Allow facebook on a Pix 501 except for a few users

ndidomenico
We are presently blocking Facebook on our network (25 PCs) using the DNS method (creating a zone for facebook.com pointing to 127.0.0.1). But now we need to allow access to it, except for a few PCs.

Our router is a Pix 501 v6.3. Domain controller and DNS server is a Windows 2003 server Standard.

How would you recommend doing this?

So far, we thought about the following options:
1) Using ACL permit/deny commands on the Pix. Does Facebook continuously change IP addresses?
2) Using OpenDNS as the forwarder in our DNS server: wouldn't that be an allow-all or deny-all option? Not good for us if that's the case.
3) Using 3rd-party software, e.g. Websense. Does Websense work with a Pix 501?
4) Removing the facebook.com zone from our DNS server. This would allow access to the site, but then how do we block it on those specific PCs?

Thanks.
Re point 4:

You could do it by adding an entry for facebook.com pointing to 127.0.0.1 in the local hosts file.

Author

Commented:
Does the hosts file have precedence over the DNS server when name lookups are done in Windows?

Author

Commented:
In case the user finds out about removing the entry in the hosts file, what other method would you recommend? I am very tempted by the Pix ACL method, but not sure if it would work - haven't tried it yet.
1) Remove the facebook.com zone in your DNS.

2) Create a Group Policy to block access from *.facebook.com (see http://www.windowsecurity.com/articles/Restricting-Specific-Web-Sites-Internet-Explorer-Using-Group-Policy.html)

3) Place users you want to block in an OU

4) Apply the Group Policy to the OU

Author

Commented:
Tried the hosts file and it does have precedence over the DNS server, so www.facebook.com can be blocked using this method. Can we use wildcards in a hosts file (e.g. *.facebook.com to cover subdomains like blog.facebook.com, etc.)?
ndidomenico's hosts file method will also work. Administrator privileges are required to edit the hosts file, so it is secure.
No, wildcards aren't allowed in the hosts file. Here is a list of the domains you will need to block.

Author

Commented:
Thanks Daves. Interesting, the GPO method... if the user has local administrative rights, can he remove or disable the entry made by the GPO in the Content tab of IE?
I'm not sure, I don't believe that's how Group Policy works, but it would be worth testing. However, if the user has local administrative rights he can download and install the Firefox web browser, which would bypass the policy anyway.

A local admin could also edit the hosts file.

If your users are local admins you are pretty much back to looking for a solution on the firewall.
He could, but the settings would be put back again once the GPO refreshed, normally at a random time within 90 minutes of the last refresh.

Author

Commented:
Looks like the hosts file might be more appropriate and simple. Users might have Firefox, Google Chrome, etc., so the Content method would only work with IE while HOSTS would apply to all browsers. And the users are not local admins, so they cannot alter the hosts file.

What about using ACLs on the Pix? Would that work better, or would I constantly be chasing IP addresses for the Facebook sites to put in the Pix ACLs?
A quick search returned this, and I don't know how comprehensive it is:

Like many popular Web sites, Facebook utilizes multiple Internet servers to handle incoming requests to its Web site www.facebook.com. The following IP address ranges belong to Facebook:
•66.220.144.0 - 66.220.159.255
•69.63.176.0 - 69.63.191.255
•204.15.20.0 - 204.15.23.255

So, if you are able to find a comprehensive list of IP addresses for Facebook then utilising ACLs might be the way to go, but there will always be the doubt that there might be one other out there :)
Also, you will need to ensure the client computers that you want to block have static IP addresses.

Author

Commented:
So we decided to go with the hosts file method, since we don't have too many computers to configure.

Thanks for your input.
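Since the thread settled on the hosts-file method and noted that hosts files take no wildcards, here is an added example (not code from the original thread) that manages a marked block of 127.0.0.1 entries idempotently, rejects wildcard names, and simulates the exact-match lookup the resolver performs. The hostname list and the block markers are constructed for illustration; the real set of hostnames has to be gathered by the administrator.

```python
"""Maintain a managed block of 127.0.0.1 entries in a Windows hosts file.

Hosts files have no wildcard support, so every subdomain to be blocked must
be listed explicitly. The list below is a constructed example, not a
complete inventory of the site's hostnames."""
import re
import sys
from pathlib import Path

BLOCK_BEGIN = "# BEGIN managed-block"   # constructed marker
BLOCK_END = "# END managed-block"
BLOCKED_HOSTS = ["facebook.com", "www.facebook.com",
                 "login.facebook.com", "blog.facebook.com"]  # constructed list


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)  # first entry for a name wins
    return table


def lookup(text, hostname):
    """Simulate hosts-file resolution: case-insensitive exact match, no wildcards."""
    return parse_hosts(text).get(hostname.lower())


def apply_block(text, hosts):
    """Insert or replace the managed block; running it twice changes nothing."""
    for host in hosts:
        if host.startswith("*"):
            raise ValueError(f"wildcards are not honoured by the hosts file: {host}")
    block = "\n".join([BLOCK_BEGIN] + [f"127.0.0.1 {h}" for h in hosts] + [BLOCK_END])
    pattern = re.compile(re.escape(BLOCK_BEGIN) + r".*?" + re.escape(BLOCK_END), re.S)
    if pattern.search(text):
        return pattern.sub(lambda _m: block, text)
    sep = "" if not text or text.endswith("\n") else "\n"
    return text + sep + block + "\n"


if __name__ == "__main__":
    # Default path is the standard Windows location; pass another path to test.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\Windows\System32\drivers\etc\hosts")
    path.write_text(apply_block(path.read_text(), BLOCKED_HOSTS))
```

Running the script requires administrator rights, which is exactly why the thread considered the method safe for non-admin users.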
