
I'm having some trouble making a Cisco ASA device block certain social networking sites which have become time sinks in our office. This question is really in two parts:

  1. Is there a reliable way to retrieve all of the IP addresses for these sites?
    • It seems that Facebook's DNS servers respond with random IP addresses. A dig followed by an nslookup yield two different IP addresses for www.facebook.com.
  2. Is there a trick that lets me add host names to the Cisco ASA through Adaptive Security Device Manager (ASDM)?
    • I have found the URL filter, but that requires a third-party piece of software that I doubt I'll get funding for just to block these sites.

We're looking for a temporary solution until I can get Squid up and running, which may be as far out as six months (we need a network administrator, bad).

Jack M.
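The first part of the question (why `dig` and `nslookup` disagree, and how to get a fuller list of addresses) is illustrated by the following added Python example; it is not from the question or from any answer. It repeats lookups against several resolvers, unions what comes back, and collapses the result into CIDR blocks of the kind a firewall object would hold. The resolver pools, the hostname `www.example.test` and the addresses are constructed for the demo; `system_resolver` is included for live use but is not called offline.

```python
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

# A resolver is anything that maps a hostname to the addresses it answers with.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(hostname: str) -> Set[str]:
    """Resolve with the OS resolver. Needs network access, so the offline demo
    below uses constructed resolvers instead."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def make_rotating_resolver(pool: List[str]) -> Resolver:
    """Constructed stand-in for a round-robin / load-balanced authoritative
    server: each query hands back the next address in the pool, one at a time."""
    state = {"next": 0}

    def resolve(hostname: str) -> List[str]:
        addr = pool[state["next"]]
        state["next"] = (state["next"] + 1) % len(pool)
        return [addr]

    return resolve


def collect_addresses(hostname: str, resolvers: Dict[str, Resolver],
                      rounds: int = 5) -> Dict[str, Set[str]]:
    """Query every resolver `rounds` times and keep each distinct address seen,
    keyed by resolver label. Repeating and mixing resolvers is the only way to
    approximate the full set when answers rotate."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for label, resolve in resolvers.items():
        for _ in range(rounds):
            for addr in resolve(hostname):
                seen[label].add(str(ipaddress.ip_address(addr)))  # normalise text form
    return dict(seen)


def all_addresses(seen: Dict[str, Set[str]]) -> Set[str]:
    """Union of everything any resolver returned."""
    return set().union(*seen.values()) if seen else set()


def summarize(addresses: Iterable[str]) -> List[str]:
    """Collapse individual addresses into the smallest set of CIDR blocks
    (all IPv4 here; ipaddress refuses to mix v4 and v6 in one collapse)."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # Constructed pools in documentation ranges (RFC 5737); not real addresses.
    resolvers = {
        "resolver-a": make_rotating_resolver(["192.0.2.10", "192.0.2.11"]),
        "resolver-b": make_rotating_resolver(["198.51.100.5"]),
    }
    print("one lookup each:", collect_addresses("www.example.test", resolvers, rounds=1))
    repeated = collect_addresses("www.example.test", resolvers, rounds=4)
    print("four lookups each:", repeated)
    print("blocks to filter:", summarize(all_addresses(repeated)))
```

Each single lookup sees one address, so two tools run once each can legitimately disagree. Only repeated, multi-resolver collection approaches the full set, and even that set changes whenever the site adds capacity, which is the reason several answers below prefer blocking the name rather than a list of addresses.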

8 Answers


Who do you use as your DNS provider? If you can switch to someone like OpenDNS (it's free) they provide automatic (& very configurable) blocking of social networking sites, webmail, adult content etc.

EDIT: You don't have to change anything with your ISP either.

Marko Carter
  • Pointed my router's DNS entries to OpenDNS and blocked it there (workstations are GPO configured to use the Router's DNS). Works great and blocks the ENTIRE social networking bunch. Facebook, MySpace, etc, plus chat programs, and so on – SpaceManSpiff Aug 05 '09 at 16:23
  • What about the speed of OpenDNS? Is it OK? – blank3 Nov 27 '09 at 08:37
  • @blank3: They run a bunch of servers distributed around the 'net using anycast routing, so it's usually pretty good. – Nicholas Knight Nov 27 '09 at 09:13
  • Just to add onto this answer: you might want to block outgoing DNS queries from your users so that your more sophisticated users can't just change their DNS servers to get around this. – zippy Jul 21 '11 at 20:09
  • that's great unless someone using the computer knows how to do "nslookup facebook.com 8.8.8.8" and insert the returned IP into the computer's hosts file. – Olipro Jul 21 '11 at 20:17

On your Cisco ASA you can do the following:

regex facebook1 "facebook\.com"

class-map type inspect http match-any block-url-class
  match request uri regex facebook1

policy-map type inspect http block-url-policy
  parameters
  class block-url-class
    drop-connection log

policy-map global_policy
  class inspection_default
    inspect http block-url-policy

service-policy global_policy global

I would highly suggest you read the full details on Cisco's website.

Jeremy Rossi
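An added check on the regex in this answer (an editor's example, not part of the answer or of Cisco's documentation). `facebook\.com` is unanchored, so it also hits look-alike names such as `notfacebook.com`, and `match request uri` inspects the request-target, which for a browser talking directly to a site is only the path (`/home.php`); the domain travels in the `Host` header, which ASA HTTP inspection matches with `match request header host regex` instead. The hostnames and the two HTTP requests below are constructed, and the anchored pattern is the added alternative.

```python
import re
from typing import Dict, Optional, Tuple

# Pattern exactly as posted in the answer: no anchors, so it matches anywhere.
POSTED = re.compile(r"facebook\.com")
# Anchored variant (added here): the label must be the whole host, or a parent
# of it, so look-alike names are not swept in.
ANCHORED = re.compile(r"(^|\.)facebook\.com$")


def hits(pattern: "re.Pattern[str]", value: str) -> bool:
    """True when the regex matches somewhere in `value` (search, not fullmatch,
    mirroring an unanchored firewall regex)."""
    return pattern.search(value) is not None


def parse_request(raw: bytes) -> Tuple[str, Optional[str]]:
    """Split a constructed HTTP/1.1 request into (request-target, Host header).
    An origin-form request carries only the path on its first line; the host
    lives in the Host header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host: Optional[str] = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return target, host


def where_it_matches(raw: bytes, pattern: "re.Pattern[str]") -> Dict[str, bool]:
    """Report whether the pattern hits the URI and whether it hits the Host
    header of one request, i.e. which ASA match clause would fire."""
    target, host = parse_request(raw)
    return {
        "uri": hits(pattern, target),
        "host": host is not None and hits(pattern, host),
    }


# Constructed hostnames to compare the two patterns on.
HOST_SAMPLES = [
    "www.facebook.com",            # should be blocked
    "facebook.com",                # should be blocked
    "notfacebook.com",             # unrelated site sharing the suffix
    "facebook.com.example.test",   # look-alike under another domain
]


def compare_patterns() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample host to (posted pattern hit, anchored pattern hit)."""
    return {h: (hits(POSTED, h), hits(ANCHORED, h)) for h in HOST_SAMPLES}


# Constructed requests: a browser talking directly to the site (origin-form)
# and the same request sent through an explicit proxy (absolute-form URI).
DIRECT = b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\nUser-Agent: x\r\n\r\n"
VIA_PROXY = b"GET http://www.facebook.com/home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"

if __name__ == "__main__":
    for host, (posted, anchored) in compare_patterns().items():
        print(f"{host:28} posted={posted!s:5} anchored={anchored}")
    print("direct request: ", where_it_matches(DIRECT, POSTED))
    print("proxied request:", where_it_matches(VIA_PROXY, POSTED))
```

With the direct request, the URI clause never fires and only a Host-header clause would; with the proxied request both fire. Anchoring the pattern keeps the rule from also dropping unrelated sites whose names merely contain the string.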
  1. Gather logs of the user's web activity.
  2. Go over to the user's desk.
  3. Show them the logs, and tell them if they don't stop screwing around on company time, they'll be fired.
  4. Log the event.

You might even get promoted to management if you keep this up. ;)

Ernie
  • Ooooh, tactful... hehehe. The question though wasn't really 'how do I stop my users from accessing social-networking sites', I read it more like: 'How do I disable user web access to sites by domain' which could be talking about staff, or guests accessing these sort of sites. You have a point though, so no - from me ;) – l0c0b0x Aug 05 '09 at 17:52
  • Then perhaps step 0 should be "Ask if it's the end result or the means that matters." Also, in step 3, I didn't say you had to have no tact. You could say that Management has told you to prevent them from accessing the sites they've been browsing, and leave them to figure out what that means. – Ernie Aug 05 '09 at 21:19

A client of mine had this exact problem. Here's how we tackled the solution:

  1. Installed an IPCop box with a built-in Squid proxy and also installed the URLFilter add on. All traffic now flows through the IPCop box.

  2. Hard coded everyone's IP address to their telephone extension for the simple fact that it made it WAY easier to identify the offenders. We also changed all of the DNS server settings to point to OpenDNS. (Further filtering options are possible with OpenDNS but it turned out they were not required after all.)

  3. Removed (and banned) the use of all public IM clients such as Yahoo Messenger, MSN, AOL, ICQ, etc., etc. Instead we installed a secure company-only XMPP server called SecuredIM so that all IM traffic would be logged and would be guaranteed to be company-to-company communications only.

  4. SecuredIM also has the unique ability to take screenshots of desktops every XX minutes. If an employee was suspected of goofing off (based on IPCop logs) a picture was worth 1,000 words. Select screenshots could be archived and emailed for later review (or disciplinary action).

  5. We blocked Facebook, Myspace, Hulu, and two or three other major abuses via the URLFilter on the IPCop box.

  6. Manual review (and more sites blocked if necessary) for about a week.

  7. Opened up "free/unblocked" surfing during the lunch hour (12:00 pm-1:00 pm).

By the end of the week the company was a total transformation. Productivity increased dramatically and nobody so much as complained.

As with any company, there's always the 1-2 rebels out there who think it's a "game".

When nytimes.com was blocked they went to another news site. When that was blocked they picked yet another. Others stopped surfing and took up hobbies such as Solitaire and Minesweeper, but the SecuredIM screenshots caught that (IPCop could not obviously).

Within two weeks (and a couple of employer/employee discussions including disciplinary action for stubborn individuals) everything was running smoothly and has been running smoothly for almost two years.

URLs:

http://www.ipcop.com

http://www.securedim.com

http://www.opendns.org

SIDE NOTE:

As a funny side story, about a year later an electrical problem in the building caused the power supply on the IPCop box to go out, and it was 2-3 days before a new IPCop box could be put in place.

We found that it took less than 48 hours for the employees to go back to their old/original surfing habits and productivity to drop.

It was quite the social experiment. :-)

KPWINC
  • +1 for the awesome explanation. Unfortunately, the proxy was something we were avoiding because of the time involved. It is the best solution in the long run, but my time is probably better spent programming (that is my job, after all... Don't ask). – Jack M. Aug 05 '09 at 19:31
  • Oh my, sounds like a horrible place to be working at. – Karolis T. Sep 16 '09 at 14:11
  • As with any company, there's always the 1-2 rebels out there who think its a "game". --- You call them rebels, I call them freedom fighters. My goodness, there are more effective ways than censorship and surveillance to keep employees reasonable. Like, you know, hiring decent employees. – Luke has no name Jul 28 '10 at 20:19

The DNS solution sounds like the best answer to me, but be aware that of course they most likely will still be able to access the sites via IP address (you probably are aware from the level of your question, but others who find this on Google might not be).

Secondly, look at Evan's response to Discretely restrict users from running certain programs on Windows computers about stopping users from running certain programs. I think you are trying to solve a management problem with IT. Really they should probably be hiring people who are responsible enough to obey whatever rules are made clear, and they should probably worry about them getting their tasks done well and on time instead of what websites they visit in their downtime. Blocking this stuff is probably just going to spread resentment throughout the company. You do of course, have to do whatever you have to do, and it's probably not even up to you -- but I think this should always be considered before taking this sort of step if it wasn't already.

Kyle Brandt
  • Yeah, I was about to say. The question "get back to us with your results" comes to mind, because the first thing that people are going to do is they're going to access Facebook on their cell phones instead. – Ernie Aug 05 '09 at 17:21
  • I would absolutely agree, Kyle. We are solving a management problem with IT. Unfortunately, the problem is not being reconciled by management, and the company is suffering as a result. This is my way of managing from beneath, because of the limitations in management from above. – Jack M. Aug 05 '09 at 19:27

I took a different approach to solving this issue.

Instead of having the ASA decipher traffic I created a forward lookup zone on my local DNS server for "facebook.com" and left all the DNS entries blank. If you would like, you can always point the site to an internal web page telling the user they are trying to access a site that is forbidden by company policy.

I hope this helps.

l8nite4me

If you don't have the time or staff to build your own solution, you might consider a turn-key product.

We use eSoft's Threatwall, which does a great job of controlling access (via IP or URL). Pretty easy to configure with check boxes for all the common types of sites, plus the ability to add your own and have a whitelist. They have different packages available (ours also filters spam, for instance).

Not affiliated with eSoft, other than as a customer, Dave


Maybe instead of blocking the IP addresses, you could direct the host names to localhost, that is, edit your hosts file so it looks something like (address first, then the name):

127.0.0.1     www.facebook.com

This would stop the true IP address of Facebook, etc. ever being looked up.

Kip
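A worked example (added here; not from this answer or from l8nite4me's) that puts the hosts-file approach in this answer next to the local-zone sinkhole l8nite4me describes. `sinkholed_zone` reproduces how an authoritative zone captures its apex and every name beneath it, `bind_zone_file` and `named_conf_stanza` generate BIND-style fragments for such a zone (the nameserver, hostmaster and file path are placeholders), and `hosts_entries`/`hosts_blocks` show why a hosts file only intercepts names listed exactly. The zones and queries are constructed.

```python
from typing import Iterable, List, Optional


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'M.Facebook.COM.' and
    'm.facebook.com' compare equal, as a resolver would treat them."""
    return name.rstrip(".").lower()


def sinkholed_zone(qname: str, zones: Iterable[str]) -> Optional[str]:
    """Return the configured zone that captures `qname`, or None. A local
    authoritative zone answers for its apex and every name beneath it, which
    is the property a hosts file lacks."""
    name = normalize(qname)
    # Longest zone first so a more specific zone wins over its parent.
    for zone in sorted((normalize(z) for z in zones), key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def bind_zone_file(zone: str, target: Optional[str] = "127.0.0.1",
                   ns: str = "ns1.corp.example.",
                   hostmaster: str = "hostmaster.corp.example.") -> str:
    """Build a BIND-style zone body for the sinkhole. With target=None the zone
    carries no address records, so every lookup under it fails (the 'entries
    left blank' approach); with a target, apex and wildcard both point at it,
    e.g. an internal block page. ns/hostmaster are placeholder names."""
    zone = normalize(zone)
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@  IN SOA {ns} {hostmaster} ( 1 3600 600 86400 300 )",
        f"@  IN NS  {ns}",
    ]
    if target is not None:
        lines.append(f"@  IN A   {target}")
        lines.append(f"*  IN A   {target}")   # wildcard catches www, m, api, ...
    return "\n".join(lines) + "\n"


def named_conf_stanza(zone: str, path: str) -> str:
    """named.conf fragment declaring the sinkhole zone (path is a placeholder)."""
    return f'zone "{normalize(zone)}" {{ type master; file "{path}"; }};\n'


def hosts_entries(names: Iterable[str], target: str = "127.0.0.1") -> List[str]:
    """hosts-file lines: address first, then the name. One exact name per line;
    the hosts file has no wildcard syntax."""
    return [f"{target} {normalize(n)}" for n in names]


def hosts_blocks(qname: str, entries: Iterable[str]) -> bool:
    """Would a hosts file made of these lines intercept `qname`? Exact match only."""
    name = normalize(qname)
    return any(normalize(line.split()[1]) == name
               for line in entries if line.strip())


if __name__ == "__main__":
    zones = ["facebook.com", "myspace.com"]
    hosts = hosts_entries(["www.facebook.com"])
    for q in ["www.facebook.com", "m.facebook.com", "facebook.com", "notfacebook.com"]:
        print(f"{q:18} zone={sinkholed_zone(q, zones)!s:13} hosts={hosts_blocks(q, hosts)}")
    print(named_conf_stanza("facebook.com", "/etc/bind/db.sinkhole"))
    print(bind_zone_file("facebook.com"))
```

The run shows `m.facebook.com` captured by the zone but missed by a hosts file that lists only `www.facebook.com`, and `notfacebook.com` untouched by both. Either technique only works while clients actually use the resolver or file you control; the comments under the OpenDNS answer above describe users changing resolvers or hosts entries, which is why that answer's thread also suggests restricting outbound DNS.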