4

Our ISP forced us to use their router, which doesn't have any option to block certain URLs/IPs like our 3Com OfficeConnect router has.

Is there any other easy way to implement this without an intelligent router (we are also using a D-Link 1016 switch)? Or shall we buy a more recent 3Com router?

Thanks.

abenci
  • There are a number of ways to do this, but without knowing much about your network's configuration or your budget I don't think anyone can really give an appropriate recommendation. One thing that will be fairly consistent, though, is that you should have another piece of hardware between the clients you are trying to block and the Internet. – Iszi Feb 13 '11 at 17:49
  • I don't think so, that they can force you to use their router, because all they can check is the MAC, so you can use your own and fake the MAC. – Ency Feb 13 '11 at 18:58
  • Don't. Or do you really want to demoralise your staff? – Tom O'Connor Feb 13 '11 at 23:56
  • @TomO'Connor (and everyone) ordinarily I agree with the sentiment, but I had a recent run-in today that justifies the blocking for another reason: browse-by infections. Most users don't want to be blocked, but on the other hand they don't want to take responsibility for safe web browsing and keeping systems protected. There are vulnerabilities that lead to infections and data theft without the user ever knowing. Sometimes the blocking of sites helps prevent this, so you're protecting users from themselves with filtering. – Bart Silverstrim Feb 16 '11 at 22:20

3 Answers

5

OpenDNS; or another (and possibly more controlled) option is to build a proxy server between your network and the router. You can do something open source like Squid with an add-on for blocking, or you can purchase any of many commercial solutions for blocking websites by category.

If you're going to be blocking websites, it's generally better in my experience to use a proxy filter instead of your router since the proxy can log traffic and be used to extract reports.

Bart Silverstrim
  • +1 I'd also talk it over with management and determine how you want to implement this: I've had better results by quietly logging activity and, when/if warranted, addressing problem users individually, as most employees were not an issue. An over-zealous blocking policy can often lead to bad morale or, worse, employees looking to bypass it through upstream proxies, tethering 3G phones, etc. – gravyface Feb 13 '11 at 20:32
  • I was assuming this was coming from management in the first place, but what you're bringing up is a topic that makes a lot of sysadmins squirm... censorship in the workplace is not a comfortable thing. But on the other hand it's amazing how often assuming people won't abuse privileges works against you. But again, that's been my experience. – Bart Silverstrim Feb 13 '11 at 21:03
  • It can go either way, depending on the culture, but the majority of my clients that decided to 1) notify the staff, 2) monitor the activity, 3) react accordingly found that #1 alone deterred excessive facebook/time-wasting and that only a very small minority were actually abusing their privileges. Obviously adult/hate/gambling/drugs, etc. categories are blocked outright, as there's no place in the workplace for that. – gravyface Feb 13 '11 at 22:17
  • @Bart: Thanks, what do you mean with _(and possibly more controlled)_? – abenci Feb 14 '11 at 14:44
  • @devdept: you would have finer control over what you block and monitor. – Bart Silverstrim Feb 15 '11 at 01:32
  • @Bart: is it possible to exclude one machine from OpenDNS filtering if I set it up on the router? – abenci Feb 25 '11 at 13:18
  • I suppose if you have the machine statically configured, you could point it to whatever DNS server you want so it wouldn't get influenced by OpenDNS. – Bart Silverstrim Feb 25 '11 at 14:31
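As an added example (not code from any of the answers above), here is a small Python script that turns Squid's native access.log into the kind of report Bart mentions and gravyface's "quietly log, then act on individuals" approach needs: it counts TCP_DENIED requests per client and per domain. The log lines are constructed samples in Squid's default native log layout.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1297612345.123    245 192.168.1.20 TCP_MISS/200 15321 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1297612351.456      1 192.168.1.20 TCP_DENIED/403 3811 GET http://www.facebook.com/home.php - HIER_NONE/- text/html
1297612360.789      1 192.168.1.31 TCP_DENIED/403 3811 GET http://facebook.com/ - HIER_NONE/- text/html
1297612399.001      2 192.168.1.31 TCP_DENIED/403 3811 CONNECT www.facebook.com:443 - HIER_NONE/- -
1297612410.555    120 192.168.1.44 TCP_MISS/200 9822 GET http://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""

def parse_squid_line(line):
    """Split one native-format line into the fields the report needs.
    Returns None for blank or malformed lines instead of raising."""
    fields = line.split()
    if len(fields) < 7:
        return None
    result, _, status = fields[3].partition("/")
    url = fields[6]
    # CONNECT (HTTPS) requests log only host:port with no scheme; prepend
    # "//" so urlsplit extracts the hostname in both cases.
    if "://" not in url:
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": float(fields[0]), "client": fields[2], "result": result,
            "status": int(status) if status.isdigit() else 0, "host": host}

def denied_report(log_text):
    """Count denied requests per client and per domain, so an admin can
    see who is hitting the block list before deciding whether to act."""
    by_client, by_host = Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_squid_line(raw)
        if rec is None or rec["result"] != "TCP_DENIED":
            continue
        by_client[rec["client"]] += 1
        # collapse www.example.com and example.com onto one key
        host = rec["host"]
        by_host[host[4:] if host.startswith("www.") else host] += 1
    return {"by_client": dict(by_client), "by_host": dict(by_host)}

if __name__ == "__main__":
    r = denied_report(SAMPLE_LOG)
    for client, n in sorted(r["by_client"].items(), key=lambda kv: -kv[1]):
        print(f"{client:15} {n} denied")
    for host, n in sorted(r["by_host"].items(), key=lambda kv: -kv[1]):
        print(f"{host:30} {n} denied")
```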
1

I am assuming this also means you have virtually ZERO protection on your network other than NAT. NAT is not a true firewall (but does a good job...).

Check out the PFSense project - free, open source and very good: www.PFSense.org. Add the Squid support and you are golden.

Another simple project (free or paid) would be Untangle. Easier, imho.

These can each operate in a transparent mode, allowing you to lock down your network but also protect it.

Glenn Kelley
0

Use OpenDNS.

Jason Berg