solid small business router with URL filtering that works with HTTPS?

Kremlar

Golden Member
Oct 10, 1999
1,426
3
81
Looking for a solid small business router that has URL filtering that works, one that supports HTTPS.

I'm a fan of the Cisco RV042/RV082 series but even the latest revs with latest firmware still seem to have a limitation where they do not block https:// sites.

For example, you can block http://www.facebook.com but not https://www.facebook.com

I recently tried a TP-Link TL-ER6120 but it appears to have the same limitation!

Anyone know of a solid small business class router with a good URL filtering feature that covers HTTPS?

Thanks
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Well unless you plan on doing some man-in-the-middle type sniffing you're not going to be able to block https by URL. That stuff is encrypted in the packet.
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
Looking for a solid small business router that has URL filtering that works, one that supports HTTPS.

I'm a fan of the Cisco RV042/RV082 series but even the latest revs with latest firmware still seem to have a limitation where they do not block https:// sites.

For example, you can block http://www.facebook.com but not https://www.facebook.com

I recently tried a TP-Link TL-ER6120 but it appears to have the same limitation!

Anyone know of a solid small business class router with a good URL filtering feature that covers HTTPS?

Thanks

Might want to look into something like OpenDNS. I got my parents a Netgear router that comes with some free extra OpenDNS features and started blacklisting things. My dad was getting a virus or malware all the time until I set that up.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Juniper's Enhanced Web Filtering on their SRX platform works with HTTPS. On appliances that don't do HTTPS decryption, typically the way it works is the web filtering component recognizes the connection by protocol and then verifies whether or not the IP address is allowed. These are typically not free because they rely on subscription services to work.

An SRX100H2 with EWF license would be like $1200 for 3 years of service.
 
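How a filtering device can classify an HTTPS connection without decrypting anything, as an added example that is not from any poster in this thread: the hostname the browser sends in the TLS ClientHello's SNI extension is sent in cleartext before encryption starts, so a filter can read it and, when no SNI is present, fall back to the destination IP check drebo describes. The blocklists and the ClientHello builder are constructed for this example.

```python
import struct

BLOCKED_HOSTS = {"facebook.com"}   # constructed policy; matches the domain and its subdomains
BLOCKED_IPS = {"203.0.113.10"}     # constructed stand-in for a subscription IP/category list

def extract_sni(data: bytes):
    """Return the server_name from a raw TLS ClientHello record, or None (nothing is decrypted)."""
    try:
        if data[0] != 0x16:                      # TLS handshake record
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if hs[0] != 0x01:                        # handshake type ClientHello
            return None
        pos = 4 + 2 + 32                         # header, client_version, random
        pos += 1 + hs[pos]                       # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                       # compression_methods
        if pos + 2 > len(hs):
            return None                          # no extensions at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                       # server_name extension
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                     # malformed or truncated: treat as no SNI
    return None

def decide(client_hello: bytes, dst_ip: str) -> str:
    """Use the SNI hostname when present; otherwise fall back to the destination IP."""
    host = extract_sni(client_hello)
    if host is not None:
        blocked = any(host == d or host.endswith("." + d) for d in BLOCKED_HOSTS)
    else:
        blocked = dst_ip in BLOCKED_IPS
    return "block" if blocked else "allow"

def build_client_hello(hostname):
    """Constructed minimal ClientHello for testing; hostname=None omits SNI."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if hostname is not None:
        name = hostname.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        body += struct.pack("!HHH", len(sni) + 4, 0, len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Note that a client that omits SNI, or connects by bare IP, is exactly the case where only the IP fallback applies, which is why the IP-based list matters even on a filter that reads SNI.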

QuietDad

Senior member
Dec 18, 2005
523
79
91
Said it in another post. Push a HOSTS file to the PCs and block it there. If the user doesn't have admin authority, they can't change it, and on the newer Windows the directory is usually hidden.
 

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
I've tried OpenDNS & BlueCoat's K9 Web Protection.
They seem to work ok for home & SOHO deployment.
 

Kremlar

Golden Member
Oct 10, 1999
1,426
3
81
Hi guys -

Thanks for the replies. I do use OpenDNS in many situations and am pretty happy with them, but I was hoping to find a small business router capable of doing just some basic blocks for times when OpenDNS might be overkill - but I think HTTPS is a must because that's such an easy workaround for sites like Facebook. I was hoping the DNS request could be blocked by the router.

A hosts file would work, but probably too much maintenance. Looking for something I can maintain remotely and easily, add a blocked site or remove one, perhaps even do time of day blocking (allow Facebook during lunch hours, etc.)

Thanks
 

Kremlar

Golden Member
Oct 10, 1999
1,426
3
81
An SRX100H2 with EWF license would be like $1200 for 3 years of service.

Thanks. Price-wise that's overkill for me in these situations because we'd probably just go with OpenDNS instead.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Cheap, easy, good...you get to pick two.

OpenDNS is cheap and easy, but it's far from good. Something like Squid/dansguardian would work, and is cheap and good but far from easy. Something like Juniper or Palo Alto is easy and good, but definitely not cheap.

Your choice.
 

Kremlar

Golden Member
Oct 10, 1999
1,426
3
81
Cheap, easy, good...you get to pick two.

OpenDNS is cheap and easy, but it's far from good. Something like Squid/dansguardian would work, and is cheap and good but far from easy. Something like Juniper or Palo Alto is easy and good, but definitely not cheap.

Your choice.

Curious, what don't you like about OpenDNS for use in a small to medium-size business? I've had pretty good luck with it.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Curious, what don't you like about OpenDNS for use in a small to medium-size business? I've had pretty good luck with it.

It's extremely easy to bypass with any degree of technical know-how. It's also pretty limited in its free form, and its pay form is way more expensive than it should be for what it offers.
 

Kremlar

Golden Member
Oct 10, 1999
1,426
3
81
It's extremely easy to bypass with any degree of technical know-how. It's also pretty limited in its free form, and its pay form is way more expensive than it should be for what it offers.

I don't find that to be the case. If you're running AD the client is using a local DNS server anyway so if they change their DNS servers they lose the ability to operate properly on their local LAN. You can also lock users out from changing their DNS servers so that can be a non-issue. But above all, I'm talking typical users here - not IT geeks that know how to circumvent these things.

I'm curious - how much $ do you think its pay form is? I find the pricing quite reasonable.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
I've talked to them before about it. They charge ~$30/yr per computer. The break-even point for Juniper's EWF (which cannot be bypassed) is 9 computers, and Juniper's EWF is considerably more flexible.

Also, even in a local domain environment, it's trivial to bypass DNS-based filtering. Even if you lock out all access. You can always visit sites based on IP address.
 

Kremlar

Golden Member
Oct 10, 1999
1,426
3
81
I've talked to them before about it. They charge ~$30/yr per computer. The break-even point for Juniper's EWF (which cannot be bypassed) is 9 computers, and Juniper's EWF is considerably more flexible.

Ahh... Perhaps it's a quantity issue. I pay a fraction of that, and it's per user not per computer - which can matter in some cases.

Also, even in a local domain environment, it's trivial to bypass DNS-based filtering. Even if you lock out all access. You can always visit sites based on IP address.

I don't think visiting sites by IP address would be practical. Could you get some kind of content through? Sure, but it's not going to be usable. You can't browse Facebook in a usable fashion via IP address.

And even that is beyond 99.99% of users you're trying to stop from goofing off at work. And if a user does attempt to bypass that's no longer a technology problem, that's an employee problem.

If an employee tries to bust through the lock on the CFO's door do you install a better lock? No, you fire the employee.
 

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
I would echo the comment that you have good, easy and cheap and you get to choose two.

As far as the very best device for the purpose, I might recommend a Palo Alto PA-200, but that's also in the $2000 range. Though, it does double as an antivirus gateway, URL Filtering gateway, firewall, router, switch, VPN concentrator, bandwidth monitor, logging engine, network access controller and a few other things, in a pinch.

As far as good and cheap, a custom built squid proxy would probably do the trick (as was said above), but it's far from easy to build or manage.

Or you can go with OpenDNS which is relatively cheap and easy, but not great, functionally, though it does the basics.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Ahh... Perhaps it's a quantity issue. I pay a fraction of that, and it's per user not per computer - which can matter in some cases.



I don't think visiting sites by IP address would be practical. Could you get some kind of content through? Sure, but it's not going to be usable. You can't browse Facebook in a usable fashion via IP address.

And even that is beyond 99.99% of users you're trying to stop from goofing off at work. And if a user does attempt to bypass that's no longer a technology problem, that's an employee problem.

If an employee tries to bust through the lock on the CFO's door do you install a better lock? No, you fire the employee.

Don't browse directly to facebook, connect by IP to a proxy site then you can do whatever you want.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,553
430
126
I must say that the Computer technology Enthusiasts arena really amazes me.

No person (as an example) in the construction business when needing a truck to carry basic work materials will look into the MiniCooper segment of the vehicles market.

On the other hand on this forum (and a few others) there are people looking for MiniCooper Trucks.

The Entry level Networking hardware is meant for simple, mundane use.

It costs $10 - $30 to manufacture a piece of hardware; after another few hands in the distribution channels (on which each one makes his own $5 - $10) it ends up costing $50 - $200 to the consumers.

If a Business cannot afford a few hundred $$$ to protect itself from the Evil of the Modern Beast (the Internet) then it is a technology problem that they are facing.
 

Kremlar

Golden Member
Oct 10, 1999
1,426
3
81
Don't browse directly to facebook, connect by IP to a proxy site then you can do whatever you want.

Good point.


If a Business cannot afford a few hundred $$$ to protect itself from the Evil of the Modern Beast (the Internet) then it is a technology problem that they are facing.

That's a reality of the small business market. MOST small businesses will not pay $400 per year to stop their receptionist from goofing off on Facebook.