LOCKING INTERNET WITH APPROVED SITE ONLY FOR EMPLOYEES

0 Votes
Locked

aandecomputers
Well, this is my first post, and I would like to thank TechRepublic for the awesome information that goes through here, from discussions to answers. I have a question: I work for a surgery center and we are trying to block all internet access for all employees, with the exception of managers and supervisors. We would like everyone to be locked out, with only the approved sites that are required to do their tasks. What would be the best way to start and implement what we are trying to do? Anyone who can point me in the right direction would be very much appreciated. Thank you in advance for everyone's help.

Edgar I.T Specialist
  • +
    0 Votes
    dspeacock

    The easiest way to describe this is "that which is not expressly permitted, is prohibited". Thus, if you use static IP addresses, you can block all addresses from internet access at the firewall, except for those who have the need (managers etc.) As for web sites, block all sites unless they're on a "white list" you develop. If someone wants access to a specific site, they have to get that access approved, and then it is added to the white list.

    HTH

    Dave

    +
    0 Votes
    aandecomputers

    Hello, and thank you so much for the reply. I thought I would never get help. I totally understand. I have all workstations with static IPs, and I know this might sound like I don't know what I am doing, but I do; I just have not had to do this type of config. Also, I have deployed AD in Win 2003 Enterprise edition and I would really like to manage everything from AD, but it is my first AD/DM setup. I did it successfully, but now I would like to take advantage of the technology. I am a good reader and follow instructions well, if someone can point me in the right direction, you know, instructions or web links on how-tos. I thank you, dspeacock and pc21geek, for the posts especially, and everyone that might be able to point me in the right direction.

    +
    0 Votes
    dspeacock

    A white list is a list of sites, set up in your firewall, that you allow users to access. For example, if you want your people to be able to go to Microsoft, you'd have an entry for that specific site. For any site not on the list, the user would get a message from the firewall saying that access to that site is filtered/not allowed etc. and if they require access for a business purpose, they should contact IT. When you get a request, it should be checked out and access approved by a manager or two.

    Make sure applications like that are submitted on paper so there is an auditable trail of requests and approvals in case something happens.

    +
    0 Votes
    pc21geek

    I would take a look at Websense. You can block certain sites, protocols, chat applications, etc. Very good product, highly recommended.

    Kevin

    +
    0 Votes
    f.png

    You can set up a proxy server that bans all sites except those in a whitelist. This solution will require some in-depth IT knowledge.

    If you have the money and want a simpler way, I will recommend Websense Enterprise. It is simple and easy to use.

    +
    0 Votes
    aandecomputers

    Well, if it is possible, we would like to control everything through the server. Budget, as always, is either not in the question or is very tight. There are only 10 workstations connected to the domain, all XP Pro in AD, so can someone who has done a similar project maybe point me on how to do it with what we have: w3k Enterprise, 10 XP Pro workstations and a Netgear FVS318 VPN firewall router? Thank you for any light on the issue.

    Edgar

    +
    0 Votes
    aandecomputers

    Can someone please shed some light on how and where I can get started with blocking and building a white list on all workstations? Or how to manage web access through Active Directory? Any help and guidance would be really appreciated. I need to get this done. I need help; my boss is breathing down on me, uuggghh.

    +
    0 Votes
    dspeacock

    Send me a peer mail with your e-mail address and I'll see what I can do to assist you.

    Dave

    +
    0 Votes
    CG IT

    Building a white list is a time-consuming process, as there are literally hundreds of thousands of sites that you do not want users to visit. Your firewall will have log files on what sites [IP addresses] they visit. From these log files you create your filters after researching whether you want users to visit the site or not.

    Active Directory isn't going to filter web sites. It isn't a web proxy or firewall.

    Your FVS318 firewall, I believe, has the capability to filter by domain as well as filter by service [have to look it up].

    To get really good scalable filtering you have to invest in a proxy server.

    Check your FVS318 firewall documentation for how to get it to filter. Note: firewalls operate on the principle that if a LAN client requests a web page, it's allowed.

    +
    0 Votes
    aandecomputers

    Thank you so much for your knowledge and shedding of light on the subject. I have no idea how much a web proxy would cost or if it is even in our budget. As for the FVS318, it does filter out domains, but like you stated, that is very painfully time-consuming, as I'm sure I wouldn't be able to get them all. Is there any other way I can go about this with what I have? Our server OS is 2003 Enterprise edition. I was under the impression that AD would have facilitated me with these types of requirements. I guess I was wrong; that was one of the main reasons I implemented the domain. Any more light on the subject would be very much appreciated.

    Edgar
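
The default-deny rule dspeacock describes and the log review CG IT describes, combined in one sketch. This is an added example, not part of the original thread and not configuration for any product named in it; the IP addresses, the `.example` domains and the "time source-ip host" log format are constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed policy: static IPs of exempt staff and the approved site list.
EXEMPT_IPS = {ip_address("192.168.0.10"), ip_address("192.168.0.11")}
APPROVED_DOMAINS = {"microsoft.com", "claims.example"}

def normalize(host):
    """Lower-case, drop a :port suffix and a trailing dot before comparing."""
    host = host.strip().lower()
    if host.count(":") == 1:          # host:port, not a bare IPv6 literal
        host = host.split(":")[0]
    return host.rstrip(".")

def domain_approved(host, approved=APPROVED_DOMAINS):
    """Approve the listed domain or a true subdomain, on a label boundary.

    A plain substring or endswith() test would also pass look-alikes such as
    notmicrosoft.com or microsoft.com.mirror.example.
    """
    host = normalize(host)
    return any(host == d or host.endswith("." + d) for d in approved)

def decide(src_ip, host):
    """That which is not expressly permitted is prohibited."""
    if ip_address(src_ip) in EXEMPT_IPS:
        return "ALLOW"
    return "ALLOW" if domain_approved(host) else "DENY"

def review_candidates(log_lines):
    """Count denied hosts so requests can be researched and approved."""
    denied = Counter()
    for line in log_lines:
        _time, src_ip, host = line.split()
        if decide(src_ip, host) == "DENY":
            denied[normalize(host)] += 1
    return denied.most_common()

# Constructed log lines, one request per line.
SAMPLE_LOG = [
    "09:01 192.168.0.21 update.microsoft.com",
    "09:02 192.168.0.21 microsoft.com.mirror.example",
    "09:03 192.168.0.22 webmail.example:443",
    "09:04 192.168.0.10 webmail.example",
    "09:05 192.168.0.23 WebMail.Example.",
    "09:06 192.168.0.22 notmicrosoft.com",
]

if __name__ == "__main__":
    for host, hits in review_candidates(SAMPLE_LOG):
        print(f"{hits:3d}  {host}")
```

The exemption by source address only holds if workstations cannot change their own static IP, so it is worth pairing with local admin restrictions on the XP clients.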
