Redirecting mobile devices through content filter


We plan on moving to a full content filtering solution at the end of the school year, but would like to finish out the year using what we have, or pushing external traffic through a separate filter. Our current solution is an 8e6 R3000. They are recommending buying another appliance and using it with a virtual appliance for mobile devices. I'm fine with that, but getting runaround on pricing and information.

At a previous school, we had CIPAFilter and could redirect to our in-house filter by using DNS settings on the mobile devices. I'm not sure how to do that with our current solution, if it's even possible. I don't mind setting up another box, but redirecting traffic and making everything work, I'm not familiar with. I'm looking at OpenDNS, which has a new service out specifically for mobile devices, but waiting on pricing.

Just wondering if anyone could help to shed some light on how to make this work. We don't NEED authentication to AD, but it would be nice.

You should be able to do this via IP or subnet. If the wireless devices use a different subnet, that should be easy to do; if not, you should be able to reserve an address and put them into a group which can apply a different policy to allow or deny access to whatever, without the need of doing squat with OpenDNS or other services. You can do this with Barracuda; I can't see why you can't do this with your appliance. If you get stuck let me know, I'll read up on your appliance.

I'm sorry. I left out a very important part, LOL.

I want to redirect external traffic through our internal filter. Wasn't paying attention when posting apparently.

Can you better define external?

External meaning a subnet having nothing to do with your network? If that is the case, you would have to at some point marry the networks. Be it through a DMZ subnet and everything accesses through your web filter, or your web filter will need some sort of remote client app to run on these devices and the devices would then go through your web filter regardless of where they are at in the world.

External meaning, when the devices are outside our network (at home, McDonalds, etc.).

At a previous school, we could use an IP we had tied to our content filter, and point the device DNS at that particular IP. It would then process requests through the filter. It didn't use authentication, just a default filtering policy, which is fine, for now. We will get a better solution during the summer.

The systems we are looking at do have apps, and would be easier to work with and manage, but we didn't really budget for that. Our current solution has a mode for mobile devices and there is a virtual appliance available, but they are kind of giving us the runaround. They want us to get a new appliance, because our current unit will be End of Life in July. Anyway, just looking for something to get us by.

Barracuda has it built into their appliance. I think it starts in their 400 series appliance.

Regardless, though, to get you by perhaps OpenDNS would be best. There are individual content filters that you would have to manage that you could use. I believe K9 offers mobile support. And there are parental control apps you can use.

http://www1.k9webprotection.com/news/highlights

So are these mobile devices locked down so they cannot change DNS? Great, you might be able to set up the mobile device to use a specific DNS that in turn would return a block page IP for an FQDN you want to block, say www.playboy.com or something.

But what happens when any user with an IQ of say 70 or higher figures out that he can just change his DNS to DHCP and not be filtered while at his house, Starbucks, local inet cafe, etc.?

I have to assume you can lock these devices down to prevent them from changing that? Another issue that comes to mind with mobile devices and locking DNS to say OpenDNS: what if they are at a location and need to resolve local zones for resources, say www.localdomain.lan, while at a customer/vendor site? OpenDNS is not going to be able to resolve non-public based zones that are only served by the local DNS to local clients.

Just some stuff to take into account - filtering devices that are outside your network can be a tough battle. One that many companies have decided not to fight. So while you cannot surf porn while at the office on your smartphone - once you take it out of the network you can surf what you want, etc.

Yes, this is added risk to be sure, but unless it's a company-owned device and can be completely locked to prevent user tampering in such a way to not at the same time restrict productivity or access while on some oddball network, it can be difficult.

You actually have the ability to do just this through an MDM solution such as AirWatch or MobileIron. They give you the option through the MDM profile to specify the network profile and then restrict the ability to change the settings. The solution I am describing works on iOS devices... not sure if it works on Android or Windows phones.
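
Added example, not part of the original thread and not any vendor's code: a toy Python model of the trade-off raised in the two posts above, comparing what a device gets back when its DNS is locked to a filtering resolver versus when it uses the resolver handed out by DHCP. The resolver tables, the block-page address and the names `blocked.example` and `school.example` are constructed; `www.localdomain.lan` is the local-zone name used in the thread.

```python
# Toy model, not a real DNS server. All addresses below are constructed.
BLOCK_PAGE_IP = "192.0.2.10"   # hypothetical block-page host (TEST-NET-1)

def in_zone(qname, zone):
    """True if qname equals zone or is a subdomain of it (label-wise match)."""
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(q) >= len(z) and q[-len(z):] == z

class Resolver:
    """Answers from a static record table; optionally rewrites blocked zones."""
    def __init__(self, records, blocked_zones=()):
        self.records = records
        self.blocked_zones = tuple(blocked_zones)

    def resolve(self, qname):
        if any(in_zone(qname, z) for z in self.blocked_zones):
            return BLOCK_PAGE_IP   # policy hit: browser lands on the block page
        return self.records.get(qname.lower().rstrip("."), "NXDOMAIN")

PUBLIC = {"blocked.example": "198.51.100.7", "school.example": "198.51.100.20"}
# Filtering service: knows public DNS only and enforces the block list.
FILTER_DNS = Resolver(PUBLIC, blocked_zones=["blocked.example"])
# Resolver handed out by DHCP at a vendor site: public names plus its private zone.
SITE_DNS = Resolver({**PUBLIC, "www.localdomain.lan": "10.20.0.5"})

def device_lookup(qname, dns_locked):
    """Locked devices always ask the filter; unlocked ones use the DHCP resolver."""
    return (FILTER_DNS if dns_locked else SITE_DNS).resolve(qname)

def coverage_report(names):
    """Per name: (answer with DNS locked, answer after switching to DHCP DNS)."""
    return {n: (device_lookup(n, True), device_lookup(n, False)) for n in names}

if __name__ == "__main__":
    names = ["blocked.example", "ads.blocked.example", "www.localdomain.lan"]
    for name, (locked, dhcp) in coverage_report(names).items():
        print(f"{name:22} locked={locked:14} dhcp={dhcp}")
```

The report makes both failure modes visible side by side: the filter only holds while the DNS setting is locked, and a locked device loses names that exist only on the local network.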

We are using Novell's MDM as it is pretty cheap for us on our SLA. We might switch at a later date. I really like Airwatch, but I think the Novell solution is going to work pretty well.

I do need to verify the locking down of network settings. OpenDNS has their own client also that they are working on. It's not supposed to be released until closer to summer, but they called me today about possibly beta testing and we can control the app selection and lock those down, so I'm assuming if the app stays in place the DNS would stay locked, but without that app, I'm not sure. I will look specifically at that tomorrow.

Thanks for the information, guys.
