Solved

best way to filter internet traffic?

Posted on 2009-02-11
Last Modified: 2013-11-16
Evening!

Having a bit of a problem with my employees wasting time browsing the internet, and going to sites they're not supposed to and so forth. What's the best way to essentially block all internet traffic except for certain sites?

Basically I want to just block everything except for an "allowed" list but I can't just block port 80 because I still use things like logmein, slacker, the company website, etc.

Thanks!
Question by:jmoriarty
17 Comments
 
LVL 11

Expert Comment

by:manav08
ID: 23618832
What sort of router do you use?
Do you use SBS server or Windows Server 2003?
0
 

Author Comment

by:jmoriarty
ID: 23618847
Sorry, I should've specified -- standard Windows XP on 4 machines, fairly small scale, and the router is just a basic Linksys router, a WRT54GL I believe. You can think of it more as a small home network, but used in a business/small office environment with little supervision.

Thanks!
0
 
LVL 5

Accepted Solution

by:
Jaymz_R earned 800 total points
ID: 23618856
The best way, if you want, is to get a list of domains you want blocked.

E.g. facebook.com / myspace.com

and edit the hosts file

c:\windows\system32\drivers\etc\hosts

Now open this with Notepad and follow the instructions and example for localhost on that machine.

Make all the blocked domains 0.0.0.0 as the IP address and those domains will not resolve.

If you set this up as a batch file on your machine to copy the blocked and unblocked version of that hosts file, you could block and unblock traffic when you wanted to (by using the admin share if you're on a domain),

e.g. \\computer1\c$\windows\system32\drivers\etc\hosts

I have it set up as a scheduled task on the server, like the following:

Block - 9am / 9:15am / 9:25am / 2pm / 2:20pm / 2:25pm - multiple blocks in case the computer is off
Unblock - 12pm / 5pm.

That gives them 2 hrs during lunch time to at least have a look and keep them moderately happy.


0
 
LVL 11

Assisted Solution

by:manav08
manav08 earned 800 total points
ID: 23619185
Jaymz, this is what the author is asking -

"Basically I want to just block everything except for an "allowed" list but I can't just block port 80 because I still use things like logmein, slacker, the company website, etc."

He doesn't want a block list; he only wants to open a certain no. of websites for all users. So the hosts file is not an option. Secondly, he doesn't have a server either (by the looks of it).

-------------------------
Solution:

What you can do instead is use the principle of the HOSTS file to resolve hostnames to IP ADDRESSES instead of using a DNS server.

1. Give each PC a static IP address with a FAKE DNS address like 0.0.0.0
2. Now, as mentioned above by JAYMZ, open up c:\windows\system32\drivers\etc\hosts in Notepad on each PC.
3. Get your list of websites that you would like them to have access to and ping them to get the IP address, then put the following in the hosts file corresponding to the IP address
64.156.132.140     experts-exchange.com
216.239.122.102   news.com

That's it. Job done: you have your allowed list and no one can browse anything else.

If any more questions let us know.
0
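An added example, not part of the original thread: the allowlist hosts file from steps 2-3 above rendered from a single dictionary, plus an audit that reports when a machine's copy no longer matches it. The function names and the deployed sample file are constructed for illustration; the two IP/host pairs are the ones quoted in the post.

```python
import ipaddress

# Allowlist taken from the two entries shown in the post above.
ALLOWED = {
    "experts-exchange.com": "64.156.132.140",
    "news.com": "216.239.122.102",
}

# Constructed sample of a hosts file as found on a workstation (not real data).
SAMPLE_DEPLOYED = """\
# constructed sample
127.0.0.1        localhost
64.156.132.141   experts-exchange.com   # address differs from the allowlist
192.0.2.10       example.org
"""

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; comments and bad lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            entries[name.lower()] = ip
    return entries

def render_hosts(allowed):
    """Build hosts-file text (CRLF line endings for Windows) from an allowlist."""
    lines = ["127.0.0.1       localhost"]
    lines += [f"{ip:<15} {name}" for name, ip in sorted(allowed.items())]
    return "\r\n".join(lines) + "\r\n"

def audit_hosts(text, allowed):
    """Report how a deployed hosts file differs from the allowlist."""
    found = parse_hosts(text)
    found.pop("localhost", None)
    return {
        "missing": sorted(set(allowed) - set(found)),
        "unexpected": sorted(set(found) - set(allowed)),
        "changed": sorted(n for n in allowed if n in found and found[n] != allowed[n]),
    }

if __name__ == "__main__":
    print(render_hosts(ALLOWED), end="")
    print(audit_hosts(SAMPLE_DEPLOYED, ALLOWED))
```

Run the audit against each machine's hosts file after every deployment; anything listed under `unexpected` or `changed` means the file no longer matches what was pushed.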
 
LVL 8

Expert Comment

by:MrJemson
ID: 23619190
Look at Squid Proxy.
A proxy is really the only fool proof way.

The above can easily be bypassed.
0
 
LVL 11

Expert Comment

by:manav08
ID: 23619191
Remember, to activate the hosts file you will need to run an "ipconfig /flushdns" command.
0
 
LVL 11

Expert Comment

by:manav08
ID: 23619203
Mr Jemson, nothing is fool proof mate. We are talking about NON IT SAVVY people here anyway
0
 
LVL 8

Expert Comment

by:MrJemson
ID: 23619206
A bit of googling and they will be able to get around the hosts file within 10 minutes.
A proxy is AS fool proof as it gets.
0
 
LVL 5

Expert Comment

by:Jaymz_R
ID: 23619726
hosts file ... lol ... my office hasn't ... why try if you know it's been blocked for a reason ... you bring bad attention to yourself if you waste more work time getting around it you'll most probably get fired ... sorry turning into a forum now...

A proxy would have been my next suggestion. Mr Jemson is on the ball.
0
 
LVL 11

Expert Comment

by:manav08
ID: 23619776
Only an idiot would put a proxy for a network of a few XP computers.
0
 
LVL 11

Expert Comment

by:manav08
ID: 23619786
Everyone is not like you Mr. Jemson ;-). Most people would not even know about its existence. If you are too paranoid, I suggest putting deny permissions for all users on the hosts file.
But this is going to extreme level as next you will say that people working as receptionists know how to crack permissions too.
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 23627603
manav08,

A proxy is a single point of administration - and eliminates the local PC as being the blocking device for the websites - so it's irrelevant if the user finds out how to bypass the hosts file or not. It can also provide some acceleration via caching. No need to configure new workstations because everything is going through the proxy.

So...

"Only an idiot would put a proxy for a network of a few XP computers."

....doesn't sound like Mr Jemson's the idiot for suggesting a logically sound idea.
0
 
LVL 11

Expert Comment

by:manav08
ID: 23629835
I think you missed the question. How feasible is it to put a proxy in for a network of 4 computers?
Proxy is obviously the best solution but you have to take into account the size of the network and the IT budget in place.
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 23629845
$200 - $300 old second hand P4 with 1GB of ram, 1 - 2 hours configuration.
0
 
LVL 3

Assisted Solution

by:SirTKC
SirTKC earned 400 total points
ID: 23629882
I don't know what the scale of your loss is due to time wasted on the internet by your employees.
But if you have a certain budget to regain control over your network, then I suggest that you take a close look at SpectorSoft.
http://www.spectorsoft.com/
Especially Spector 360.

A bit expensive for small businesses, but still - priceless!

I have been using this (and previous stone-age versions) for the last 8 years or so. Nothing comes close to it.

You know what was done, when, how and by whom at any time, with fully detailed stats, and you can even pinpoint one very specific user to "investigate" deeper.

And... it's fully stealth...

The client monitoring tool is currently running on Win XP Pro on a PIII 1000Mhz with 756M RAM butterbox (yeah!) - no slowdown...

All the rest is cheap sh... asking for a mountain of time to configure and figure out the output results, OR is way too expensive.

That's my best call for you.

Good luck!
0
 
LVL 3

Expert Comment

by:SirTKC
ID: 23629895
Wow... I should have read myself before posting...

I am French and my English tonight simply sucks... But I think you can still understand!

My apologies to you all.
0
 

Author Comment

by:jmoriarty
ID: 23643701
The only reason I'm against a proxy is I remote admin these machines primarily, so adding an extra hardware layer isn't really ideal. The hosts file option should work well; the people I have manning those machines have extremely rudimentary PC skills, and, as mentioned, if they're purposely trying to circumvent that measure even after warnings/policy adjustments and so forth, they don't value their employment status very much.

The Spector 360 program looks very nice as well, but the price point is a bit high at the moment. It's definitely something that'd solve my entire problem in one fell swoop, so it's something to look into when finances permit.

As a side/final note, something else I found that looks interesting is Internet Access Controller, by Gearbox software, it's only $15.00 and looks like it may do similar to what I'm after as well.

Thank you for all the comments, and the help!

0
