• Status: Solved

Internet Filter Software (not a porn filter)

Hello,

I am looking for a VERY SIMPLE internet filtering software.  We need to install it on about 15 machines, so the less expensive/free the better.  

All we need to do is block all access to the internet with the exception of 6 sites which are work related.  Some users will need to be able to surf anywhere they want.  Having them enter a password to access unrestricted internet is fine.  

We can't use a proxy server, since there are three separate offices, and group policy doesn't seem to do the trick either.  

So does anyone know of a freeware program or very inexpensive program which will block all sites with the exception of a handful of work related sites?  We don't want to pay monthly fees for databases we won't even use.  I will reward 100 more points if a freeware solution is provided!

Thank You
Asked by ccarmichael7
1 Solution
 
chris_calabreseCommented:
I don't think you'll be able to do this without some kind of proxy, but that doesn't mean it won't work for three offices - you just need three proxies.

Squid is the best known freeware web proxy. You can run it on some old PCs running Linux or *BSD.
 
thechandlerCommented:
One way you could do this is to:

Step 1
Edit the hosts file.  Search the C: drive for hosts - on XP it is in C:\WINDOWS\system32\drivers\etc.
Add in the web sites you wish to use - IP address, and then domain name.

example -
216.109.117.207  www.yahoo.com

Step 2
Then remove the DNS information from each client - now, the client will only be able to resolve the listed sites from the hosts file.

They will then only be able to access sites for which you have listed access in the hosts file.

For people who are allowed to surf, you could give them DNS information.

Out of curiosity, I just tested this on my machine, and IT WORKED!
Kind of roundabout, but no software, and no paying for anything but some time setting up a hosts file that you can copy to each client.
 
Wojciech DudaCommented:
I don't know how this works for you thechandler and what type your internet connection is, but I can remove all the dns info I want and my machine looks it up automatically... So this depends on the internet connection I guess.
 
thechandlerCommented:
mcwojtekk -

In our network, we have many clients that all are part of a switched network.  Various switches are connected throughout the building - bringing everyone access to both the servers and firewall/gateway out to the internet.  

We run a DNS server such that every client has the following information input on their terminal -
IP
Subnet
Gateway
DNS

Enabling DHCP, using a proxy connection, having DNS resolves cached, or having a direct connection to the internet on the client machine are all ways in which my method will not work - I would guess that you are using one of the methods that I listed.
 
Wojciech DudaCommented:
Well I use a proxy at work and a router for my SDSL connection at home. In both cases no go. Let's see what ccarmichael7 has to say about this.
 
ccarmichael7Author Commented:
Thanks for the responses guys!

The reason why we don't just use a proxy is that there are four offices connected via VPN over cable modems.  We don't want all the internet traffic to filter through the main site, and putting in proxies at each site seems like overkill.  To add to the confusion, there are some users who should be able to browse the internet freely.

So really it would seem to me that there should be some kind of software similar to CyberPatrol or NetNanny that doesn't require us to pay monthly fees for a database we won't use.  

I have tried using group policy, but I can't figure out how to make internet explorer do this using content advisor or the security settings.  If anyone knows how to do this using internet explorer, that would be perfect!  Then I could just push it out using group policy.


I am going to bump up the point value to 400 on this question, since it is fairly complex!

Thank you for all your answers thus far
 
chris_calabreseCommented:
I might be able to do this with group policy using the firewall built into WinXP. The API is referred to in MS docs as IPsec settings, though it's not actually the IPsec part you're interested in.

Otherwise, I'd deploy four proxies, each of which allows people to login and get full access or not login and get restricted access. You can buy four older PCs on eBay for ~$1K and load them with free software like Linux or FreeBSD with Squid as the proxy.
 
thechandlerCommented:
I found this software in a search - called Browse Control.  According to the product description you can set both time limits, or limit the internet to allow only work related sites.  I downloaded the trial, but do not have time to set it up on the server, but the interface is relatively intuitive, and you can set multiple group access levels for different clients.

Price wise, it is $20 / user, or it drops to $15 per user for 20+ users, and keeps dropping with more users.

http://www.codework.com/bcontrol/product.html
 
Rich RumbleSecurity SamuraiCommented:
There could be a few solutions for free, some more complicated than others...

One of the simpler solutions would be using IE to restrict sites that users shouldn't go to, and list the others that are allowed.
For some good documentation on the IE security zones have a look at: http://www.nwnetworks.com/iezones.htm
With the 5 zones (four viewable/configurable in IE) in IE you'll be able to permit internal traffic using the Intranet zone and specifying some IP ranges to allow. Trusted and Restricted are really the ones you'd work with. However, the users are also not restricted from adding their own to these zones... The Content Advisor is a better tool because there is a place for a password that you can specify that the users won't know. It's also very straightforward, you can use IP addresses and ranges.
Go to IE, Tools, Internet Options, Content, Enable Content Advisor, Settings..., Trusted Sites tab, put in an IP range x.x.x.x - x.x.x.x
So if you want to block "nytimes.com", you'd use the following IP range 199.239.136.0 - 199.239.136.255, and then select NEVER.
because they own the entire class C subnet (slash 24 subnet) (well, they don't own it, Verio does, but it's assigned to nytimes)
whois 199.239.136.200
New York Times Digital (NETBLK-C111-199-239-136-0) C111-199-239-136-0
                                               199.239.136.0 - 199.239.136.255
The easiest thing to do with the Content Advisor is to block everything, except what you wish to allow. If you have a 10.x.x.x as your internal subnet, then allow 10.0.0.0 - 10.255.255.255 (or whatever ranges you use internally)
Or block google 216.239.32.0 - 216.239.63.255 etc...

That being said... I do not recommend the Content Advisor using IP addresses, it is chatty, especially if a web-site gets its images from another domain like akamai or another range you're not allowing, this will make sites look broken, or not allow them to function at all. Using the DNS names is a better way, but still with the advisor, it's chatty for the same reasons.

I guess I should have listed what I would do first... anyway this is what I would do:

Get a policy written up for the users that are to be restricted. Granted this won't stop them, but it's the first step. If you have a company policy, that states "disciplinary action or termination" in it, that they have read and signed, then you have a little reminder you can bring to them when and if they do go against this policy. Please have a look at the SANS Policy page: http://www.sans.org/resources/policies/ These policies are easily customized, and are very well done, have a look through them.

Next, inform the users of the policy, as nicely as you can, be sure to tell them that you're willing to work with them and be flexible - but only to a point. Ask the users for sites that they absolutely need access to, then research those sites to be sure. If they like to read slashdot or cnn, tell them you'll be happy to allow them access to those sites however sites linked off of them may not be accessible.

Then start to lock them down using the advisor and/or the security zones in IE. If they are administrators of their machines... then you've got other problems, they can download programs like firefox, opera, mozilla and get around the restrictions. This is also true if you were running a proxy, unless you block port 80 outbound for everyone, and the only way out was a proxy.

That being said:
# It is estimated that 3 to 5 million web sites are newly established or renamed each week, making the collection and storage of accurate data virtually impossible. Providers of Site Blocking technology, however, claim a greater than 90% accuracy in database tracking of Internet sites, a claim that is highly improbable based on the sheer volume of new and renamed sites.
# Site Blocking can block vast amounts of good data along with the bad.
# Site blocking technology focuses only on HTTP based web traffic, leaving other applications such as instant messaging, e-mail, e-mail attachments, and other desktop applications continuing security risks.
# Site Blocking conveys to your users that if they find inappropriate sites that are not blocked then its OK to use them.

Personally I'd monitor their history files, and/or use Ntop (from openxtra there is a nice windows port of it) to police the traffic certain users are using. Ntop monitors all internet traffic, but with multiple sites, you'd need multiple instances of ntop, with a spanned port. http://www.openxtra.co.uk/products/ntop-xtra.htm Armed with the "ammo" that ntop can give you, and the policy they read/signed, you should be able to show the users you mean business, and that you are indeed watching.

Frankly, the easiest solutions would be the ones you subscribe to, or buy once. Even with the subscription ones, you can usually customize or add domains/ip ranges to block or allow.
GL!
-rich
 
Rich RumbleSecurity SamuraiCommented:
DOH! I don't know why I didn't think of this earlier...
IPsec firewall. While I think the policies and Ntop are also essential in any LAN, IPsec can make all of this very easy.

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

I can make an example IPSEC file and post it here, however you'd have to ultimately configure it for your environment.
Basically you can set it up to block port 80, 443 or anything else to all destinations, except the few that you want to allow.
Runs on the workstations themselves (win2k,xp or 2003) so even if they do install their own browser, they won't get anywhere.
-rich
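The allow-a-few-ranges, block-everything-else policy that Rich sketches twice in this thread (first as Content Advisor IP ranges, then as an IPsec filter on each workstation), worked through as an added example that is not code from the original thread or from any of its posters. It assumes only Python 3. The 199.239.136.0/24 range is the one quoted from whois above; the 10.0.0.0/8 internal range, the hostnames, the 203.0.113.77 CDN address and the page-load trace are constructed for illustration, and the one-filter-per-filterlist layout of the generated netsh commands is a choice made here, not a netsh requirement. The evaluator picks the most specific matching filter, which is how the Windows IPsec policy engine orders filters, so a block on 0.0.0.0/0 port 80 and a permit on 199.239.136.0/24 port 80 can coexist.

```python
"""
Destination allowlist for web traffic: block TCP/80 and TCP/443 to every
address, then permit them to a handful of approved ranges.  Added example,
not code from the original thread.  Only 199.239.136.0/24 comes from the
thread (the whois block quoted there); the 10.0.0.0/8 range, the hostnames
and the page-load trace below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

WEB_PORTS = (80, 443)


@dataclass(frozen=True)
class Filter:
    network: ipaddress.IPv4Network  # destination range the filter covers
    port: Optional[int]             # destination TCP port, None = any port
    action: str                     # "permit" or "block"


def build_policy(allowed: Sequence[str], ports: Sequence[int] = WEB_PORTS) -> List[Filter]:
    """Default-deny web policy: block the web ports to 0.0.0.0/0, then permit
    them to each allowed range.  Order does not matter; evaluate() picks the
    most specific filter, as the Windows IPsec policy engine does."""
    policy = [Filter(ipaddress.ip_network("0.0.0.0/0"), p, "block") for p in ports]
    for cidr in allowed:
        net = ipaddress.ip_network(cidr, strict=True)
        policy.extend(Filter(net, p, "permit") for p in ports)
    return policy


def evaluate(policy: Sequence[Filter], dst_ip: str, dst_port: int) -> str:
    """Verdict for one outbound TCP connection.

    Of the filters that match, the longest prefix wins; at equal prefix
    length an exact-port filter beats an any-port one.  A connection no
    filter covers at all (say TCP/25 to the mail server) is left alone,
    which is what a policy that only filters web ports does.
    """
    ip = ipaddress.ip_address(dst_ip)
    matches = [f for f in policy if ip in f.network and f.port in (None, dst_port)]
    if not matches:
        return "permit"
    best = max(matches, key=lambda f: (f.network.prefixlen, f.port is not None))
    return best.action


# Constructed trace of the connections one "allowed" page makes: the HTML
# comes from the approved /24, but its images are served from a CDN range
# nobody approved.  This is the broken-site failure mode Rich warns about.
PAGE_LOAD: List[Tuple[str, str, int]] = [
    ("www.allowed-news.test", "199.239.136.20", 80),   # page HTML, approved range
    ("img.cdn.test",          "203.0.113.77",   443),  # image from a CDN (TEST-NET-3)
    ("intranet.corp.test",    "10.1.2.3",       80),   # internal web app
    ("mail.corp.test",        "10.1.2.4",       25),   # SMTP, not a filtered port
]


def trace(policy: Sequence[Filter], loads=PAGE_LOAD) -> List[Tuple[str, str]]:
    """Evaluate every connection a page load makes; a 'block' on an asset
    host explains why the page will render broken under an IP allowlist."""
    return [(host, evaluate(policy, ip, port)) for host, ip, port in loads]


def netsh_commands(policy: Sequence[Filter], name: str = "WebAllowlist") -> List[str]:
    """Render the policy as 'netsh ipsec static' commands (Windows XP/2003).
    Same policy evaluate() enforces; one filterlist per filter is an
    assumption made here for readability, not something netsh requires."""
    cmds = [
        f'netsh ipsec static add policy name="{name}"',
        'netsh ipsec static add filteraction name="Block" action=block',
        'netsh ipsec static add filteraction name="Permit" action=permit',
    ]
    for i, f in enumerate(policy):
        fl = f"{name}-{i}"
        dst = ("dstaddr=any" if f.network.prefixlen == 0
               else f"dstaddr={f.network.network_address} dstmask={f.network.netmask}")
        port = "0" if f.port is None else str(f.port)  # 0 = any port in netsh
        cmds.append(f'netsh ipsec static add filterlist name="{fl}"')
        cmds.append(f'netsh ipsec static add filter filterlist="{fl}" srcaddr=me {dst} '
                    f'protocol=TCP srcport=0 dstport={port} mirrored=yes')
        cmds.append(f'netsh ipsec static add rule name="{fl}" policy="{name}" '
                    f'filterlist="{fl}" filteraction="{f.action.capitalize()}"')
    cmds.append(f'netsh ipsec static set policy name="{name}" assign=y')
    return cmds


if __name__ == "__main__":
    policy = build_policy(["199.239.136.0/24", "10.0.0.0/8"])
    for host, verdict in trace(policy):
        print(f"{verdict:6} {host}")
    print("\n".join(netsh_commands(policy)))
```

Running it prints one verdict per connection (the CDN image comes back "block", which is exactly why sites look broken under an IP allowlist, whether the Content Advisor or IPsec enforces it) followed by the netsh script. Check the generated syntax against the Microsoft IPsec documentation Rich links before assigning the policy on a real workstation, and test it on one machine first: an assigned policy that blocks too much cuts that machine off from the web entirely. Note also that this most-specific-wins ordering is an IPsec-filter property; in Windows Firewall rules an explicit block takes precedence over an allow regardless of specificity, so the same idea there is built as default-outbound-block plus allow rules instead.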
