Problem: Using Astaro content filter, we were having issues with people using anonymous proxies to bypass the filter using HTTPS (port 443) instead of standard port 80. Turns out that the Astaro content filter only processes port 80 traffic, thus leaving a pretty big hole for us to fill. I could use packet filter rules to block these sites but that would be a never ending ordeal of individually adding site after site. Since these types of sites come up everyday, there would be such a long list, it would, most likely, affect the performance if the firewall.
Solution: Listen to a Security Now podcast that was on TWIT.TV and heard about OpenDNS. This free service filters your email by DNS request instead of port. Therefore HTTPS traffic and any other traffic requests for that site will be blocked. All you have to do is register with OpenDNS, configure your network and setup what you want blocked. This took me about 20 minutes to accomplish.
OpenDNS is a perfect tool for a business, school or home environment where you need a bit of added security and comfort. Would, I recommend using OpenDNS by itself? Probably not. The reason being that it’s based on DNS so all someone needs to do is have the IP address of a site or change the DNS settings on the workstation and they can bypass the filter. But a tow pronged approach of Astaro and OpenDNS is very useful indeed. I’m sure there will be ways to circumvent this solution coming soon but in the mean time, I’ll take solace in knowing there are some frustrated students that can’t get to MySpace today. : )
Links of Interest: