Content Filtering - Using DNS or more?

The conversation came up about content or web filtering recently in our offices. We have had numerous reports of pornographic pictures being printed, MySpace and Facebook surfers and many more instances of adware, spyware, virii, etc.

I don't control the purse strings, our company controller does that. Before I came on the company had a long standing relationship with an external company to do all the server and network setup. This relationship has lessened in the past few years but he still helps out and gets some things done that we otherwise wouldn't have time for. Back to the point....

I said that Barracuda or Marshall/8e6 would be the best choices for doing such filtering. Both have very high reviews in ease of use, technology and methods used, high volume capacity and strong controls for blocking or tracking.

Our external partner suggested using DNS alone. The company controller (the financial guy) decided this was the best option.

DNS is always a part of any content filtering solution, when a small number of sites are needed to be blocked. This is no doubt they way to go in terms of price, but what about all of the other issues that could be avoided with other means?

DNS is not going to block malicious software. The cost of the equipment in a corporate environment can easily be mitigated by the fact that tech will be spending up to 40% less of their time cleaning up after the latest weatherbug download.

In the case of PCI compliance and hard security issues allowing the possibility of the proliferation of spyware etc would blow any compliant status you might have attained with just one infection. Anti-virus software is supposed to catch these things but how many times has any tech had to clean up where the Anti-virus didn't?

Work productivity is another selling point for me. Not something a tech would concern himself with, but I am looking for selling points. If a staff member is spending just 10% of their time on the internet surfing in general lets take a look at the hard numbers:

$12 an hour - 40 hour week. That would be 4 hours on the internet for non work related purposes. adding up to $48 a week in stolen productivity. Multiply that out over just one year it adds up to $2400. Take that a step further and apply it to an office staff of 50 and you get $120,000 in stolen productivity.

No solution is going to stop all web surfing and some may be legitimate. Let say that half of the time spent surfing can be blocked, that would be $60,000 from a $6000 investment.

DNS filtering, I do not think, will give anywhere near that kind of return by just filtering and redirecting domains and the small number of domains that you can effectively manage when compared to the cost and time saving benefits of a more robust solution.