Restricting Web Access from Firewall

Carlosinfl

I was wondering if I wanted to restrict any and all access to www.myspace.com (for example) via the Firewall, what is the best practice? I am sure something as huge as myspace has multiple IPs to load balance the traffic but how can I block all traffic to the site? I don't just want to prohibit users from authenticating / logging in but also just accessing this site in general.

Can someone please help me and explain what the more logical and successful method would be to block access?

Thanks!
 
For a basic solution, OpenDNS works pretty well. For a more business grade solution (user/group/ip control) Websense or Websense Express is what I recommend and integrates with the PIX.
 
Is this a business environment? If your client PCs are using an internal DNS server the easiest way is through DNS manipulation. You can create a forwarder for myspace.com and point the forwarder to an invalid IP like 1.1.1.1. That will prevent your clients from resolving requests for MySpace. It's not the prettiest solution, but it works. Obviously if you have a lot of sites you want to block I wouldn't recommend doing this, but for one or two it works. A smart user will know how to get around it but most will not.
 
Shabazkilla - yes all my clients are pointing to an internal DNS server and this is the only site I am restricting so I like your idea. I can just create a forwarder for myspace.com to 1.1.1.1 and then it should work, right?
 
If they're smart they'll just use the IP address for browsing, or use an external DNS server.

I would also nslookup myspace.com and create an outgoing ACL blocking the IPs it resolves to (I'm only seeing two IPs).
 
Yes, they could. As I stated, it will stop most users but it's certainly not foolproof. For a more robust solution something like Websense would be in order. Also forcing all access through a proxy server would allow more control.

But I'm assuming that since it's just one site that needs to be blocked a simple DNS manipulation should suffice.
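The two countermeasures discussed in this thread (sinkholing the domain on the internal DNS server and an outbound ACL on the IPs it resolves to) and the two bypasses raised against them (browsing by IP, and pointing a client at an external DNS server) can be worked through in a small script. The following is an added example written for this page, not code posted by anyone in the thread. It assumes an internal DNS server at 10.0.0.5, a sinkhole address of 1.1.1.1 as used above, a constructed resolution table in place of a live lookup so it runs offline, iptables-style rule output rather than PIX syntax, and a constructed log format of `time src dst dport proto`.

```python
"""Added example: sinkhole zone + outbound ACL for a blocked domain, plus a
detector for the bypasses mentioned in the thread (direct-IP browsing and
external DNS). All addresses and log lines below are constructed."""

INTERNAL_DNS = "10.0.0.5"       # assumed address of the internal DNS server
SINKHOLE_IP = "1.1.1.1"         # the "invalid IP" target used in the thread
BLOCKED_DOMAINS = {"myspace.com"}

# Constructed resolution table standing in for `nslookup myspace.com`.
# A live version would call socket.getaddrinfo(); two addresses, as the
# poster reported seeing. 192.0.2.0/24 is a documentation range.
RESOLVED = {"myspace.com": ["192.0.2.11", "192.0.2.10"]}

# Constructed connection log: "time src dst dport proto"
LOG_LINES = [
    "10:00:01 10.0.1.20 10.0.0.5 53 udp",     # normal query to internal DNS
    "10:00:02 10.0.1.20 192.0.2.10 80 tcp",   # browsing the blocked site by IP
    "10:00:03 10.0.1.21 8.8.8.8 53 udp",      # client using an external resolver
    "10:00:04 10.0.1.22 203.0.113.7 443 tcp", # unrelated traffic
]


def sinkhole_zone(domain, sink=SINKHOLE_IP):
    """Zone fragment that answers the domain and every subdomain with the
    sinkhole address (the 'forwarder to 1.1.1.1' idea from the thread)."""
    return "\n".join([
        f"$ORIGIN {domain}.",
        f"@  IN A {sink}",
        f"*  IN A {sink}",
    ])


def blocked_ips(domains=BLOCKED_DOMAINS, resolved=RESOLVED):
    """Union of every address the blocked domains currently resolve to.
    Load-balanced sites rotate addresses, so this must be re-run regularly."""
    ips = set()
    for d in domains:
        ips.update(resolved.get(d, []))
    return ips


def acl_rules(ips):
    """Outbound deny rules, one per address, in iptables form. Sorted so the
    generated rule set is stable between runs."""
    return [f"iptables -A FORWARD -d {ip} -j REJECT" for ip in sorted(ips)]


def find_bypasses(log_lines, ips, internal_dns=INTERNAL_DNS):
    """Flag the two evasions discussed above: DNS traffic to anything other
    than the internal server, and direct connections to a blocked address.
    Returns (source, kind, destination) tuples."""
    findings = []
    for line in log_lines:
        _ts, src, dst, dport, _proto = line.split()
        if dport == "53" and dst != internal_dns:
            findings.append((src, "external-dns", dst))
        elif dst in ips:
            findings.append((src, "direct-ip", dst))
    return findings


if __name__ == "__main__":
    print(sinkhole_zone("myspace.com"))
    ips = blocked_ips()
    for rule in acl_rules(ips):
        print(rule)
    for src, kind, dst in find_bypasses(LOG_LINES, ips):
        print(f"{src} -> {dst}: {kind}")
```

The DNS sinkhole and the IP ACL cover each other's gap: the sinkhole stops name-based access for clients that honour the internal resolver, the ACL stops the direct-IP route, and the log check surfaces the clients that went around both (a host talking to port 53 anywhere but the internal server is the tell for an external resolver). Because the ACL is only as good as the last resolution, regenerate it on a schedule rather than once.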
 

Better yet, forward it to an internal or hosted page out there that warns the user and reminds the user to stick to work related activities. You can even put a little warning that your activity is being monitored and continued abuse of company resources can result in termination.

That should send the message pretty quick.


If you are the more humorous admin, then put an embedded audio file "hey everyone, I am looking at Porno!!!"
 
You should have proxy blocking as well, as there are TONS of myspace proxies out there that will easily jump around an IP or DNS block of myspace.com
 
Is this for a business environment? If so, here's some input from an additional perspective... In addition to the technical suggestions above (which are all very good), you really ought to also consider an acceptable use policy to go with the countermeasures you put in place. Every employee should sign up to this, therefore accepting any consequences you choose to put in place as a result of breaking it. I know it seems a little like a dictatorship, but my viewpoint (in a business environment) is that your computer and the networks it is connected to are a business asset and should be treated as such. Just my two penn'orth!
 

I used to do that at my old job. ;) Blocked sites via the firewall (the GUI interface for mine made it quick and easy) like Match.com in the past and put up a huge page that said something like:

You have been caught trying to access a website that contains inappropriate material. Management has been notified.

People generally stopped trying to access the website after that.

Another good one was just a joke I pulled occasionally since it was a small business and I could get away with it.

"March Madness websites have been held hostage unless lunch has been provided to the admin with the password." :p
 
www.opendns.com - Open DNS is free and works well!

Are you using any kind of linux firewall such as smoothwall or pfSense?



Yes, kudos to Opendns. One of the major upsides to using Opendns over other solutions is that it actually speeds your connection up (granted not a lot), instead of slowing it down dramatically.

btw, just make sure you block proxies and such if you choose opendns.
 