input




shadyMedia
Feb 8, 2011, 06:32 PM
Hello, as the title says, we're looking for a web content filter for our lab.

The lab is small, only 26 computers, but we also offer wireless networking, which is mostly used for teachers, but we might expand that to all others in the future.

So our setup goes like this:

ISP Modem --> Mac OSX Server (MacPro Server) --> ASANTE GX5-2400W (24-port Gigabit switch that we need to replace soonish) --> and from there to the local computers and to the APs throughout the school


The server acts as our:
-AFP
-DHCP
-DNS
-Firewall
-NAT
-Netboot
-NFS
-OD (Open Directory)
-Software Update
-VPN

We have 1 other server on the network running just AFP, and it's also an Open Directory replica.


In the past we have used Apple Parental Controls, but let's face it, that's not that great, so we looked into other options, mostly free to save cost, but they have all been very tricky and not really what we're looking for.

We really need something, either software or hardware, i.e. rack or a standalone computer. We would prefer a hardware option so if something happens not everything goes down, if you know what I mean.

We need content filtering for websites, for Google searches, and the ability to block websites and allow ones that might have been blocked.

We also want the ability to filter certain groups, such as teachers compared to students. If we could get a combo unit that handles a firewall as well, then perfect!

So if anyone has any ideas, please share.


Thanks



belvdr
Feb 8, 2011, 06:39 PM
There's always Websense, which allows you to filter by users, groups, or IPs.

On the other hand, OpenDNS is really cheap.

jedigeek5
Feb 8, 2011, 07:08 PM
K9 from BlueCoat is a good way to go. It's free for single users (I think there is per/user pricing for schools) and uses their cloud rating system for categories, allow/deny lists, Google safe search (and other search engines) and provides reporting. It is one desktop at a time however (also has an iPad/iPhone app).

www.k9webprotection.com

and yes....I do work for BlueCoat (but not K9).

pismobrat
Feb 9, 2011, 10:09 AM
I would recommend seeking a solution from Fortinet or Sonicwall.

I've overseen the network in a private K-12 school as well as an NFP organization. In both situations I've deployed Sonicwall and Fortinet.

Having a hardware content filtering system is the most ideal for overhead and manageability. The Sonicwall has been the easiest by far to implement.

I currently use an NSA-240, but depending on the scale of throughput you need, a TZ-100 and up could do the job for you.

If you want to know more, I can post some screenshots. It can be managed by groups and ACLs. You can have different filtering options per group via LDAP connectivity.

Cheers
Shawn

Les Kern
Feb 10, 2011, 08:12 AM
OpenDNS is free and does a pretty good job of blocking sites. Lock your machines down, set them and/or your DHCP server to ODNS's servers, done. It works just fine. We upgraded to the Pro version for 500 bucks. Good with most proxies, BUT will NOT block SSL https:// sites, so that to me is a huge deal-breaker. Won't block keywords, just domains. Students cracked it in seconds.

I use a SonicWall NSA firewall. They are the next step up perhaps. Not too pricey, BUT their yearly fees are. Their Intrusion Prevention is incredible, filter is fine. A little shaky on identifying proxies. REAL easy to manage. Students found holes in minutes on non-IPS sites.

For the ultimate, use a packet shaper, in my case Cymphonix. Unbreakable as far as I can see. Don't go there. $$$$$

Good luck.

Old Muley
Feb 11, 2011, 05:34 PM
We use LightSpeed Systems (http://www.lightspeedsystems.com/) at work. I don't know anything about it other than it keeps the kids and staff out of places someone thinks they shouldn't go.

Chocomonsters
Feb 19, 2011, 01:30 AM
Have you looked at a few Linux-based UTMs?

I have looked at using SonicWall and Netgear ProSecure UTM for home use, but decided against them mainly due to the high throughput penalty with all UTM features and the VPN option turned on (up to 60-90% hit). The main problem with these appliances is the lack of CPU power needed for all those UTM features and VPN.

I found software-based UTM solutions such as Astaro or Untangle to be better. I am running Astaro Security Gateway on an old Dell OptiPlex 745 Small Form Factor (Core2 Duo E6600/2.4GHz, 2 GB memory) headless. Added a second NIC card and took out the video card to save energy. Even with all antivirus, antispam, IPS, firewall, Webserver protection with proxy servers, antispyware, URL filtering, and SSL VPN for laptops and L2TP over IPSec VPN for iPhone running, there is absolutely no throughput penalty at all. It uses dual Avira and ClamAV for antivirus and allows bandwidth management for IM/P2P/Torrent, etc. My guess is that you will likely have an extra spare PC lying around at school; you can pick an appropriate level of hardware to scale up to support the number of users at school.

I found both Untangle and Astaro to be excellent, but chose Astaro as it supports more VPN options (SSL, PPTP, L2TP over IPSec, IPSec, and Cisco VPN) vs just OpenVPN for Untangle. Astaro also has a fast and excellent GUI.

I had no prior knowledge of server / UTM before implementing current setup of
ISP --> Astaro Gateway --> HP ProCurve 2848 Switch --> MacMini OSX server (DNS, DHCP, AFP, Address Book, iCal, NFS, OD, SMB, Webserver), PC's, Mac's, AP, Home Automation, and etc.

Both are free for Home usage but charge for SMB, Enterprise, and Education.

earlution
Feb 21, 2011, 10:49 AM
Hi

I think I have everything you need here and it's all free :)

Firstly, check Wazmac's (http://www.wazmac.com/index.html) site, it's a great resource for K-12 providers using OS X servers.

Most of the rest of the stuff you need can be found drilling in to this site, but for convenience:

Proxy - SquidMan (http://homepage.mac.com/adg/squidman.html)
Filter - DansGuardian (http://dansguardian.org/)
GUI for DG - WebMin (http://www.versiontracker.com/dyn/moreinfo/macosx/15800)

Wazmac's guide (http://www.wazmac.com/quickstarts/pdf/proxy/squid_dg_osx.pdf) for setting up and configuring all the above ;)

HTH

funkahdafi
Feb 21, 2011, 05:49 PM
> K9 from BlueCoat is a good way to go. It's free for single users (I think there is per/user pricing for schools) and uses their cloud rating system for categories, allow/deny lists, Google safe search (and other search engines) and provides reporting. It is one desktop at a time however (also has an iPad/iPhone app).
>
> www.k9webprotection.com
>
> and yes....I do work for BlueCoat (but not K9).

I second that recommendation. Blue Coat products are top notch and are being used by large enterprises. You might consider their smallest ProxySG model, it does much more than their K9 product and is affordable.

If you need help with that, drop me a message.

shadyMedia
Feb 21, 2011, 07:06 PM
> Hi
>
> I think I have everything you need here and it's all free :)
>
> Firstly, check Wazmac's (http://www.wazmac.com/index.html) site, it's a great resource for K-12 providers using OS X servers.
>
> Most of the rest of the stuff you need can be found drilling in to this site, but for convenience:
>
> Proxy - SquidMan (http://homepage.mac.com/adg/squidman.html)
> Filter - DansGuardian (http://dansguardian.org/)
> GUI for DG - WebMin (http://www.versiontracker.com/dyn/moreinfo/macosx/15800)
>
> Wazmac's guide (http://www.wazmac.com/quickstarts/pdf/proxy/squid_dg_osx.pdf) for setting up and configuring all the above ;)
>
> HTH

Wazmac's site is very good, but certain things are very outdated, and in this case Wazmac's walkthrough for DG and Squid is for 10.4 and finding the software is tricky.

We're looking for something that we can set up with not much work.

Though we are using WebMin now, which is very nice btw.

shadyMedia
Feb 21, 2011, 07:08 PM
> Have you looked at a few Linux-based UTMs?
>
> I have looked at using SonicWall and Netgear ProSecure UTM for home use, but decided against them mainly due to the high throughput penalty with all UTM features and the VPN option turned on (up to 60-90% hit). The main problem with these appliances is the lack of CPU power needed for all those UTM features and VPN.
>
> I found software-based UTM solutions such as Astaro or Untangle to be better. I am running Astaro Security Gateway on an old Dell OptiPlex 745 Small Form Factor (Core2 Duo E6600/2.4GHz, 2 GB memory) headless. Added a second NIC card and took out the video card to save energy. Even with all antivirus, antispam, IPS, firewall, Webserver protection with proxy servers, antispyware, URL filtering, and SSL VPN for laptops and L2TP over IPSec VPN for iPhone running, there is absolutely no throughput penalty at all. It uses dual Avira and ClamAV for antivirus and allows bandwidth management for IM/P2P/Torrent, etc. My guess is that you will likely have an extra spare PC lying around at school; you can pick an appropriate level of hardware to scale up to support the number of users at school.
>
> I found both Untangle and Astaro to be excellent, but chose Astaro as it supports more VPN options (SSL, PPTP, L2TP over IPSec, IPSec, and Cisco VPN) vs just OpenVPN for Untangle. Astaro also has a fast and excellent GUI.
>
> I had no prior knowledge of server / UTM before implementing current setup of
> ISP --> Astaro Gateway --> HP ProCurve 2848 Switch --> MacMini OSX server (DNS, DHCP, AFP, Address Book, iCal, NFS, OD, SMB, Webserver), PC's, Mac's, AP, Home Automation, and etc.
>
> Both are free for Home usage but charge for SMB, Enterprise, and Education.

I like the idea of Untangle. DL'd it yesterday, just haven't had any time to test it out. Hoping we can get it to run on a Mac, either locally or through VMware.

Airforcekid
Feb 21, 2011, 07:25 PM
> There's always Websense, which allows you to filter by users, groups, or IPs.
>
> On the other hand, OpenDNS is really cheap.

+1 for OpenDNS. Only VPNs get around it, but 99.9 percent of students have no clue what that is, and most cost them. Also, Deep Freeze is good to ensure your computers always remain like new.

albanwr
Feb 22, 2011, 05:45 AM
Try Bloxx Web Filtering, easy integration into Open Directory. www.bloxx.com
It's not cheap but good.

OpenDNS would work but tracking users is hard.

Waragainstsleep
Feb 22, 2011, 08:09 AM
You might also look at Kerio's new firewall offerings.

Cabbit
Mar 7, 2011, 08:02 AM
This may perhaps be an odd question to ask, but why filter at all? During my time in Primary (7th year school got internet) and High School we were taught not to access these sites and to exercise our own judgement.

Is it the case that students are not able to do this or outside factors that make such filtering necessary?

shadyMedia
Mar 7, 2011, 09:10 AM
> This may perhaps be an odd question to ask, but why filter at all? During my time in Primary (7th year school got internet) and High School we were taught not to access these sites and to exercise our own judgement.
>
> Is it the case that students are not able to do this or outside factors that make such filtering necessary?

Same rule applies to driving: people know they shouldn't speed but they still do. So it's easier for us to just remove the temptation. But it's nice to see some students police their own usage.