
I want to stop employees from using social media and other sites I might not want them to visit, yet there are times when we need to use them, so I need some flexible, customizable solution.

I tried the router, and it only blocks up to 8 sites. I can use a DNS filtering solution, e.g. OpenDNS.com, yet how can I stop users from just changing their DNS manually (e.g. to Google DNS 8.8.8.8 and 8.8.4.4) to avoid my block?

I can set up a machine with a proxy server and make it the gateway, yet I still face the same issue with the proxy: they can just remove the proxy settings in the browser and use a direct connection.

Is there some way to block all connections other than those to a custom DNS or proxy server that I can set up somewhere at the router or gateway? I have and use a Netopia 3700, but I might be able to buy a new one.

  • Only reason I am not putting this into an answer is I can't really give you all the specifics on it but... Group Policy via Active Directory would seem a good path for you. I really don't have a lot of idea on how to give you the "customization" you seem to want though. The hardest part I think is the idea that sometimes they can and sometimes they can't... I really don't see how you get that to fly if you can't trust them to run correctly in the first place. Only thing I can think of off the top of my head would be to give them a separate AD account for when it's OK to use that stuff... – Charles Mills Dec 16 '11 at 21:26

3 Answers


The simple solution is that you must set up an egress filter on your border appliance that either blocks outgoing udp/53 (if you want to force a DNS server) or blocks outgoing tcp/80 and tcp/443 connections that do not come from your proxy.

There are an extremely large number of Linux firewall appliances and router firmware replacements that could do this easily. Some of the appliances you could get allow you to place squid/squidguard on the box, and you can set it up in transparent mode, meaning the users do not have to configure anything.

Instead of filtering, or in addition to filtering, I suggest you consider setting up some kind of logging of all traffic. Make it clear to everyone that you are logging everything, and that any serious abuse will be dealt with. This way you can ignore the person who only spends a couple of minutes, and deal with the people who spend all day on time-wasting activities, without making all the less abusive staff mad at you.

Zoredache
  • Considering your desire for that customization where sometimes it's ok and sometimes it's not... this makes a lot of sense. – Charles Mills Dec 16 '11 at 22:12

As OG Chuck Low suggests in his comments, if you are on a Windows Domain (you didn't mention OSes for the clients) you can use Group Policy in conjunction with DHCP to set the users' DNS settings (for example to use OpenDNS), and disallow them from changing them. UNLESS they have Administrator access on their computer, in which case they can always change it, at least until the next Group Policy refresh interval (usually once an hour).

See this MS article for info on which Group Policies you need to examine and set:

Group Policy for Network Connections

By using the Group Policy snap-in, an administrator can configure the desktop settings of many computers at once. Some Group Policy settings apply specifically to Network Connections, such as user access to connections and the ability to change the properties of connections. These settings can be found in the Administrative Templates of the Group Policy snap-in.

Where? Group_Policy_object_name/Computer Configuration (or User Configuration)/Administrative Templates/ Network/Network Connections

Another option is to get a more robust firewall/router that allows blacklisting more than 8 sites. :)

In reality the best way to keep people from surfing sites they shouldn't is company/people policy ("Surf Facebook and get fired" often works well), as things like proxies, portable browsers, LiveCDs etc. make it VERY difficult to stop a savvy user from a technical point of view; especially if they have Admin access to their system, or it's not fully locked down to prevent booting other devices.

techie007
  • Thank you Techie! Much better than my half assed attempt at an answer :) – Charles Mills Dec 16 '11 at 22:10
  • No problem. ;) In the end, this is a ServerFault question (since it's about supporting a work network), and is most likely a dupe over there. :) – techie007 Dec 16 '11 at 22:13
  • You are probably right. I am still pretty new here so I'll leave that stuff to you cats to decide :) – Charles Mills Dec 16 '11 at 22:18
  • The thing is, I don't want to go to every machine and change settings; in future I might need to change it back, and it is a lot of work. Is there a solution I can install right before the gateway (or after)? E.g. some routers can forward outgoing connections to any IP on port 53 to an IP you specify on port 53, so I can just make all DNS default to the ones I set up at opendns.com without any need to reconfigure all the computers. Does someone know of such a router, or an additional thing I can install to do so? –  Dec 17 '11 at 01:19
  • @MrCHong The point of [Group Policy](http://en.wikipedia.org/wiki/Group_Policy) is so that you DON'T have to visit each computer. – techie007 Dec 17 '11 at 01:22
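Zoredache's egress filter (outgoing port 53 only from your resolver, outgoing 80/443 only from the proxy) together with the port-53 redirection asked about in the comment above, written out as an iptables ruleset for a Linux gateway. This is an added example, not code from any answer here; the interface names, addresses, and the Squid and resolver hosts are assumptions, and by default the script only prints the rules it would run.

```shell
#!/bin/sh
# Egress filter for a Linux gateway, in iptables syntax. Interfaces and
# addresses below are constructed for this example.
LAN_IF="eth1"            # interface facing the office LAN
WAN_IF="eth0"            # interface facing the Internet
LAN_NET="192.168.1.0/24"
PROXY_IP="192.168.1.2"   # Squid box (transparent or explicit)
DNS_IP="192.168.1.3"     # internal resolver that forwards to the filtering DNS service
APPLY="${APPLY:-no}"     # APPLY=yes executes the rules; the default only prints them

rule() {
  # Print each rule so the ruleset can be reviewed before it is applied.
  echo "iptables $*"
  if [ "$APPLY" = "yes" ]; then iptables "$@"; fi
}

egress_rules() {
  # 1. Send every client DNS query to the internal resolver, whatever server
  #    the client configured (8.8.8.8 included). The resolver's own upstream
  #    queries are exempted first so they are not looped back to itself.
  rule -t nat -A PREROUTING -i "$LAN_IF" -s "$DNS_IP" -j RETURN
  for proto in udp tcp; do
    rule -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport 53 -j DNAT --to-destination "$DNS_IP:53"
    # The resolver sits on the same LAN as the client, so its reply would
    # bypass the gateway; masquerade so the reply returns here to be un-NATed.
    rule -t nat -A POSTROUTING -o "$LAN_IF" -d "$DNS_IP" -p "$proto" --dport 53 -j MASQUERADE
  done

  # 2. Allow replies to connections the gateway already forwards.
  rule -A FORWARD -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 3. Only the resolver may reach external port 53; log and drop the rest.
  for proto in udp tcp; do
    rule -A FORWARD -o "$WAN_IF" -s "$DNS_IP" -p "$proto" --dport 53 -j ACCEPT
    rule -A FORWARD -o "$WAN_IF" -p "$proto" --dport 53 -j LOG --log-prefix "EGRESS-DNS:"
    rule -A FORWARD -o "$WAN_IF" -p "$proto" --dport 53 -j DROP
  done

  # 4. Only the proxy may open external web connections; a client that drops
  #    its proxy setting gets a TCP reset and a log line instead of a page.
  rule -A FORWARD -o "$WAN_IF" -s "$PROXY_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
  rule -A FORWARD -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "EGRESS-WEB:"
  rule -A FORWARD -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
  # Ports other than 53, 80 and 443 stay open here; give FORWARD a DROP policy
  # with explicit allows if proxies on non-standard ports must be blocked too.
}

egress_rules
```

The LOG rules give you the per-host record Zoredache suggests keeping, so repeat offenders show up in the kernel log by source address rather than by guesswork.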

You are trying to use technology to solve a policy problem.

Please don't - it won't work. Persistent offenders will always find a way to work around any technical measures you impose to try and prevent access.

At the same time those technical measures will cause inconvenience and frustration to those who don't abuse your trust.

Misuse of computer resources is mostly an HR problem. Don't treat it as a technical problem.

Alnitak
  • It can help in many environments - if you think differently, that's OK, but this is not a helpful answer (although not untypical of very tech-led folks) – Tom Newton Jan 26 '12 at 20:42
  • @TomNewton my point is that if you attempt to use technology to solve policy issues, people will inevitably find a way to work around it. Properly written HR policies and appropriate application thereof is far more effective. – Alnitak Jan 26 '12 at 21:37
  • Certainly wouldn't use tech alone - but sometimes if folk know their browsing is logged, it helps. And not being able to accidentally access porn at work is a useful protection (it's not that hard). – Tom Newton Jan 27 '12 at 13:53