Web Content Filtering
DrayTek's Web Content Filtering (WCF) facilities enable you to protect your network and your users from web content according to your preferences. There are many reasons for doing this, for example:
Reason to Block | Example |
---|---|
Unsuitable | Adult material for children |
Undesirable | Time wasting sites for employees |
Dangerous | Malware or virus-ridden web sites |
Fraudulent | Confidential data leaving your network |
As DrayTek WCF is performed by your router - your point of entry to the Internet - it is far more difficult to circumvent than software solutions installed on each client/PC or Tablet and applies to guests too.
DrayTek's Web Content Filtering can be applied to any device capable of accessing the Internet, such as Smart TVs, Tablets and Mobile Phones, which may not otherwise have filtering solutions available.
Blocking/filtering can be selective for certain computers, users or groups too, so that, for example, managers can have less filtering imposed than other users, and time schedules can apply content filtering for specific time periods only (the facilities and granularity of this depend on the specific model of router selected).
Internet Control for families and children
Whilst the Internet can be hugely beneficial to family users, both adults and children, there is also the opportunity for it to become distracting and over-consuming, as well as risky. For children, a common use of control is to block inappropriate content, such as web sites with sexual, violent or other adult-oriented content, in schools or anywhere else that children might use the Internet. That's the inappropriate content, but even age-appropriate content can be undesirable. Facebook might be great for your teens, and CBeebies for your younger children, but not if they are supposed to be doing something else.
Many parents want to control access to the Internet, for example allowing access to acceptable web sites for specified times of day only. For your adult users in the home, you may want to block access to sites which have a high probability of being infected with malware. You may also wish to block your own computers from sending emails in case of trojan/zombie infection. There are infinite combinations of content filtering and firewalling you might want to impose in your home.
Staff Internet Abuse - A real cost to your business
The Internet provides your business with an effective, useful and often essential facility. Your staff can use it to find quick answers, liaise with customers, send and receive emails and carry out many other productive tasks. Unfortunately, the Internet also provides the opportunity for misuse. DrayTek products can help you restrict, control and monitor staff Internet usage.
Staff using your Internet facility for time-wasting activities are costing you. Even more importantly, these activities can put your business's computers and network at risk. A recent survey of 10,000 employees indicated that 44% admitted to spending time on the Internet for personal use, for up to 2.1 hours per day.
Most staff are responsible and prudent with their Internet use and we always recommend having a suitable AUP (Acceptable Use Policy) in place so that staff or any users of your systems know what they are and aren't permitted to use the computers for. This AUP can be reinforced by DrayTek routers, which can block specific content (either at certain times only or at all times) and also block potentially harmful file/code types from being installed by rogue web sites. There are some staff who will make severe abuse of the Internet facilities - spending literally hours on personal matters or social networking sites.
Top 5 Personal Internet Uses for Employees
- Personal Email: Hotmail, Gmail, Yahoo etc.
- Instant Messaging: Skype, AOL, Yahoo etc.
- Social Networking: Facebook, Twitter etc.
- Buying: Using Amazon, Ebay etc.
- Multimedia: YouTube, iPlayer etc.
It's easy to let a 'quick visit' become a prolonged stay without realising and losing track of time. All of the above activities can be immensely time consuming and addictive.
What doesn't quite make the list but could be even more serious in its consequences is adult or illegal material being accessed in the workplace, as well as the higher likelihood that such sites are infected with malware which will then get onto your business network. There is also the potential to 'innocently' download software and install it on local PCs, unwittingly introducing spyware or trojans onto your network.
Introducing DrayTek Web Content Filtering
DrayTek Web Filtering allows you to block web content in six main ways:
1 - By matching keyword / specific sites
2 - By web site category (Subject to Subscription)
3 - By digital content type
4 - IP Filtering (Actually part of the firewall, along with many other security features.)
5 - Filtering HTTPS with DNS
6 - Network Level SafeSearch
Features 1, 3, 4, 5 and 6 of the above are included with the router. Feature 2 is included but requires an annual subscription to the external server, which keeps a real-time constantly updated database of web sites. More details of that later.
The features supported vary with router model; please check the specification for confirmation of Web Content Filter capabilities.
1. Keyword Matching URL Content Filter
In Keyword Matching you can specify a list of either banned sites (blacklist) or permitted sites (whitelist). The DrayTek method is 'object' oriented, which means that you create lists of keywords or sites, can then group them and then apply them to specific user groups or time periods.
Using a blacklist, all sites would be accessible by your users except those that match the keywords you specify. This would be useful, for example where there are specific sites known to be causing disruption or timewasting in your organisation such as social networking or webmail. The example below would allow access to all sites except the ones listed:
A whitelist, on the other hand, is much more restrictive on what your users can access as it blocks all web sites by default and then only allows access to web sites which match your keywords. This is useful when you really want to lock down your Internet access to only allow very specific web site access. The example below would block access to all web sites except those listed:
Support for the URL blacklist and whitelist feature varies with router model; please check the specification of each product for details of keyword matching support.
2. Web Site Category (powered by URL Reputation)
DrayTek's WCF is built into most of our routers and allows you to select specific categories of web site which your router will allow access to. For example, an office may wish to block access to social networking or other company time-wasting sites or a home user might want to block adult sites from their children. In public Internet access facilities, you might want to block various unsuitable categories.
URL Reputation covers 78 separate categories, including the security-focused section, which you can select as blocked or permitted. Every time one of your users attempts to access a site, the router automatically queries the central URL Reputation server to ascertain its classification. This takes only milliseconds. If a site is blocked by URL Reputation, according to the categories you have selected, instead of the requested web page, a warning message is displayed to the user (you can customise the message).
The URL Reputation central database is continuously updated with new sites and changes to sites but also records normally legitimate sites which have become compromised or contain malware (a unique feature to URL Reputation). Access to the URL Reputation server requires an annual subscription. A free 30-day trial is included with all new routers so that you can try the feature out before subscribing. Scroll down the box below to see the 78 different categories which can be blocked by URL Reputation, either permanently or at certain times of day/week according to your chosen schedule and for the PCs you choose.
URL Reputation Compatibility List
URL Reputation requires a subscription to the URL Reputation server. This is a 12-month subscription available from your dealer. There is no additional licensing for the number of users you have; it is a flat fee based on your router model, which must be compatible and run appropriate firmware:
Subscription Type | EAN | Supported Series | Firmware Requirement |
---|---|---|---|
Group A URLR-A | 4710484746603 | Vigor 2865, 2866, 2927 series | 4.4.3 or later |
Group B URLR-B | 4710484746610 | Vigor 2135ax, 2763, 2765, 2766 series | 4.4.3 or later |
Group S URLR-S | 4710484746597 | Vigor 2962, 3910, 3912 series | 4.3.2.5 or later |
Some of the older routers can also use the above licence keys to continue with the previous WCF provider - Cyren. Many models listed below are likely to receive a firmware update that will make them compatible with URL Reputation. Please check this page for further updates.
Subscription Type | EAN | SKU | Supported Series | Firmware |
---|---|---|---|---|
Group A | 4710484746603 | URLR-A | Vigor 2860, 2925; Vigor 2862, 2926; Vigor 2832 | 3.9.5 or later; 3.9.9.2 or later; 3.9.7 or later |
Group B | 4710484746610 | URLR-B | Vigor 2620Ln; Vigor 2762 series | 3.9.8.6 or later; 3.9.7 or later |
Group S | 4710484746597 | URLR-S | Vigor 2952, 3220 | 3.9.8 or later |
Why URL Reputation?
DrayTek's Web Content Filtering, powered by URL Reputation, uses a unique method of categorisation to ensure the most accurate, relevant and up-to-date database of web sites. Compared to other services in particular, URL Reputation has some important advantages:
- URL Reputation is built into the hardware
  There are software solutions for category blocking or parental control but they have to be installed on each PC, tablet or device and maintained on each. Someone with the right skills (a skilled employee or smart child!) can often find a way to bypass or disable the software. DrayTek's URL Reputation operates at your Internet point of entry so it examines all web site URLs requested and cannot be turned off without administrative rights to the router.
- URL Reputation is a commercial/professional Service
  Unlike some other services, URL Reputation does not rely on volunteers to submit suggestions for sites to include or rely on volunteers to categorise each site submitted (and multiple users to then concur with the category proposal). Relying on community-driven categorisation can lead to inaccuracies, delays, mischief and an incomplete database which omits many sites, particularly those which are more obscure or unknown (which are also more likely to be undesirable). The URL Reputation WCF service continuously evolves to improve performance and accuracy. This cloud-based technology dynamically updates each category as often as every 5 minutes to keep your network safe.
- URL Reputation is not a Domain Resolution Service
  Therefore it is not possible to bypass it merely by changing the DNS settings on your PC, or by browsing by IP address instead of URL. URL Reputation intercepts and examines all web requests for their specific destination, in addition to intercepting DNS requests and blocking requests in that way.
- Categorisation uses an automated mechanism
  URL Reputation filtering is based on a hugely scalable cloud-based architecture that uses the extensive cloud computing resources available for categorisation. URL Reputation uses a dynamically built, relevant local database with real-time connectivity to a hugely scalable cloud-based repository. URL Reputation therefore provides more complete, relevant categorisation of the Internet. URL Reputation's main benefit is the highly intelligent and accurate categorisation algorithms which are used to build its database.
- Zero-Hour Protection
  The Internet is a living, continuously growing and evolving system. As URL Reputation operates in real-time, it can categorise a site from the first time it is requested, and re-categorise it if it changes at a later date, without requiring community-driven or user intervention. Users do not have to manually submit sites for categorisation.
- Categorise IP Addresses
  Some other content filtering services can be bypassed simply by the user browsing to an IP address so that the URL is never considered/checked. URL Reputation will categorise sites based on their IP address if a user tries to access them via that method, i.e. both www.facebook.com and 69.63.190.18 would be blocked by URL Reputation if you have prohibited social networking. This is also particularly useful in combating phishing emails, which commonly use IP addresses instead of URLs. The DrayTek router can, in addition, block browsing by IP address altogether.
- Multiple Categories Per Site
  URL Reputation can identify a single web site or page as falling into several categories. For example, a site might provide both 'dating' and 'adult' content, so if you choose to block either of those, URL Reputation will correctly identify it as both.
- Site granularity
  Whereas other services consider only the host name, i.e. the URL up until the first "/", URL Reputation will parse/consider the whole URL. Host-only categorisation is particularly a problem for Web 2.0 sites such as blog sites (members.tripod.com/sitename), where one user's blog might be for kids and another user's might contain adult-suited material. Another example is commercial sites which contain different types of material. For example, URL Reputation will distinguish between "sportsillustrated.cnn.com" (Sports pages) and "sportsillustrated.cnn.com/swimsuit/" (Swimwear models/nudity).
- Embedded Links are examined
  Another common method that users might use to bypass web controls is using parsing or translation web sites. For example, if you try to visit "http://translate.google.com/translate?tl=it&u=http%3A%2F%2Fwww.swimwearplace.com%2F" then URL Reputation will correctly identify that you have asked Google to display 'www.swimwearplace.com' and block it if that is a category you have prohibited, whereas other services will just see 'Google' and permit access based on the categorisation of Google (search engine).
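The site granularity, embedded link, IP address and multiple-category checks described in this list can be sketched as one lookup routine. This is an added example, not DrayTek's or URL Reputation's code: the category table is constructed sample data and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data, not real URL Reputation categories.
# Keys are host + path prefix, so one host can carry several entries.
CATEGORIES = {
    "sportsillustrated.cnn.com/": {"sports"},
    "sportsillustrated.cnn.com/swimsuit/": {"sports", "adult"},
    "translate.google.com/": {"search engines"},
    "www.swimwearplace.com/": {"adult"},
    "www.facebook.com/": {"social networking"},
    "69.63.190.18/": {"social networking"},   # browsing by IP address
}


def _split(url):
    """Parse a URL, assuming http:// when the scheme is missing."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return urlsplit(url)


def lookup(url):
    """Categories of the longest host+path prefix that matches the URL."""
    parts = _split(url)
    key = (parts.hostname or "").lower() + (parts.path or "/")
    matches = [prefix for prefix in CATEGORIES if key.startswith(prefix)]
    return set(CATEGORIES[max(matches, key=len)]) if matches else set()


def embedded_urls(url):
    """Absolute URLs carried in query parameters (percent-decoded)."""
    return [value for _, value in parse_qsl(_split(url).query)
            if value.lower().startswith(("http://", "https://"))]


def categories(url, depth=2):
    """Categories of the URL plus those of any URL nested in its query."""
    found = lookup(url)
    if depth > 0:   # bounded so nested wrappers cannot recurse forever
        for inner in embedded_urls(url):
            found |= categories(inner, depth - 1)
    return found


def is_blocked(url, blocked):
    """True when any category of the request is on the blocked list."""
    return bool(categories(url) & set(blocked))


if __name__ == "__main__":
    wrapped = ("http://translate.google.com/translate"
               "?tl=it&u=http%3A%2F%2Fwww.swimwearplace.com%2F")
    print(lookup(wrapped), categories(wrapped), is_blocked(wrapped, {"adult"}))
```

A host-only lookup of the translation URL returns just the search engine category; following the embedded link is what brings the wrapped site's category into the decision.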
3. Digital Content Type
DrayTek's Content filtering allows you to specify particular data types or web content to be blocked by the router. The Vigor is pre-set with many different content types or protocols. You can select any or all of them for blocking. There are infinite combinations but some examples of commonly blocked content are:
- Block download of executable (EXE) or compressed (ZIP) files to reduce the chance of virus infection or installation of untested software.
- Block Peer-to-Peer (P2P) software such as BitTorrent, to avoid users using vast amounts of your bandwidth or engaging in media piracy.
- Block HTTP/FTP upload or webmail to prevent theft/espionage of your company data
- At Home, block Instant Messaging protocols to prevent your children from unsupervised chat with strangers.
- Block SMTP from all devices other than your mail server to stop Trojan Zombies
4. IP Filtering
This is a more technically complex method. All data sent across the Internet is sent as a 'data packet' between devices (for example between your PC and a web site). Each device has its own IP address (such as '203.0.113.86'). In addition, each data packet can be one of several data types (TCP, UDP, ICMP etc.) and may also have additional information such as TCP port numbers. Don't worry if this all sounds a bit complicated; the useful factor here is that these packets can be distinguished and therefore rules can be set up on the router to block or pass packets which match parameters you choose.
Examples of useful IP filters might be to block incoming mail from all but known mail servers, or to allow access to your internal web server from all addresses except known remote locations. IP Filters can be nested so that a chain of filters can all be tied together and data passed only if one of, or all of the rule criteria are met. As we said, it's a technically complex feature but immensely powerful.
Note: Although we include IP filtering here, most users actually consider that to be part of the main firewall features as it's not filtering 'by content' as such.
5. Filtering HTTPS with DrayTek DNS Filter
Concerns regarding privacy and security have increasingly led to web sites moving their services to web servers that offer SSL/TLS connections as standard. SSL/TLS connections are those prefixed with https:// or commonly shown with a 'padlock' symbol in your browser.
SSL/TLS is a protocol that allows communication to be secured with encryption so that it can't be read by a third party - anyone in between you and the server. This security also extends to the actual URL (web address) that the user enters, which has an impact on web content filtering methods that categorise websites based on the URL that is being accessed.
DrayTek Vigor routers can control access to web sites accessed over SSL/TLS with the DNS Filter, which builds upon the router's Content Security Management functionality. When a PC tries to access a web site, it has to always convert that web address into an IP address (e.g. 203.0.113.67). That IP address itself cannot be encrypted by SSL/TLS because your router has to know where to send the data to!
DrayTek's DNS Filter examines all DNS lookups from your PCs, Tablets and other devices and then makes categorisation or content filtering decisions. DNS Filter can be used with both the Keyword matching URL filter (whitelists/blacklists) and the URL Reputation Web Content filter.
This cannot be bypassed by changing the DNS servers used to one that does not employ filtering; the router intercepts and inspects all DNS queries, applying filtering to each one.
The DNS Filter links to the Vigor router's IP Filtering Firewall which gives full control of whom the Content Filtering is applied to. For instance, the DNS Filter could apply a restrictive profile to a child's Tablet or a wireless network for guests, with a less restrictive profile for other devices on your network.
6. Network Level SafeSearch
Filtering adult content on large web sites or search engines can prove difficult; blocking access to popular sites such as YouTube, Google or Bing is not a desirable option but applying content filtering to these sites, which force HTTPS connections instead of unencrypted HTTP, is often not possible.
Access to these web sites is secured with TLS encryption, which limits what a router's URL Content Filter or Web Content Filter can achieve because the URL cannot be inspected and additionally may not be indicative of the actual content being displayed.
DrayTek Vigor routers that support LAN DNS can enforce SafeSearch for web sites that offer this facility to network administrators.
YouTube, Google search and Bing search each provide a network level method to control SafeSearch through the use of a special hostname.
Many popular sites now offer this form of SafeSearch that doesn't rely on enforcing settings on individual computers and devices, which can be potentially bypassed and is time consuming to configure.
With DrayTek's LAN DNS feature, accessing "www.google.com" can be redirected to "forcesafesearch.google.com", which enforces SafeSearch for all devices accessing Google search through the DrayTek Vigor router's network.
This can be applied to Google for all countries (or Top-Level-Domains) using wildcards, such as "www.google.*", which avoids the limitation of this being bypassed simply by accessing another country's Google site i.e. "www.google.co.jp" or needing to manually enter every TLD when configuring this facility.
Similarly to the DNS Filter, the LAN DNS feature takes effect on all DNS Lookups passing through the router, so configuring a PC to use another DNS server will not avoid the enforcement of SafeSearch.
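The DNS Filter and LAN DNS behaviour described in sections 5 and 6, combined with the keyword lists from section 1, can be sketched as follows: the requested name is read from the DNS query itself, so the decision does not depend on seeing the HTTPS URL. This is an added example, not DrayTek firmware code; the function names, the keyword list and the fnmatch-style wildcard matching are assumptions, and the query packets are constructed.

```python
import fnmatch
import struct

# LAN DNS override from the page; fnmatch-style wildcard matching is an
# assumption of this sketch, the router's own matching rules may differ.
SAFESEARCH = {"www.google.*": "forcesafesearch.google.com"}


def build_query(name, qtype=1):
    """Build a plain DNS query packet (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def query_name(packet):
    """Return the lower-cased name in the first question of a DNS query."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + length > len(packet):
            raise ValueError("malformed label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length


def decide(packet, keywords, mode="blacklist"):
    """Return (action, name): rewrite for SafeSearch, else keyword allow/block."""
    name = query_name(packet)
    for pattern, target in SAFESEARCH.items():
        if fnmatch.fnmatchcase(name, pattern):
            return ("rewrite", target)
    hit = any(word in name for word in keywords)
    if mode == "blacklist":                      # default allow, block on match
        return ("block" if hit else "allow", name)
    return ("allow" if hit else "block", name)   # whitelist: default deny


if __name__ == "__main__":
    for host in ("www.google.co.jp", "www.facebook.com", "www.draytek.co.uk"):
        print(host, decide(build_query(host), ["facebook"]))
```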