So a question that comes up all the time is website filtering. So that's the topic today. We're going to dive into it with how it's handled on Untangle, show you how SSL inspection works and a couple other methodologies that you can use to get fine-grain control of the websites people visit. But if you could take a second and visit some of the sponsors below and some of the affiliates we have, such as ITProTV and Tech Supply Direct, the links are down below, or even our Amazon store and kits we have for products, that would be very helpful to the channel and much appreciated to keep this channel going. Thank you.

Back to Untangle. Untangle here is a really good firewall. It's not 100% free if you want all the bells and whistles and specifically the website filtering. And this seems to be a big point of confusion for a lot of people because they're always looking for that free, absolutely no cost to them, granular control over websites. And I just keep replying in email. So now I'm going to reply with a video that there aren't any good free solutions. Now you can do DNS-level blocking and things like that of many websites, but it's also kind of a cat and mouse game of trying to keep up the list of websites and keep up the categories you want blocked, et cetera, et cetera. Those are where the money comes in, so to speak, because there are entire teams and companies that just curate these lists. That takes time. It takes effort. There's only so much people have been able to do for free in regards to that. That's where things like Untangle and their paid subscriptions are for getting those feeds. Specifically, we're going to talk though about the web classification feeds.

So how does it all work? Well, like I said, I listen to Untangle here and I'll just throw it out there for the home users. I think this is pretty cool.
For those of you that want this at home because you care so much about filtering, they do have a really cheap option for home users at an annual price of 50 bucks a year with all the bells and whistles. That's actually pretty cool to me. That they have it. That's a very reasonable price for those of you that want web filtering. Second option, you can go buy some type of web filter like Webroot. Or in our case, we use SolarWinds. And SolarWinds comes with a tool that allows us to do granular web filtering on each device we load the SolarWinds on. That is for those wondering how we sometimes will use a non-SSL filtering firewall, but still have granular control over the individual workstations for the clients we manage. Those are different methods by which you can do it.

If you want it to be handled at the firewall, any firewall you get will have these same requirements. You need an SSL inspector and the web filtering functions built in. Specifically, we're talking about Untangle, but like I said, this can apply really to any other commercial firewall from Meraki, Palo Alto, WatchGuard, Check Point. You name the firewall, probably SonicWall as well, and there's going to be the same methodologies because the same process needs to exist to make this work.

So first, SSL inspection. This is because everything has become encrypted. Thanks, Let's Encrypt. I can't say everything, but we'll just say the majority of things. The internet is more encrypted now than it ever was before in terms of web traffic. And that's due to Let's Encrypt making certificates really easy to install. This has obviously caused many problems and we've seen many, including authoritarian governments, try to encourage their clients, well, their populace, I should say, to install a certificate so they can view it. This is one of the hang-ups, so to speak. You need to install a certificate that is trusted by both the system and the firewall in order to see within that traffic.
So that's what we're going to dig into. Then of course, second, web filtering itself. I bring up the web filtering that is Untangle's because, well, like I said, you're paying that subscription fee to get the latest web traffic. And they admit real-time classification updates come from, they use the Webroot BrightCloud. Lots of other companies actually do this; this is kind of behind the scenes. So they have their own tools within the firewall that do it. But the feed itself comes from the Webroot BrightCloud. To maintain the list, the applications you need to set up on your Untangle are going to be SSL Inspector and the Web Filter. Like I said, this is if you want that more granular detail control and you want the firewall to be able to see within that traffic.

Now I have a virtual machine set up. And currently SSL inspection is turned on. And let's actually look at it real quick here. Configurations rules. I do have my phone as an exception on here because I want to bring that up as well. It is a pain, not impossible, but much more difficult and breaks things if you try to put your phone on a network. And I actually wanted to kind of show that real quick. And I'll just kind of do it as a screenshot here. So right now, source address is my phone's IP address. And we're going to go ahead and save and just I'll share a screenshot of what happens to my phone here when this happens. So my phone will connect to the network that I have set up for Untangle, but it won't actually do anything. It just keeps telling me limited or no connectivity, which means it just falls back to using the 4G connection. So we're going to hit save and go and turn it off. This is kind of a challenge because a lot of phones have gone to certificate pinning, which means they don't care what other certificates you use. And you have to use some more advanced tools for that. So I will admit you may need to put in a bypass for the phone. Want to bring that up.
The other thing here, it's only set up right now to inspect this particular traffic so you can get the details of what pages people went to and things like that. And then we ignore other traffic and we'll actually show how that works. So we don't have the certificate installed yet. We do have this. So we're going to open it up and go over here to Google. And you can see not secure, certificate issued to, issued by Lawrence Systems. So it's inspecting the Google traffic here. So if we turn off the Google inspection, we'll say don't inspect Google. Save. We'll go back here. Let's open and close it so it doesn't cache anything. And now Google works perfectly fine. But we have a Bing. I don't know if anyone uses it, but if anyone does. Now we get an insecure certificate here. Now other traffic, and we'll go here like to SSL Labs. It's allowing this to pass. So it's only filtering very specific things on this list here. So let's increase this a little bit.

Also, I want to bring up that your agent supports TLS 1.3, the latest version of TLS. Now TLS 1.3, by the way, has a double encryption. Essentially you have the first cert and then you have a secondary temporary ephemeral cert or a key exchange that happens via Diffie-Hellman as part of the 1.3. When we switch this over, it's going to break that. And the reason why is because there's not any way currently, and I don't know that there will be, because part of the thing about TLS 1.3 that's been a big hang-up for a lot of companies, Cisco has an entire article about the problems they have with it, is once you go to TLS 1.3, even with the SSL inspection, because there's another key immediately issued in between, that actually breaks it again. So that's why you don't see TLS 1.3 on here. I'm not sure they're going to find a methodology around it because TLS 1.3 was literally designed to stop deeper inspection of your data even when you have a certificate installed. So we'll have to see how that goes.
But you can see this is clearly a problem. We'll also bring up very briefly here over in the web filter that when you go in and look at some of the advanced features, block QUIC (UDP 443). That is also because UDP is difficult for this to inspect. It is unable to parse it, so they block this. This obviously creates a big problem with a lot of sites such as YouTube, Facebook, Google. They all use this QUIC protocol because it's very fast. It's very efficient. I have a video specifically on this protocol because it's a better way to transport data across the internet. It's quite good, but it also breaks inspection. So a couple side notes, once you go to web filtering, these things are going to be broken: TLS 1.3 and the QUIC protocol.

So we have this wonderful thing right here, and now we're going to change it to filtering all the traffic. So we know we got 1.3. We know everything's working. So we're going to go over here to the SSL Inspector, the rules. We're not going to ignore other traffic. We're going to inspect all the traffic, even the Google traffic here. Now we're going to hit save. Now if we go here and refresh the page for SSL Labs, it's now falling in there because we're saying inspect all the traffic that comes.

So now we got to install the certificate. Now from Untangle, if we go over to config, administration, certificates, you can download the installer. So we can go ahead and do this, and then you can install it on a Windows device, which we've already done. So we'll go over here and run this as administrator. So now we open up SSL Labs again. And by the way, Firefox, the reason I had to check the box here is it does have a separate maintained list of certificates. So it installed it in Firefox. It also installs it in Chrome. Chrome is using Windows certificates there. But right away, you notice that our TLS 1.3 is gone and the signed certificate here: Lawrence Systems cert issued to SSL Labs. It's injecting itself in the middle of each thing we do.
So now when we go to sites like Google, it still works. But once again, right here's the certificate issued. All right, so we have the SSL installed. Let's test the recruiting. So let's try sites like ziprecruiter.com. That one's working. This is the default config for the system. But it does by default block things like this. So we can't go to the adult websites. They are a violation of network policy. Now, let's say you do want someone to be able to access things. And we'll show you the IP address of the computer: 192.168.55.144. Either because you think you should be able to access all sites or you just want to pass, for example, job sites.

So ziprecruiter, we don't necessarily, we see it's working right now, so we can block it. So let's go back to ziprecruiter.com. We see it works. And let's filter it first. And we just say, block the job searching site. And you may want to flag them instead. And the difference is, it's going to be flagged, so you can do reporting, but it allows the person to go there. So we'll start with actually flagging it. So we're going to hit Save, switch back over, and we'll refresh ziprecruiter. We see we can still get there. And indeed.com, I think, is a job site. Yes, indeed.com and monster.com. So we're able to go to any of the job sites, but you may want to know if someone's going there.

So let's go over to look at the reporting here. And I will get a new tab, open reports, flagged categories. We have some adults. We have some job searching going on here. What about my host name? Flagged clients. This is the client that's clearly doing something. And this will allow you to then start drilling in and you can get those fine-grain reports. You want to say everything that this particular client, we filtered for a client by saying yes to that. So start digging into what websites were blocked, six hits, top flagged sites. And here we are, secure.indeed.com, MediaWorks, newjobs.com. Well, there's a few other back-end sites apparently.
It goes to ziprecruiter.com. So you can start drilling down and saying, all right, this is the flagged site. So this person is going to. We can download the image. You added a dashboard, data view. So we can actually get the list right here. And now you can see you can sit down and have a conversation with someone who is getting flagged in there.

Let's talk about blocking. So let's remove these filters. And we'll go ahead and block it. So hit Save here at the bottom. And now it's blocked. But what if you need them unblocked? So you want no one going on job sites, but you want them to be passed? Well, we can go over here and add it by IP address. So 192.168.55.144. And we'll say maybe someone in HR needs to go to sites that didn't need to check things and such. So HR, allow, all. Hit Done. Hit Save. And now ziprecruiter.com is unblocked specifically for this user, but not for other users or other IP addresses.

Now, yes, Untangle does support further integration. It goes beyond the scope of this talk, where you could do per username or a more fine-grained control based on Active Directory integration. But like I said, it goes beyond the scope of the talk. But you get the idea. You can just do reporting on sites. You can block sites. You can specifically whitelist a site or blacklist a site that you may not want people to go to. And they have right here for block sites and pass sites. And it's just an add, remove. Now you can start digging in and fine-grained controlling things. And it even gives you block or flag as an option. So if you just want reporting on the site, because you want to know people went there because of a report you want run, versus absolutely stopping them from going there. But like I said, this is a great system for filtering. It's got a lot of the reporting people like. It does the fine-grained controls that will stop people from going to adult sites or looking for jobs while they're wandering around at work.
You don't want them looking at jobs. You have the ability to block that. And like I said, it's a pretty solid system. So if web filtering is a requirement and you want these fine-grained controls, head over to untangle.com. You can set up a 14-day free trial with a demo. You can get the home user edition for only $50 a year right now, which is to me a really great deal for that. If you're looking for a commercial deployment that you need help with, feel free to reach out to us and we can help you with that. All right, thanks.

And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com where we can carry on the discussion about this video, other videos, or other tech topics in general, even suggestions for new videos that are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.