• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1214
  • Last Modified:

Blocking Websites on ASA 5505

Hi all!  I would like to block a couple of websites on my network and have been unsuccessful so far in my pursuit.  I have tried blocking via Group Policy using IPSec and also setting up blocked sites on the DC and importing those rules into GP also.  IPSec didn't work at all and the other way blocked every site in the OU and not just the sites I chose.  I have an ASA 5505 and know that I can more than likely block individual IP addresses via ACL.  The problem is I want to block YouTube and eBay, which have multiple IP addresses that can be accessed.  I've recently put in a Snort server and use ntop also to see who's using up bandwidth and what sites are being perused throughout the day. Well, it seems that I have a user that hasn't listened still after quite a while of telling him not to stream YouTube so he can listen to music, and I would like to shut it down completely and maybe he'll get the picture.  I don't mind some use at all because I have a small network I can stay on top of, but I need to get my point across.  Any suggestions or solutions that don't require spending any large amounts of cash right now?  I know something can be done with what I have in place; I either just haven't done it right or haven't found what I need.
Asked by: geleman
2 Solutions
 
Matt V commented:
Enable the Windows Firewall on that user's PC and block YouTube.com etc. from GPO in the firewall rules.
0
 
geleman (Author) commented:
I don't want to enable Windows Firewall.  It causes more problems than it helps in my experience. Plus it's on more than one user.  I was hoping to get more insight on blocking sites through GP via using the blocked sites in the DC's Internet Options.  I have been able to use that, but it blocks more sites than just the ones I choose.
0
 
Pete Long (Technical Consultant) commented:
Create a regex on the ASA for the site in question. Here's how to block Facebook, for example: http://www.petenetlive.com/KB/Article/0000054.htm
0
 
geleman (Author) commented:
PeteLong:
I don't see why that won't work at all.  Thanks for the help, but I would like to add a little more on top of that if I could.  I can put this solution in place for a time, but I don't want to keep everybody blocked permanently because it is only a couple of users that abuse the privilege.  Is there anything you can give as far as guidance on blocking via Group Policy in AD?  I have tried a few solutions that didn't quite work the way I wanted.
0
 
Boilermaker85 commented:
You can distribute a hosts file (might not be practical for a large number of clients, unless you distribute via login script or AD), or set up a set of names in your internal DNS that all point to 127.0.0.1.

Example hosts entry (the loopback address is 127.0.0.1):
127.0.0.1      youtube.com

Example DNS entry under your own domain forward zone:
127.0.0.1    A      youtube.com.yourdomain.com

You can turn this off by removing the entry from the hosts file or from DNS.
0
 
geleman (Author) commented:
Boilermaker:

Wouldn't that still block the whole domain?  I'm mainly worried about a certain OU that has the couple of users that I'm trying to block out.
0
 
Boilermaker85 commented:
Copy the hosts file only to the users in that OU. The DNS method would be for the whole domain, as you mentioned.
0
 
geleman (Author) commented:
Sounds like that is the solution I'm looking for; however, I don't quite know how to implement it or create the hosts file like you are talking about.  I've tried a couple of different things and I am not quite sure how to do it.
0
 
geleman (Author) commented:
I found the hosts files in windows/system32/etc, but it doesn't have individual files; it just has a hosts file, which is an example file, and the .sam file, which I'm sure is the one that is used by DNS.  It says to add info to the end of that file, but that would then cover the whole domain.
0
 
geleman (Author) commented:
Sorry, it says it is not advisable to add lmhosts file entries on the end of the .sam file.
0
 
Boilermaker85 commented:
A hosts file already exists at the location you found. It has one entry by default, which is (the loopback address is 127.0.0.1):
127.0.0.1   localhost


You can add lines to this file.
127.0.0.1      youtube.com

Then save this file as hosts.blk.  Copy it to your path where your login script executes. Add a section to the login script to check if the user is in the desired OU, and if so,
copy \\serverpath\hosts.blk c:\windows\system32\drivers\etc\hosts.

To just try it out, map a drive (X:) to one of these users' C$ drive. Either edit his hosts file (NOT LMHOSTS.sam; that is an example of the NetBIOS name cache), adding the youtube entry, or replace his file with the hosts.blk you created (copy hosts.blk X:\windows\system32\drivers\etc\hosts).

That user is now blocked from youtube.com.    You can script this a number of ways. Pick your favorite.
0
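The login-script logic Boilermaker85 describes (check the user's OU, then put the blocking entries into that machine's hosts file), written out as an added example in PowerShell. This is not code from the thread or from any of the commenters; the OU distinguished name and the list of blocked hostnames are assumed placeholders. It merges entries into the existing hosts file instead of overwriting it, so anything already in the file (and repeated runs at every logon) stay harmless, and it lists each hostname separately, because a hosts entry for youtube.com does not cover www.youtube.com.

```powershell
# Added example (not from the thread): OU-scoped hosts-file blocking.
# Assumed values: $TargetOu and $BlockedNames are placeholders to adjust.
param(
    # Account to evaluate. Defaults to the logged-on user; pass it explicitly
    # when the script runs under a different account (see note below).
    [string]$UserName = $env:USERNAME
)

$TargetOu  = 'OU=Restricted,DC=yourdomain,DC=local'     # assumed OU
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Every hostname to sink-hole must be listed on its own.
$BlockedNames = @('youtube.com', 'www.youtube.com', 'ebay.com', 'www.ebay.com')

function Test-UserInOu {
    param([string]$DistinguishedName, [string]$OuDn)
    # An object sits under the OU when its DN ends with ",<OU DN>" (DNs are
    # compared case-insensitively).
    return $DistinguishedName.ToLower().EndsWith((',' + $OuDn).ToLower())
}

function Merge-HostsBlock {
    param([string[]]$ExistingLines, [string[]]$Names)
    # Collect hostnames already mapped (ignoring comments), then append only
    # the missing ones so the file does not grow on each logon.
    $present = @{}
    foreach ($line in $ExistingLines) {
        $fields = @(($line -replace '#.*$', '') -split '\s+' | Where-Object { $_ })
        if ($fields.Count -ge 2) {
            foreach ($n in $fields[1..($fields.Count - 1)]) { $present[$n.ToLower()] = $true }
        }
    }
    $out = [System.Collections.Generic.List[string]]::new([string[]]$ExistingLines)
    foreach ($n in $Names) {
        if (-not $present.ContainsKey($n.ToLower())) { $out.Add("127.0.0.1`t$n") }
    }
    return $out.ToArray()
}

# Resolve the user's DN through ADSI; no RSAT module is required.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$UserName))"
$result = $searcher.FindOne()
if ($null -eq $result) { Write-Warning "User $UserName not found"; return }
$userDn = [string]$result.Properties['distinguishedname'][0]

if (Test-UserInOu -DistinguishedName $userDn -OuDn $TargetOu) {
    $current = @(Get-Content -Path $HostsPath -ErrorAction SilentlyContinue)
    $merged  = Merge-HostsBlock -ExistingLines $current -Names $BlockedNames
    # Write plain ASCII: the resolver expects a plain-text hosts file.
    Set-Content -Path $HostsPath -Value $merged -Encoding Ascii
    Write-Output "Blocking entries applied for $UserName"
} else {
    Write-Output "$UserName is not under $TargetOu; hosts file left unchanged"
}
```

Two practical points when deploying this. The hosts file is writable only by administrators on Vista and later, so a plain user logon script cannot modify it on those clients; run it with elevated rights (for example from a scheduled task or startup script that passes the user name as the parameter). And the block is only as strong as the user's inability to edit the file: a local administrator can remove the entries, and the ASA-side regex Pete Long linked is the control that does not depend on the client.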