We have an R3000ir. All in all it's an OK appliance. For features, I'd
say the most feature packed filters out there are this one and St
Bernard's iPrism, and maybe Websense. Among these three, 8e6 has the
lowest ongoing support costs, though it's still not as cheap as products
in the class of Sonicwall. What this product does for us that products in
that class generally do not is it allows us to set different filter
policies by Active Directory group (works with Novell, too, for those of
you that care), as well as by IP subnet. So we can set one policy for
teachers, and another for students, and it will work properly even in
places where either group may be using a computer at different times, like
the library.
Another nice feature is the ability to set up override accounts that will
cause the filters to revert to a different policy. One use of that here
is that we normally block YouTube, because it's a bandwidth hog and kids
use it to view inappropriate videos. But if a teacher wants a kid to see
a particular video, and the kid sees the block message, a teacher can walk
over, hit the more options button, hit override, enter a user name and
password I issue them, and then the kid can see the content. The override
accounts do not disable the filters entirely, they merely cause a
different policy to be applied, so no one, no one, gets to surf for porn,
ever.
They have a couple of other interesting features, like they can turn all
Google searches into safe searches, even if the workstation isn't
configured to do them, for instance, that you don't always see in these
appliances.
There's a decision you have to make when you set the thing up, and have to
make with all content filters, really. Do you want it to pass or block
sites that haven't been rated yet? The few times I've read the unit's
report, about 20% of the pages kids request haven't been categorized yet.
On one hand, that's a lot of sites. On the other hand, if they have 80%
of the web categorized, that's kind of amazing. What the unit does is
save uncategorized links, and sends them to 8e6 every night, where they're
aggregated and worked on the next day in order of most frequently hit, so
if you're trying to hit a site not categorized, and other customers are
too, you have a decent chance of being able to get in within a few days.
The entire database of sites is cached on a hard drive in the unit, it
doesn't have to query the company's servers, like Sonicwall frequently
does, so it does have a performance advantage over Sonicwall.
I can't say that the appliance is 100% successful at keeping kids from
using remote proxies, if they're determined to do it. It does try. Once
when I was in a classroom, I happened to overhear one student say to
another, "I had to go 13 pages deep in google to find a myspace web proxy
that the content filters hadn't blocked!". Well, if a kid is willing to
try 130 proxy servers to find one that works, and the teachers are willing
to give them enough time to do it, chances are they're going to succeed.
I don't see anything in CIPA that requires our content filters to be 100%
successful, thank goodness, we'd have to pull the plug on the internet
altogether. All it does is require us to have a policy in place, and put
in place reasonable technical means to enforce it, and I think we have
this covered.
I have discovered one interesting gotcha with the R3000. There's a new
major release of the firmware coming out in a few days, I hope they
address this. One way you can tell an R3000 who it is that's sitting at
a particular machine at any given time is by mapping a drive to it.
net use \\filter\r3000$, where "filter" is the ip address of the box,
passes my username to the filter. It then queries Active Directory to
find out what groups I'm in, and applies the appropriate policy for that
group. So far, so good. The problem is, if you do net use \\filter\3000$
/user:teacher, where teacher is the user name of a teacher at the school,
a kid can get teacher credentials for surfing even if they don't know the
teacher's password, they only need to know the user name, but that's easy
to guess. That's a major, major bug as far as I'm concerned, which I only
recently discovered. You can disable net use authentication and use one
of several other schemes, but my attitude is, if they advertise a feature,
it ought to work right, and not open major security holes when you do it.
I discovered different, but just as glaring, bugs in Websense security
when I had one of those, so this is by no means a problem unique to 8e6.
I may end up eliminating teacher profiles altogether, and just let the
teachers use the override accounts on their own machines when they want to
see stuff the kids shouldn't, if they don't fix this pronto, though,
which is sad.
I guess the bottom line is: would I buy it again, having used it for a
year? Well, if cost is no object, I might give iPrism a try. If cost is
the only consideration, I'd probably give DansGuardian a try. The R3000
is a reasonable solution that falls in the middle somewhere. I'll be
renewing the support for another year. I will say I have found their tech
support to be quite good, I usually don't wait long to talk to them, and
they know what they're doing.
School Information Technology Discussion <[log in to unmask]> writes:
>Hi list,
>
>Does anyone on the list use an Internet filter appliance made by 8e6
>technologies? A sales guy called a few weeks ago, and for whatever
>reason I decided to go on a web tour instead of blowing him off. What
>I saw was very impressive. We need a better Internet filter than our
>SQUID server. The sales guy said this is the "ONLY" solution out
>there that will keep kids from using remote proxy servers. I'd love
>to hear anything good or bad about this expensive toy.
>
>Bryan
>
>Bryan Thompson
>Technology Coordinator
>Winooski School District
>60 Normand Street
>Winooski, VT 05404
>802-655-2555