DrayTek Web Content Filtering
DrayTek Web Filtering allows you to block web content in six main ways:
1 - By matching keyword / specific sites |
2 - By web site category (Subject to Subscription) |
3 - By digital content type |
4 - IP Filtering (Actually part of the firewall, along with many other security features.) |
5 - Filtering HTTPS with DNS |
6 - Network Level SafeSearch |
Features 1, 3, 4, 5 and 6 of the above are included with the router. Feature 2 is included but requires an annual subscription to the external server, which keeps a real-time constantly updated database of web sites. More details of that later.
Features supported varies with router model; please check on specification for confirmation of Web Content Filter capabilities.
- Keyword Matching URL Content Filter
In Keyword Matching you can specify a list of either banned (blacklist)) or permitted sites (whitelist). The DrayTek method is 'object' oriented, which means that you create lists of keywords or sites, can then group them and then apply them into specific user groups or time periods
Using a blacklist, all sites would be accessible by your users except those that match the keywords you specify. This would be useful, for example where there are specific sites known to be causing disruption or timewasting in your organisation such as social networking or webmail. The example below would allow access to all sites except the ones listed:
A whitelist, on the other hand, is much more restrictive on what your users can access as it blocks all web sites by default and then only allows access to web sites which match your keywords. This is useful when you really want to lock down your Internet access to only allow very specific web site access. The example below would block access to all web sites except those listed:
The URL blacklist and whitelist feature support varies with router model; Please check the specification of each product for details of keyword matching support.
- Web Site Category (DrayTek GlobalView, powered by Cyren)
DrayTek's GlobalView is built into most of our routers and allows you to select specific categories of web site which your router will allow access to. For example, an office may wish to block access to social networking or other company time-wasting sites or a home user might want to block adult sites from their children. In public Internet access facilities, you might want to block various unsuitable categories.
GlobalView covers 64 separate categories which you can select as blocked or permitted. Every time one of your users attempts to access a site, the router automatically queries the central GlobalView server to ascertain its classification. This takes only milliseconds. If a site is blocked by GlobalView, according to the categories you have selected, instead of the requested web page, a warning message is displayed to the user (you can customise the message).
The GlobalView central database is continuously updated with new sites and changes to sites but also records normally legitimate sites which have become compromised or contain malware (a unique feature to GlobalView). Access to the GlobalView server requires an annual subscription. A free 30-day trial is included with all new routers so that you can try the feature out before subscribing. Scroll down the box below to see the 64 different categories which can be blocked by GlobalView, either permanently or at certain times of day/week according to your chosen schedule and for the PCs you choose.
GlobalView Categories
GlobalView requires a subscription to the GlobalView server. This is a 12-month subscription available from your dealer. There is no additional licensing for the number of users you have; it is a flat fee based on your router model:
Subscription Type |
Supported Series |
EAN |
Group A |
Vigor 2820, 2830, 2832, 2850, 2860, 2862, 2920, 2925, 2926, 2927, 3200, PBX2820, BX-2000 |
4719853553767 |
Group B |
Vigor 2110, 2130, 2620, 2710, 2750, 2760, 2762 |
4719853553828 |
Group S |
Vigor 2930, 2950, 2955, 2952, 2960, 3220, 3300V+, 3510, 3900, 3910, 5510 |
4719853554306 |
Why GlobalView?
GlobalView, powered by Cyren, uses a unique method of categorisation to ensure the most accurate, relevant and up to date database of web sites. In particular compared to other services, these are some important advantages of GlobalView:
- GlobalView is built into the hardware
There are software solutions for category blocking or parental control but they have to be installed on each PC, tablet or device and maintained on each. Someone with the right skills (a skilled employee or smart child!) can often find a way to bypass or disable the software. DrayTek's GlobalView operates at your Internet point of entry so examines all web site URLs requested and cannot be turned off without administrative rights to the router.
- GlobalView is a commercial/professional Service
Unlike some other services, GlobalView does not rely on volunteers to submit suggestions for sites to include or rely on volunteers to categorise each site submitted (and multiple users to then concur with the category proposal). Relying on community-driven categorisation can lead to inaccuracies, delays, mischief and an incomplete database which omits many sites, particularly those which are more obscure or unknown (which are also more likely to be undesirable). The GlobalView WCF service has been available for many years, and continuously evolves to improve performance and accuracy.
- GlobalView is not a Domain Resolution Service
Therefore it is not possible to bypass it merely by changing the DNS settings on your PC, or by browsing by IP address instead of URL. GlobalView intercepts and examines all web requests for their specific destination, in addition to intercepting DNS requests and blocking requests in that way.
- Categorisation uses an automated mechanism
GlobalView URL filtering is based on a hugely scalable cloud-based architecture that uses the extensive cloud computing resources available for categorization. GlobalView URLF uses a dynamically built, relevant local database with real-time connectivity to a hugely scalable cloud-based repository. GlobalView URLF therefore provides more complete, relevant categorization of the Internet. GlobalView's main benefit is the highly intelligent and accurate categorisation algorithms which are used to build its database.
- Zero-Hour Protection
The Internet is a living, continuously growing and evolving system. As GlobalView operates in real-time, it can categorise a site from the moment it becomes available from the first time it is requested, and re-categorise it if it changes at a later date without requiring community-driven or user intervention. Users do not have to manually submit sites for categorisation.
- Categorise IP Addresses
Some other content filtering services can be bypassed simply by the user browsing to an IP address so that the URL is never considered/checked. GlobalView will categorise sites based on their IP address if a user tries to access via that method. i.e. Both www.facebook.com and 69.63.190.18 would be blocked by GlobalView if you have prohibited social networking. This is also particularly useful in combating phishing emails which commonly use IP addresses instead of URLs. The DrayTek router can, in addition, block browsing by IP address altogether.
- Multiple Categories Per Site
GlobalView can identify a single web site or page as falling into several categories, for example a site might provide both 'dating' and 'adult' content so if you choose to block either of those, GlobalView will correctly identify it as both.
- Site granularity
Whereas other services consider only the top level domain (TLD) i.e. the URL up until the first “/”, GlobalView will parse/consider the whole URL. This is particularly a problem for Web 2.0 sites such as blog sites (members.tripod.com/sitename) where one user's blog might be for kids and other user's contain adult-suited material. Another example is commercial sites which contain different materials types. For example, GlobalView will distinguish between "sportsillustrated.cnn.com" (Sports pages) and "sportsillustrated.cnn.com/swimsuit/" (Swimwear models/nudity).
- Embedded Links are examined
Another common methods that users might use to bypass web controls is using parsing or translation web sites.
For example, if you try to visit: "http://translate.google.com/translate?tl=it&u=http%3A%2F%2Fwww.swimwearplace.com%2F"
then GlobalView will correctly identify that you have asked Google to display 'www.swimwear.com' and block it if that is a category you have prohibited, whereas other services will just see 'Google'' and permit access based on the categorisation of Google (search engine).
- Digital Content Type
DrayTek's Content filtering allows you to specify particular data types or web content to be blocked by the router. The Vigor is pre-set with many different content types or protocols. You can select any or all of them for blocking. There are infinite combinations but some examples of commonly blocked content are:
- Block download of executable (EXE) or compressed (ZIP) files to reduce the chance or virus infection or installation of untested software.
- Block Peer-to-Peer (P2P) software such as BitTorrent, to avoid users using vast amounts of your bandwidth or engaging in media piracy.
- Block HTTP/FTP upload or webmail to prevent theft/espionage of your company data
- At Home, block Instant Messaging protocols to prevent your children from unsupervised chat with strangers.
- Block SMTP from all devices other than your mail server to stop Trojan Zombies
For a detailed list of the protocols and content types which can be blocked, Click Here.
- IP Filtering
This is a more technically complex method. All data sent across the Internet is sent as a 'data packet' between devices (for example between your PC and a web site) Each device has its own IP address (such as '203.0.113.86'). In addition, each data packet can be one of several data types (TCP, UDP, ICMP etc.) and may also have additional information such as TCP port numbers. Don't worry if this all sounds a bit complicated; the useful factor here is that these packets can be distinguished and therefore rules can be set up on the router to block or pass packets which match parameters you choose.
Examples of useful IP filters might be to block incoming mail from all but known mail servers, or to allow access to your internal web server from all addresses except known remote locations. IP Filters can be nested so that a chain of filters can all be tied together and data passed only if one of, or all of the rule criteria are met. As we said, it's a technically complex feature but immensely powerful.
Note : Although we include IP filtering here, most users actually consider that to be part of the main firewall features as it's not filtering 'by content' as such.
- Filtering HTTPS with DrayTek DNS Filter
Concerns regarding privacy and security have increasingly lead to web sites moving their services to web servers that offer SSL/TLS connections as standard. SSL/TLS connections are those prefixed with https:// or commonly shown with a 'padlock' symbol in your browser.
SSL/TLS is a protocol that allows communication to be secured with encryption so that it can't be read by a third party - anyone in between you and the server. This security also extends to the actual URL (web address) that the user enters, which has an impact on web content filtering methods that categorise websites based on the URL that is being accessed.
DrayTek Vigor routers can control access to web sites accessed over SSL/TLS with the DNS Filter, which builds upon the router's Content Security Management functionality. When a PC tries to access a web site, it has to always convert that web address into an IP address (e.g. 203.0.113.67). That IP address itself cannot be encrypted by SSL/TLS because your router has to know where to send the data to!
DrayTek's DNS Filter examines all DNS lookups from your PCs, Tablets and other devices and then makes categorisation or content filtering decisions. DNS Filter can be used with both the Keyword matching URL filter (whitelists/blacklists) and the GlobalView Web Content filter.
This cannot be bypassed by changing the DNS servers used to one that does not employ filtering; the router intercepts and inspects all DNS queries, applying filtering to each one.
The DNS Filter links to the Vigor router's IP Filtering Firewall which gives full control of whom the Content Filtering is applied to. For instance, the DNS Filter could apply a restrictive profile to a child's Tablet or a wireless network for guests, with a less restrictive profile for other devices on your network.
More details on DrayTek's DNS Filter can be found here:
- Network Level SafeSearch
Filtering adult content on large web sites or search engines can prove difficult; blocking access to popular sites such as YouTube, Google or Bing is not a desirable option but applying content filtering to these sites, which force HTTPS connections instead of unencrypted HTTP, is often not possible.
Access to these web sites is secured with TLS encryption, which limits what a router's URL Content Filter or Web Content Filter can achieve because the URL cannot be inspected and additionally may not be indicative of the actual content being displayed.
DrayTek Vigor routers that support LAN DNS can enforce SafeSearch for web sites that offer this facility to network administrators.
YouTube, Google search and Bing search each provide a network level method to control SafeSearch through the use of a special hostname.
Many popular sites now offer this form of SafeSearch that doesn't rely on enforcing settings on individual computers and devices, which can be potentially bypassed and is time consuming to configure.
With DrayTek's LAN DNS feature, accessing "www.google.com" can be redirected to "forcesafesearch.google.com", which enforces SafeSearch for all devices accessing Google search through the DrayTek Vigor router's network.
This can be applied to Google for all countries (or Top-Level-Domains) using wildcards, such as "www.google.*", which avoids the limitation of this being bypassed simply by accessing another country's Google site i.e. "www.google.co.jp" or needing to manually enter every TLD when configuring this facility.
Similarly to the DNS Filter, the LAN DNS feature takes effect on all DNS Lookups passing through the router, so configuring a PC to use another DNS server will not avoid the enforcement of SafeSearch.
Comments
0 comments
Please sign in to leave a comment.