Website filtering/Firewall Feature request

I’d like to request a feature where Groups can have whitelist/blacklist (default allow/default deny) website lists that would be pushed to endpoint firewalls to allow ITSM to block access to things like Social Media sites or whatever category possible, and Comodo would create/update category lists. Doesn’t have to be perfect, but just as a way for employers to get the message across that time wasting sites are blocked on work computers.

Hello @indieserve ,

CCS already has a website filtering section where you can define allowed/blocked websites, but unfortunately it doesn’t have a corresponding section in profiles (we are working on this feature though). There is a workaround for this inconvenience:

  1. Edit the Website filtering section on an endpoint and define the allowed/blocked websites.
  2. Import the profile from that computer in ITSM and download it on your computer.
  3. From Profiles, import the XML file as a new profile and apply it on the target machines.

However, currently we do not provide this type of categories (e.g. Social media, Adult, etc.), we only have signatures for malicious websites. We will escalate your request and we will keep you updated on the progress.

https://cdome.comodo.com/
Comodo Dome Shield is a DNS-based filtering system that would block access. I believe it’s available (subscription-based, as it has a cost to us) under your Comodo ONE platform.

I’ll look into it. I do like endpoint based filtering because if it’s a laptop user and they aren’t “at work” the laptop is still filtered and is then protected from threats as well as non-work-based use.

By simply changing the DNS settings, you can start protecting.

Thanks Melih (pardon my ignorance, but are you the founder Melih? You had a great sales team at BlackHat on the show floor, btw!)

Question though: if I set up cDome Shield for a customer, how can I enforce that on endpoints (i.e. laptops) when they are not on site? (I know how I can enforce DNS-based filtering while they are on-site though.)

Hello @indieserve

To answer your Dome question, you would have options in this regard. For example, if the laptop is a company one and managed by Active Directory, you can restrict access from those configuration features on the machine. Basically not allowing the user to change network configurations. This would be used for the Dome Shield.

For Comodo Dome Standard, the Agent intended for roaming devices is password protected, as described here: https://help.comodo.com/topic-436-1-842-10959-Connecting-your-Roaming-Devices-to-Dome-Standard.html

So primary DNS would be the company’s internal DNS/domain controller server (which would forward to Comodo for non-internal queries) at work and the secondary DNS would be Comodo when they are at home or somewhere else and can’t reach the internal corporate DNS server?

I expect this would likely break some captive portals (hotel/airport wifi) that would try to assign DNS servers by DHCP would it not?

Does cDome Shield have a way to authenticate the user so different AD security groups can be granted different levels of content or is it all-or-nothing?

Hello @indieserve

Yes, there is an option for User specific rules or groups specific rules, as described here: https://help.comodo.com/topic-436-1-842-10792-Configuring-User-Authentication-Settings.html

The main DNS will be the Comodo One, the only difference being the Location, which can be used when creating rules. The office will have one location, and when roaming, you can set it to “Any”.

In regards to the portals that you mentioned, I would assume that is the case. In airports specifically, the traffic nowadays seems to be filtered by them and I cannot say for sure if Internet access would still be allowed since the DNS would be different. I will escalate your question and we will return with an answer as soon as we can.
Thank you.

I may do a trial and see how it goes. The pricing in the shopping cart in C1 seems a little vague - is that amount listed per “client company” (eg site) or is it per end user (that would seem expensive) and is it monthly, yearly, etc. Perhaps my questions are answered somewhere I wasn’t looking.

Hello @indieserve

In regards to pricing details, I would advise you to consult our Sales Team at domesales@comodo.com which will be able to best answer your questions.
Also, if you have any technical issues you can contact Support here domesupport@comodo.com

Thank you.

Yes, I am the founder of Comodo :) Thank you, they are a fun bunch to hang out with!

With the latest release, cDome Shield also has a client option that can be used for in/out of the office DNS-based security enforcement. Besides, we have added a DNSCrypt implementation (https://dnscrypt.org/) so that it is more secure and authentication is possible via key distribution.

Cool, I’ll check it out soon. I signed up for cDome Shield while ITSM was in maintenance yesterday morning and I think it has broken my access to that module through the C1 interface; support is working on it. I’ve looked into similar solutions like the open-source NxFilter, so I’m pretty keen to see this in action.

For information, having tested the DOME solution:

  1. First, it imposes a virtual server to be bought at Amazon. Surprised, after having done all the steps to have the server, I received an invoice from Amazon, even if I was in the “free 1 year” period, so after some exchange with the Amazon support, they refunded. Attention: only tested 1 user, on 3 days, it was more than 35€ from Amazon to be paid.
  2. It was not working efficiently every time; the “proxy” inserted delay in all user internet surf attempts.
  3. Impossible to set up on iPhones.
  4. Using a smartphone data connection was not compatible with usage of the Dome DNS proxy, so impossible to use it as I have nomad users.

So up to now I stopped Dome Trial.

Hi rbo, sounds like you tried cDome not cDome Shield. I’m only looking at Shield which does the DNS filtering and nothing more.

I just tried to enable what I saw, and now if I try to enable the “shield” it says that product is already installed, but, yes, you are right, it looks like I described the experience of a full proxy and not only a DNS filter… I will contact the support.

Hello @rbo ,

Indeed, cDome standard is a web traffic solution and cDome Shield is a web filtering solution and for using cDome Standard you need to have an AWS (Amazon Web Services) account. We will contact you by email to troubleshoot the issue reported.

CDome and CDome Shield are 2 different products.

Having a cloud based security delivery model is what CDome does. Everything from Containment to URL filtering to Spam filtering from the cloud…
CDome Shield is the DNS-based version of it.

Hello @indieserve ,

Your previous request, “Website categories in Website Filtering”, is planned to be implemented in Q1 of 2017!