hyde1

join:2012-11-16

Content Filtering

I read that we cannot block https with content filtering, but that's useless because any user can visit https://youtube and gain access easily. Someone mentioned blocking it via DNS by adding a static entry. How is this done?

I also tried keyword blocking but that doesn't work either.


Kirby Smith

join:2001-01-26
Derry, NH

What corporations do is use proxy servers that point attempted connections to banned addresses to a web page with a warning.

Or, in a more SOHO or residential setting, the "at-risk" PCs could be connected to a separate LAN or VLAN. Then, within the firewall settings, block their access to whatever IP block Youtube occupies.

Unsophisticated users can be thwarted by modifying their hosts file so Youtube points to 127.0.0.1, or to a server playing 24/7 the recorded speeches of the Wicked Witch of the West (you can choose which one).

kirby


JPedroT

join:2005-02-18
reply to hyde1

Or if you got cash to spend

www.proceranetworks.com/



Anav
join:2001-07-16
Dartmouth, NS

Try OpenDNS. Unlike JPedro's belief system, diamonds do not fall from the sky. OpenDNS has a paid version which may have more utility if the free version does not do what is required.



Brano
join:2002-06-25
Burlington, ON

reply to hyde1

said by hyde1:

I read that we cannot block https with content filtering, but that's useless because any user can visit https://youtube and gain access easily.

That's exactly my point: content filtering on unencrypted traffic only is pretty useless. The typical, most commonly used workaround is DNS blocking.
HTTPS is nowadays typically 'inspected' using the 'man in the middle' approach, where you insert a corporate SSL proxy on the edge of your network and terminate all SSL connection requests on that proxy, issuing back a fake certificate (for which you install a trusted corporate CA into users' browsers); the SSL proxy then does the SSL connection to the end server. The pipe is broken in the middle, however, for inspection.
There are very expensive enterprise solutions that provide appliances and/or software for this.
An alternative, not widely used, approach is real-time decryption, but that really works for weak ciphers and rich clients.

Your best bet is OpenDNS as already stated and common education of your users or setting corporate policies (i.e. these sites are banned and if we catch you going there we'll slap your hands kind of a deal).

Back to my earlier sentiments, CF/AS is useless, IDP/AV/AppPatrol is seriously under-powered on USG series.


imanon

@comcast.net
reply to hyde1

You can filter both https and http sites via DNS, as others have suggested; note that this also works for other things that may not be using typical HTTP requests at all, for example IM clients, remote desktop, 'free' proxy servers, VPNs, etc.

Another alternative to OpenDNS is DNS Redirector, which you install on your own server behind the firewall. They have some documentation specific to the USG series as well: dnsredirector.com/sample/Zyxel/



Anav
join:2001-07-16
Dartmouth, NS

Very nice for a one-time low cost and a server. Any downsides?



Brano
join:2002-06-25
Burlington, ON

said by Anav:

Any downsides??

Yes, you have to install it on every single Windows machine; it works with Windows only (no OS X, Linux, Android, iPhone, etc.).


imanon

@comcast.net

@Brano, you must not have read their site - it's a Windows service that installs on 1 Windows server in your environment - then any client (regardless of OS) can benefit from the filtering. You simply hand out that server's IP as the default DNS server.

@Anav, I've been using it for a few years; it does what I want and doesn't cost a lot. It took me a while to get the hang of whitelisting a site. For example, if you want to allow youtube.com you also need to whitelist ytimg.com and youtube-nocookie.com; some sites are like that, where they need more than one domain to work, often a CDN/partner.
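The DNS-blocking approach the thread converges on (Brano's and imanon's "filter by DNS", and the same effect as Kirby's hosts-file trick) can be seen end to end in a small resolver policy. The block below is an added example written for this page; it is not code from the thread, from OpenDNS or from DNS Redirector. It parses a raw DNS query, decides whether the name falls in a blocked zone (matching on label boundaries, so "notyoutube.com" is not caught by a "youtube.com" rule), lets an allowlist override the block the way imanon's whitelisting does, and builds the wire-format answer pointing at an unroutable sinkhole address. The zone names, the sinkhole address and the sample queries are constructed for the example, not taken from any real deployment.

```python
"""DNS sinkhole policy and wire-format responder (Python stdlib only).

Constructed example: answer queries for blocked zones with a sinkhole
address, forward everything else. Zone names and addresses are assumptions.
"""
import struct

# Blocked zones: the zone itself and every subdomain are sinkholed.
BLOCKED_ZONES = {"youtube.com", "googlevideo.com"}
# Allowed zones win over blocked ones, so a specific exception can be carved out
# of a broader block. Sites often need several domains (CDN/partner) to work.
ALLOWED_ZONES = {"youtube-nocookie.com"}
SINKHOLE_IPV4 = "0.0.0.0"   # unroutable; an internal "blocked" page also works
SINKHOLE_TTL = 60

QTYPE_A = 1
QCLASS_IN = 1


def _normalize(name):
    return name.rstrip(".").lower()


def _in_zones(name, zones):
    # Exact match, or suffix match at a label boundary only.
    return any(name == z or name.endswith("." + z) for z in zones)


def decide(name):
    """Return "sinkhole" or "forward" for a queried name."""
    name = _normalize(name)
    if _in_zones(name, ALLOWED_ZONES):
        return "forward"
    if _in_zones(name, BLOCKED_ZONES):
        return "sinkhole"
    return "forward"


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Build a standard recursive DNS query packet (what a client sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in _normalize(name).split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt):
    """Parse header and first question; returns (txid, name, qtype, question_bytes)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, ".".join(labels), qtype, pkt[12:off + 4]


def handle(pkt):
    """Apply policy to one query packet. Returns (verdict, response_bytes_or_None)."""
    txid, name, qtype, question = parse_query(pkt)
    verdict = decide(name)
    if verdict == "forward":
        return verdict, None          # caller relays the packet to the upstream resolver
    flags = 0x8180                    # QR=1, RD=1, RA=1, RCODE=0 (NOERROR)
    if qtype == QTYPE_A:
        rdata = bytes(int(octet) for octet in SINKHOLE_IPV4.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN,
                             SINKHOLE_TTL, len(rdata)) + rdata
        return verdict, struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer
    # Other types (e.g. AAAA) get NOERROR with an empty answer section.
    return verdict, struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def answer_ipv4(resp):
    """Extract the first A record from a response, or None if it has no answer."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if ancount == 0:
        return None
    _, _, _, question = parse_query(resp)
    off = 12 + len(question)
    _ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
    rdata = resp[off + 12:off + 12 + rdlen]
    return ".".join(str(b) for b in rdata) if rtype == QTYPE_A else None
```

To run this for real you would bind a UDP socket on port 53 inside the LAN, feed each datagram to `handle()`, and relay "forward" verdicts to the upstream resolver; the one-question, no-compression parser above is enough for ordinary client queries but not a general DNS implementation. The practical caveat that applies to every DNS-based filter in this thread, OpenDNS and DNS Redirector included: it only works while clients actually use that resolver, so the firewall should block or redirect outbound port 53 from everything except the sinkhole, and a user who hardcodes another resolver, uses DNS over HTTPS, or connects by IP address still gets through.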