Anyone have any thoughts on the following regarding blocking sites?

By SmartAceW0LF ·
I have a client whose employees claim to have found porn on one or more computers within the company network. My client also feels that much time is being wasted on these sites.

Does anyone have any thoughts on ways to block these sites without having to go the route of a proxy?
While the router in use at the site does provide a way to block specific sites there are 2 problems with using that feature.
1.) The feature only allows one exception (using the private IP of the host to be allowed) for each site listed, and for Facebook in particular there are 2 nodes on the LAN that must have access to the site.
2.) From the best of my recollection, blocking a site requires a specific domain or DNS name for that feature to take effect.

My client also mentioned allowing only the sites the employees need for their jobs as a possible solution.

Any thoughts on the best way to implement these changes throughout the LAN in the most cost-effective way?

We are running 2 Windows Server 2003 units with primarily Windows 7 nodes.


All Answers

by Rob Kuhn In reply to Anyone have any thoughts ...

What firewall do you have? Some firewalls have the ability to filter, whether it's built in or added as an add-in module (which can be either hardware or software).

At a previous employer (who at first didn't see the value in monitoring traffic other than watching the bandwidth) I used a log analyzer to at least see what sites were being hit the most and then I'd take that data and make a simple set of charts in Excel to show to management (management likes pictures :) ).

I gathered data over a 60 day period and, at that time, World of Warcraft was the most popular site next to MySpace and Facebook. I also showed BitTorrent traffic, which I had to tell management could be anything from streaming media to possible illegal downloading of copyrighted media.

That was enough for management to give me the approval to seek out a content filtering solution. It needed to be non-intrusive to the end users and not have a negative impact on the infrastructure.

My firewalls were Juniper NetScreens, to which I was able to add content filtering that included virus scanning.

Then to further secure the infrastructure a dedicated SPAM/virus filtering appliance was added along with a dedicated proxy-type appliance. Both were behind the firewall.

By spreading the load (so to speak) it helped reduce the load on the firewall.

I'm also a bit weird in that I really don't like to do much tweaking on the firewall. In other words once I have the firewall set I really don't like to tweak with it unless I'm adding a new route, NAT, etc.

For something like filtering where you will be monitoring it a lot and even doing a lot of tweaking, I'd rather break that appliance than the firewall. :)

All that said, I did enlist upper management to make the announcement that tighter controls were going to be implemented and what the reasons were. Management also reminded the users about the acceptable usage policy that everyone had signed upon the first day of employment.

Sorry for the long response.

What I would do in your case is to try and generate some sort of reports from your firewall, router or even switch which shows the outbound traffic.

Then analyze where most of the traffic is going, including how many inappropriate sites are being visited and how often. Remember, sometimes people are redirected to a porn site by accident, either by a mistyped URL or by a page redirection, so you need to trend that activity.

Once you've got enough data, present that to management to make them aware and ask how they want you to address it. It may be as simple as them sending a mass e-mail to the company, or asking you to put in a solution to help better control this activity; and by controlling it you are also protecting your company, so be sure they are aware of that too.
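The "gather outbound traffic, find the top destinations, then trend it so one accidental redirect is not mistaken for a habit" procedure above, as an added example that is not part of the original post. The log format and every address, host name and date in it are constructed for illustration; real firewall, router or proxy logs will need their own parser.

```python
"""Summarise outbound web traffic from proxy-style log lines.

Added example, not the poster's tooling. The log format below is
constructed: "<date> <time> <client-ip> <method> <url> <status>".
"""
from collections import Counter, defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed sample log; one malformed line is included on purpose.
SAMPLE_LOG = """\
2012-03-05 09:14:22 10.0.0.12 GET http://www.example.com/ 200
2012-03-05 09:15:01 10.0.0.12 GET http://www.example.com/news 200
2012-03-05 10:02:45 10.0.0.17 GET http://social.example.net/feed 200
2012-03-05 10:03:10 10.0.0.17 GET http://social.example.net/photos 200
2012-03-05 11:30:00 10.0.0.21 GET http://adult.example.org/landing 302
2012-03-06 08:45:12 10.0.0.17 GET http://social.example.net/feed 200
2012-03-06 09:00:00 10.0.0.12 GET http://www.example.com/ 200
2012-03-06 13:12:33 10.0.0.17 GET http://social.example.net/feed 200
2012-03-06 13:13:02 10.0.0.17 GET http://adult.example.org/gallery 200
2012-03-07 15:20:09 10.0.0.17 GET http://adult.example.org/gallery 200
this line is malformed and is skipped by the parser
"""


def parse_log(text):
    """Return (day, client, host) tuples; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        day, _time, client, _method, url, _status = parts
        host = urlsplit(url).hostname
        if host is None:
            continue
        try:
            date.fromisoformat(day)  # validate, but keep the ISO string as the key
        except ValueError:
            continue
        records.append((day, client, host))
    return records


def top_hosts(records, n=5):
    """Most-visited hosts with hit counts; this is what goes into the management chart."""
    return Counter(host for _, _, host in records).most_common(n)


def daily_trend(records, host):
    """Hits per day for one host, {YYYY-MM-DD: count}, ordered by date."""
    trend = Counter(day for day, _, h in records if h == host)
    return dict(sorted(trend.items()))


def classify_client_hosts(records, min_days=2):
    """Label each (client, host) pair 'repeated' if seen on min_days or more distinct days,
    otherwise 'one-off'. A single hit is consistent with a mistyped URL or a redirect;
    repeated visits across days are a usage pattern worth raising."""
    days = defaultdict(set)
    for day, client, host in records:
        days[(client, host)].add(day)
    return {pair: ("repeated" if len(seen) >= min_days else "one-off")
            for pair, seen in days.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Top hosts:", top_hosts(recs, 3))
    print("Trend for adult.example.org:", daily_trend(recs, "adult.example.org"))
    for (client, host), label in sorted(classify_client_hosts(recs).items()):
        print(f"{client:12} {host:22} {label}")
```

The per-client classification is the part that matters when the report reaches management: in the constructed data one client hits the questionable host once and is labelled a one-off, while another returns to it on two different days and is labelled repeated.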


A whitelist is not supportable

by robo_dev In reply to Anyone have any thoughts ...

You need a proxy server like WebSense Express, Untangle, Barracuda, etc.

Doing a whitelist (only allow certain sites) is a royal PITA to support.

Even the most simple site needs TONS more other sites to work....for example, if you give a PC "Google only"...check, all done!

But wait, now Windows wants to update...add Microsoft
But wait, the HP printer driver wants to update..add HP
But wait, the site needs flash....add Adobe
Oh yeah, Java..add Oracle
Oops, the Anti-virus app needs to update...add that
Oh wait, Gmail attachments won't work because that's a different domain

And that was just google!

Not only that, but some sites will not load at all, since some content comes from other sites like Amazon cloud services which has something like 50 different subdomains....

Yes, you will cause things like banner ads to stop working (yay), but you will also break things like your ADP payroll site, your insurance company login, your bank login, etc, etc.

Bottom line, unless you're paid by the hour, whitelists are a complete total waste of time and will cause you more frustration than a teenage daughter with your car keys and credit cards....

Simpler Solutions?

by info In reply to Anyone have any thoughts ...

You could always replace the router with one that supports a 'list' of sites, and allows access to your two exception clients. Take care of the worst offenders, anyway. This mostly depends on the client's wishes, but you could limit the scope of who it affects, enact a 'Time of Day' methodology for some personal sites, etc... There's a number of cheap options as well, like pfSense...

If you only have a small number of computers, there's a number of pre-compiled 'blacklists' on the Web. You just need to copy these into the HOSTS file of each Windows PC, and you're set, so long as the user doesn't have the tech savvy to check or change this.
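The HOSTS-file approach above, as an added example that is not from the original post: a script that takes a downloaded blocklist (which typically mixes comments, `127.0.0.1`/`0.0.0.0`-prefixed entries and bare names), keeps only well-formed host names, and rewrites a clearly marked section of the hosts file so that re-running it replaces the old list instead of appending duplicates. The blocklist, the existing hosts file contents and the `# BEGIN/END managed-blocklist` markers are all constructed for this example.

```python
"""Maintain a managed block section inside a Windows-style HOSTS file.

Added example, not code from the thread. Blocklist and hosts-file
contents are constructed; the marker comments are this script's own
convention. On Windows the real file is %SystemRoot%\\System32\\drivers\\etc\\hosts
and writing it needs an elevated process.
"""
import re

BEGIN = "# BEGIN managed-blocklist"
END = "# END managed-blocklist"
SINKHOLE = "0.0.0.0"  # unroutable; 127.0.0.1 also works but can hit a local web server
# Label-by-label hostname check (letters, digits, hyphens; at least one dot).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed blocklist, in the mixed style downloaded lists usually have.
SAMPLE_BLOCKLIST = """\
# example blocklist
127.0.0.1 ads.example.net
0.0.0.0 tracker.example.org
adult.example.com
ADULT.example.com      # duplicate, different case
not a hostname!
localhost
"""

# Constructed hosts file that already carries a stale section from an earlier run.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
192.168.1.10 fileserver
# BEGIN managed-blocklist
0.0.0.0 old.example.net
# END managed-blocklist
"""


def parse_blocklist(text):
    """Return sorted, de-duplicated, valid hostnames from blocklist text."""
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        # Last field works for both "0.0.0.0 name" and bare "name" lines.
        name = line.split()[-1].lower().rstrip(".")
        if HOSTNAME_RE.match(name):
            hosts.add(name)
    return sorted(hosts)


def render_block(hosts):
    """The managed section as text: one sinkhole line per host between the markers."""
    return "\n".join([BEGIN, *(f"{SINKHOLE} {h}" for h in hosts), END])


def apply_blocklist(hosts_text, hosts):
    """Replace the managed section if present, else append it; all other lines are kept."""
    block_lines = render_block(hosts).splitlines()
    lines = hosts_text.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        start, end = lines.index(BEGIN), lines.index(END)
        lines[start:end + 1] = block_lines
    else:
        lines.extend(block_lines)
    return "\n".join(lines) + "\n"


def blocked_hosts(hosts_text):
    """Hostnames currently sunk by the managed section, for verification after a run."""
    inside, blocked = False, set()
    for line in hosts_text.splitlines():
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif inside:
            parts = line.split()
            if len(parts) == 2 and parts[0] == SINKHOLE:
                blocked.add(parts[1])
    return blocked


if __name__ == "__main__":
    wanted = parse_blocklist(SAMPLE_BLOCKLIST)
    updated = apply_blocklist(SAMPLE_HOSTS, wanted)
    print(updated)
    print("blocked:", sorted(blocked_hosts(updated)))
```

Two caveats a practitioner should keep in mind: the hosts file has no wildcards, so every subdomain to be blocked must be listed individually (the same point robo_dev makes about sites spread over many hostnames), and after editing it on Windows the resolver cache should be cleared with `ipconfig /flushdns` so already-cached answers do not linger. As the post says, anyone with local administrator rights can simply edit the file back.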

by 88Fan In reply to Anyone have any thoughts ...

OpenDNS is where I wound up; they have home and enterprise solutions which both offer flexibility in configuration.

Added benefit was faster name resolution on virtually all websites with far less malware activity showing up as OpenDNS actively blocks known malware sites and scans for new ones to block.

Exception to the rule... with the near universal use of the Facebook "like" button on websites some sites will take longer to load if you block Facebook; is a great example of this as virtually every link goes to Facebook before it actually goes to the linked article.

Absolutely OpenDNS

by cbci In reply to Anyone have any thoughts ...

Break your network down into two segments: those who need filtered internet and those who prefer unfettered internet access, warts and all. Allow DNS requests only to OpenDNS for the former and allow DNS calls to your ISP, or a more liberal local DNS, for the latter. (Note: Because the distributed OpenDNS network never breaks, it is a good idea to use their '222' server as the secondary DNS for the latter group, for when the ISP's DNS does go down.) There; you have taken care of the 80 percent part of the "80/20" rule.

As for the other 20%, you have a variety of choices depending on your firewall and available time. One nice feature about this service is that when a user needs access to a blocked site, they simply fill out the info on the 'blocked-site' page and you, or someone in authority, are emailed the request.

Also, if you are dealing with the whole BYOD frenzy, you may have a simple answer in the fact that most of it is wireless.
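The segmentation described above only filters anything if the filtered segment really cannot reach any resolver other than OpenDNS. As an added example that is not from the original post, the script below audits firewall log lines for port-53 traffic and reports accepted DNS flows that left a segment for a resolver its policy does not allow; a DROP for the same flow is evidence the rule is doing its job. The two segment ranges, the ISP resolver address and the log format are constructed; 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers (the '222' server the post refers to).

```python
"""Audit firewall logs for DNS traffic that bypasses a per-segment resolver policy.

Added example, not code from the thread. Segment ranges, the ISP resolver
(203.0.113.53) and the log format are constructed for illustration.
"""
import ipaddress
import re

OPENDNS = {ipaddress.ip_address("208.67.222.222"),
           ipaddress.ip_address("208.67.220.220")}
ISP_DNS = {ipaddress.ip_address("203.0.113.53")}  # constructed ISP resolver

# Policy from the post: the filtered segment resolves only through OpenDNS;
# the unfiltered segment uses the ISP resolver with OpenDNS as a fallback.
POLICY = {
    ipaddress.ip_network("10.0.1.0/24"): OPENDNS,             # filtered users
    ipaddress.ip_network("10.0.2.0/24"): ISP_DNS | OPENDNS,   # unfettered users
}

# Constructed log format: "<timestamp> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>udp|tcp) "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SAMPLE_FW_LOG = """\
2012-03-05T09:14:22 ACCEPT udp 10.0.1.15:51324 -> 208.67.222.222:53
2012-03-05T09:14:23 ACCEPT udp 10.0.1.15:51325 -> 8.8.8.8:53
2012-03-05T09:20:01 ACCEPT tcp 10.0.1.22:40001 -> 93.184.216.34:80
2012-03-05T09:21:40 ACCEPT udp 10.0.2.40:53001 -> 203.0.113.53:53
2012-03-05T09:22:05 ACCEPT tcp 10.0.2.40:53002 -> 198.51.100.7:53
2012-03-05T09:25:00 DROP udp 10.0.1.15:51326 -> 8.8.8.8:53
2012-03-05T09:30:11 ACCEPT udp 192.168.5.5:1024 -> 8.8.8.8:53
garbage line that does not parse
"""


def resolver_allowed(src, dst):
    """True/False for a client in a policed segment; None if src is in no policed segment."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net, allowed in POLICY.items():
        if src_ip in net:
            return dst_ip in allowed
    return None


def audit_dns(log_text):
    """Accepted port-53 flows from a policed segment to a resolver outside its allow-set."""
    violations = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["dport"] != "53" or m["action"] != "ACCEPT":
            continue  # non-DNS traffic, dropped flows and unparseable lines are ignored
        if resolver_allowed(m["src"], m["dst"]) is False:
            violations.append((m["ts"], m["src"], m["dst"], m["proto"]))
    return violations


def offenders(log_text):
    """Violations grouped by client, for the follow-up with that segment's users."""
    counts = {}
    for _ts, src, _dst, _proto in audit_dns(log_text):
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, src, dst, proto in audit_dns(SAMPLE_FW_LOG):
        print(f"{ts} {src} -> {dst}/{proto}: DNS to non-approved resolver")
    print("per client:", offenders(SAMPLE_FW_LOG))
```

In the constructed log the filtered client 10.0.1.15 reaches OpenDNS (fine), then 8.8.8.8 (a violation), and later has a second attempt at 8.8.8.8 dropped, which is what a correctly placed egress rule looks like. The unfiltered client is also flagged once because its policy lists only the ISP resolver and OpenDNS. A client outside both segments is not judged at all: that case usually means a host is on the wrong VLAN rather than a policy breach.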

The Hornet Nest You Are About to Step in

by a.portman In reply to Anyone have any thoughts ...

Some things to address before looking at a hardware solution:

Does your client have an Internet Access Policy? He/She/They should write one. TR has a nice one to start from: If they are not or cannot fire someone for surfing p0rn all day, everything else is just a waste of money. Unless you are a lawyer, you should in no way write this policy. That is not the technical skill they are paying you for, but it can bite you hard.

A content filter is going to be the easiest way to go. Manual router configurations will be your 24/7 job trying to maintain manual whitelists/blacklists. Barracuda and Smoothwall both offer good solutions for small companies. SonicWall is now a Dell company and looks good, although I have no experience with it recent enough to matter. Depending on your Linux skills you can take a look at Their website has not been updated in a year, so it may be a dead project.

I did work someplace where "Inappropriate Internet use was an HR matter." Then all I needed was IEHistoryView. You would be surprised what seeing me pull an Internet history from a now empty cubicle can do for productivity.

Thanks to all who took the time to reply...

by SmartAceW0LF In reply to Anyone have any thoughts ...

Your input regarding my question is very much appreciated. For the money, scalability and ease of implementation, my client chose the OpenDNS solution.

Again, I thank each of you for taking time out of your day to reply. You're all a significant part of what sets TR apart from the rest.

DNS Redirector

by JPElectron In reply to Anyone have any thoughts ...

DNS Redirector - Available 3 years prior to OpenDNS, no community voting problems, truly a security solution because you can block ads as a major source of adware/malware, no subscription fees, ability to block all and white-list some without limits. Runs inside your network on Windows server (on an Active Directory domain controller is fine). Allows for some users to bypass the block using AD policy, AD login, or unique password - and allows admins to see which clients (internal IPs) are visiting what sites.
