Solved

Blocking Websites on ASA 5505

Posted on 2010-08-30
11
1,189 Views
Last Modified: 2012-05-10
Hi all!  I would like to block a couple of websites on my network and have been unsuccessful so far in my pursuit.  I have tried blocking via Group Policy using IPSec and also setting up blocked sites on the DC and importing those rules into GP also.  IPSec didn't work at all and the other way blocked every site in the OU and not just the sites I chose.  I have an ASA 5505 and know that I can more than likely block individual IP addresses via ACL.  The problem is I want to block YouTube and eBay, which have multiple IP addresses that can be accessed.  I've recently put in a Snort server and use ntop also to see who's using up bandwidth and what sites are being perused throughout the day. Well, it seems that I have a user that hasn't listened still after quite a while of telling him not to stream YouTube so he can listen to music, and I would like to shut it down completely and maybe he'll get the picture.  I don't mind some use at all because I have a small network I can stay on top of, but I need to get my point across.  Any suggestions or solutions that don't require spending any large amounts of cash right now?  I know something can be done with what I have in place; I either just haven't done it right or haven't found what I need.
0
Comment
Question by:geleman
11 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33562196
Enable the Windows Firewall on that user PC and block YouTube.com etc from GPO to the firewall rules.
0
 

Author Comment

by:geleman
ID: 33562531
I don't want to enable windows firewall.  It causes more problems than it helps in my experience. Plus it's on more than one user.  I was hoping to get more insight on blocking sites through GP via using the blocked sites in the DC's internet options.  I have been able to use that but it blocks more sites than just the ones I choose.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 33565107
Create a regex on the ASA for the site in question - here's how to block Facebook, for example: http://www.petenetlive.com/KB/Article/0000054.htm
0
 

Author Comment

by:geleman
ID: 33566877
PeteLong:
I don't see why that won't work at all.  Thanks for the help, but I would like to add a little more on top of that if I could.  I can put this solution in place for a time, but I don't want to keep everybody blocked permanently because it is only a couple of users that abuse the privilege.  Is there anything you can give as far as guidance on blocking via Group Policy in AD?  I have tried a few solutions that didn't quite work the way I wanted.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33568510
You can distribute a hosts file (might not be practical for a large # of clients, unless you distribute via login script or AD), or set up a set of names in your internal DNS that all point to 127.0.0.1.

example hosts entry:
127.0.0.1      youtube.com

Example DNS entry under your own domain forward zone:
127.0.0.1    A      youtube.com.yourdomain.com

You can turn this off by removing the entry from the hosts file or from DNS.
0
 

Author Comment

by:geleman
ID: 33568549
Boilermaker:

Wouldn't that still block the whole domain?  I'm mainly worried about a certain OU that has the couple of users that I'm trying to block out.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33569430
Copy the hosts file only to the users in that OU. The DNS method would be for the whole domain, as you mentioned.
0
 

Author Comment

by:geleman
ID: 33577052
Sounds like that is the solution I'm looking for however I don't quite know how to implement it or create the host file like you are talking about.  I've tried a couple different things and I am not quite sure how to do it.
0
 

Author Comment

by:geleman
ID: 33577231
I found the hosts files in windows/system32/etc, but it doesn't have individual files; it just has a hosts file, which is an example file, and the .sam file, which I'm sure is the one that is used by DNS.  It says to add info to the end of that file, but that would then cover the whole domain.
0
 

Author Comment

by:geleman
ID: 33577274
Sorry, it says it is not advisable to add lmhosts file entries on the end of the .sam file.
0
 
LVL 7

Accepted Solution

by:
Boilermaker85 earned 250 total points
ID: 33577671
A hosts file already exists at the location you found. It has one entry by default, which is
127.0.0.1   localhost


You can add lines to this file.
127.0.0.1      youtube.com

Then save this file as hosts.blk.  Copy it to the path where your login script executes. Add a section to the login script to check if the user is in the desired OU, and if so,
copy \\serverpath\hosts.blk c:\windows\system32\drivers\etc\hosts.

TO just try it out, map a drive (X:)  to one of these users C$ drive. Either edit his hosts file (NOT LMHOSTS.sam - that is an example of netbios name cache), adding the youtube entry, or replace his file with the hosts.blk you created (copy hosts.blk X:\windows\system32\drivers\etc\hosts.)

That user is now blocked from youtube.com.    You can script this a number of ways; pick your favorite.
0
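An added PowerShell version of the login-script step described above (example code, not from the thread or from any poster): it looks up the logged-on user's distinguished name in AD, and only if the account sits under the chosen OU does it copy the prepared hosts.blk over the client's hosts file. The OU name, the share path and the file name are assumed placeholders.

```powershell
# Added example, not part of the original thread.
# Assumed values: replace with your own OU DN and share path.
$TargetOU  = 'OU=Restricted,DC=example,DC=local'    # OU whose users get the block
$BlockFile = '\\fileserver\netlogon\hosts.blk'      # hosts.blk prepared as described above
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Resolve the current user's DN with plain ADSI (no RSAT module required).
# DirectorySearcher with no SearchRoot searches the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$($env:USERNAME)))"
$null = $searcher.PropertiesToLoad.Add('distinguishedName')
$result = $searcher.FindOne()
if (-not $result) {
    Write-Warning "Could not find AD account for $env:USERNAME; leaving hosts file untouched."
    return
}
$userDn = [string]$result.Properties['distinguishedname'][0]

# A DN under the OU ends with ",<OU DN>"; this also matches sub-OUs.
if ($userDn -like "*,$TargetOU") {
    # Back up the existing hosts file once so the block can be undone later.
    $backup = "$HostsPath.orig"
    if (-not (Test-Path $backup)) { Copy-Item -Path $HostsPath -Destination $backup }
    Copy-Item -Path $BlockFile -Destination $HostsPath -Force
    Write-Output "Block list applied for $userDn"
}
else {
    Write-Output "$userDn is outside $TargetOU; no change made."
}
```

Note that the hosts file is writable only by administrators, so the copy must run with an elevated token (for example as a startup script or scheduled task running as SYSTEM) rather than under a standard user's login script. Hosts entries match exact names only, so www.youtube.com needs its own line in hosts.blk alongside youtube.com.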