Content Filtering Service

Hello all,

I hope you are doing well. My name is Michael Rodriguez and I recently took over the IT Director role for my home church. My question is does anyone have a more economical recommendation for content filtering over Sonicwall’s premium content filtering for an NSA 2600? Is anyone doing anything with any of the other offerings out there? Thanks in advance.

Michael Rodriguez

I’ve been using Untangle for years. It can be run virtually, or on existing hardware, or purchased as an appliance. I have always been pretty happy with the results. Also, I have started to use Webroot’s DNS Protection product as an additional layer, at clients where I am running Webroot as AV.


You can save a bundle on your SonicWALL renewal by contacting our Dell rep and telling him we (MBS) referred you. We make nothing on it, but he will get you a good discount.

His contact deets are: Drew Michelotti @ Dell (512.513.2637, drew_michelotti@dell.com).


I would recommend ChurchDNS for your guest network. It is easy and forces the Google Safe and YouTube Restriction on content. It is a bit troubled with the staff network, but it is perfect for the guest network. I am using SonicWall and ChurchDNS on my network.

My church used OpenDNS before, until it became a paid service. You might want to explore running a DIY Squid Proxy Server with web filtering.

Optimally you want one that can be enforced on laptops that are mobile via an agent, so one of the DNS filters is a good thing to have (by itself or with a UTM filtering at the main site… layer upon layer after all). Comodo has a free one that’s a lot like Cisco Umbrella that works okay, but it’s Comodo and with Comodo it’s always a good idea to have a plan B. There is of course Cisco Umbrella, which is the gold standard, but it has a minimum of 100 devices. Then there is also Webroot, which has a newer DNS product and is trying to fight it out with Umbrella, but as far as I know they don’t have minimums. Finally, there is nxfilter, which is a host-yourself DNS server that includes agents for laptops and whatnot for when they leave your site. Nxfilter will work up in the cloud as well if you want it off-site.

Important to remember with the SonicWall is that the content filtering is part of a security subscription that provides intrusion prevention and application blocking at the firewall level.
We use the Premium Content Filtering at our church and at our Christian school.
App blocking allows, among other things, blocking of proxy servers (commonly used to bypass filters). HOWEVER, you will need to white-list personal filtering products like Covenant Eyes since such products use a proxy.

  • Greg

Sorry to bump a topic. I’m looking at moving to a different DNS from OpenDNS for the very reason that I need to be able to filter laptops when they leave campus. What are you all using on your church-owned laptops for content filtering? I don’t want to manage an on-premises device, so cloud-based. ChurchDNS seems to be great for the filtering on our service on campus and at a good price. But I need something as a 2nd layer for the laptops when they go to homes, coffee shops, etc.

We deal with this a lot in the MSP world. The way to go is with a DNS service/product that has an agent for roaming: the OpenDNS solution is Cisco Umbrella and it has an agent to force DNS traffic through it. It’s a bit pricey and I think the minimum device count is still 100. Webroot also has a DNS service and I believe the agent is out now. Comodo has Dome/Dome Shield that can install an agent and is free (but it’s Comodo). I believe WebTitan also has a DNS protection product that includes agents for mobile devices. Finally, there is NxFilter/NxCloud that can run agents, but you’ll need to self-host it either on-site or up in the cloud.

EDIT: Just realized I had some of this up above, but those are the general contenders to OpenDNS/Umbrella for roaming device DNS filtering/protection.

We ended up going with ChurchDNS mainly because of cost. $25/mth is much easier to swallow than Cisco’s price and others. It does seem to take a bit longer for policy changes to apply, but otherwise it works well.

We use thirtyseven4’s antivirus & content filtering on endpoints. We also use OpenDNS on our internal network but I’m thinking we’ll be switching because it’s super expensive. Probably will use ChurchDNS for that.

One option also could be that, if you use Sophos for your AV solution, you can set certain types of sites to block through it. The business edition has the ability to lock the user from changing it as well. So you get AV protection as well as content filtering.
If the user does have a legitimate page that is being blocked, you can unlock it from the Sophos portal and within a minute or two the endpoint updates.

URL filtering to me is like pattern file recognition based anti-virus or port based firewalls. It’s rarely effective and can give you a false sense of security. Your goal here is risk management, depth-in-defense. Knowing your attack surface is no longer limited to your physical perimeter, operating system or application. Utilizing behavior-based, next-generation traffic analyzing tools is a more effective approach. You’ll hopefully see more intelligence around firewalls, switches, access points and clients communicating east-west traffic between clients/servers in order to isolate malignant traffic. Squid is probably a fine alternative for anyone on a budget, but you will ultimately have to stay on top of patches for all the moving pieces. We’re currently using Palo Alto Networks FW, URL + Threat Prevention Subscriptions + Traps (Endpoint Protection).

DNS-based filtering is meant to be one layer in the security stack, I’m pretty sure nobody is seriously arguing against that… at least I would hope not. Anyhow, ones like Umbrella can be very effective and reasonably low cost. Pretty common to see them employed even alongside a Palo Alto (I would argue there is some advantage there in having a few vendors in a layered stack).

People just hear URL filtering and think they’re done, not realizing that’s just the beginning. All DNS/content filters are not created equal; speed, privacy and false positives are trade-offs with some “freemium” models vs. paid services. I know I’m probably “preaching to the choir” but even the executive pastors/ministry leads do not understand the complexities of security and assume “we have a filter, why isn’t it blocking bad content?” Going back to the original post, the question was what are people using out there? Just expanding the security topic a bit in case Michael wanted to unpack a layered security approach. I completely agree with you re: multi-vendor layered approach, but we found PAN’s URL solution made more sense for our environment. I love the depth of discussion and appreciate everyone’s feedback.

Hi Michael, as a new partner of ChurchIT, can I recommend the Roqos Core RC10 Intrusion Prevention Firewall router? We have been shipping for 2 years, and are a quickly growing startup. Price-wise, existing and future features are very competitive with existing solutions. More at http://roqos.com. Thanks.

Would you recommend Webroot as AV?

No, Webroot has fallen to the bottom of the AV reviews. Windows Defender, meanwhile, has risen to the top alongside staples like Bitdefender.

Here’s Webroot Home edition being tested (they usually refuse to submit because they don’t do well, but this gives you an idea of why you should not use Webroot today):

Any of these options would be considerably better:

Churches, as a nonprofit, have the advantage of being able to deploy Windows 10 E5 very cheaply which includes Windows Defender for Endpoint (formerly ATP), which is a next-gen AV that’s really good and works with other signals from M365 like cloud app security. We do it with all our client churches and missions organizations and I highly recommend looking at that route for your own church.