Content Filtering

hyde1: I read that we cannot block HTTPS with content filtering, but that's useless because any user can visit https://youtube and gain access easily. Someone mentioned blocking it via DNS by adding a static entry. How is this done?
I also tried keyword blocking, but that doesn't work either.
kirby: What corporations do is use proxy servers that point attempted connections to banned addresses to a web page with a warning.
Or, in a more SOHO or residential setting, the "at-risk" PCs could be connected to a separate LAN or VLAN. Then, within the firewall settings, block their access to whatever IP block YouTube occupies.
Unsophisticated users can be thwarted by modifying their hosts file so YouTube points to 127.0.0.1, or to a server playing 24/7 the recorded speeches of the Wicked Witch of the West (you can choose which one).
(reply to hyde1) Or, if you've got cash to spend:
»www.proceranetworks.com/
Anav: Try OpenDNS. Unlike JPedro's belief system, diamonds do not fall from the sky. OpenDNS has a paid version which may have more utility if the free version does not do what is required.
Brano (reply to hyde1):
said by hyde1: I read that we cannot block HTTPS with content filtering, but that's useless because any user can visit https://youtube and gain access easily.
That's exactly my point: content filtering on unencrypted traffic only is pretty useless. The typical, most commonly used workaround is DNS blocking. HTTPS is nowadays typically 'inspected' using the 'man in the middle' approach, where you insert a corporate SSL proxy at the edge of your network and terminate all SSL connection requests on that proxy, issuing back a fake certificate (for which you install a trusted corporate CA into users' browsers), and then the SSL proxy makes the SSL connection to the end server. The pipe is broken in the middle, however, for inspection. There are very expensive enterprise solutions that provide appliances and/or software for this. An alternative, not widely used, approach is real-time decryption, but that really works for weak ciphers and rich clients.
Your best bet is OpenDNS, as already stated, and common education of your users or setting corporate policies (i.e. these sites are banned and if we catch you going there we'll slap your hands, kind of a deal).
Back to my earlier sentiments: CF/AS is useless, and IDP/AV/AppPatrol is seriously under-powered on the USG series.
(reply to hyde1) You can filter both HTTPS and HTTP sites via DNS, as others have suggested. Note that this also works for other things that may not be using typical HTTP requests at all, for example IM clients, remote desktop, 'free' proxy servers, VPNs, etc.
Another alternative to OpenDNS is DNS Redirector, which you install on your own server behind the firewall. They have some documentation specific to the USG series as well: »dnsredirector.com/sample/Zyxel/
Anav: Very nice for a one-time low cost and a server. Any downsides?
Brano:
said by Anav: Any downsides?
Yes, you have to install it on every single Windows machine; it works with Windows only (no OS X, Linux, Android, iPhone, etc.).
@Brano, you must not have read their site. It's a Windows service that installs on one Windows server in your environment; then any client (regardless of OS) can benefit from the filtering. You simply hand out that server's IP as the default DNS server.
@Anav, I've been using it for a few years; it does what I want and doesn't cost a lot. It took me a while to get the hang of whitelisting a site. For example, if you want to allow youtube.com you also need to whitelist ytimg.com and youtube-nocookie.com; some sites are like that, where they need more than one domain to work, often a CDN/partner.
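The DNS-blocking approach the thread settles on (Brano's "sinkhole the name" workaround, and the last poster's point that whitelisting a site means whitelisting its CDN and partner domains too) is easy to model in code. The following is an added example written for this page; it is not code from the original thread, from OpenDNS or from DNS Redirector. It parses a DNS query from the wire, applies a block/allow policy that matches subdomains, and hands back a forged A record pointing the blocked name at 127.0.0.1 (kirby's hosts-file trick, done for the whole LAN). The domain names, the sinkhole address and the 0x1234 transaction ID are illustrative choices; forwarding unblocked queries to a real upstream resolver is left out so the example runs offline.

```python
import socket
import struct

SINKHOLE_IP = "127.0.0.1"   # assumed sinkhole address; blocked names resolve here


def name_matches(qname, domain):
    """True if qname is `domain` itself or any subdomain of it (www.youtube.com
    matches youtube.com; notyoutube.com does not)."""
    qname, domain = qname.lower().rstrip("."), domain.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


class DnsPolicy:
    """Blocklist mode (default_deny=False): sinkhole only the listed domains.
    Whitelist mode (default_deny=True): sinkhole everything not on the allow list,
    which is why a whitelisted site needs its CDN/partner domains listed as well."""

    def __init__(self, blocked=(), allowed=(), default_deny=False):
        self.blocked = tuple(blocked)
        self.allowed = tuple(allowed)
        self.default_deny = default_deny

    def decision(self, qname):
        # Allow entries win, so a blanket block can be punched through for one host.
        if any(name_matches(qname, d) for d in self.allowed):
            return "forward"
        if self.default_deny or any(name_matches(qname, d) for d in self.blocked):
            return "sinkhole"
        return "forward"


def build_query(qname, qtype=1, txid=0x1234):
    """Constructed sample input: a standard recursive query for qname (A=1, AAAA=28)."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, raw question section) for the first question."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1 or flags & 0x8000:        # QR bit set means this is a response
        raise ValueError("not a DNS query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                    # compression pointers are not valid here
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def sinkhole_response(txid, question, ttl=60):
    """NOERROR answer with one A record for the queried name -> SINKHOLE_IP."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 answer
    # 0xC00C is a name pointer to offset 12, i.e. the name in the question section.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + rr


def handle(packet, policy):
    """Decide one query. Returns (decision, response bytes or None); None means
    'forward to the real upstream resolver', which this offline example does not do."""
    txid, qname, qtype, question = parse_query(packet)
    if policy.decision(qname) == "forward":
        return "forward", None
    if qtype == 1:                                            # A record
        return "sinkhole", sinkhole_response(txid, question)
    # Any other type (AAAA above all) gets an empty NOERROR answer. Forwarding the
    # AAAA query upstream would hand a dual-stack client the real IPv6 address.
    return "sinkhole", struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question


def response_txid(response):
    return struct.unpack("!H", response[:2])[0]


def answered_ip(response):
    """Address from the single A record of a sinkhole response, or None if empty."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


if __name__ == "__main__":
    blocklist = DnsPolicy(blocked=["youtube.com"])
    whitelist = DnsPolicy(default_deny=True,
                          allowed=["youtube.com", "ytimg.com", "youtube-nocookie.com"])
    for name in ("www.youtube.com", "i.ytimg.com", "example.com"):
        print(name, handle(build_query(name), blocklist)[0], handle(build_query(name), whitelist)[0])
```

Two things the thread's posters rely on but do not spell out: the policy must match subdomains (a list entry of youtube.com has to catch www.youtube.com), and the sinkhole must answer AAAA queries for blocked names too, or the block silently fails on IPv6. DNS filtering also only works while clients use your resolver; a user who points their machine at another resolver walks straight past it, so pair it with a firewall rule that drops outbound DNS from the LAN to anything except the filtering server.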