Solved

Temporarily block internet access for a group of PCs

Posted on 2007-04-02
15
1,469 Views
Last Modified: 2013-11-15
I was wondering if anybody has a clever way of temporarily blocking internet access on a group of PCs.

I'm hoping that somebody has been in my situation before and knows a pretty solution. What I have is a school network with 3 computer rooms, and I'm getting requests from the computer teachers for them to have control over whether the PCs can get internet access or not. What they are looking for is really just an on/off switch for each room.

Is there a neat way of doing this? (Totally disconnecting the rooms not being an option, as they still need access to other stuff on the network)
Question by:kearnejm
15 Comments
 
LVL 4

Accepted Solution

by:
bikvi_sibro earned 125 total points
A quick method that comes to mind is when in IE on the specific machine, go to Tools> Internet Options, select the "Connections" tab, and choose "LAN Settings".  Check "Use a proxy for your LAN" and put in some bogus settings.  This way, no one can get to webpages easily.  Also, if you can, set up a local or group policy so no one can change the settings.
0
 
LVL 2

Expert Comment

by:flscott
Is this a simple p2p network, or do you have a Server and AD?
0
 

Author Comment

by:kearnejm
This is a fairly large network, with some servers and an Active Directory setup. I also have a shorewall/squid server as the gateway between the network and the internet.

Setting the proxy server to a junk value is of no use to me, as firstly it is easily possible to get around, and secondly it is not an easy on/off switch for a teacher. Even doing this via active directory group policy is a no-no as first it's not easy to switch on/off and secondly the update speed is too slow.

What I think is needed is a web control panel of some sort, but I'm not sure...
0
 
LVL 2

Assisted Solution

by:flscott
flscott earned 125 total points
You could put the three classrooms on 3 routers and give each teacher access to their room's router config. Give them explicit directions on how to disable just internet access using the router's GUI. This could be done with just a couple hundred bucks in switches/simple routers.
0
 

Author Comment

by:kearnejm
flscott, thanks for the answer, but I think that having to access router configuration pages is too far beyond the technical ability of most teachers. Even with explicit instructions in place, I think that there is far, far too much to go wrong...
0
 
LVL 4

Expert Comment

by:tree_d
Just to clarify, do the teachers want the computers to still be connected to the network when they cannot access the Internet, or is it OK for the computers to be completely disconnected from the network?
0
 

Author Comment

by:kearnejm
tree_d, yeah, as per the original post, "(Totally disconnecting the rooms not being an option, as they still need access to other stuff on the network)", they cannot be disconnected from the network.
0
 
LVL 7

Expert Comment

by:tymes
For multiple rooms, I'd use a common router like a DLINK DI-604 (example only, I might find another), I would bookmark directly to the filters page http://support.dlink.com/emulators/di604_reve/adv_filters.html and I would click on the preconfigured range of a particular room and either enable it or disable it.  5 clicks (from clicking on the bookmark to OK) allow you to toggle any of a number of different rooms/configurations all on one webpage.  IP addresses/DHCP would have to be meticulously configured so each room was grouped by IP address.

I might even have two routers so the servers and other important machines would route through the 2nd, while teachers could play with the cheapo router that students/unknowns would use.  The 2nd router would be restricted by MAC addresses so only servers and a few workstations had access via that route.

Your squid server sorta screws things up.  Because of the local proxy server, neither DNS nor the default route matter as Squid takes care of all that... as machines don't need routes or DNS if they use the proxy server.  Otherwise, I might want to restrict DNS access to control internet access, but that would break local area stuff.

Now what I would actually do would be to configure the default route to one server configured with RAS and NAT that acts as a router and the gateway.  I would configure a bunch of IPsec policies for each group that I wanted to control based on IP ranges which DHCP would have to carefully give out, then I would have a webpage that would execute a script to activate or deactivate an IPsec policy blocking access to the server and therefore the gateway.  This would be a good option if the squid was on a Windows box and not on Linux, as this would fix the problem with squid.

To waste a budget, I'd get M$ ISAserver and replace the squid and use policies there.  IP addresses wouldn't matter so much and people and machines and windows groups could all be controlled.  This is hardly a simple way.
0
 
LVL 17

Expert Comment

by:kadadi_v
Yes, using a hardware firewall is easy for you to configure: connect the ISP connection to the WAN port of the router (if you're already using one, that's good; if not, purchase an internet router (D-Link, Netgear, etc.)). From the router's Ethernet port, connect the cable to a switch (24 port, or as per your requirement of connected PCs). In the router there are filter/firewall feature options, and as tymes said, on the D-Link DI-604 router you can configure the IP addresses to block internet access and also block non-standard sites in the router configuration.
Meaning using the router configuration in IE, like http://192.168.0.1

Regards,

V.K.
0
 

Author Comment

by:kearnejm
Thanks for the hardware ideas, but as the computer rooms aren't all that near each other, it would require 3 new routers to do this, and wouldn't be terribly pretty. Besides, it means having to give teachers admin access to routers, which I'm not overly wild about.

tymes, how exactly would an IPSec solution work? I have Active Directory and such, but almost no experience with IPSec. Do you know of any website that would explain how to do it?
0
 
LVL 17

Assisted Solution

by:kadadi_v
kadadi_v earned 125 total points
0
 
LVL 7

Assisted Solution

by:tymes
tymes earned 125 total points
Well, I can't find any of my own examples, but to just quickly tell you what to do...

run secpol.msc on the server in question that handles the routing.  You would want to create a new IPSEC policy where the default is allow then a series of IPSEC FILTER LISTS containing IP FILTERS of subnets or IP addresses of individual computers that you want to allow or deny.  You would do this all using the gui and develop the policy... ultimately, you might have 3 IP FILTER LISTS with the subnets (recommended).  In the GUI you would select the IP FILTER LIST and either Permit or BLOCK.

Actually, let's just do it and list the instructions... run secpol.msc. go down to "IP Sec Pol on Local Comp".  Create new IPSEC Pol to enter wizard..  Name it "NETTOGGLE_POL", next till we can add some rules...
so add a rule that will control access for one group of computers: add rule next next to get to IP Filter Lists... create a new filter list, add mirrored rules from My IP address to the Subnets or IP addresses of individual computers (one subnet should be good if you planned DHCP properly).  Call this List "ROOM1".
Back at the IP Filter list, select the new ROOM, then next to the Filter Action, and add a new FilterAction called "ROOM1_ACTION" and configure it to block then select it. OK, we're done room1
Back at the Rules page, add "ROOM2", configure the IP Filter List with the subnet and add a new Action ROOM2_ACTION.  Select BLOCK.  Repeat for ROOM3.  I just noticed this will be the easiest way to script later if each room list has its own action.

You can create a new Exemptions IP Filter list with server and teacher IP addresses and Permit those all the time.

The GUI aspect is configured, apply the Policy and all the rooms should be blocked.  You can edit any of the rules and change the Filter Action from Permit to Block to use the GUI to toggle rooms.

At this point we can now start scripting this... so a webpage with a bunch of buttons that toggle this is needed.  

For a command line
we can just use the commands...
netsh ipsec static set filteraction ROOM1_ACTION action=BLOCK
netsh ipsec static set filteraction ROOM1_ACTION action=PERMIT
netsh ipsec static set filteraction ROOM3_ACTION action=BLOCK
etc. to easily and very logically just change the filter actions... (easier than changing RULES, as rules can't be referenced by name and need to be referenced by # or GUID)

netsh ipsec static show filteraction ROOM1_ACTION
netsh ipsec static show filteraction ROOM2_ACTION
netsh ipsec static show filteraction ROOM3_ACTION

displays the current status.

A webpage could now be created that will manage the toggling on or off of this stuff.

For information on this look at TechNet or otherwise google some of the keywords you may have noticed, like netsh and secpol.msc.  I don't have any references on hand, I fly by the seat of my pants.

0
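An added example, not code from the thread or from tymes: a PowerShell wrapper around the netsh commands above that a web page or desktop shortcut can call, with an allow-list of room names (so nothing passed in from a form can name the exemptions action or anything else) and an audit log. It assumes the NETTOGGLE_POL policy is assigned on the routing server with filter actions ROOM1_ACTION..ROOM3_ACTION as described, a log path under ProgramData, and that the text netsh prints for `show filteraction` contains the word Block or Permit.

```powershell
# Added example, not from the thread: a PowerShell wrapper around the netsh
# commands tymes lists. Assumes NETTOGGLE_POL is assigned on the routing
# server and that filter actions ROOM1_ACTION..ROOM3_ACTION exist as described.
# Run in an elevated session on that server.
# Allow-list of rooms: anything a web page passes in that is not a key here is
# rejected before it reaches netsh, so the exemptions action cannot be toggled.
$AllowedRooms = @{
    'ROOM1' = 'ROOM1_ACTION'
    'ROOM2' = 'ROOM2_ACTION'
    'ROOM3' = 'ROOM3_ACTION'
}
$LogFile = Join-Path $env:ProgramData 'NetToggle\toggle.log'   # assumed path
$null = New-Item -ItemType Directory -Force -Path (Split-Path $LogFile)

function Resolve-RoomAction {
    param([string]$Room)
    $key = $Room.ToUpper()
    if (-not $AllowedRooms.ContainsKey($key)) {
        throw "Unknown room '$Room'; refusing to call netsh."
    }
    return $AllowedRooms[$key]
}

function Set-RoomInternet {
    param(
        [Parameter(Mandatory)][string]$Room,
        [Parameter(Mandatory)][ValidateSet('Block', 'Permit')][string]$State
    )
    $action = Resolve-RoomAction $Room
    # Same command as in the thread, with the name argument given explicitly.
    $out = & netsh ipsec static set filteraction name=$action action=$State 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for ${action}: $out" }
    # Audit trail of who toggled which room and when.
    "$(Get-Date -Format s) $env:USERNAME set $Room to $State" | Add-Content $LogFile
}

function Get-RoomInternet {
    param([Parameter(Mandatory)][string]$Room)
    $action = Resolve-RoomAction $Room
    $out = & netsh ipsec static show filteraction name=$action 2>&1 | Out-String
    # netsh prints the action's properties as text; assumption: the word
    # 'Block' or 'Permit' appears in that output for the current setting.
    if ($out -match '(?i)\bblock\b')  { return 'Block' }
    if ($out -match '(?i)\bpermit\b') { return 'Permit' }
    return 'Unknown'
}

# A teacher's "off switch" for room 1, then a read-back to confirm it took.
Set-RoomInternet -Room ROOM1 -State Block
Get-RoomInternet -Room ROOM1
```

If a web page fronts this, have it run the script under a dedicated low-privilege service account granted only the rights needed for netsh ipsec, and keep the room-name check here rather than trusting the page.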
