Alta Labs includes a powerful Deep Packet Inspection (DPI) engine to provide content filtering for both wireless and wired networks. Whether you are an Enterprise Network Administrator or a concerned parent, content filtering allows you to restrict access to unauthorized or sensitive websites, applications, and application categories.
To start configuring content filtering for your Site, navigate to Settings → Filter.
The page is divided into two sections:
- Wireless - Applies content filtering to Wi-Fi clients connected through Alta Labs access points.
- Wired - Applies content filtering to devices connected through a Route10.
Within the Wireless section, you can create one or more Filter Profiles containing the desired content filtering rules. These profiles can be assigned to an AltaPass password within an SSID or directly to an individual client device, allowing content filtering to be applied selectively to wireless users.
Wired filtering through a Route10 remains site-wide and currently cannot be assigned on a per-device or per-user basis. In other words, it is currently an all-or-nothing configuration for wired traffic, regardless of whether Wireless Filter Profiles are in use.
Configuring Filter Policies for Wireless Devices
Navigate to the Wireless tab and click Add to create a new Filter Profile.
At the top of the list, there is an “Only show current site” toggle. When enabled, only Filter Profiles currently associated with the selected site will be displayed. When disabled, all Filter Profiles created under your account will be shown, including those not currently in use. Profiles that are not assigned to any site or not actively used will appear outside of the current site context.
When creating or editing a Filter Profile, you can configure the following sections:
- Blocked Applications - Allows you to select individual applications or application groups to block. You can type to search and filter the available list.
- Blocked Hosts - Allows you to specify individual domains or hostnames to block. For example, entering youtube.com or tiktok.com will block access to those sites.
Within each Filter Profile, you can also configure a Schedule. Schedules allow you to automatically enable or disable filtering based on time of day.
This works similarly to scheduling on SSIDs and AltaPass passwords, where access policies can be automatically applied or removed based on defined time windows.
Configuring Filter Policies for Wired Devices
Navigate to the Wired section. Within this section, you can configure the same types of filtering rules available for wireless traffic, as well as blocking regions and using Block Lists:
- Blocked Applications - Block specific applications or application categories.
- Blocked Hosts - Block specific domains or hostnames.
- Blocked Regions - Block traffic based on country of origin.
- Block Lists - Predefined IP-based block lists (explained below).
Block Lists
Under Block Lists, you can choose lists of IPs and IP subnets which you might want blocked on your network. The following explains each list available.
- Bad actors - this is a curated, consolidated block list from multiple sources. It includes compromised systems attacking others, abuse-friendly datacenters that do not generally host any legitimate activity, and other IPs and networks actively engaged in spamming, hacking, or other malicious activity.
- Bogons - bogons are networks that should never be seen on the internet. They are either not assigned to an end user or are reserved, non-public IP space.
- FireHOL levels 1-4 - FireHOL is an open source project that maintains block lists of varying levels of risky IPs. Each level includes everything in the levels below it. Level 1 lists addresses with the strongest evidence of serious abuse, with very minimal false positive potential. Level 2 includes level 1 plus IPs and networks with consistently malicious behavior, but not to the severity of level 1. Level 2 still carries a very low risk of false positives, and is the recommended level to choose if enabling FireHOL. Level 3 includes everything from levels 1 and 2, plus hosting providers with high abuse density but not necessarily purely illegitimate networks. Level 4 includes everything in levels 1 through 3, plus entire networks with historical abuse, and addresses with weak or indirect evidence of abuse. Level 4 is prone to false positives. If using FireHOL, you should choose one level only. Choosing multiple levels is duplicative and unnecessary.
- Open Proxies - this is a list of open proxy servers which allow anyone to relay traffic through them. As such, they are magnets for abuse, and there is likely never a legit need to communicate with them.
- Public DoH servers - this is a list of public DNS over HTTPS (DoH) servers. These are not malicious; however, for policy reasons you may want to block access to external DoH servers to require systems to use your authorized DNS servers.
- Tor exit nodes - Tor is a free overlay network which enables anonymous communication over the internet. Exit nodes are where traffic from Tor clients exits the Tor network to access the internet. While there are legit uses of Tor, it’s also a magnet for abuse.
- VoIP fraud - this is a list of IPs known to be participating in various forms of VoIP fraud and abuse.
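One way to estimate false positives before enabling a list or moving to a higher FireHOL level is to replay recent destination IPs against the candidate lists offline. The script below is an added example, not Alta Labs code or part of the product; the list contents, the destinations and the one-entry-per-line list format are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins for three cumulative list levels (documentation
# address ranges, not real list data). Assumed format: one IP or CIDR per
# line, '#' starts a comment.
LEVEL_1 = "# constructed sample\n192.0.2.0/24\n"
LEVEL_2 = LEVEL_1 + "198.51.100.16/28\n"
LEVEL_4 = LEVEL_2 + "203.0.113.0/24  # broad, weak-evidence range\n"

# Constructed destinations, as if exported from recent flow logs.
DESTINATIONS = ["192.0.2.10", "198.51.100.20", "198.51.100.200",
                "203.0.113.77", "not-an-ip"]


def parse_list(text):
    """Return the networks in a block list, skipping comments and blanks."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=False tolerates entries with host bits set
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def would_block(destinations, nets):
    """Return the destinations that fall inside any listed network."""
    hits = []
    for dest in destinations:
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            continue  # malformed log field
        if any(addr in net for net in nets):
            hits.append(dest)
    return hits


def audit(destinations, lists):
    """Map each list name to the destinations it would block."""
    return {name: would_block(destinations, parse_list(text))
            for name, text in lists.items()}


if __name__ == "__main__":
    lists = {"level1": LEVEL_1, "level2": LEVEL_2, "level4": LEVEL_4}
    for name, hits in audit(DESTINATIONS, lists).items():
        print(f"{name}: {len(hits)} destination(s) would be blocked: {hits}")
```

Because each level contains the one below it, the hits for a lower level are always a subset of the hits for a higher one, which is why selecting more than one level adds nothing.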