Webfilter for School

Hello all,
So I have a non-profit client that is also a school and they are in dire need of a new CFS. Currently they are using a Sonicwall but it is having problems and they just want it gone.

My problem is, I’m having a hard time finding an affordable solution that checks some major boxes they need checked.

The students are using Chromebooks, those Chromebooks are assigned a static IP address by the Sonicwall and the CFS rules are established for their IP range. So being able to replicate this is a requirement.

Secondly, for everyone else in the Windows domain the Sonicwall’s CFS rules are applied by the user that logs in. So this is also a requirement.

I actually have a used Barracuda 310 sitting here that I took out of another client that didn’t want it anymore. I know it would do the job, but they would hate the maintenance costs of it.

I’m looking for suggestions from people who have installed CFS systems for schools, what they used, and if it would support the aforementioned needs.

@skippITs-James Sounds like a a pf-Sense solution with pfBlocker to filter out the undesirable content and at the domain level. Check out the Netgate appliances at netgate.com the right one depends on the number of users logging on at any one time. The Ui will make config and support very easy for you. Look at Tom’s videos on pf-Sense.

pfsense is lacking when it comes to a having a granular content filtering solution. pfblocker is only doingit at the DNS level. I am not aware of any firewalls/routers that offer CFS without recurring costs due to the nature of needing the feeds for the CFS system. You could also take a look at the https://www.untangle.com/ system.

My suggestion is to contact Barracuda Networks. They have special prices when the end customer is education or governement.
They have excellent Web Filter Appliances for your needs.
I have sold and implemented many Barracuda Solutions and best of all the Support is outstanding.
Try it, give them a call.

1 Like

@pedracho I can confirm how good Barracuda is because that’s what we used at my corporate job before I started my own business. Support is literally top notch, which is so rare in the IT world. If you don’t know how to accomplish something they can remote in and build it with you!

1 Like

@LTS_Tom or anyone really - Can you confirm the untangle would be able to handle both situations?

  • Assigning specific IP addresses to MAC addresses, and a specific CFS allow list to that IP range.
  • For everyone else it’s based on user login.

I don’t have one nor the resources to spin one up to find out for myself. Thanks!

WebTitan is looking appealing. Integration looks easy. Anyone here with experience?

Does the school sync it’s AD accounts with G Suite? If so you could look at solutions that also support user based filtering on Chromebooks.

I recently had a demo from Securly they offer user, and IP based filtering, and filter Chromebooks out the box. The filtering also works outside the school, if the Chromebooks are taken home. It should also tick a lot of safeguarding boxes.

Securly is also free now without a support contract. The school will need the chrome gafe or admin license to manage and push the extensions though.

I had priced untangle, barracuda, meraki, and sonicwall. With cfs sonicwall had a package(advanced security I think) with the best price. However I was in the nsa 3600 size point.

I was looking at squidproxy with squidguard on an old poweredge 860 if the budget failed so there was something. I think dansguardian was something else I looked at.

As a note the new encryption of dns and stuff like Tom is covering makes all this stuff a mess. Local device filtering or at least certs is going to be mandatory soon.

I work for a public school system. We are using the iBoss system to filter content.

We’re in a similar boat in our district as well. We have a new Sonicwall, but it is falling on its face daily. My “plan” is more of an administrative solution than a technical one. We plan on setting up two pairs of Pi-Hole’s for content filtering. Students on the student VLAN get assigned the Student PI-Hole via DHCP that blocks the most (porn, gambling, social media, ads, etc). Staff on the staff VLAN get assigned the Staff PI-Hole via DHCP with a much less restrictive set of blocklists.

The idea is that we should move away from a situation where some staff are “trusted” with bypass accounts for the content filter, and other staff aren’t. We also get away from having to manage complex block rules for different people, in different departments, at different times. Its not really a productive use of IT resources. if a staff member is spending all day on Facebook, that is a disciplinary issue, not a technical issue.

another vote for barracuda works great and you can get pretty great pricing when your a .gov

@LTS_Tom Hi Tom it’s Edward from your stream I posted in the chat I think I will look into untangle hopefully will be what I’m looking for in our school but will come back if not.
FYI I am new to this sort of stuff have just got a new job and the school needs an upgrade don’t really know anything about firewalls and routers.