OpenDNS Alternatives

[craigmash]

It has been reported that OpenDNS is ending their free web filtering products for everyone except home users. We have been using their Basic package for quite a while to filter.

So I am not looking at other alternatives that are free or inexpensive. I would like to have web filtering WITH reporting to see what computers are hitting what sites. Was wondering what other people use or know of the products I have found.

Untangle Lite

IPCop with urlFilter

Others?

[andrewf]

Have you considered contacting them for a price for the service?

While we all like the idea of "Free" services, the fact of the matter is that if we value a service we should be willing to pay/compensate for it.

http://www.opendns.com/web-filtering/

1 Timothy 5:18
For Scripture says. . . . . and “The worker deserves his wages.”

Just my thoughts.

[petereit]

Call OpenDNS's sales department. They'll be happy to work with you.

[[Admin] osborn4]

I use Phantom Techonolgies' iBoss and home and I know they have a commercial version as well. This is a hardware applicance. And it can be set up to send reports whenever you want.

[craigmash]

Quote:

Originally Posted by andrewf

Have you considered contacting them for a price for the service?

While we all like the idea of "Free" services, the fact of the matter is that if we value a service we should be willing to pay/compensate for it.



1 Timothy 5:18
For Scripture says. . . . . and “The worker deserves his wages.”

Just my thoughts.

I absolutely considered this. However, from what I have read, the basic price now is $1500 a year! Now people have reported they have given them a lower price, but it will probably only be for this one year and it was still $500. I could get Untangle commercial product for $800 a year and it will do a lot more for me than OpenDNS. I do not blame them for starting to charge, but I believe they are leaving out any options for small businesses and churches.

My church has decided that having me on staff if more valuable than a large IT budget. I cannot spend half of my yearly budget on web filtering.

That is why I am asking.

Thanks

[andrewf]

We deployed Sonicwall TZ100s at our two facilities with their premium filtering service. We also have gateway anti-virus, a point to point VPN between a couple locations, plus SSLVPN that I and another IT guy use for remote access to the network. We also use it to load balance between our two internet connections, automatically.

The hardware cost I think was $250. The yearly renewal for the premium services, I *think* was like $150.

We found that it was more economical to have the anti-virus scanning of all traffic at the network level, as it was more economical than buying A/V licenses for all the PCS, ensuring they were always updated, etc.

I also use one here at my house for my family.

I am not tied with Sonicwall. I've used their product for small offices, my church and my home.

On Edit: I found the invoice. We spent $347 for the device with the first year of all the advanced features included. I spent $215 for another location to renew the service and support for two years.

http://www.sonicwall.com/us/products/TZ_100.html

[EricE]

pfSense with the Dans Guardian package.

Free for non-commercial use and as good or better than many of the commercial offerings I have looked at, and definitely better than any of the other free solutions such as IPcop.

SuperMicro makes some great 1U Atom based servers that are perfect for pfSense. I prefer to get the ones with Intel NICs - usually the dual core 510 based ones. I got mine for a little under $300 on sale from Newegg. They had a bundle deal with a 2GB stick of memory. I used a 2GB SATA Disk On Module (SATA DOM) for the disk to keep the moving parts to a minimum. The only downside for this is you have to install pfSense in advanced mode since it will try to create a 2GB swap partition - it's not as bad as it sounds and if you want to try it I can walk you through it. Although with the content filter a hard drive might be better. SuperMicro also has a PCI Express dual Intel NIC that's great to add more ports - the 1U servers require an inexpensive bridge card to mount the NIC horizontally. Newegg didn't used to carry them in stock, but it was easy to find elsewhere.

Now that OpenDNS is changing their policy, I may have to play with that package some more myself. I upgraded my home firewall from an old VIA x86 compatible fanless computer (still ran pfSense just fine) to an HP Microserver - macmall.com had complete system (AMD Turon, 2GB RAM, 250GB HD) on sale for $200 last month - too good a deal to pass up! With a hard drive and better CPU playing with some of the packages for proxying (Squid) and Intrusion Detection (Snort) were a little more feasible. I scored the same SuperMicro Dual Intel NIC card from eBay to get another ethernet port and give me one extra for expansion. It didn't come with a low profile rear bracket so I just bent and shortened the one it came with. The Microserver doesn't require screws for cards - it has a screwless holder.

Every time I look at new offerings, I keep coming back to pfSense. The one that looks like the most promising to eventually provide a potentially better solution is Clear OS - but I think I prefer pfSense's FreeBSD base more than the Linux base Clear OS is based on - FreeBSD has a much stronger networking foundation...

[blonborg]

I wouldn't run the pc's without A/V protection.

Quote:

Originally Posted by andrewf

We found that it was more economical to have the anti-virus scanning of all traffic at the network level, as it was more economical than buying A/V licenses for all the PCS, ensuring they were always updated, etc.

The best defense is multiple layers of protection. While the gateway filter may catch most of the viruses coming into the network via the internet and/or email, it doesn't protect against someone bringing in an infected flash drive and using it on an unprotected pc.

Bill

[andrewf]

I agree, and we do run A/V on pcs, but some facilities cant even afford that, so having something at the gateway, covers the majority of the issue for a lower cost per PC than actually paying for a subscription service per PC and guarantees their high risk internet traffic is scanned and the user cannot bypass it (like they can disable A/V on a pc).

In our facility, there are over 80 pcs.

A majority of them have some form of A/V on them locally. However, we have found that our gateway A/V catches and blocks at least 99% of malicious content before it even gets to the PC. We have not had a single PC infection it over a year, since we put the gateway A/V in.

A gateway solution does not cover if someone brings in a USB drive, or some other method, with a file on it that is already infected, therefore why the multi layer approach is most ideal.

[EricE]

Quote:

Originally Posted by andrewf

I agree, and we do run A/V on pcs, but some facilities cant even afford that

Seems pretty reckless to me - I hope you aren't forgoing insurance on your building because it's not affordable either! One infected machine on your network could wreck havoc in seconds on an unprotected network. "Moat" security was breaking down in the 90's, and it's definitely not effective today. I'd say you've just been lucky so far.

If you haven't already, take look at Microsoft Forefront. Microsoft Charity Licensing is awesome - sometimes better than education. Use a reseller like Software One and set up a Charity Open agreement. You get a substantial discount on all licensing including Office, Windows upgrades, etc.

Shoot, we use Trend Worry Free Business Security Small Business edition on top of SBS 2011 right now (WFBS) but I may just price out Forefront and compare now that I've typed that...

[andrewf]

EricE, I am not sure if your comments are directed at me specifically.

I think some churches have no choice but to weigh the risks versus their cash flow/budget.

If they dont have A/V on their pcs, I wouldn't put it on the same level as not having insurance for ones facility. Maybe more like not having a flood endorsement on your policy if you live near a river.

I am a backup volunteer for our church and have advised them to maintain both, but knew that at a minimum they needed something at the gateway level since the "maintaining A/V on all their machines" had failed them more than once in the past.

This year, their IT guy was able to secure funding to address a number of IT shortcomings that have been identified in the past year, one is a central A/V management solution.

I am not advocating a facility only do one or the other. There are risks both way.

If one only relies on A/V on a PC, it can be disabled, it can become out of date, and it can miss things. If one only relies on A/V at the gateway, they cant scan encrypted files, protect users bringing in infected files via other methods, etc.

My apologies to the OP, this thread has de-railed from the original question of a replacement to OpenDNS for SMUT filtering. There have been a number of good responses to this thread that I hope have been helpful to answering your question.

[EricE]

Quote:

Originally Posted by andrewf

EricE, I am not sure if your comments are directed at me specifically.

Not necessarily - I think it applies to anyone reading this thread.

Quote:

I think some churches have no choice but to weigh the risks versus their cash flow/budget.
If they dont have A/V on their pcs, I wouldn't put it on the same level as not having insurance for ones facility. Maybe more like not having a flood endorsement on your policy if you live near a river.

Do any of the computers on the network have privacy or financial information? If so you are talking about the exact same liability as not having liability or fire insurance on a building. Could be worse, actually, depending on what the information is and the level of breach.

Just because it's on a computer doesn't mean you couldn't have as significant a liability as you would with something physical like a building or campus. At a minimum put it on those machines that have sensitive data.

Quote:

I am a backup volunteer for our church and have advised them to maintain both, but knew that at a minimum they needed something at the gateway level since the "maintaining A/V on all their machines" had failed them more than once in the past.

I understand and have been in similar positions. But there are certain things that are NOT optional - and I would consider AV on a windows machine - especially one that has sensitive data on it - paramount. If you can't afford AV on at least the critical machines, then you need to cut down the number of machines or other requirements elsewhere.

AV is like insurance. No one wants to pay for it until they need it and then its too late It's also a requirement just like insurance on a building. Just because it's an expense we would rather not spend, doesn't mean we are being good stewards of Kingdom resources by "hoping for the best". If that were acceptable why bother having insurance at all?

Quote:

I am not advocating a facility only do one or the other. There are risks both way.

I will. If you consider yourself anything but the most amateurish of an organization, AV for Windows machines is not optional. The only reason it's accepted as a reasonable risk by people who would (rightly) freak if you suggested dropping insurance on your building is they can understand the ramifications of not having insurance on a building whereas those "computer things" are far more nebulous - combine that with the over-confidcence of many of us in IT (I've been there too!) and it's a disaster waiting to happen.

You may skate by for years and never have an issue - but unfortunately it only takes once...