How do you approach blocking bad websites (malicious sites, porn, etc.) at the ISP level?
Wait... porn is bad? – chaos Jun 08 '09 at 21:07
@chaos, yes, it is bad in some regions like the Middle East and other Muslim nations. – Mohamed Jun 08 '09 at 21:13
4 Answers
A simple and free solution would be to point the DNS servers to OpenDNS.
At OpenDNS, you, the admin, can set up an account (free), and then go through a very simple process to block websites based on 20 or so predefined categories that they have set up.
The nice thing is that they update the list of websites every day, so it's automatic for you and your users.

The problem with a DNS-based solution is that the customer can just change their DNS settings to use one that won't impose those restrictions (unless you block DNS packets to everyone but OpenDNS), and you put a mission-critical service in someone else's hands. – Justin Scott Jun 08 '09 at 21:52
This is not a solution to *STOP* it; there is no way to do that... even if you blocked every other DNS provider and every porn site, there are still hundreds of thousands of proxy sites. – Unkwntech Jun 08 '09 at 22:16
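The OpenDNS answer above works by having the resolver hand back the address of a block page for names in a blocked category instead of the real address. The following is an added example of that mechanism (a DNS sinkhole), not code from the original post or from OpenDNS: it parses a UDP DNS query with only the standard library, forges an A answer pointing at an assumed internal block-page address for names under an assumed block list, and relays everything else to an upstream resolver. The domain names, the block-page address and the upstream address are all placeholders chosen for the example. As Justin Scott's comment notes, this only holds if the ISP also forces customer port-53 traffic to its own resolvers; the sinkhole itself cannot stop a customer who reaches another resolver.

```python
import socket
import struct
from typing import Optional, Tuple

# Constructed policy for this example (assumptions, not real ISP data):
# domains to block (matched as suffixes, so sub.adult.example is blocked too)
# and the address of the ISP's internal "this site is blocked" web page.
BLOCKED_SUFFIXES = {"malware.example", "adult.example"}
BLOCK_PAGE_IP = "192.0.2.10"
BLOCK_TTL = 60  # short TTL so that unblocking a site takes effect quickly


def is_blocked(name: str) -> bool:
    """True if name or any parent domain is on the block list."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_SUFFIXES for i in range(len(labels)))


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal recursive DNS query (used to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes) -> Tuple[int, str, int, int, bytes]:
    """Return (txid, qname, qtype, qclass, raw question section) of a query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compressed label in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def sinkhole_response(packet: bytes) -> Optional[bytes]:
    """Forge an answer for blocked names; None means 'relay upstream as usual'."""
    txid, name, qtype, qclass, question = parse_question(packet)
    if not is_blocked(name):
        return None
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    if qtype != 1 or qclass != 1:
        # Blocked name but not an IN A query: answer NOERROR with no records
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # Answer RR: name pointer to offset 12 (the qname), type A, class IN, TTL, rdlength 4
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, BLOCK_TTL, 4)
    rdata = bytes(int(o) for o in BLOCK_PAGE_IP.split("."))
    return header + question + rr + rdata


def answered_ip(response: bytes) -> Optional[str]:
    """Extract the A record address from a single-answer response (for checking)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return ".".join(str(b) for b in response[-4:]) if ancount else None


def serve(listen=("0.0.0.0", 5353), upstream=("192.0.2.1", 53)) -> None:
    """UDP loop: answer blocked names locally, relay everything else upstream.
    The upstream address is a placeholder; point it at the ISP's real resolver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        packet, client = sock.recvfrom(4096)
        try:
            reply = sinkhole_response(packet)
        except (ValueError, IndexError):
            continue  # malformed query: drop it
        if reply is None:
            relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            relay.settimeout(2)
            try:
                relay.sendto(packet, upstream)
                reply = relay.recv(4096)
            except socket.timeout:
                continue
            finally:
                relay.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Run it as a script to get a listening sinkhole on UDP 5353, or import it and call `sinkhole_response()` on raw query bytes. The response copies the query's transaction ID and question section, as a resolver must, and uses a short TTL so that removing a site from the list does not leave clients cached on the block page for long.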
Sounds tricky:
- How do you define "bad"? If you have some criteria, they would need to be agreed by all your users, otherwise you'd be blocking something they might want.
- How do you maintain the database of what's "good" and "bad" ? New web sites are created every day, and "good" ones change into "bad" ones and vice versa.
Surely you're saying
"I want to impose an arbitrary policy on my users"
There are plenty of products out there which will do that on the basis of categorisation (which is much more fine-grained than "good" or "bad"), heuristics (looking for undesirable content or malware) and signatures (which is useful for anti-malware).
There is a multi-gazillion dollar industry providing software, appliances and managed services to manage web client policy, which of course you are free to pay for and use. Licensing is normally per-seat, so if you intend to use it for a large user base, it's going to get expensive.

MarkR is right. This is a tricky topic. Once you agree on or impose what you consider bad or good, you can give Astaro Software a try. Astaro is a firewall system; they have a free version, a personal version and a small business version. The system is pretty impressive. One of the really nice things is the content blocking system: it is based on categories, like Richard pointed out, and is kept up to date by a third party.
I am not a sales rep or gaining anything from this Astaro company, just giving the input because I have used it.
I hope you find your solution!

As an Astaro customer, I don't know if their devices would be robust enough to run at the ISP level. Maybe a cluster of them in active/active mode to handle the load, but I'm not sure I would trust an entire ISP to their device (unless it were a bunch of dialup customers, then maybe, but not broadband). – Justin Scott Jun 08 '09 at 21:49
Hello Justin: Thanks for the explanation. I did not understand at the beginning that you were an ISP; I thought you meant by "ISP level" the edge of your network. Sorry for that. You are right, Astaro will not work at the ISP level. Maybe you should consider WCCP if using Cisco and a good caching mechanism like Squid. – Geo Jun 08 '09 at 22:01
If you're the ISP, you can blackhole the IP addresses of the offending sites at your router(s) which will cause your customer traffic to get dropped before it leaves your network. An alternative may be to redirect that traffic to an internal server which responds to web requests with a "we're sorry, this is blocked" type of message with a link to your blocking policies. This approach, of course, would require you to identify and block those IP addresses individually.
If you want something more robust, there are a number of companies that produce and license filtering devices that you can put inline within your network that will monitor the traffic and block based on content type. One such device is Webliant (never used it personally), though there are others if you look for them.
