Router with Internet Controls?

Status
Not open for further replies.

fw2004

Hi;
I have a home network with 3 computers. I am connected to the Internet over Optimum Online (Cablevision) cable modem, and have my own router(s) to distribute the network throughout the house.

I am looking into the possibility of increasing Internet security by installing a "smarter" router between the cable modem and the rest of the network.
I would like this router to handle Internet filtering, to prevent anyone from going onto sites that will cause harm to the computer, as well as parental controls for my 12 year old niece.

I could run a proxy server, and I already own a license for Win 2K server I could set up on another machine and use it as the proxy, but I think that purchasing a new router would be a lot less expensive and more efficient.

My current router(s), D-Link DI-724U and DI-624, will perform very rudimentary Internet filtering and parental control, but this is neither sufficient nor convenient.

I also will have Internet security installed on all PC's to handle virus, malware, etc, but I am having so much trouble with seemingly legitimate web sites downloading spyware, and other non-invited software.
I can set my Internet software for tighter controls, but it is difficult to do this with three PC's, and would like to block certain sites from all computers at once.

Can anyone suggest a router that would handle this requirement?

Thanks

FW
 
So, you're telling me there is no such animal?
I am going to try signing up for some security seminars / webinars.

FW
 
You can use two concepts here:
  • A DMZ host
  • and an ICS connection
I can set my Internet software for tighter controls, but it is difficult to do this with three PC's, and would like to block certain sites from all computers at once.
The primary router connected to the modem is the GATEWAY Router. It will perform the
'high level' controls, such as DENY all inbound non-session traffic.
The HOST file (on the DMZ system) can set up the typical denial technique of using 127.0.0.1 www.some-porno-website.com

The secondary router to which the lan is attached is the final arbitrator and you can monitor results from this
router's log. The DMZ host then needs TWO NIC adapters:
Code:
modem --gwr---(nic1)DMZ host(nic2)---ics connection---secondary.router---lan systems
The ICS connection (on Windows) is always at 192.168.0.1, which will show up as the gateway address on the secondary.router.
This then requires
  • the DMZ host is not 192.168.0.1
  • and neither is the GWR
With this setup, any filtering (i.e. firewall settings on the DMZ host and the GWR) will control everything downstream on the ICS.

1) the default route on the DMZ host must be the GWR address
2) the default route on the secondary.router SHOULD be the ICS address.

Using DMZ mode on the gateway router is a risk, but necessary if all ports are to be available to the secondary.router.
This implies that the DMZ host FW needs to be robust
(i.e. not just the XP default, but a bidirectional FW like Comodo or Sunbelt)

Parental Controls and filtering (on the DMZ host) will need to target hard IP addresses (of the lan.systems)
use static addresses or MAC filtering to predict IP address assignments

Running online games which require port forwarding will be difficult and, once set,
excludes all other systems on the lan.

I also will have Internet security installed on all PC's to handle virus, malware, etc, but I am having so much trouble with seemingly legitimate web sites downloading spyware,
and other non-invited software.
and that is the Achilles heel of the net today :(
Add Spywareblaster to each lan system to control known ActiveX junk.
The HOST file above will filter bad Sites, but even good sites can get infected.
Once the browser makes a connection, only browser filters will inhibit specific MIME-Type content.

On all the lan systems, I would still install anti-virus and configure the email readers to scan all inbound email.
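
A check of the addressing rules in the post above, added here as an example and not written by anyone in the thread. The /24 mask on the ICS address, the subnet-overlap checks (which go beyond the two "is not 192.168.0.1" rules) and all addresses in the two plans are assumptions of this example.

```python
import ipaddress

# ICS address as stated in the post; the /24 mask is this example's assumption.
ICS = ipaddress.ip_interface("192.168.0.1/24")

def check_plan(plan):
    """Return the problems found in a GWR / DMZ host / ICS / secondary router plan."""
    gwr = ipaddress.ip_interface(plan["gwr_lan"])
    nic1 = ipaddress.ip_interface(plan["dmz_nic1"])
    sec_wan = ipaddress.ip_interface(plan["secondary_wan"])
    sec_lan = ipaddress.ip_interface(plan["secondary_lan"])
    dmz_gw = ipaddress.ip_address(plan["dmz_default_route"])
    sec_gw = ipaddress.ip_address(plan["secondary_default_route"])
    checks = [
        (gwr.ip != ICS.ip, "GWR uses the ICS address"),
        (nic1.ip != ICS.ip, "DMZ host nic1 uses the ICS address"),
        # If both NICs of the DMZ host sit in one subnet, it cannot route between them.
        (not gwr.network.overlaps(ICS.network), "GWR LAN overlaps the ICS subnet"),
        (nic1.ip in gwr.network, "DMZ host nic1 is not on the GWR LAN"),
        (dmz_gw == gwr.ip, "DMZ host default route is not the GWR"),
        (sec_wan.ip in ICS.network and sec_wan.ip != ICS.ip,
         "secondary router WAN is not a client of the ICS subnet"),
        (sec_gw == ICS.ip, "secondary router default route is not the ICS address"),
        (not sec_lan.network.overlaps(ICS.network),
         "secondary router LAN overlaps the ICS subnet"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed plans (hypothetical addresses, not taken from the thread).
GOOD_PLAN = {
    "gwr_lan": "192.168.1.1/24", "dmz_nic1": "192.168.1.2/24",
    "dmz_default_route": "192.168.1.1",
    "secondary_wan": "192.168.0.2/24", "secondary_default_route": "192.168.0.1",
    "secondary_lan": "192.168.2.1/24",
}
# Every device left on 192.168.0.x, so the ICS address collides with the GWR.
BAD_PLAN = {
    "gwr_lan": "192.168.0.1/24", "dmz_nic1": "192.168.0.2/24",
    "dmz_default_route": "192.168.0.1",
    "secondary_wan": "192.168.0.3/24", "secondary_default_route": "192.168.0.1",
    "secondary_lan": "192.168.0.1/24",
}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "ok")
```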
 
This all seems a bit complicated and expensive for a home network.
I did a bit of searching and came up with some web filtering appliances, such as the Barracuda web filter.
It looks like the one the company I used to work for used. I'm sure something like that would cost me in the area of $1,000.

Perhaps all that I need is a better router, that is easier to set up.
The D-Link is old, and not very sophisticated.

The problem with all of that is I have to manually enter the sites I want to block or allow.
The software or hardware would do a lot of that for me.

I am thinking that maybe I could get some free software (like that DMZ you are talking about) for my Win 2K server.
All I would need then is a second NIC, which I think I already have.

In any case, I have to do a lot more research before I install anything.

FW
 
DMZ is a typical router setting which basically allows anything :(

The HOST file is free from http://www.mvps.org/winhelp2002/hosts2.htm

The problem with all of that is I have to manually enter the sites I want to block or allow.
The software or hardware would do a lot of that for me.
Nope -- YOU will need to configure it. The only 'silver bullet' will be the Parental Control software.

btw: some routers (like my Netgear) have keyword filtering, so I set a keyword like porn and every URL that contains that fragment is denied access. Expand the list and you can get very effective controls without knowing the domain name or full URL.
 
I guess my lack of education is showing again<g>
I used to be up on all the terms (DMZ, etc) but have let all of that slip over the years. Time to hit the books again.

I'll take a look at what my current router can do. If I can buy a better one for about $50, then I'll go for that.
Other than that, I think I am going to have to install a software app on the kid's computer as well.

FW
 
Found out that my router's parental controls are really weak, and the filtering is horrendously poor.
For example, if I type into the blocked domain list ".ru", thinking I am going to block all sites from Russia, it will block those, but also "runnersworld.com", because that domain also contains the letters "ru".

So, I decided to scrap the router filtering, and use my HOSTS file instead.
I downloaded a very comprehensive listing of attack/spy, etc sites and copied it into the host file.
I think this is all I need in addition to my Norton Internet Security.

FW
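
The three matching behaviours that come up in this thread, side by side, as an added example that is not from any poster: router-style substring matching (the ".ru" over-block), matching on a domain-label boundary, and the exact-name matching a hosts file performs. All function names, the sample hosts text and the `.example` hostnames are constructed for illustration.

```python
def substring_block(host, patterns):
    """Router-style filter: block if a pattern appears anywhere in the name."""
    return any(p.lower() in host.lower() for p in patterns)

def suffix_block(host, suffixes):
    """Block only when a suffix matches whole labels at the end of the name."""
    labels = host.lower().rstrip(".").split(".")
    for s in suffixes:
        want = s.lower().strip(".").split(".")
        if len(labels) >= len(want) and labels[-len(want):] == want:
            return True
    return False

def parse_hosts(text):
    """Return the names a hosts file points at a loopback or null address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "0.0.0.0"):
            blocked.update(name.lower() for name in fields[1:])
    blocked.discard("localhost")                 # the standard entry is not a block
    return blocked

def hosts_block(host, blocked):
    """Hosts-file semantics: exact name only, no wildcards, no subdomains."""
    return host.lower().rstrip(".") in blocked

# Constructed sample hosts file (hypothetical names).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.badsite.example      # constructed entry
0.0.0.0     tracker.badsite.example
"""

if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for host in ("www.runnersworld.com", "news.example.ru",
                 "ads.badsite.example", "cdn.badsite.example"):
        print(f"{host:24} substring={substring_block(host, ['.ru'])!s:5} "
              f"suffix={suffix_block(host, ['.ru'])!s:5} "
              f"hosts={hosts_block(host, blocked)}")
```

A hosts list therefore blocks only the names it contains: a subdomain that is not listed still resolves, so the list has to be refreshed as new names appear.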
 