Content control tools restrict access to specific kinds of Web content, for example pornography or material that is deemed inappropriate in an organization. Most corporate environments run large-scale proxy appliances or software that not only controls employee access to Web content but also conducts virus scans and protects against malicious content. These are often combined with tools deployed on local clients like Microsoft’s Windows Defender, Check Point’s Endpoint Security, Symantec’s Protection Suite or McAfee’s Total Protection that provide security from viruses and malware. In small office and home environments an organization may rely on a solution provided by a third party or an ISP, sometimes supplemented with locally installed client-side tools like NetNanny.
Most of these tools are proprietary and often expensive, especially in larger configurations. Alternatively, similar Linux-based and open source tools are available that can be deployed for potentially a lot less money. Some of these tools also have the potential to scale to suit larger environments. We’re going to examine some of these tools and highlight their features and their strengths and weaknesses.
The simplest of these solutions is to make use of a proxy such as Squid, supplemented with a filter plug-in called SquidGuard. While not sophisticated, this solution can operate as a flexible but basic URL blocker. It provides some content control but no protection against malicious content like viruses and malware. The SquidGuard filter plug-in works as a blacklist-based solution that, when combined with Squid, allows you to control which users access the Web and which URLs they can access. The user’s access can also be limited by time, day of the week and date, and different rules can be provided for particular users or groups of users. Squid and SquidGuard are also pretty easy to scale. However, the inability to do anything beyond URLs limits the overall effectiveness of the solution.
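The kind of SquidGuard policy described above (blacklists, source groups and time windows), as an added example that is not from the original article. The paths, the network range, the category names `adult` and `social`, and the block-page URL are assumptions for illustration.

```conf
# /etc/squidguard/squidGuard.conf (path is an assumption; varies by distribution)
# Squid hands each requested URL to SquidGuard through a line like this in squid.conf:
#   url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

dbhome /var/lib/squidguard/db      # directory that holds the blacklist files
logdir /var/log/squidguard

# Time window: Monday to Friday, 08:00-18:00 (h = Thursday)
time workhours {
    weekly mtwhf 08:00-18:00
}

# Source group, matched on client address (constructed example range)
src staff {
    ip 192.168.10.0/24
}

# Destination groups, each backed by plain-text lists under dbhome
dest adult {
    domainlist adult/domains
    urllist    adult/urls
}

dest social {
    domainlist social/domains
}

acl {
    # Staff: stricter during work hours, relaxed outside them
    staff within workhours {
        pass !adult !social all
    } else {
        pass !adult all
    }

    # Any client not matched above gets nothing and is sent to a block page
    default {
        pass none
        redirect http://proxy.example.internal/blocked.html?url=%u
    }
}
```

Because matching is done only on the requested domain or URL, a page that is not on any list passes regardless of what it contains, which is the limitation noted above.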
Moving up to more sophisticated solutions we have DansGuardian. It works in combination with a proxy, such as Squid or TinyProxy, to provide more granular filtering and controls. Because DansGuardian can use a proxy, it is relatively easy to scale up to large implementations using your chosen proxy’s scaling methodology. Unlike the Squid/SquidGuard solution, in addition to URL blocking, DansGuardian also allows blocking of content. You can specify words or phrases to block and block ads. It can also operate in a whitelist mode, only allowing access to a particular list of sites, which is useful for kiosks or public machines.
DansGuardian is shipped with a number of Linux distributions, including Ubuntu, Debian and Fedora (which means it’s available as RPMs that you can also use in Red Hat Enterprise Linux and CentOS), and is easy to obtain and install. It also runs on other Unix and Unix-like platforms including Solaris. The team behind the Smoothwall firewall (which ships with DansGuardian) also provides commercial support if this is required for your environment.
To make using DansGuardian easier there is also the Parental Control GUI that provides a management interface and integrates a proxy and firewall for DansGuardian to use. It is available for Debian and Ubuntu as packages but can be built from source.
There is also a fork of DansGuardian called MinD that claims better performance, integrates an internal proxy rather than requiring Squid or another proxy, and has a stronger focus on Web content filtering. At this stage it seems fairly early in its development life.
Another possible solution is WebCleaner, which incorporates a built-in proxy and includes URL and content blocking. In addition to this it is also configurable to block advertising and comes with a plug-in that provides some anti-virus filtering. WebCleaner also supports several forms of authentication, importantly including built-in NTLM, which can allow you to easily integrate with an Active Directory server. It can also integrate with the SquidGuard URL blacklist. Of the open source solutions, WebCleaner is the most well-rounded because it covers some virus and malware blocking in addition to URL and content filtering. Its ability to scale and the performance of its internal proxy would require some additional testing to confirm whether it’s a suitable fit for your environment.
The Privoxy proxy can also perform some content control functions, mostly focused on ad blocking but it’s also capable of blocking URLs. It can be run both on your network and locally on clients to control their browsing. It’s not as strong a solution as some of the others but may be useful given its ability to be run locally.
Then there’s the client-based tool, Gnome Nanny. It is a content control application for the Gnome Desktop. It provides most of the typical content control features like URL blocking, content filtering, and time-limiting. But it also provides controls over email use, IM and chat, and other elements of computer use. If you use Linux desktops, or have one in your home, this could be a useful supplement to a larger proxy solution or a small deployment in place of one.
It is important to remember that most of these solutions (except Gnome Nanny) require that you configure your client hosts to use the proxy you’ve installed rather than go directly to the Internet. You can configure Windows, Linux, OS X and most of the major browsers including IE, Firefox and Chrome to only allow browsing through a nominated proxy, although this does require some control over the client’s configuration to prevent users circumventing your proxy.
But no single layer of defense can protect you or help you control your environment. For example, many of the content control solutions we’ve just looked at do nothing to prevent viruses and malware. If you run Windows (but also to a lesser extent OS X and Linux) desktops, you should ensure you have sufficient controls (desktop security software) installed so that your environment is adequately protected from attackers.
Interestingly, even mobile platforms are not being ignored in this space. SmartWeb and Mobicip offer iPhone and iPad content control systems. While not free or open source it’s an interesting development. (Editor’s note: There are some interesting discussions going on in the Android forums regarding Content Control as well.)
ABOUT THE AUTHOR: James Turnbull is a former IT executive in the banking industry and author of five technology books, including Hardening Linux, Pulling Strings with Puppet and Pro Linux System Administration. He has been involved in IT Operations for nearly twenty years and is an advocate of open source technology. He currently works at Puppet Labs as head of operations. James manages operations, documentation, testing, support and release management for Puppet Labs.