Firewall Features – Content Filters
About the only control you don’t get for IP filtering is day / date control. That’s reserved for the Content Filtering feature (Figure 7).
Figure 7: Content Filtering
As you can see, this is a pretty complete set of content filtering features, all of which can be scheduled by time of day and day of week. You get eight sets of URL keyword blocks with multiple keywords allowed per set (as long as you don’t exceed 32 characters per set).
In case your LAN users are savvy enough to try using website IP addresses to bypass the keyword blocking, you can enable the Prevent Web access from IP address feature. This blocks web access for any IP address entered (or clicked into) a client browser by any LAN user.
There’s also the ability to block access to Web Proxies and download of ActiveX and Java applets and browser Cookies – features commonly found on other products. However, the 2900G also has the not-so-common ability to block download of common compressed, executable and multimedia file types – the first time I’ve seen this feature. This will be a welcome addition to anyone trying to control bandwidth usage by download-happy teens or employees.
The downside of the Content Filtering features is that they apply to all users. The only one that can be bypassed for “trusted” users is Prevent Web access from IP address, whose Enable Excepting Subnets list gives you four entries for individual IP addresses or subnets that will still be allowed IP address-based web access.
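As an added example that is not the 2900G's own code, the following Python models the content-filter decisions described above: the 32-character-per-set keyword blocks, IP-address URL blocking with excepting subnets, file-type blocking, and the day-of-week / hour schedule. The class, helper names and sample rules are assumptions constructed for illustration.

```python
# Added example, not the router's firmware: models the content-filter decisions
# described above. Rule values and helper names are constructed for illustration.
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

def is_ip_host(host):
    try:  # a bare IP address in the URL would sidestep name-based keyword blocks
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class ContentFilter:
    def __init__(self, keyword_sets, block_ip_urls, excepting_subnets,
                 blocked_extensions, active_days, active_hours):
        for kw_set in keyword_sets:
            if len(" ".join(kw_set)) > 32:  # per-set limit noted in the review
                raise ValueError("keyword set exceeds 32 characters")
        self.keyword_sets = keyword_sets
        self.block_ip_urls = block_ip_urls
        self.excepting = [ipaddress.ip_network(s) for s in excepting_subnets]
        self.blocked_ext = {e.lower() for e in blocked_extensions}
        self.active_days = set(active_days)  # 0=Monday ... 6=Sunday
        self.active_hours = active_hours     # (start, end) hour, end exclusive

    def decide(self, client_ip, url, when_iso):
        """Return 'allow' or 'block: <reason>' for one request at ISO time when_iso."""
        when = datetime.fromisoformat(when_iso)
        start, end = self.active_hours
        if when.weekday() not in self.active_days or not start <= when.hour < end:
            return "allow"  # outside the schedule nothing is filtered
        parts = urlsplit(url)
        if self.block_ip_urls and is_ip_host(parts.hostname or ""):
            client = ipaddress.ip_address(client_ip)
            if not any(client in net for net in self.excepting):
                return "block: ip-address url"
        for kw_set in self.keyword_sets:
            hit = next((k for k in kw_set if k.lower() in url.lower()), None)
            if hit:
                return f"block: keyword '{hit}'"
        ext = parts.path.rsplit(".", 1)[-1].lower() if "." in parts.path else ""
        if ext in self.blocked_ext:
            return f"block: file type .{ext}"
        return "allow"

# Constructed sample policy: weekdays 08:00-18:00, trusted hosts 192.168.1.1-6.
POLICY = ContentFilter(keyword_sets=[["casino", "poker"], ["warez"]],
                       block_ip_urls=True, excepting_subnets=["192.168.1.0/29"],
                       blocked_extensions=["exe", "zip", "mp3"],
                       active_days=range(5), active_hours=(8, 18))
```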
Finally, I’d be remiss if I didn’t mention the 2900G’s DoS Defense settings (Figure 8).
Figure 8: DoS Defense setup
This screen controls the stateful inspection features of the router’s firewall that are focused on Denial of Service types of attacks. These features are disabled by default, which is probably appropriate for most users. I’ve always wondered about the value of this feature category for consumer firewall / router products, since any DoS attack will flood a user’s broadband connection, essentially taking it down no matter what the router / firewall does anyway. But at least the Port Scan detection that I tested worked well, sending a series of messages to the syslog stream (more later) as soon as I started the scan.
My test of the Email Alert feature didn’t fare as well, though, with not one email received throughout my port scans.