Deep Packet Inspection (DPI)

If security’s a big concern, then it would be wise to implement this in addition to having a DPI firewall anyway.
Depth of defense = ++good

I understood this, sure. Most operating systems like OSX and UNIX support this out of the box. Windows has a slight problem with it since everyone not being “Administrator” is seriously disabled in his work.
Let’s see what the enhanced DNS filtering option for domains will allow in the upcoming RouterOS release. Until then I have implemented (and can recommend) the following two measures:

  1. Implement domain filtering in the built-in web proxy based on common blacklists - guarantees at least ad-free web pages
  2. Tunnel traffic through another appliance like http://www.untangle.com in “bridge mode” to allow for all further traffic filtering and inspection

For the latter I would love to see a sample setup from Mikrotik that explains

  • How to implement a rule set to selectively tunnel traffic through a transparent device that is connected to two ports (in, return) on the Mikrotik router
  • Traffic could then be sent through an external filter based on protocol, source or destination or whatever packet mark would be favorite

Other approaches that come to my mind were

  • Implement ICAP to interface a dedicated Antivirus solution that most companies already might have in house
  • Implement support for common blacklist importing. Scripting possibilities on RouterOS are currently too limited to allow for on-board processing of existing lists. Mikrotik could make it a service and provide blacklists ready for import.

Just some innovative ideas to enhance the product's capabilities and make it worth much more.
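The blacklist measure from the post above, done off-box because on-router scripting is limited: an added example, not part of the original post and not Mikrotik code. It converts a hosts-style blacklist into a RouterOS script of web proxy deny rules and drops any entry that is not a plain hostname, so a tampered list cannot inject router commands. The sample list, the function names and the rule comment are constructed for illustration.

```python
import re

# Constructed sample in the common "hosts file" blacklist format (not a real list).
SAMPLE_HOSTS = """\
# constructed sample blacklist
0.0.0.0 ads.example.com
127.0.0.1 tracker.example.net  # inline comment
0.0.0.0 ADS.example.com
0.0.0.0 localhost
0.0.0.0 bad";/system-reset.example
tracker.example.org
"""

# Strict hostname check: letters, digits and hyphens, at least two labels.
# Quotes, semicolons, slashes, ':' and '*' never pass, so an entry cannot
# break out of the generated command or become a proxy wildcard/regex rule.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_blacklist(text):
    """Return sorted, de-duplicated, validated hostnames from hosts-style text."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, split on whitespace
        if fields and fields[0] in _SINK_ADDRS:  # drop the leading sinkhole address
            fields = fields[1:]
        for name in fields:
            name = name.lower().rstrip(".")
            numeric_tld = name.rsplit(".", 1)[-1].isdigit()  # rejects bare IPv4 addresses
            if len(name) <= 253 and _HOSTNAME.match(name) and not numeric_tld:
                hosts.add(name)
    return sorted(hosts)


def to_routeros(hosts, comment="blacklist-import"):
    """Render one web proxy deny rule per hostname as RouterOS script text."""
    lines = ["/ip proxy access"]
    lines += [f'add dst-host={h} action=deny comment="{comment}"' for h in hosts]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_routeros(parse_blacklist(SAMPLE_HOSTS)), end="")
```

Tagging every generated rule with the same comment lets a later refresh remove the old set before importing the new one.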

Address is a bad idea. YouTube, for example, uses a proxy installed in the ISP (provided by Google), so the block in BGP is a waste of time!

Four years on, still strong.