Restricting Internet access

Hi. I run IT for a Windows domain-based network with about 80 workstations and multiple Windows servers. A RouterOS firewall allows me to permit/prohibit Internet access by workstation IP address; I can turn it on or shut it off, no shades of gray. I would like to allow access ONLY to two specific web sites (MapQuest and CHP traffic conditions) to specific workstations but prevent their users from going anywhere else on the net. I would like to keep this system within the network edge, transparent to our ISP.

How may I do this?

Thanks...
michaelheffernanAsked:

simsjrgCommented:
If you have a spare PC or server lying around with 2 NICs in it, you can throw Untangle on it and put it in Bridge mode.

http://www.untangle.com/

You can then install the Web Filter app (free) and create all kinds of policies and lists.

This device will sit behind your firewall but in front of your switch. No changes are needed on the workstations for traffic to pass.
0
michaelheffernanAuthor Commented:
"Untangle"? Oookay, I will eyeball it.  Plenty o' space, plenty o' machines...
0
MaurizioSchmidtCommented:
If you wanna do it the correct way, install Microsoft ISA Server 2006.

http://www.microsoft.com/germany/ISAServer/default.mspx

With this app, you can define anything you can imagine, besides source-based routing :)
0

simsjrgCommented:
It's a great open source project. It's pretty robust and mostly free though you can buy paid features should you want to add some additional functionality.
0
michaelheffernanAuthor Commented:
Will having multiple switches (3) be an issue, tho?  Can either product support multiple NICs, and should I expect to see much throughput degradation?
0
michaelheffernanAuthor Commented:
Sounds like a fun project; as always I have time issues, tho.
0
michaelheffernanAuthor Commented:
I want to be clear, tho.  Right now I am not looking to "block" sites, only to "allow" specific sites and the various sources of elements on those sites.  I would think that this would require some intelligence on the part of the web filter...
0
simsjrgCommented:
>> Will having multiple switches (3) be an issue, tho?

No, as long as the device sits between the workstations and your Internet connection.

>> Can either product support multiple NICs

Both require multiple NICs

>> should I expect to see much throughput degradation?

Really depends on how much traffic shaping it's doing and how beefy a box you have doing the job.
0
simsjrgCommented:
>> I want to be clear, tho.  Right now I am not looking to "block" sites, only to "allow" specific sites and the various sources of elements on those sites.  I would think that this would require some intelligence on the part of the web filter...

What you want is a "white list"; this will only pass traffic destined for sites you specifically allow.
0
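The allow-only ("white list") policy discussed in this thread, as an added example that is not part of any participant's post and is not taken from Untangle, ISA Server or any other product named here. It shows default-deny matching for selected workstations and a tally of denied hosts, which is how the "various sources of elements" on an allowed page show up; all IP addresses and hostnames are constructed, and `chp-traffic.example` and `tiles.cdn.example` are placeholders.

```python
# Added illustration: default-deny web allowlist for selected workstations.
# All hostnames, IPs and requests below are constructed sample values.
from collections import Counter
from ipaddress import ip_address

# Workstations limited to the allowlist (hypothetical addresses).
RESTRICTED = {ip_address("10.0.0.21"), ip_address("10.0.0.22")}
# Allowed sites: "mapquest.com" stands for the mapping site named in the
# thread; "chp-traffic.example" is a placeholder for the traffic site.
ALLOWED_DOMAINS = {"mapquest.com", "chp-traffic.example"}


def host_allowed(host: str) -> bool:
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.strip().rstrip(".").lower()
    # Match on a label boundary so "notmapquest.com" does not pass.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def decide(src_ip: str, host: str) -> str:
    """Restricted workstations get default deny; others are out of scope."""
    if ip_address(src_ip) not in RESTRICTED:
        return "unrestricted"
    return "allow" if host_allowed(host) else "deny"


def denied_hosts(requests):
    """Count denied hosts so the admin can review which page elements
    (map tiles, scripts, images) are served from outside the allowlist."""
    return Counter(h.lower() for ip, h in requests if decide(ip, h) == "deny")


# Constructed sample of (source IP, requested host) pairs.
SAMPLE = [
    ("10.0.0.21", "www.mapquest.com"),
    ("10.0.0.21", "tiles.cdn.example"),      # page element on another host
    ("10.0.0.21", "tiles.cdn.example"),
    ("10.0.0.22", "notmapquest.com"),        # look-alike, must not match
    ("10.0.0.22", "CHP-Traffic.example."),   # case and trailing dot
    ("10.0.0.50", "news.example"),           # not a restricted workstation
]

if __name__ == "__main__":
    for ip, host in SAMPLE:
        print(f"{ip:10} {host:24} {decide(ip, host)}")
    print("review:", dict(denied_hosts(SAMPLE)))
```

The denied-host tally is the list to review when an allowed page renders incompletely: each entry is either a dependency to add deliberately or traffic that should stay blocked.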
michaelheffernanAuthor Commented:
Ah, looks like I can accomplish this using IE's content advisor on the quick and cheap.  Thanks for the suggestions, tho.
 
0
simsjrgCommented:
>> Ah, looks like I can accomplish this using IE's content advisor on the quick and cheap.  Thanks for the suggestions, tho.

Yea, it gets dirty and hard to maintain. We moved away from that and GPOs because it took too much time trying to figure out why 1/2 the people got the restrictions and others didn't. Even forcing a gpupdate never worked. In my opinion it's great for your home computers but not suitable for a small business or enterprise. JMHO though...
0
Johneil1Commented:
You should try Websense; it is easy to set up and AD interoperable.
0
michaelheffernanAuthor Commented:
I did look at Websense and (with the current economic morass) choked on its pricing.  Currently have Spector360 running, but, like most products, it excludes instead of allowing.  I don't like resorting to content advisor, but time and money are in short supply and this needed doing immediately.
0
Johneil1Commented:
You may want to look at the OpenDNS solution as well.

http://www.opendns.com/solutions/enterprise/
0
michaelheffernanAuthor Commented:
Thank you, I will.  However, it appears to work in a similar fashion to Spector360, which we have: blocking by content.  For this application, I want only to *permit* a couple of specific websites to a few specific machines.  Content Advisor, properly locked down, seems to work.
0
