Solved

Blocking Websites on ASA 5505

Posted on 2010-08-30
Last Modified: 2012-05-10
Hi all!  I would like to block a couple of websites on my network and have been unsuccessful so far in my pursuit.  I have tried blocking via Group Policy using IPSec and also setting up blocked sites on the DC and importing those rules into GP also.  IPSec didn't work at all and the other way blocked every site in the OU and not just the sites I chose.  I have an ASA 5505 and know that I can more than likely block individual IP addresses via ACL.  The problem is I want to block YouTube and eBay, which have multiple IP addresses that can be accessed.  I've recently put in a Snort server and use ntop also to see who's using up bandwidth and what sites are being perused throughout the day. Well, it seems that I have a user that still hasn't listened after quite a while of telling him not to stream YouTube so he can listen to music, and I would like to shut it down completely and maybe he'll get the picture.  I don't mind some use at all because I have a small network I can stay on top of, but I need to get my point across.  Any suggestions or solutions that don't require spending any large amounts of cash right now?  I know something can be done with what I have in place; I either just haven't done it right or haven't found what I need.
Question by:geleman
11 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 33562196
Enable the Windows Firewall on that user PC and block YouTube.com etc from GPO to the firewall rules.
0
 

Author Comment

by:geleman
ID: 33562531
I don't want to enable Windows Firewall.  It causes more problems than it helps in my experience. Plus it's on more than one user.  I was hoping to get more insight on blocking sites through GP via using the blocked sites in the DC's internet options.  I have been able to use that but it blocks more sites than just the ones I choose.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 33565107
Create a Regex on the ASA for the site in question - here's how to block Facebook, for example: http://www.petenetlive.com/KB/Article/0000054.htm
0
 

Author Comment

by:geleman
ID: 33566877
PeteLong:
I don't see why that won't work at all.  Thanks for the help, but I would like to add a little more on top of that if I could.  I can put this solution in place for a time, but I don't want to keep everybody blocked permanently because it is only a couple users that abuse the privilege.  Is there anything you can give as far as guidance on blocking via Group Policy in AD?  I have tried a few solutions that didn't quite work the way I wanted.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33568510
You can distribute a hosts file (might not be practical for a large # of clients, unless you distribute via login script or AD), or set up a set of names in your internal DNS that all point to 127.0.0.1.

Example hosts entry:
127.0.0.0      youtube.com

Example DNS entry under your own domain forward zone:
127.0.0.1    A      youtube.com.yourdomain.com

You can turn this off by removing the entry from hosts file or from DNS
0
 

Author Comment

by:geleman
ID: 33568549
Boilermaker:

Wouldn't that still block the whole domain?  I'm mainly worried about a certain OU that has the couple of users that I'm trying to block out.
0
 
LVL 7

Expert Comment

by:Boilermaker85
ID: 33569430
Copy the hosts file only to the users in that OU. The DNS method would be for the whole domain, as you mentioned.
0
 

Author Comment

by:geleman
ID: 33577052
Sounds like that is the solution I'm looking for however I don't quite know how to implement it or create the host file like you are talking about.  I've tried a couple different things and I am not quite sure how to do it.
0
 

Author Comment

by:geleman
ID: 33577231
I found the Host files in windows/system32/etc, but it doesn't have individual files; it just has a hosts file, which is an example file, and the sam file, which I'm sure is the one that is used by DNS.  It says to add in info to the end of that file but that would then cover the whole domain.
0
 

Author Comment

by:geleman
ID: 33577274
Sorry it says not advisable to add lmhosts files entries on the end of the sam file.
0
 
LVL 7

Accepted Solution

by:
Boilermaker85 earned 1000 total points
ID: 33577671
A hosts file already exists at the location you found. It has one entry by default, which is
127.0.0.0   localhost


You can add lines to this file.
127.0.0.1      youtube.com

Then save this file as hosts.blk.  Copy it to your path where your login script executes. Add a section to the login script to check if the user is in the desired OU, and if so,
copy \\serverpath\hosts.blk c:\windows\system32\drivers\etc\hosts.

To just try it out, map a drive (X:) to one of these users' C$ drive. Either edit his hosts file (NOT LMHOSTS.sam - that is an example of netbios name cache), adding the youtube entry, or replace his file with the hosts.blk you created (copy hosts.blk X:\windows\system32\drivers\etc\hosts.)

That user is now blocked from youtube.com.  You can script this a number of ways. Pick your favorite.
0
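An added example, not part of the original thread or the answerer's own script: hosts-file lookups match whole names only, so an entry for youtube.com does not cover www.youtube.com. The sketch below parses a hosts.blk before it is pushed to the OU and reports which names are sinkholed to loopback; the sample file content, the name list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of the hosts.blk described in the answer above.
SAMPLE_HOSTS_BLK = """\
# constructed sample, not taken from a real machine
127.0.0.1   localhost
127.0.0.1   youtube.com     # entry from the answer
127.0.0.1   ebay.com www.ebay.com
"""

# Constructed list of names a browser is likely to request for these sites.
NAMES = ["youtube.com", "www.youtube.com", "m.youtube.com",
         "ebay.com", "www.ebay.com"]


def parse_hosts(text):
    """Return {hostname: ip} for each 'address name [alias ...]' line."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank line or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        for name in fields[1:]:
            # Keeping the first entry for a repeated name is an assumption here.
            table.setdefault(name.lower(), ip)
    return table


def audit(text, names):
    """Split names into (sinkholed to loopback, still resolved normally)."""
    table = parse_hosts(text)
    blocked, still_open = [], []
    for name in names:
        ip = table.get(name.lower())             # exact match only, no wildcards
        if ip is not None and ip.is_loopback:
            blocked.append(name)
        else:
            still_open.append(name)
    return blocked, still_open


if __name__ == "__main__":
    blocked, still_open = audit(SAMPLE_HOSTS_BLK, NAMES)
    print("blocked:   ", ", ".join(blocked))
    print("not listed:", ", ".join(still_open))
```

Any name reported as not listed needs its own line in hosts.blk, or has to be handled at the ASA or DNS level instead.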


Question has a verified solution.
