Solved

Blocking Facebook

Posted on 2014-01-26
12
606 Views
Last Modified: 2014-02-03
Hi there,
I need help please.
I have to install a firewall for a company with about 50 users.
The director requires me to block certain sites like Facebook, Twitter etc., but just for certain users... not everyone.
Now this is easy when you use pfSense with Squid.
My problem is that Facebook uses HTTPS now, so the Squid proxy doesn't pick it up.
How can I get this solved, as I have tried various things all weekend?
I can't seem to get my head around this or find relevant info on the web that can assist me.

Your help will be greatly appreciated.

Thank you

steven
0
Comment
Question by:stevenvanheerden
12 Comments
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 250 total points
ID: 39810115
Most of the newer UTM appliance type firewalls will do exactly what you are asking. For your size, I would personally recommend a Watchguard XTM33 or XTM330 depending on growth needs. They will do exactly what you are asking, have a great management tool and also great logging and reporting. Sonicwall, Palo Alto and Fortinet are also good choices that will do what you need. In any case, let someone with that product experience help you with the install so that you look like the hero to your boss.

Jon
0
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 39810119
Looks like you might be an IT consultant. I would suggest sub'ing the initial install, just to be sure it's right. They all have their own idiosyncrasies.

Jon
0
 

Author Comment

by:stevenvanheerden
ID: 39810166
Hi Jon,

Thanks for the advice, but I'm the one doing the install.
So I need to know how to do this... I just thought pfSense could handle it, as I use it for various other applications.
I'm just not getting the HTTPS blocked for certain sites and certain users...

If you were in my position and you could not sub the job, what would you use?

Regards
0

 

Author Comment

by:stevenvanheerden
ID: 39810171
Oh, and I need open source please... I have to convert a server that we replaced recently to act as the firewall proxy...
0
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 39810176
Watchguard. One thing that most people will say about Watchguard is that the user interface (not the web based one) is the best. It is the most intuitive and well organized. That's one of the things that I like best. I can generally train a (competent) customer in a matter of a couple hours. Understanding some of the terminology and how they all interact in the other brands can be a bit confusing. They are good but take some getting used to. Watchguard has a good clean top down approach that is pretty easy to understand and get used to.

Oh, and I know that it will do what you need in a number of different ways. You do need to make sure (with any of them) that you get the full UTM bundle. You need webblocker and application control to do what you need to do.

..... I was typing this as you put your last entry in. If you are strictly looking for open source, none of these suggestions will help. Sorry.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 39810186
Facebook is pissing a lot of IT people off lately with this crap.  They knew it would make it difficult and went out of their way to do so.

You may be able to create a port rule, but you'd need the IP addresses for the SSL sites.
0
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 39810196
Yep, that's the problem, but the next problem is those IPs change and move based on load balancers, etc.

Do you want open source to have open source? Or do you want open source because you have new hardware and you need to utilize it? If so, throw ESXi on the server and then load the Watchguard virtual appliance version of their firewall. I think that they are the only one in my list that has that option.
0
 
LVL 1

Expert Comment

by:Zabo1
ID: 39810588
You can use DNS redirection for those users, and hope your users are not tech savvy.
0
 
LVL 3

Expert Comment

by:Paul 1
ID: 39811150
"Zabo1 : you can use DNS redirection for those users, and hope your users are not tech savvy"

When I was requested to block certain users on a budget of zero, I created a share to the windows\system32\drivers\etc folder and could then have a shortcut on my PC to all those users' folders, where I could copy and paste a hosts file that contained 'whatever.com 127.0.0.1'.

The best thing though would be to have a local webserver set up that the hosts file pointed to and have a "site blocked notice"; even better would be to have the attempts to access logged.
0
 

Author Comment

by:stevenvanheerden
ID: 39811225
Thanks for all the input guys.
Paul/Zabo - thanks for the nifty trick, but it won't be practical in my situation.
So far the Watchguard sounds like the only sound solution, or perhaps the commercial version of Sonicwall.
Is there anyone out there that has achieved this with pfSense?

It's such a versatile product that I can't believe this can't be done...

Any further ideas?
0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 250 total points
ID: 39816881
Are they on a Windows domain? Make a hosts.txt file with entries to facebook.com pointing to 1.1.1.1. Use a GPO to push the hosts.txt to all desired groups in the domain into the windows\system32\drivers\etc\hosts.txt

Watchguard, Sonicwall, Fortinet all have affordable UTMs, but if simple traffic blocking is the goal, my suggestion will keep you on budget.

Hope this helps.

Jfer
0
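An added example, not part of any poster's answer: a Python sketch that builds the hosts-file content the answers above would distribute, keeping a managed block that can be re-applied without touching existing entries, and checking which names a file actually covers. The sink address 192.0.2.10 (a documentation address standing in for a local block-page server), the sample file and all function names are assumptions; names are listed one by one because hosts files match exact names only, and the file Windows reads is `windows\system32\drivers\etc\hosts` with no extension.

```python
import ipaddress

BEGIN = "# BEGIN site-block (managed, do not edit)"
END = "# END site-block"

# Constructed sample: what a workstation's hosts file might already contain.
SAMPLE = "127.0.0.1 localhost\r\n10.0.0.5 intranet  # file server\r\n"
SINK = "192.0.2.10"  # assumed block-page server; replace with your own
BLOCKED = ["facebook.com", "www.facebook.com", "twitter.com", "www.twitter.com"]


def parse_hosts(text):
    """Return {hostname: address} for every active entry in hosts-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])  # keep first entry seen
    return table


def merge_block(text, names, sink):
    """Replace (or append) the managed block; lines outside it are kept as-is."""
    ipaddress.ip_address(sink)  # raises ValueError if sink is not an IP address
    kept, inside = [], False
    for line in text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)
    # Hosts-file order is address first, then the name it answers for.
    block = [BEGIN] + [f"{sink}\t{n.lower()}" for n in names] + [END]
    return "\r\n".join(kept + block) + "\r\n"


def uncovered(text, wanted):
    """Names in `wanted` that the hosts text does not map to any address."""
    table = parse_hosts(text)
    return [n for n in wanted if n.lower() not in table]


if __name__ == "__main__":
    new_text = merge_block(SAMPLE, BLOCKED, SINK)
    print(new_text)
    # m.facebook.com is not listed, so it still resolves normally.
    print("not covered:", uncovered(new_text, BLOCKED + ["m.facebook.com"]))
```

Running `uncovered` against the deployed file is a quick audit of the gap Zabo1 alludes to: any hostname not listed, and any client that bypasses the hosts file, is unaffected.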
 

Author Closing Comment

by:stevenvanheerden
ID: 39830210
Thanks a lot for the input guys - it's greatly appreciated!
0


Question has a verified solution.
