The availability of internet access has exploded in Ghana in the last few years. Not only do we have a pretty good connection at our office in Tamale, but now many of the 33 project offices around the country also have internet connection options. There are many good things online, but of course there is also a lot of junk. At the office we run an IPFire firewall that does content filtering. I have been doing some research into options for rural offices too, and this is what I have found out so far.
1. Firewall Server
In many offices a firewall server like IPCop is very useful. It runs on cheap hardware and is highly configurable. It can provide content filtering through blacklists or by actually scanning the pages as they are loaded. With several simple and low cost Linux boxes becoming available this is a possible option. I dismissed a computer firewall mainly because of the hard drive. The failure rate of hard drives in Ghana is extremely high and I did not want to take chances. A solid state drive may have been possible, but would have increased the price. It also was a more complex setup than I wanted to manage for 33 different offices.
2. Appliance with Content Filtering
One of the big catch phrases for firewall appliances today is “unified security.” The idea is that along with keeping the bad guys out of your network, you also filter the traffic for viruses and unwanted content. That content could be inappropriate websites, P2P, IM, or anything else that your organization does not appreciate.
Following a recommendation from another IT guy, we purchased a ZyXEL ZyWALL USG 50 for our guest house in Accra. For a relatively low price (USD $250) it is a very sophisticated box. It has two Ethernet WAN ports, two USB ports for 3G modems, and four gigabit LAN ports which can be segmented into different subnets (LAN, WLAN, DMZ, etc.). The device can fail over between the WAN connections. It can also scan traffic for viruses and do content filtering. A feature that I love on it is that you can type a URL into the interface and see what the result would be without actually having to try to load the page in your browser. The downside of the latter is that if the URL is not blocked, you may be looking at content you do not want to see. If it were not for our need of the update accelerator feature on IPCop/IPFire, I would strongly consider replacing our computer firewall with one of these at our head office.
There are several downsides to the USG 50: (1) For what it can do, USD $250 is not a high price, but it is more than I want to spend for the project offices. (2) It is highly configurable, which means it is pretty complicated. (3) The antivirus and content filtering each require an annual subscription fee, which would be a high cost if I distributed these to all of our project offices. (4) It is very limited in which 3G USB modems it works with.
ZyXEL also has two lower end models, the USG 20 and 20W (wireless), for small offices and the home. They provide content filtering, but not the antivirus filtering.
3. DNS Filtering
A simpler device that we tested for providing a simple office network is the Zoom Wireless-N Router 4501. It retails for about USD $80. It has an Ethernet LAN, Ethernet WAN, and USB ports. The list of USB 3G modems that it works with is extensive and we had no problems with the modem we bought locally. It is not uncommon that one cell phone carrier will go down, so it would be easy for an office to plug in the modem from another carrier and keep working. The problem is how to provide content protection.
I have been toying with the idea of DNS filtering (DNS explained). Rather than installing software on each computer, you point them to a DNS service that simply does not respond to requests for blocked websites. The plus to this is that you do not need specialized equipment and your management effort is almost nil. The downside is that you do not have much control over what is blocked and what is not, and it is extremely easy for a tech-savvy user to bypass (they just have to manually put in another DNS server address on their computers, though you could perhaps block UDP port 53 on the router).
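To confirm that an office computer really is behind the filtering resolver, you can send it a DNS query for a test name and classify the raw reply. The following is an added example, not part of the original post: it treats NXDOMAIN, an empty answer, or a block-page address as "blocked", and the `BLOCK_PAGE_IPS` value and the function names are assumptions made for illustration.

```python
import os
import socket
import struct

# Assumption: placeholder block-page IP (documentation range), not a real provider value.
BLOCK_PAGE_IPS = {"192.0.2.10"}

def build_query(name, qid):
    """Encode a recursive A-record query in DNS wire format."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # compression pointer or root label

def classify(msg, qid):
    """Return 'blocked', 'allowed', 'error' or 'invalid' for a raw DNS reply."""
    try:
        rid, flags, qd, an = struct.unpack(">HHHHHH", msg[:12])[:4]
        if rid != qid or not (flags & 0x8000):    # wrong ID or not a response
            return "invalid"
        if flags & 0xF:                           # RCODE 3 = NXDOMAIN
            return "blocked" if (flags & 0xF) == 3 else "error"
        off, ips = 12, []
        for _ in range(qd):                       # skip the echoed question(s)
            off = _skip_name(msg, off) + 4
        for _ in range(an):                       # collect A records
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            if rtype == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
            off += 10 + rdlen
    except (IndexError, struct.error, OSError):   # truncated or malformed reply
        return "invalid"
    return "blocked" if (not ips or BLOCK_PAGE_IPS & set(ips)) else "allowed"

def check(resolver, name, timeout=3.0):
    """Query `resolver` over UDP port 53 and classify its answer for `name`."""
    qid = int.from_bytes(os.urandom(2), "big")    # random ID, harder to spoof
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (resolver, 53))
            return classify(s.recv(512), qid)
        except socket.timeout:
            return "no-response"
```

Running `check()` against both the filtering resolver and some other public resolver from an office machine also shows whether the router still lets DNS traffic out to servers other than the approved one.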
There are a few services that I have briefly looked at:
3.1. OpenDNS
I have been a fan and user of OpenDNS for quite some time. The basic service provides two major benefits: it provides very quick DNS lookups, and it blocks known malware sites. OpenDNS provides two options that we could use. The first is to sign up for an enterprise account. This would allow us granular control, but would mean that we have to register each router and set it up with a service like dynamic DNS. The second is to use the FamilyShield service. This provides the benefits of basic OpenDNS service plus blocks sites that they feel are inappropriate for children. The downsides are that we have no control over what is blocked and there are some complaints that they do not add new sites quickly enough. (OpenDNS provides a clean website to test if a computer is correctly configured for their adult blocking service: http://www.exampleadultsite.com/.)
3.2. Norton DNS
This is a service that I just came across today. It works much like OpenDNS FamilyShield, but allows for multiple levels of protection. There are services for both Home and Business. For example, there are different DNS servers to use if you want to protect just against security issues, security & pornography, or security & pornography & Non-Family Friendly. I have not looked through all of the business options yet.
I have looked around for other DNS filtering services. I think that ScrubIT has been around for a while, but I am not sure how active it is anymore. Dyn also provides a free filtering service called Internet Guide, but it looks like you would need to set up an account and use it like OpenDNS enterprise. Of course there are a few paid-for plans as well that I did not review.