hyde1
Member

Content Filtering

I read that we cannot block https with content filtering, but that's useless because any user can visit https://youtube and gain access easily. Someone mentioned blocking it via DNS by adding a static entry. How is this done?

I also tried keyword blocking but that doesn't work either.
Kirby Smith (Derry, NH)
Member

What corporations do is use proxy servers that point attempted connections to banned addresses to a web page with a warning.

Or, in a more SOHO or residential setting, the "at-risk" PCs could be connected to a separate LAN or VLAN. Then, within the firewall settings, block their access to whatever IP block Youtube occupies.

Unsophisticated users can be thwarted by modifying their hosts file so Youtube points to 127.0.0.1, or to a server playing 24/7 the recorded speeches of the Wicked Witch of the West (you can choose which one).

kirby
JPedroT to hyde1
Premium Member
Or if you've got cash to spend:

www.proceranetworks.com/

Anav (Dartmouth, NS)
Premium Member

Try OpenDNS. Unlike JPedro's belief system, diamonds do not fall from the sky. OpenDNS has a paid version which may have more utility if the free version does not do what is required.

Brano to hyde1
MVM

said by hyde1:

I read that we cannot block https with content filtering, but that's useless because any user can visit https://youtube and gain access easily.

That's exactly my point: content filtering on unencrypted traffic only is pretty useless. The most commonly used workaround is DNS blocking.

HTTPS is nowadays typically 'inspected' by using the 'man in the middle' approach, where you insert a corporate SSL proxy on the edge of your network and terminate all SSL connection requests on that proxy, issuing back a fake certificate (for which you install a trusted corporate CA into users' browsers), and then the SSL proxy does the SSL connection to the end server. The pipe is broken in the middle, however, for inspection.

There are very expensive enterprise solutions that provide appliances and/or SW for this.

An alternative, not widely used approach is real-time decryption, but that really works for weak ciphers and rich clients.

Your best bet is OpenDNS, as already stated, and common education of your users or setting corporate policies (i.e. these sites are banned and if we catch you going there we'll slap your hands kind of a deal).

Back to my earlier sentiments: CF/AS is useless, and IDP/AV/AppPatrol is seriously under-powered on the USG series.

imanon to hyde1
Anon
You can filter both https and http sites via DNS, as others have suggested. Note that this also works for other things that may not be using typical http requests at all, for example IM clients, remote desktop, 'free' proxy servers, VPNs, etc.

Another alternative to OpenDNS is DNS Redirector, which you install on your own server behind the firewall. They have some documentation specific to the USG series as well: dnsredirector.com/sample/Zyxel/

Anav (Dartmouth, NS)
Premium Member

Very nice for a one-time low cost and a server. Any downsides?

Brano
MVM

said by Anav:

Any downsides?

Yes, you have to install it on every single Windows machine, and it works with Windows only (no OS X, Linux, Android, iPhone, etc.).

imanon
Anon

@Brano, you must not have read their site. It's a Windows service that installs on 1 Windows server in your environment; then any client (regardless of OS) can benefit from the filtering. You simply hand out that server's IP as the default DNS server.

@Anav, I've been using it for a few years; it does what I want and doesn't cost a lot. Took me a while to get the hang of whitelisting a site. For example, you want to allow youtube.com but you also need to whitelist ytimg.com and youtube-nocookie.com. Some sites are like that, where they need more than 1 domain to work, often a CDN/partner.
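As an added example, not from any poster nor from OpenDNS or DNS Redirector, here is the policy core of the DNS-based filtering discussed above: blocked names get a sinkhole answer (the resolver-wide version of the hosts-file trick), an allow list overrides the block list, and a site can be allowed together with the companion domains it depends on (the ytimg.com / youtube-nocookie.com point). The companion map and the blocked list are constructed sample data.

```python
# Added example (not from any poster, OpenDNS or DNS Redirector): the policy
# core of a DNS-based filter. Blocked names are answered with a sinkhole
# address; an allow list wins over the block list; allowing a "site" also
# allows the companion domains it needs. All domain data is constructed.

SINKHOLE = "127.0.0.1"

# Constructed companion map: allowing the key is only useful if the
# listed domains (CDN / partner) resolve too.
COMPANIONS = {
    "youtube.com": ["ytimg.com", "youtube-nocookie.com"],
}


def labels(name):
    """Normalise a query name: lower-case, drop the trailing dot, split labels."""
    return name.lower().rstrip(".").split(".")


def matches(name, domain):
    """True when name equals domain or is a subdomain of it. Label-wise, so
    'notyoutube.com' does not match 'youtube.com' as a substring test would."""
    n, d = labels(name), labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d


class DnsPolicy:
    def __init__(self, blocked, allowed=()):
        self.blocked = set(blocked)
        self.allowed = set(allowed)  # allow entries win over block entries

    def allow_site(self, site):
        """Allow a site plus every companion domain it is known to depend on."""
        self.allowed.add(site)
        self.allowed.update(COMPANIONS.get(site, []))

    def decide(self, qname):
        """Return ('resolve', None) or ('sinkhole', SINKHOLE) for one query name."""
        if any(matches(qname, d) for d in self.allowed):
            return ("resolve", None)
        if any(matches(qname, d) for d in self.blocked):
            return ("sinkhole", SINKHOLE)
        return ("resolve", None)


if __name__ == "__main__":
    # Constructed "video" block: the site and its companions are all blocked.
    policy = DnsPolicy(blocked=["youtube.com", "ytimg.com", "youtube-nocookie.com"])
    for q in ["www.youtube.com.", "i.ytimg.com", "notyoutube.com"]:
        print(q, policy.decide(q))
    policy.allow_site("youtube.com")  # unblocks the site and its companions
    print("i.ytimg.com after allow_site:", policy.decide("i.ytimg.com"))
```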