How can I block all Hotmail and other such messenger services with our Cisco Router?

We have a couple of people that spend a good portion of the day shooting the breeze with Hotmail (and others probably). We have a Cisco 1700 Router with the Pix(?) firewall card in it. We are a windows 2000 AD domain environment.
dwielgosz asked:
 
lrmoore commented:
In your primary dns server, create a primary zone for hotmail.com.
Create A records for www.hotmail.com that points to a local private IP address.
Create your own bogus web site at that IP address, or else just leave it alone and everyone will get "page not found" errors only.
I would also create an access-list that prevents access to the following IP addresses:
64.4.32.7
64.4.33.7
206.24.190.26
216.74.180.189

access-list 110 deny ip any host 64.4.32.7
access-list 110 deny ip any host 64.4.33.7
access-list 110 deny ip any host 206.24.190.26
access-list 110 deny ip any host 216.74.180.189
access-list 110 permit ip any any

interface Fast 0
 ip access-group 110 in
0
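The access list above is evaluated by IOS top to bottom, first match wins, and every numbered list ends with an unwritten "deny ip any any". The following Python model is an added example (not from the thread and not Cisco code) that reproduces that evaluation for the posted lines, so the effect of the list, and of forgetting the closing permit, can be checked before `ip access-group 110 in` is applied to the LAN interface. Addresses other than the four from the answer are constructed.

```python
"""First-match model of the numbered IOS extended ACL posted above.

Added example, not from the original thread or from Cisco.  Only the ACE
forms used in the answer are parsed: 'any' and 'host A.B.C.D'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The four addresses lrmoore listed in the answer above.
BLOCKED_HOSTS = [
    "64.4.32.7",
    "64.4.33.7",
    "206.24.190.26",
    "216.74.180.189",
]


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network     # 'any' is modelled as 0.0.0.0/0
    dst: ipaddress.IPv4Network


def _parse_endpoint(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any' or 'host A.B.C.D' from the front of tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {' '.join(tokens)!r}")


def parse_ace(line: str) -> AclEntry:
    """Parse one 'access-list <n> permit|deny ip <src> <dst>' line."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src, rest = _parse_endpoint(tokens[4:])
    dst, rest = _parse_endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return AclEntry(action, src, dst)


def build_acl(number: int, hosts: List[str], final_permit: bool = True) -> List[str]:
    """Generate the deny lines for each host, then the explicit permit."""
    lines = [f"access-list {number} deny ip any host {h}" for h in hosts]
    if final_permit:
        lines.append(f"access-list {number} permit ip any any")
    return lines


def evaluate(acl_lines: List[str], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet src->dst under first-match rules.

    With 'ip access-group 110 in' on the LAN interface, src is the internal
    client and dst the address it is trying to reach.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for line in acl_lines:
        ace = parse_ace(line)
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"  # the implicit deny that closes every IOS access list


if __name__ == "__main__":
    acl = build_acl(110, BLOCKED_HOSTS)
    print("\n".join(acl))
    # 192.168.1.50 and 198.51.100.10 are constructed sample addresses.
    print(evaluate(acl, "192.168.1.50", "64.4.32.7"))       # deny
    print(evaluate(acl, "192.168.1.50", "198.51.100.10"))   # permit
    print(evaluate(build_acl(110, BLOCKED_HOSTS, final_permit=False),
                   "192.168.1.50", "198.51.100.10"))        # deny: no permit line
```

The last call shows why the closing `permit ip any any` matters: without it the implicit deny blocks every other destination as well. A block keyed to four addresses also only holds as long as the service keeps those addresses, so it is worth re-checking the list rather than treating it as permanent.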
 
lrmoore commented:
OK, another attempt to use technology to solve personnel behavioral issues...
Couple of things. Since you are AD and obviously have your local clients point to your own dns server, try simply adding a bogus dns entry for *.hotmail.com to one of your own web servers with a special web page that says something like "Get back to work, loafer!"

If you can find the IP addresses of all the hotmail servers, you can create access-lists on the router to block all access to those IP addresses.

If you have an acceptable use policy that prohibits the use of hotmail during work hours, and everyone has read, understood and signed it, then reprimand or fire someone for violating their privileges.

If you have ISA /Proxy server, you can monitor which users violate the policy.

Else you can use some other content filtering appliance like the iPrism http://www.stbernard.com/iprism
or WebSense http://www.websense.com  or surfcontrol  http://www.surfcontrol.com

On a technical note, there is no PIX firewall "card" that goes into a 1700 router. There is a firewall "feature set" of the IOS that will run on a 1700 giving it some of the capabilities of a PIX firewall.


0
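Both answers rely on the same mechanism: once the internal DNS server holds a primary zone for hotmail.com, it is authoritative for everything under that name, so queries for hosts in that zone are answered locally and are never forwarded. The following Python model is an added example (not from the thread and not Windows DNS code) showing what clients then see: a defined A record or the suggested wildcard returns the sinkhole address, a name in the zone with no record gets a negative answer, and only names outside the local zones go upstream. Zone contents and every address in it are constructed.

```python
"""Resolver model for the DNS-override approach suggested above.

Added example, not from the thread and not a Windows DNS implementation.
Wildcard handling is simplified: '*' answers any name in the zone that has
no record of its own.
"""
from typing import Dict, Optional

# Constructed: the internal web server hosting the "get back to work" page.
SINKHOLE_IP = "192.168.1.10"

# Local zones: zone name -> {relative record name -> A record}.
# '*' is the wildcard lrmoore suggests; '@' would be the zone apex.
LOCAL_ZONES: Dict[str, Dict[str, str]] = {
    "hotmail.com": {
        "www": SINKHOLE_IP,
        "*": SINKHOLE_IP,
    },
    "example.internal": {          # constructed AD zone without a wildcard
        "dc1": "192.168.1.2",
    },
}

# Stand-in for the forwarder / root hints; constructed answers.
UPSTREAM: Dict[str, str] = {
    "www.example.com": "198.51.100.20",
}


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def find_zone(name: str, zones: Dict[str, Dict[str, str]] = LOCAL_ZONES) -> Optional[str]:
    """Return the longest local zone that is a suffix of name, or None."""
    labels = _normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve_a(name: str,
              zones: Dict[str, Dict[str, str]] = LOCAL_ZONES,
              upstream: Dict[str, str] = UPSTREAM) -> Optional[str]:
    """Return the A record a client would receive, or None for NXDOMAIN.

    Names under a locally hosted zone are answered only from that zone;
    the upstream table is consulted solely for names outside every local zone.
    """
    name = _normalize(name)
    zone = find_zone(name, zones)
    if zone is None:
        return upstream.get(name)          # forwarded / recursive lookup
    records = zones[zone]
    if name == zone:
        return records.get("@")
    relative = name[: -(len(zone) + 1)]    # strip ".<zone>" suffix
    if relative in records:
        return records[relative]
    if "*" in records:
        return records["*"]                # wildcard catches undefined hosts
    return None                            # authoritative NXDOMAIN, never forwarded


if __name__ == "__main__":
    for q in ("www.hotmail.com", "login.hotmail.com",
              "dc1.example.internal", "dc2.example.internal", "www.example.com"):
        print(f"{q:28} -> {resolve_a(q)}")
```

The `dc2.example.internal` query illustrates the trade-off of the first answer: a hotmail.com zone with only a www record leaves every other host in that domain unresolvable, which is the "page not found" behaviour described, while the wildcard from the second answer sends all of them to the sinkhole page instead.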
 
dwielgosz (Author) commented:
"If you have an acceptable use policy that prohibits the use of hotmail during work hours, everyone has read, understood and signed it, then reprimand or fire someone for violating their privileges."

If upper management had the gumption to go through the bother of finding someone to replace the offending party(s), then this would be the obvious solution.

We paid extra for a PIX card add-in for that router, and I may be mistaken about it being used for a firewall feature, although the IOS definitely has firewall software features; our T1 line is plugged directly into the card.

How would I associate the DNS record with a webpage? We don't have web servers although I could set up a new website to specifically do that I guess.
0
 
dwielgosz (Author) commented:
Excellent!!
Exactly what I was hoping to learn. Thank you much.
0
 
dwielgosz (Author) commented:
One more thing please. I created a new zone on the DNS server and with it a new host (A) record, forward only. I couldn't create the A record on the same subnet that our AD domain is on, so I created an adjacent (private) subnet and assigned a number from that subnet to the new website that is hosting the suggested webpage. Of course it doesn't work. It spins the iconic Microsoft globe for a bit and says that it is unreachable. The webserver that the new website resides on has a dynamic IP that is part of the AD domain subnet, even though the website has this other fictitious IP assigned to it on port 80. WHEW! Is this workable, or am I doing something half-backwards?
0
 
lrmoore commented:
Not sure why you can't just use an IP in the local subnet (I don't have a Win server to test with at the moment).
But this adjacent subnet must be known as local by whatever your default gateway is.
I assume your local gateway is the 1700 router. You might need to assign it a secondary IP in the same subnet range

  interface fast 0
   ip address 192.168.2.1 255.255.255.0 secondary

0
 
dwielgosz (Author) commented:
It wouldn't allow the IP on the same subnet during the initial setup; however, I was able to edit it later and give it an IP on our subnet after all.
0
Question has a verified solution.
