Content filtering for an enterprise network or educational institution can be a mandatory requirement in many institutions and organizations. Besides filtering web content by category, content control/filtering software can also help us filter out malware and virus sites, unwanted advertisements, etc. Finding the right product and making it work for your organization can be a challenge. Click to find a list of content control software. When I first tried to implement a content filtering system in my organization, the biggest challenge was to find the right product and get a demo running to check the integration aspects. After spending a significant amount of time identifying a content filtering system that best fits my organization, I did not get enough support from the local vendors. So later on I decided to go with Squid Proxy with SquidGuard (something I used before). This works out very well for me. Besides being a little heavy on the administration side, I do not have much to complain about. This content filter can sit on the network as a proxy server and filter all web traffic as per the organization's policy.
Educational institutions in many parts of the world are bound by law to protect children from inappropriate Internet content. In business organizations, or organizations of any type, Internet resources can be filtered for unwanted advertisements, malware, viruses, pornography sites, etc. Web content filtering or content control software is a smart way to address these issues, help enforce the organization's policy, and protect the network and its users.
Some of the categories that can be used to guide browsing behavior are the following:
Advertisements, automobile, dating, education, gamble, hobby, isp, models, podcasts, recreation, ringtones, shopping, updatesites, weapons, webtv, aggressive, chat, downloads, finance, homestyle, jobsearch, movies, politics, redirector, science, socialnetwork, urlshortener, webmail, alcohol, drugs, fortunetelling, government, hospitals, library, music, pornography, religion, searchengines, spyware, violence, webphone, anonymous vpn, hacking, imagehosting, military, news, radio, tv, remotecontrol, sex, tracker, warez, webradio and more. These lists can be used to allow or disallow certain categories of sites.
A variety of content filtering software is available that sits on the gateway and keeps the enterprise network secure.
There are three major web content filtering techniques that we can use for network-wide filtering:
- URL/host-based content filters, which can work with a proxy server. Example: SquidGuard (GPL)
- DNS-based content filters, where a DNS server maintains various content types. Example: OpenDNS
- A smart system where the content software tries to analyze the text and understand the content type. Example: DansGuardian (GPL)
In this post, I shall discuss content filtering with SquidGuard as an overview. I shall also refer to the full technical documentation you can use to make this implementation work.
When we use SquidGuard as content filtering software, we use Squid as the proxy server and a categorized blacklist to filter content against. All of these can be installed on the content filtering server. This design assumes all web traffic goes through the proxy server to be filtered.
To make this configuration transparent to the client, we need to find a way to make all web clients pass their traffic through the proxy server. There are two techniques we can use.
- Use a transparent proxy
- Use a proxy auto-configuration (PAC) file with the Web Proxy Autodiscovery Protocol (WPAD) (works well for an enterprise network)
Option one (1), a transparent proxy, works well with HTTP traffic (traffic without any encryption); however, setting up a transparent proxy can be troublesome. See the example of a Squid transparent proxy for HTTPS/SSL traffic.
Option two (2) is our preferred option: using a PAC file and WPAD to distribute the proxy configuration to all web clients on the network. In this case the PAC file stores all client-side proxy configuration, while WPAD tells the browser how to find the PAC file on the network.
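As an added example (not from the original post), here is a small PAC file of the kind WPAD would hand out. The proxy host `proxy.example.lan:3128`, the domain `.example.lan` and the 10.0.0.0/8 range are assumed placeholders. Intranet destinations go direct and everything else goes to Squid, with no direct fallback, so a proxy outage cannot bypass the filter.

```javascript
// Added example: proxy.pac / wpad.dat for the Squid + SquidGuard host.
// Constructed placeholders: proxy.example.lan:3128, .example.lan, 10.0.0.0/8.
var SQUID = "PROXY proxy.example.lan:3128";

// Browsers provide the PAC helpers. These fallbacks exist only so the file
// can be exercised with Node before it is published.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    var tail = host.length - domain.length;
    return tail >= 0 && host.indexOf(domain, tail) === tail;
  };
  globalThis.isInNet = function (ip, net, mask) {
    function toInt(quad) {
      return quad.split(".").reduce(function (acc, octet) {
        return acc * 256 + parseInt(octet, 10);
      }, 0);
    }
    // >>> 0 keeps the 32-bit AND result unsigned for comparison.
    return ((toInt(ip) & toInt(mask)) >>> 0) ===
           ((toInt(net) & toInt(mask)) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);

  // Intranet names and loopback never leave the LAN, so skip the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.lan") ||
      host === "127.0.0.1") {
    return "DIRECT";
  }
  // Test literal addresses only: isInNet() on a name forces a DNS lookup
  // for every request.
  if (isIpLiteral && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if Squid is unreachable the request fails
  // instead of silently bypassing SquidGuard.
  return SQUID;
}
```

With WPAD, browsers conventionally look for this file at `http://wpad.<domain>/wpad.dat`, served with the MIME type `application/x-ns-proxy-autoconfig`.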
This makes all the traffic on the network pass through the proxy server. We used SquidGuard as the content filtering application. SquidGuard can have multiple access lists based on an IP address or a range of IP addresses. SquidGuard is a URL rewriting application, which uses its database to filter web content. Follow the link for a step-by-step SquidGuard implementation how-to.
To summarize, setting up content control software / web content filtering using SquidGuard for an enterprise network can be done in a few simple steps:
- Setting up a Squid server
- Setting up SquidGuard with a blacklist
- Setting up a PAC file appropriate for your network
- Setting up WPAD to distribute the PAC file to all web clients on the network
This setup works well for an educational institution, as no licensing fee is applicable and all the code is under the GPL. It can also work for any enterprise organization.