Solved

Temporarily block internet access for a group of PCs

Posted on 2007-04-02
1,480 Views
Last Modified: 2013-11-15
I was wondering if anybody has a clever way of temporarily blocking internet access on a group of PCs.

I'm hoping that somebody has been in my situation before and knows a pretty solution. What I have is a school network with 3 computer rooms, and I'm getting requests from the computer teachers for them to
have control over whether the PCs can get internet access or not. What they are looking for is really just an on/off switch for each room.

Is there a neat way of doing this? (Totally disconnecting the rooms not being an option, as they still need access to other stuff on the network)
0
Question by:kearnejm
15 Comments
 
LVL 4

Accepted Solution

by:
bikvi_sibro earned 500 total points
ID: 18838856
A quick method that comes to mind is when in IE on the specific machine, go to Tools> Internet Options, select the "Connections" tab, and choose "LAN Settings".  Check "Use a proxy for your LAN" and put in some bogus settings.  This way, no one can get to webpages easily.  Also, if you can, set up a local or group policy so no one can change the settings.
0
 
LVL 2

Expert Comment

by:flscott
ID: 18839690
Is this a simple p2p network, or do you have a Server and AD?
0
 

Author Comment

by:kearnejm
ID: 18839881
This is a fairly large network, with some servers and an Active Directory setup. I also have a shorewall/squid server as the gateway between the network and the internet.

Setting the proxy server to a junk value is of no use to me, as firstly it is easily possible to get around, and secondly it is not an easy on/off switch for a teacher. Even doing this via active directory group policy is a no-no as first it's not easy to switch on/off and secondly the update speed is too slow.

What I think is needed is a web control panel of some sort, but I'm not sure...
0
 
LVL 2

Assisted Solution

by:flscott
flscott earned 500 total points
ID: 18840492
You could put the three classrooms on 3 routers and give each teacher access to the room's router config. Give them explicit directions on how to disable just internet access using the router's GUI. This could be done with just a couple hundred bucks in switches/simple routers.
0
 

Author Comment

by:kearnejm
ID: 18840551
flscott, thanks for the answer, but I think that having to access router configuration pages is too far beyond the technical ability of most teachers. Even with explicit instructions in place, I think that there is far, far too much to go wrong...
0
 
LVL 4

Expert Comment

by:tree_d
ID: 18841687
Just to clarify, do the teachers want the computers to still be connected to the network when they cannot access the Internet, or is it OK for the computers to be completely disconnected from the network?
0
 

Author Comment

by:kearnejm
ID: 18841920
tree_d, yeah, as per the original post "(Totally disconnecting the rooms not being an option, as they still need access to other stuff on the network)", they cannot be disconnected from the network.
0
 
LVL 7

Expert Comment

by:tymes
ID: 18845648
For multiple rooms, I'd use a common router like a DLINK DI-604 (example only, I might find another). I would bookmark directly to the filters page http://support.dlink.com/emulators/di604_reve/adv_filters.html and I would click on the preconfigured range of a particular room and either enable it or disable it.  5 clicks (from clicking on the bookmark to OK) allow you to toggle any of a number of different rooms/configurations all on one webpage.  IP addresses/DHCP would have to be meticulously configured so each room was grouped by IP address.

I might even have two routers so the servers and other important machines would route through the 2nd, while teachers could play with the cheapo second router that students/unknowns would use.  The 2nd router would be restricted by MAC addresses so only servers and a few workstations had access via that route.

Your squid server sorta screws things up.  Because of the local proxy server, neither DNS nor the default route matter, as Squid takes care of all that... machines don't need routes or DNS if they use the proxy server.  Otherwise, I might want to restrict DNS access to control internet access, but that would break local area stuff.

Now what I would actually do would be to configure the default route to one server configured with RAS and NAT that acts as a router and the gateway.  I would configure a bunch of IPsec policies for each group that I wanted to control, based on IP ranges which DHCP would have to carefully give out, then I would have a webpage that would execute a script to activate or deactivate an IPsec policy blocking access to the server and therefore the gateway.  This would be a good option if the squid was on a Windows box and not on Linux, as this would fix the problem with squid.

To waste a budget, I'd get M$ ISA Server to replace the squid and use policies there.  IP addresses wouldn't matter so much, and people and machines and Windows groups could all be controlled.  This is hardly a simple way.
0
 
LVL 17

Expert Comment

by:kadadi_v
ID: 18850573
Yes, using a hardware firewall is easy for you to configure: connect the ISP connection to the WAN port of the router (if you are already using one, that's good; if not, purchase an internet router (D-Link, Netgear, etc.)). From the router's ethernet port connect the cable to a switch (24 port, or as per your requirement of connected PCs to the switch). In the router there are filter/firewall feature options, and as tymes said, on the D-Link DI-604 router you can configure the IP addresses to block internet access and also block non-standard sites in the router configuration.
Meaning using the router configuration in IE, like http://192.168.0.1

Regards,

V.K.
0
 

Author Comment

by:kearnejm
ID: 18850728
Thanks for the hardware ideas, but as the computer rooms aren't all that near each other, it would require 3 new routers to do this, and wouldn't be terribly pretty. Besides, it means having to give teachers admin access to routers, which I'm not overly wild about.

tymes, how exactly would an IPsec solution work? I have active directory and such, but almost no experience with IPsec. Do you know of any website that would explain how to do it?
0
 
LVL 17

Assisted Solution

by:kadadi_v
kadadi_v earned 500 total points
ID: 18851463
0
 
LVL 7

Assisted Solution

by:tymes
tymes earned 500 total points
ID: 18854652
Well, I can't find any of my own examples, but to just quickly tell you what to do...

Run secpol.msc on the server in question that handles the routing.  You would want to create a new IPSEC policy where the default is allow, then a series of IPSEC FILTER LISTS containing IP FILTERS of subnets or IP addresses of individual computers that you want to allow or deny.  You would do this all using the GUI and develop the policy... ultimately, you might have 3 IP FILTER LISTS with the subnets (recommended).  In the GUI you would select the IP FILTER LIST and either Permit or BLOCK.

Actually, let's just do it and list the instructions... run secpol.msc, go down to "IP Sec Pol on Local Comp".  Create a new IPSEC Pol to enter the wizard.  Name it "NETTOGGLE_POL", next till we can add some rules...
So add a rule that will control access for one group of computers: add rule, next, next to get to IP Filter Lists... create a new filter list, add mirrored rules from My IP address to the subnets or IP addresses of individual computers (one subnet should be good if you planned DHCP properly).  Call this list "ROOM1".
Back at the IP Filter list, select the new ROOM1, then next to the Filter Action, and add a new Filter Action called "ROOM1_ACTION", configure it to block, then select it. OK, we're done with room1.
Back at the Rules page, add "ROOM2", configure the IP Filter List with the subnet and add a new Action ROOM2_ACTION.  Select BLOCK.  Repeat for ROOM3.  I just noticed this will be the easiest way to script later if each room list has its own action.

You can create a new Exemptions IP Filter list with server and teacher IP addresses and Permit those all the time.

The GUI aspect is configured, apply the Policy and all the rooms should be blocked.  You can edit any of the rules and change the Filter Action from Permit to Block to use the GUI to toggle rooms.

At this point we can now start scripting this... so a webpage with a bunch of buttons that toggle this is needed.  

For a command line
we can just use the commands...
netsh ipsec static set filteraction ROOM1_ACTION action=BLOCK
netsh ipsec static set filteraction ROOM1_ACTION action=PERMIT
netsh ipsec static set filteraction ROOM3_ACTION action=BLOCK
etc. to easily and very logically just change the filter actions... (easier than changing RULES, as rules can't be referenced by name and need to be referenced by # or GUID)

netsh ipsec static show filteraction ROOM1_ACTION
netsh ipsec static show filteraction ROOM2_ACTION
netsh ipsec static show filteraction ROOM3_ACTION

displays the current status.

A webpage could now be created that will manage the toggling on or off of this stuff.

For information on this look at TechNet or otherwise google some of the keywords you may have noticed, like netsh and secpol.msc.  I don't have any references on hand, I fly by the seat of my pants.

0
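The netsh toggling tymes describes, wrapped as the script a "webpage with a bunch of buttons" would call. This is an added example, not code from the thread or from any of its posters; it assumes the policy NETTOGGLE_POL and the filter actions ROOM1_ACTION..ROOM3_ACTION were created in secpol.msc as described above, that it runs with administrative rights on the routing server, and that the log path is the operator's choice.

```powershell
# Added example (not from the thread): toggle one room's internet access by
# flipping its IPsec filter action with the same netsh commands given above.
# Assumes NETTOGGLE_POL is assigned and ROOMn_ACTION filter actions exist.
param(
    [Parameter(Mandatory = $true)][string]$Room,                                 # e.g. ROOM1
    [Parameter(Mandatory = $true)][ValidateSet('on', 'off')][string]$Internet
)

# Only the rooms created in the GUI step may be toggled; anything else is
# rejected, so a buggy or tampered web front end cannot reach other actions.
$Rooms = @{ ROOM1 = 'ROOM1_ACTION'; ROOM2 = 'ROOM2_ACTION'; ROOM3 = 'ROOM3_ACTION' }
$Key = $Room.ToUpper()
if (-not $Rooms.ContainsKey($Key)) {
    throw "Unknown room '$Room'. Valid rooms: $($Rooms.Keys -join ', ')"
}
$Action = $Rooms[$Key]

# 'on' means the room may reach the gateway, so the action becomes PERMIT;
# 'off' makes it BLOCK. The assigned policy picks the change up in place.
$Target = if ($Internet -eq 'on') { 'permit' } else { 'block' }
& netsh ipsec static set filteraction name=$Action action=$Target | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh failed to set $Action to $Target" }

# Read the action back and confirm the change took effect before reporting
# success to the caller (assumes the show output names the action verb).
$State = & netsh ipsec static show filteraction name=$Action
if (-not ($State -match "(?i)\b$Target\b")) {
    throw "Verification failed: $Action does not report '$Target'.`n$($State -join "`n")"
}

# Leave an audit trail of who toggled which room and when (path is assumed).
$LogPath = Join-Path $env:ProgramData 'nettoggle.log'
$Msg = "$env:USERNAME set internet '$Internet' for $Key ($Action -> $Target)"
Add-Content -Path $LogPath -Value "$(Get-Date -Format s) $Msg"
Write-Output $Msg
```

Called as `.\NetToggle.ps1 -Room ROOM2 -Internet off`, it is the single command the web front end needs to run per button, and the read-back step is what lets the page show the real state rather than the last button pressed.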
