dslreports logo
site
spacer

spacer
 
    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»
spc

spacer




how-to block ads



This FAQ was inspired by the following post:
How to Configure Internet Access restrictions?

In some organizations or companies, there might be policy to restrict Internet access. The idea behind this is that to either block or restrict access to Internet site or to unknown/unapproved Internet application unrelated to business requirement or even disruptive to business objectives.

Typical approach of controlling and restricting such access is to deploy proxy server between internal network and the Internet gateway. This proxy server could be some Windows or Unix server, or vendor-specific proxy appliance such as BlueCoat ProxySG.

In smaller networks, organizations, or companies; the proxy appliance deployment could be either financial or technical burden. In this case, this kind of network management might consider other alternatives such as using either router or firewall to do the restriction. Following is the discussion.

Router Approach

A solution which uses the router to filter Internet access (web traffic), allowing what is defined to go through and deny all others.

Option 1: Using CBAC feature

This "work around" is the use of Cisco's Web Filtering functionality which goes hand in hand with the Websense products. This FAQ will utilise the current functionality of the Websense solution without a server by deviating from the original design of this suite of technologies by Cisco.

Note that this is only supported in IOS that have the CBAC functionality.

First off, create an ACL which will be used in the Java filter statement that allows everything through to avoid triggering the Java applet scanner which can be CPU intensive and degrading router performance.

access-list 10 permit any
 

Define the IP INSPECT statements as below and then add what URLs are allowed to be accessed such as www.google.com and www.froogle.com in the example below:

ip inspect name inspect-out http urlfilter audit-trail off
ip inspect name inspect-out http java-list 10
ip urlfilter exclusive-domain permit www.google.com
ip urlfilter exclusive-domain permit www.froogle.com
 

The statement "ip urlfilter exclusive-domain www.xxxx.com" adds a domain name to or from the exclusive domain list so that the firewall does not have to send look-up requests to the Websense server. So, regardless of the Websense server being available or not, which in this case does not exist, the router will allow all HTTP requests to the above domains through.

There is a setting which is defined by the statement "ip urlfilter allow-mode on/off" where if the router can't talk to the Websense server, it will allow web traffic through or deny it depending on this setting. There is no Websense server defined at all but what we will do is turn off the allow-mode so all traffic will be denied bar the ones defined in the exclusive-domain statement.

ip urlfilter allow-mode off
 

Now the configuration has been setup, it then has to be applied to the interface like a normal ip inspect statement, for example:

interface Dialer1
 description PPPoX dialer to ISP
 ip inspect inspect-out out
 

or

interface FastEthernet4
 description Interface to Cable modem
 ip inspect inspect-out out
 

Option 2: Using QoS CBWFQ feature

Using the same previous situation, the permitted web sites are only www.google.com and www.froogle.com; while traffic to other sites are blocked. This time the filtering technique is utilising CBWFQ which is also applied to the WAN interface.

access-list 100 remark DNS traffic
access-list 100 permit tcp any any eq 53
access-list 100 permit udp any any eq 53
!
class-map match-any Internet_Sites
 match protocol http host "*www.google.com*"
 match protocol http host "*www.froogle.com*"
 match access-group 100
!
policy-map Restricted_Internet_Access
 class Internet_Sites
   bandwidth percent 20
 class class-default
   police cir 8000
     conform-action drop
     exceed-action drop
!
interface Ethernet0
 description Facing LAN
 service-policy input Restricted_Internet_Access
 

CBWFQ (Class Based Weighted Fair Queue) is Cisco QoS (Quality of Service) feature that can be used to shape or to drop certain traffic. In this sample configuration, outbound traffic to www.google.com, to www.froogle.com, and to ISP DNS servers are set to guarantee 20% bandwidth during congestion. Other traffic will be dropped even when there is no congestion.

Let's review another illustration. Some organizations prevent their employee to access public social sites such as www.myspace.com and adult (porn) sites such as www.playboy.com; while still permit access to other Internet sites. Using the CBWFQ, following is blocked-access sample configuration.

class-map match-any Internet_Sites
 match protocol http host "*.myspace.com*"
 match protocol http host "*.playboy.com*"
!
policy-map Restricted_Internet_Access
 class Internet_Sites
   drop
!
interface Ethernet0
 description Facing LAN
 service-policy input Restricted_Internet_Access
 

More illustration on CBWFQ technique to restrict/maintain website access

QoS with CBWFQ to prioritize a website
Throttling web traffic

Notes:

* Using similar approach, you can also implement NBAR (Network Based Application Recognition) to restrict or even to drop/block Internet access, especially P2P (Peer-to-Peer) traffic. Check out the following FAQ for more info.

Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview

* The router may need to run IOS image of either IP Services, Advanced IP Services, Enterprise, or Advanced Enterprise to support QoS. If the router does not run such IOS image, check out the next option as alternative.

Option 3: Using ACL IP Address-Based

The downside of the two previous sample configurations is that your router may not support such feature. A good side is that most routers support access block by IP addresses or subnets. Following is illustration on how to block access by the site's IP addresses, which the filter is applied to the LAN interface.

Let's revisit the www.myspace.com access block. Using DNS A record and WHOIS checks, it is revealed that currently myspace.com subnet is 216.178.32.0/20 (from 216.178.32.0 to 216.178.47.255). Following is the sample configuration of block access to myspace.com based on its IP addresses.

access-list 100 remark Restricted Internet Access
access-list 100 deny ip any 216.178.32.0 0.0.15.255
access-list 100 permit ip any any
!
interface FastEthernet1
 description Interface to LAN
 ip access-group 100 in
 

Side Note:
You can use one of following sites for public DNS A record and WHOIS checking

http://www.whatismyip.com/ip-tools/
http://www.dnsstuff.com/tools#
http://network-tools.com/

Keep in mind that this block access method only works when myspace.com still occupies the 216.178.32.0/20 subnet. It was known that originally myspace.com did not occupy this subnet. When the blocked site IP addresses are moved to different subnet, then there will be a need to adjust the blocked IP subnet to the new one. This adjustment is not needed when one of the two previous options is deployed.

ASA/PIX Firewall Approach

Cisco documentations on sample configurations

PIX/ASA URL Filtering Configuration Example
Cut-through Proxy for Network Access using TACACS+ and RADIUS Server
Allow/Block FTP Sites Using Regular Expressions with MPF
Block Certain Websites (URLs) Using Regular Expressions with MPF
Block the Peer-to-Peer (P2P) and Instant Messaging (IM) Traffic Using MPF

Non-Cisco approach

As mentioned at the first paragraph, in typical network setup there are either Unix-based or Windows-based proxy server, or vendor-specific appliance such as Bluecoat ProxySG appliance to do the Internet access restriction. The advantage of using vendor-specific appliance such as Bluecoat ProxySG appliance is that you don't have to manually update website link database in order to keep up with changes in the website links or with new websites, not to mention free hardware replacement possibility. In addition the Internet access restriction can be based by the internal user Windows or RADIUS credential so that you can pick and choose which users will and will not be affected. The disadvantage is that this vendor-specific appliance requires certain costs that may be financial prohibitive to certain organizations, small businesses, or home users.

For those who are savvy enough in networking world or would like to experiment, there are alternative (free) solutions from OpenDNS and Untangle. While OpenDNS uses DNS IP address assignment as part of its solution, Untangle uses any generic PC to be a dedicated server running (free) Untangle software on either routing or transparent (bridging) mode. The solution from OpenDNS and Untangle could be free or low cost depending on your network environment or need. The advantage to use either one of these solution is that there is free or low cost solution with similar offering that vendor-specific appliances use. Check out the following links for more info.

OpenDNS
Overview
OpenDNS - A Technical Overview

Untangle
Overview
Why Untangle?

DNS Approach

With DNS approach where you manage the name resolution, options are following.

Option 1

You could create domain records for the sites you want to block (no hosts records are needed... or you could point the domain to 127.0.0.1). Then, on the router, filter DNS requests from all computers except for the DNS server.

Option 2

Assume you have Windows 2003 as DNS server, you could try the following steps which might work or it might not, depending on how the network is configured to append the primary DNS suffix when doing name lookups. Regardless it is not an ideal solution.

1. Open the DNS admin console
2. Navigate to your forwarding zone
3. Right-click and choose 'New Alias (CNAME)'
4. Fill in the Alias Name field as 'www.facebook.com' , 'facebook.com' or whatever
5. Fill in the FQDN field as your internal web server that hosts the busted.html page.
6. Click OK
7. do an "ipconfig /flushdns" on your client and then ping facebook.com - you should see it reply from your internal server's ip. If it doesn't then check your client's dns configuration.

Another cheap way round it would be to edit the

\windows\system32\drivers\etc\hosts

file on each client machine and add a line as follows:

aaa.bbb.ccc.ddd www.facebook.com

Where aaa.bbb.ccc.ddd is your internal web server. This method would work but isn't very practicle when you've got a lot of machines to administer.


Expand got feedback?

by Covenant See Profile edited by aryoba See Profile
last modified: 2014-09-23 09:57:37