This is a description of how one person enabled content filtering on his home network. The aim is first to protect his growing family from the worst excesses of the internet. The second is to protect himself from teenage visitors who might want illegally to download music and/or other copyright protected materials.
I realise that some people think content filtering is evil. I know other people download music and games without paying for them as a point of principle, in the belief that the publishers of games and music are profiteering.
I have some sympathy for these ideas. Nevertheless, I have implemented content filtering on my network.
Why content filtering?
There are some pretty nasty sights on that thar intarweb. And I'm not just talking about Rick Astley and Goatse. Pedophile grooming and child pornography are the headline dangers, though in all honesty, I think they might be a bit over-hyped. Lesser dangers - yet greater threats - include Phishing sites, malware and other scams. Nevertheless, I'd prefer that no-one on my network downloads child porn, thank you very much.
The first thing to say is that education and open, honest discussion about these dangers are far more important than rigid, knee-jerk filtering. At all times I have discussed the filtering options with my growing kids; shown them what restrictions I am placing on them and why. We have discussed viruses, malware, chatroom dangers, personal privacy and copyright issues. As they have grown, we have discussed what filters can be lifted and how they can protect themselves against the bad stuff out there.
Second, I make my living from writing. Copyright law works in my favour. If everyone ignored copyright law, then I'd have a problem making any money. So whatever I might think of the business model of the gaming companies and the music publishers, I'm not going to allow people on my network to download copyright-protected files.
Third, AspieBoy is just 12 years old. For the time being he mostly plays Runescape and watches Top Gear and suchlike online. More recently there have been some soft porn sites on his list and he's started looking for some uhm, "interesting" videos on YouTube recently.
AspieGirl is nearly 16. Although there's not much that would faze her nowadays, there are still some limits to what she ought to be looking at, even in the privacy of her own room.
Finally, when they do their homework, the interweb is a great opportunity for distraction and procrastination, so we have a spare machine which is used for homework, and I want to prevent them going on their favourite time-wasting sites when they are supposed to be doing homework.
The bottom line is that I want to be able to prevent anyone -- visitors or kids -- from doing illegal stuff on my network, and I want to be able to prevent the kids from doing silly, dangerous stuff on the web.
But I repeat, it's far more important to teach them about internet safety than it is to implement draconian filters. One day they will be out on their own. I won't be able to filter everything then, so education and open discussion are far more important than technological solutions.
Types of content filtering.
At the most basic, there's free filtering and expensive filtering. You can buy commercial products which do these things. If you have the money, then good luck to you. I've never used Netnanny or other commercial products, so I have no idea how good they are. My impression is that they are less configurable than the free products, and more subject to political influences but I might well be wrong. This piece focusses on free solutions.
I think there are three approaches to filtering, but I'm willing to be corrected.
At one level you can set up filters and controls on an individual machine. Each machine can be tailored with a specific level and type of filter. This is the Net Nanny approach.
The next level is to set up a proxy which routes all traffic through a separate machine. This proxy implements filtering rules, which in general apply to all traffic passing through the proxy. Some of these systems have an account setup which permits the administrator to implement different rules for different machines and different users. A transparent proxy with configurable filter is by far the most secure and flexible content filtering option.
Finally, there is DNS level filtering, which is a bit of a blunt instrument, but has its uses.
Whatever the level, whether machine level, proxy level or DNS level, a filter can be blacklist-based, whitelist-based, category-based or intelligent.
A blacklist is a blunt instrument, in that it will block all traffic attempting to visit, say, pornotube.com. Set up correctly it will block www.pornotube.com, gay.pornotube.com, straight.pornotube.com and everything below. Blacklisting pornotube.com (or not) is a pretty easy decision, as everything on there can be regarded as unsuitable for an 11-year-old. Blacklisting youtube.com is less obvious. There is some interesting, funny, educational stuff on Youtube. There is also some unsuitable stuff on there.
A whitelist will permit everything from a site. Add Youtube.com to your whitelist and it will permit everything, including the funny stuff and the unsuitable stuff.
Another option is keyword filtering. With this, you can add a keyword to a list, and the system will block anything containing that keyword. Personally I think this filter is too blunt. You might want to block 'fuck' but that also blocks a dictionary page, for example. It blocks pages which analyse the use and etymology of curse words. More importantly, it blocks almost all useful discussion forums.
Personal data filtering allows the administrator to add personal information -- such as the street name; surname; telephone number and so on. The software then prevents the computer from sending any pages or forms which contain that data. The aim is to prevent kids from sending out their personal data to a chatroom for example. Trouble is, this also blocks most webmail pages, like gmail.
Many filters - especially the commercial ones -- employ category lists. They scour teh Intarwebs for different sites and assign these sites to categories -- chatroom; proxies; adult; phishing; gambling, hate, sports and suchlike. Individual administrators can then select which categories they want to block and which they want to permit.
When a user requests one of these sites, the software compares the request with the lists of sites in the forbidden categories and either permits or blocks the request accordingly.
Many of the commercial products use their customers' feedback to maintain these category lists. When a user blocks a specific site, that gets fed back to central servers and added to the relevant category lists. Users of such software need to be aware that some users of this software are, erm, shall we say at the ultra-conservative end of the social spectrum and will want otherwise innocent sites blocked, just because of a mention of fuck or willy. Parents may need to be reminded that kids nowadays regularly hear these words in the playground from the age of 7 or 8 or below.
Less funny is the commercial packages' tendency to block sites which contradict the far-right agenda: sites which promote homosexuality, alternative lifestyles and suchlike.
My strong desire was to pick a system which permits me to configure the system to suit my own priorities, not to rely on someone else's agenda.
The more sophisticated packages employ a form of intelligent filtering. In some, you can tailor the level. You can set up a list of words and assign values to those words. If a page goes over a pre-determined cumulative limit (the 'dirtiness score') of these penalty words, then the page gets blocked.
You might give 'penis' a value of 0.5 and 'cunt' a value of 3 and 'fuck' a value of 1.5. Add some more words and set a limit. Set a high threshold score and you have a relatively relaxed filter, but set it low and the filter becomes a lot more restrictive. This system works pretty well. Some packages even allow negative values for weighting, so that you might choose to assign a negative value to 'educational' for example, and thus reduce a page's 'dirtiness' score.
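To make the two mechanisms above concrete, here is an added example (my own code, not taken from DansGuardian, Integard or any other product named here) that combines a subdomain-aware blacklist/whitelist check with a weighted-word 'dirtiness score'. The word weights and sample pages are constructed from the figures given in the text.

```python
"""Domain-list plus weighted-word filtering, modelled on the behaviour the
essay describes.  Constructed example; not code from any filtering product."""
import re


def domain_matches(host: str, listed: str) -> bool:
    """True if host is the listed domain itself or any subdomain of it.

    A naive substring test would also match 'notpornotube.com', so the
    comparison is anchored on the dot boundary instead.
    """
    host = host.lower().rstrip(".")
    listed = listed.lower().rstrip(".")
    return host == listed or host.endswith("." + listed)


def domain_verdict(host, blacklist, whitelist):
    """Whitelist wins over blacklist; None means 'undecided, go on to scoring'."""
    if any(domain_matches(host, d) for d in whitelist):
        return "allow"
    if any(domain_matches(host, d) for d in blacklist):
        return "block"
    return None


def dirtiness_score(text: str, weights: dict) -> float:
    """Sum the weight of every occurrence of every weighted word.

    Negative weights (e.g. 'educational') pull the score back down.
    """
    words = re.findall(r"[a-z']+", text.lower())
    return sum(weights.get(w, 0.0) for w in words)


def filter_request(host, page_text, blacklist, whitelist, weights, threshold):
    """Decide 'allow' or 'block': domain lists first, then the score limit."""
    verdict = domain_verdict(host, blacklist, whitelist)
    if verdict is not None:
        return verdict
    return "block" if dirtiness_score(page_text, weights) > threshold else "allow"


# Constructed configuration using the weights quoted in the essay.
WEIGHTS = {"penis": 0.5, "cunt": 3.0, "fuck": 1.5, "educational": -2.0}
BLACKLIST = ["pornotube.com"]
WHITELIST = ["bbc.co.uk"]

if __name__ == "__main__":
    print(filter_request("gay.pornotube.com", "", BLACKLIST, WHITELIST, WEIGHTS, 3))
    print(filter_request("forum.example", "fuck fuck penis", BLACKLIST, WHITELIST, WEIGHTS, 3))
    print(filter_request("forum.example", "an educational page on the penis",
                         BLACKLIST, WHITELIST, WEIGHTS, 3))
```

Lowering `threshold` makes the same word list far more restrictive, which is exactly the trade-off the essay describes.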
Most filtering software can prevent the user from downloading specific file extensions, such as .js (JavaScript), .exe, .com, .zip, .tar, .swf and so on.
An additional option is the ability to limit usage according to pre-determined limits, based on either bandwidth or a clock. Examples might be to prevent access after 10 pm; or block access after a user has used the web for a cumulative 2 hours out of three; or cut the connection after 100 MB has been used on any one day. All these should be admin-configurable.
Some software can be configured to block specific ports. So if Skype operates on port 36013, a block on that port will effectively prevent use of Skype. This can be an effective way of preventing the use of specific software packages.
Combinations of blacklists, whitelists, categories, intelligent filtering, port blocking and time- or bandwidth-based limits can deliver accurate filtering which can be tailored to each individual user.
I have tried the following products:
Astaro on a virtual machine
DansGuardian with squid
Integard
OpenDNS
Foxy proxy
Astaro is a sophisticated commercial product offered to blue-chip international corporations, but it offers a free licence to home users. It will do everything you ever wanted it to do and more. It is, effectively, a transparent proxy, but allows the administrator to manage every aspect of the network, including filtering. It is awesome. The normal implementation requires a dedicated Linux machine, but you can set it up as a virtual machine on VMware Player (free) on a Windows box. I was unable to configure it to make it work effectively.
DansGuardian is an open source filtering system, which runs on many variations of Linux. It's well-established, infinitely configurable and effective, or so I am told. I managed to get it working on a single machine, but I wanted to use it with squid as a transparent proxy. Unfortunately, I couldn't configure the machine to do that.
OK, so my illusions have been shattered. I used to think I was pretty tech-savvy and could do these things. After spending weeks trying unsuccessfully to get one or both of these products to work effectively, I resigned myself to paying for a product and started looking for a commercial product which I could configure easily.
First, I would say that if you really understand networks, and are capable of driving Linux, then use one or other of these products. They are effective. They are also all-but impossible to by-pass. But you need to have a solid understanding of networks, how to configure them and how they operate.
Once I admitted my lack of technical knowledge, the next step was to scour the web for effective paid-for filtering systems. I came across Integard. This was developed by a company called RaceRiver in cooperation with the Australian government. Australians can use it for free. The rest of us have to pay for it.
Integard is installed on each computer that needs filtering, and offers intelligent filtering, keyword filtering, personal data filtering, blacklists/whitelists and time and bandwidth-based limits.
The final product I've tested and found useful is the free OpenDNS. Despite the name, it is not open source. Their business model is to bring up their own search engine whenever the system blocks a page, and that contains paid-for links. This is not a big deal; you can just navigate away from the blocked page and use the search engine of your preference.
It can be set up in a matter of minutes from the router settings. Once set up, the user can configure the level of filtering and access stats on traffic, sites visited and so on.
OpenDNS uses a category filter combined with blacklist/whitelist. Whenever you make a page request, it intercepts the DNS request and sends the request to its own domain name server. This compares the request with its own internal list, and either filters or not, according to your settings.
Foxy proxy was my first attempt at a filtering proxy. It was a very cheap one-off purchase, without annual subscriptions. It was easy to configure and offered a lot of flexibility. I liked it. It's not a real commercial product, but some geek in Russia (I think) wrote it and sells it through the shareware system. I sometimes wondered if it logged all my passwords and sent them back to the author, but nothing untoward seems to have happened while I was using it.
Loopholes and by-passes
I started this essay by saying it is more important to inform the kids about safety and discuss with them about the limits, rather than impose draconian filtering rules. Kids are smart; they will try to circumvent over-zealous filters if they feel the filters are preventing them from doing things they want to do.
It is really important, as administrator, to understand your own motives for implementing these filters. Is it really for their safety, or do you want to keep them as kids for as long as possible?
It's possible to circumvent most of these if you really want to. As kids get older and smarter, they will discover hacks and loopholes which get around your supposedly locked-down systems.
If you install software on a computer, then a savvy user can install a second operating system, such as Ubuntu, or a virtual machine which will by-pass any software a concerned parent might have installed.
Smart kids will find a web proxy and use that to access forbidden sites. Residents of China, Vietnam, Burma and other countries routinely use this technique to by-pass national censors.
Check the softlinks below and you will see that users of this site are much more interested in by-passing these filters than in implementing them. Perhaps, as the users are ageing and starting to have families, the emphasis will change.
Nowadays, phones and iPods and games consoles have browsers and download capabilities. The filtering options on these devices are extremely limited. If your kid has one of these, they can navigate to forbidden sites, download software and transfer it to their computer.
A web-savvy parent can make things difficult for them in a couple of ways. First by installing a transparent proxy which intercepts all traffic going through your router. A well-set up transparent proxy is almost impossible to circumvent. The second way is to use a DNS service, which does the same, but through a different technology. It is quite easy to by-pass DNS filters, simply by setting the computer's internet preferences.
Jack says: the one problem with proxies is that they assume your kids are connecting to your own router. As open networks proliferate, it's stupidly easy for them (assuming a wireless card) to hop networks and circumvent everything you've set up. Some combination of proxies and client-side software is probably smart.
None of these will apply filters or limits to a phone which has been enabled for web browsing over the phone network. So once again, education and discussion are the best options.
Furthermore, most parents (not you, but their friends' parents) have very limited controls on their networks. If your kid is savvy, they will get a friend to download software and music files and transfer them to their own machines.
In the end, whatever technological solutions you implement, it will merely slow them down a bit, or encourage them to research methods for by-passing your technology. You have to talk to your kids and educate them to make their own decisions.
OK, so having explained all that. Here is what I have done.
The first level is to set up the router to use OpenDNS. That blocks the worst stuff. Anything going through my router uses the Open DNS servers and that will block the porn, the phishing, the malware and the file sharing and the web-proxy sites.
AspieGirl has an iPod Touch. We've been open with her about the dangers of the web and she's free to use that to surf in any way she wants within the restrictions imposed by OpenDNS. OpenDNS allows me to see anything that has been blocked and I'm pretty sure she's not doing anything dodgy. If she's at Starbucks, or any other open WiFi place, then she's on her own. All I can do is hope my help and talk has made her responsible.
The next level is to use Integard on most of the computers around the house. Again, this has logging facilities, so I can check what has been sought and blocked, and also what has been sought and passed. Each machine is set up with one default user for the way it is typically used. One can log in to Integard under a different user name, but we hardly ever use that option.
AspieGirl's machine has very light filtering. If there is anything it blocks, she comes to me to ask for it to be released. We have a discussion about it and I release it. The only things I am refusing to unblock are the file extensions .exe, .zip and .com. If she wants to download them, she has to ask me and I'll download it and pass it to her over the network.
That's so that I know what she is installing. She went through a phase of loading all kinds of software on her machine, and it got a bit silly. I'll probably release that restriction pretty soon. In any case, the iPod touch makes the filter a bit superfluous.
We only get problems when she has guests around. Most of her friends surf the web completely unrestricted, so they feel frustrated when they can't go to some of their favourite slightly-dodgy sites. She's pretty good about telling me what gets blocked, and I always ask if she wants it unblocked. Sometimes she wants me to unblock it, and I do. Mostly she is not bothered either way.
AspieBoy has more restrictive filters, but the same applies. If he wants something released, we talk about it and then I'll usually release it.
The public machine is tied down pretty tight. They use it for homework and we have specifically blocked all their favourite time-wasting sites.
In extremis, I can use the DHCP setup on the router to cut the connection for any specific device on the network. I can and do use this option when there is good reason.
The main filter, however, is their own self-control. And that is by far the most important. My policy is to show them what I can filter and how and why I do it. I don't, of course, tell them the administrator passwords. But far more important is to talk to them about the kinds of dangers and risks out there and to listen to their views on what should and should not be filtered.
In the end, I am 99 percent confident that if I switched off all the filters, they would not do anything silly. Except, perhaps downloading and installing all kinds of software. And AspieGirl would download a lot more copyright music.