
This FAQ was inspired by the following post:
How to Configure Internet Access restrictions?

In some organizations or companies there may be a policy restricting Internet access. The idea is to block or restrict access to Internet sites, or to unknown or unapproved Internet applications, that are unrelated to business requirements or even disruptive to business objectives.

The typical approach to controlling and restricting such access is to deploy a proxy server between the internal network and the Internet gateway. This proxy server could be a Windows or Unix server, or a vendor-specific proxy appliance such as the BlueCoat ProxySG.

In smaller networks, organizations, or companies, deploying a proxy appliance can be a financial or technical burden. In that case, network management might consider alternatives such as using a router or a firewall to do the restriction. The following is a discussion of those alternatives.

Router Approach

This approach uses the router to filter Internet access (web traffic), allowing what is explicitly defined to go through and denying everything else.

Option 1: Using CBAC feature

This "work around" uses Cisco's web filtering functionality, which is designed to work hand in hand with Websense products. This FAQ uses the current Websense-integration functionality without a Websense server, deviating from Cisco's original design for this suite of technologies.

Note that this is only supported on IOS images that have the CBAC functionality.

First, create an ACL to be used in the Java filter statement. It permits everything, so the Java applet scanner is never triggered; that scanner can be CPU-intensive and degrade router performance.


access-list 10 permit any


Define the ip inspect statements as below, then add the URLs that are allowed to be accessed, such as www.google.com and www.froogle.com in the example below:


ip inspect name inspect-out http urlfilter audit-trail off
ip inspect name inspect-out http java-list 10
ip urlfilter exclusive-domain permit www.google.com
ip urlfilter exclusive-domain permit www.froogle.com


The statement "ip urlfilter exclusive-domain permit www.xxxx.com" adds a domain name to the exclusive domain list so that the firewall does not have to send look-up requests to the Websense server. So, regardless of whether the Websense server is available (in this case it does not exist at all), the router will allow all HTTP requests to the above domains through.

There is a setting, "ip urlfilter allow-mode on/off", which determines whether the router allows or denies web traffic when it cannot talk to the Websense server. No Websense server is defined at all, so we turn allow-mode off; all traffic is then denied except for the domains defined in the exclusive-domain statements.


ip urlfilter allow-mode off


Now that the configuration is set up, it has to be applied to the interface like a normal ip inspect statement, for example:


interface Dialer1
 description PPPoX dialer to ISP
 ip inspect inspect-out out


or


interface FastEthernet4
 description Interface to Cable modem
 ip inspect inspect-out out


Option 2: Using QoS CBWFQ feature

Using the same scenario as before, the only permitted web sites are www.google.com and www.froogle.com, while traffic to other sites is blocked. This time the filtering technique is CBWFQ, which is also applied to the WAN interface.


access-list 100 remark DNS traffic
access-list 100 permit tcp any any eq 53
access-list 100 permit udp any any eq 53
!
class-map match-any Internet_Sites
 match protocol http host "*www.google.com*"
 match protocol http host "*www.froogle.com*"
 match access-group 100
!
policy-map Restricted_Internet_Access
 class Internet_Sites
  bandwidth percent 20
 class class-default
  police cir 8000
   conform-action drop
   exceed-action drop
!
interface Ethernet0
 description Facing LAN
 service-policy input Restricted_Internet_Access


CBWFQ (Class Based Weighted Fair Queueing) is a Cisco QoS (Quality of Service) feature that can be used to shape or to drop certain traffic. In this sample configuration, outbound traffic to www.google.com, to www.froogle.com, and to the ISP DNS servers is guaranteed 20% of the bandwidth during congestion. All other traffic is dropped, even when there is no congestion.

Let's review another illustration. Some organizations prevent their employees from accessing public social sites such as www.myspace.com and adult (porn) sites such as www.playboy.com, while still permitting access to other Internet sites. Using CBWFQ, the following is a sample blocked-access configuration.


class-map match-any Internet_Sites
 match protocol http host "*.myspace.com*"
 match protocol http host "*.playboy.com*"
!
policy-map Restricted_Internet_Access
 class Internet_Sites
  drop
!
interface Ethernet0
 description Facing LAN
 service-policy input Restricted_Internet_Access


More illustrations of the CBWFQ technique to restrict or maintain website access:

QoS with CBWFQ to prioritize a website
Throttling web traffic

Notes:

* Using a similar approach, you can also implement NBAR (Network Based Application Recognition) to restrict or even drop/block Internet access, especially P2P (Peer-to-Peer) traffic. Check out the following FAQ for more info.

Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview

* The router may need to run an IOS image of the IP Services, Advanced IP Services, Enterprise, or Advanced Enterprise feature set to support QoS. If the router does not run such an image, check out the next option as an alternative.

Option 3: Using ACL IP Address-Based

The downside of the two previous sample configurations is that your router may not support those features. The good side is that most routers support blocking access by IP address or subnet. The following illustrates how to block access by the site's IP addresses, with the filter applied to the LAN interface.

Let's revisit the www.myspace.com access block. Using DNS A record and WHOIS checks, it is revealed that the myspace.com subnet is currently 216.178.32.0/20 (216.178.32.0 to 216.178.47.255). The following is a sample configuration blocking access to myspace.com based on its IP addresses.


access-list 100 remark Restricted Internet Access
access-list 100 deny ip any 216.178.32.0 0.0.15.255
access-list 100 permit ip any any
!
interface FastEthernet1
 description Interface to LAN
 ip access-group 100 in


Side Note:
You can use one of the following sites for public DNS A record and WHOIS checking:

http://www.whatismyip.com/ip-tools/
http://www.dnsstuff.com/tools#
http://network-tools.com/

Keep in mind that this blocking method only works while myspace.com still occupies the 216.178.32.0/20 subnet. It is known that myspace.com did not originally occupy this subnet. When the blocked site's IP addresses move to a different subnet, the blocked IP subnet will need to be adjusted to the new one. This adjustment is not needed with either of the two previous options.
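The IP-based block above depends on two things the administrator has to get right: the wildcard mask derived from the prefix, and the prefix still covering the site's current addresses. The following Python helper is an added example (not part of the original FAQ) that derives the ACL line from a CIDR prefix and re-checks a set of freshly resolved addresses against it; the resolved addresses are constructed sample values, not real lookups.

```python
import ipaddress

# The prefix the FAQ cites for myspace.com at the time of writing.
BLOCKED_PREFIX = "216.178.32.0/20"

# Constructed sample: pretend these came back from a fresh DNS A-record lookup.
# Two fall inside the blocked prefix, one (a made-up address) does not.
RESOLVED_NOW = ["216.178.38.116", "216.178.44.9", "63.135.90.70"]


def wildcard_mask(prefix: str) -> str:
    """IOS wildcard (inverse) mask for a CIDR prefix, e.g. /20 -> 0.0.15.255."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.hostmask)


def address_range(prefix: str) -> tuple:
    """First and last address covered by the prefix, as the FAQ spells them out."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net[0]), str(net[-1])


def acl_deny_line(acl_number: int, prefix: str) -> str:
    """Build the 'deny ip any <network> <wildcard>' line of an extended numbered ACL."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"access-list {acl_number} deny ip any {net.network_address} {net.hostmask}"


def addresses_outside(prefix: str, addrs) -> list:
    """Return resolved addresses the ACL would NOT match, i.e. evidence the site moved."""
    net = ipaddress.ip_network(prefix, strict=True)
    return [a for a in addrs if ipaddress.ip_address(a) not in net]


def audit(prefix: str, addrs) -> dict:
    """Summarise whether the configured block still covers what the name resolves to."""
    missed = addresses_outside(prefix, addrs)
    return {
        "acl": acl_deny_line(100, prefix),
        "range": address_range(prefix),
        "missed": missed,
        "needs_update": bool(missed),
    }


if __name__ == "__main__":
    result = audit(BLOCKED_PREFIX, RESOLVED_NOW)
    print(result["acl"])
    print("covers %s - %s" % result["range"])
    print("addresses not covered:", result["missed"])
```

Feeding the helper the output of a scheduled DNS lookup gives an early warning that the ACL has drifted, which is exactly the maintenance burden the CBAC and CBWFQ options avoid.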

ASA/PIX Firewall Approach

Cisco documentation on sample configurations:

Using hostnames (DNS) in access-lists - configuration steps, caveats and troubleshooting
PIX/ASA URL Filtering Configuration Example
Cut-through Proxy for Network Access using TACACS+ and RADIUS Server
Allow/Block FTP Sites Using Regular Expressions with MPF
Block Certain Websites (URLs) Using Regular Expressions with MPF
Block the Peer-to-Peer (P2P) and Instant Messaging (IM) Traffic Using MPF

Non-Cisco approach

As mentioned in the first paragraph, a typical network setup uses either a Unix-based or Windows-based proxy server, or a vendor-specific appliance such as the Bluecoat ProxySG, to do the Internet access restriction. The advantage of a vendor-specific appliance such as the Bluecoat ProxySG is that you don't have to manually update the website database to keep up with changes to existing websites or with new websites, not to mention the possibility of free hardware replacement. In addition, the Internet access restriction can be based on the internal user's Windows or RADIUS credentials, so that you can pick and choose which users will and will not be affected. The disadvantage is that such a vendor-specific appliance carries costs that may be financially prohibitive for certain organizations, small businesses, or home users.

For those who are savvy enough in the networking world or would like to experiment, there are alternative (free) solutions from OpenDNS and Untangle. OpenDNS uses DNS server IP address assignment as part of its solution, while Untangle runs its (free) software on any generic PC as a dedicated server in either routing or transparent (bridging) mode. The OpenDNS and Untangle solutions can be free or low cost depending on your network environment or needs, and they offer features similar to those of the vendor-specific appliances. Check out the following links for more info.

OpenDNS
Overview
OpenDNS - A Technical Overview
Home Internet Security

Untangle
Overview
Why Untangle?

DNS Approach

With the DNS approach, where you manage the name resolution, the options are as follows.

Option 1

You could create domain records for the sites you want to block (no host records are needed, or you could point the domain to 127.0.0.1). Then, on the router, filter DNS requests from all computers except the DNS server.

Option 2

Assuming you have Windows 2003 as the DNS server, you could try the following steps. They might or might not work, depending on how the network is configured to append the primary DNS suffix when doing name lookups. Regardless, it is not an ideal solution.

1. Open the DNS admin console
2. Navigate to your forwarding zone
3. Right-click and choose 'New Alias (CNAME)'
4. Fill in the Alias Name field as 'www.facebook.com', 'facebook.com' or whatever
5. Fill in the FQDN field as your internal web server that hosts the busted.html page.
6. Click OK
7. Do an "ipconfig /flushdns" on your client and then ping facebook.com; you should see it reply from your internal server's IP. If it doesn't, check your client's DNS configuration.

Another cheap way around it would be to edit the

\windows\system32\drivers\etc\hosts

file on each client machine and add a line as follows:

aaa.bbb.ccc.ddd www.facebook.com

where aaa.bbb.ccc.ddd is your internal web server. This method would work but isn't very practical when you have a lot of machines to administer.

Discussion

URL filtering using ZBFW


by Covenant, edited by aryoba
last modified: 2016-12-09 12:12:22