
Internet Control / Notification

Last Modified: 2019-08-30
Hi All,

We are looking at a way to control and monitor our internet usage. What we require is a way to block certain sites, such as porn, but also to notify when other site categories are accessed. We use a WatchGuard firewall with web blocker, which is applied to an HTTP proxy. We can set up an HTTPS proxy and apply the web blocker; however, this will require a certificate to be installed at the client to work. No real biggie for our domain users. However, we have a number of third-party users that bring their own devices at a different physical location, so it will be very difficult to install the certificate / manage these devices, as there is a high turnover of people / devices.

What is the best way to manage this? If via the firewall, how best to manage the third-party devices / certificate install? Internet proxy? If so, any recommendations? For the third-party devices, the access point is Meraki; can the above be achieved via the AP?

Thanks for your help
Paul

Alex (A lack of information provides a lack of a decent solution.)

Commented:
Well,

If you have third-party users, they should be using a guest network, not your corporate one. If they are doing work for you, give them access to a laptop or virtual desktop.

Regards
Alex
David (Fractional CTO)
Commented:
You asked, "We are looking at a way to control and monitor our internet usage."

No way to do this 100%. Anyone can get around this by various VPN related tricks or just tethering to their cellphone.

I've seen many a large company try controlling external site access + give up.

Better to just hire diligent staff who work, rather than surf.

A simple way to do this is to block all outgoing port 80 + 443 traffic, then provide a SOCKS server or some other proxy server people must connect through to access the Internet.

And this will never block VPNs, simple tunnels through other ports (unless you have all ports blocked) or cellphone tethering.

If you use a standard SOCKS or even Squid config, you'll require no certs installed, as all traffic should pass through between internal users + external sites.
Jeremy Weisinger (Senior Network Consultant / Engineer)
Commented:
Webblocker doesn't require DPI to work so deploying a root certificate isn't required to control HTTPS traffic with Webblocker.

As David said, there's no 100% effective solution, but you should consider enabling Application Control on all policies and blocking VPNs and proxies. This will help lock it down tight, and only home-grown, unknown protocols will be able to get through (unless you block all but known traffic).

So for the internal network, deploy the cert and do DPI on your HTTPS traffic. For the guest network, still configure the HTTPS proxy but omit the DPI. In this configuration it won't actually proxy the traffic, but it will block based on categories, since the domain of the URL is not encrypted.

@David WatchGuard uses transparent proxies, so there's no need to configure a SOCKS server since this functionality is built in (hence the need to deploy a cert, as the author was talking about).
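To show concretely why the no-DPI HTTPS proxy described above can still block or notify by category without a client certificate, here is an added example (not WatchGuard's, Squid's or any poster's code). The server name a browser wants to reach is carried in the SNI extension of the TLS ClientHello, which is sent in cleartext before any encryption starts, so a transparent proxy can read it and apply a category policy while never decrypting the session. The category table, the block/notify policy and the ClientHello built by `build_client_hello()` are all constructed for this example; a real deployment uses a vendor category feed and the packets seen on the wire.

```python
"""
Added illustrative example (not WatchGuard's, Squid's or any poster's code).

Shows how a transparent HTTPS proxy can enforce category rules without a
client-side certificate: the SNI host name in the TLS ClientHello is sent in
cleartext, so it can be read, categorised, and blocked or logged for
notification, all without decrypting the session.

Assumptions: constructed category table and policy; constructed TLS 1.2
ClientHello records built by build_client_hello().
"""
import struct

# Constructed policy: category -> action, mirroring the question
# (block some categories, only notify on others, allow the rest).
POLICY = {
    "adult": "block",
    "gambling": "notify",
    "social": "notify",
}

# Constructed domain -> category table (a real deployment uses a vendor feed).
CATEGORIES = {
    "example-adult.test": "adult",
    "example-casino.test": "gambling",
    "social.example.test": "social",
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Only the fields parse_sni() needs are filled in realistically."""
    host = server_name.encode("idna")
    # server_name extension body: list length, name type (0 = host_name), name length, name
    sni_entry = struct.pack("!BH", 0, len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # An unrelated, empty extension placed first, so the parser has to skip it.
    other_ext = struct.pack("!HH", 0x0017, 0)  # extended_master_secret
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + b"\x00" * 32                           # random (zeroed for the example)
        + b"\x00"                                # session id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the host_name from the SNI extension of a TLS ClientHello record,
    or None if the record is not a ClientHello or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:      # content type: handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # handshake type: client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # session id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                          # compression methods
    if pos + 2 > len(body):                       # no extensions at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:
            name_type = edata[2]                  # after the 2-byte list length
            name_len = struct.unpack("!H", edata[3:5])[0]
            if name_type == 0 and len(edata) >= 5 + name_len:
                return edata[5:5 + name_len].decode("idna")
    return None


def decide(record: bytes) -> dict:
    """Apply the category policy to a ClientHello and return the decision,
    so a proxy could drop the connection or raise a notification."""
    host = parse_sni(record)
    category = CATEGORIES.get(host, "uncategorised") if host else "unknown"
    return {"host": host, "category": category, "action": POLICY.get(category, "allow")}


if __name__ == "__main__":
    for name in ("example-adult.test", "example-casino.test", "www.example.test"):
        print(decide(build_client_hello(name)))
```

The same mechanism is what the thread relies on for the guest network: because the decision is taken on the cleartext SNI, no certificate has to be pushed to the third-party devices, while the "notify" outcome gives the logging hook the question asked for. Note the limit Jeremy's answer implies as well: a client that encrypts the ClientHello, tunnels through a VPN, or omits SNI yields no host name here, which is why pairing this with Application Control is suggested.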