Limit outbound access to a subset of PC's

By tlc357
I have a network with 51 PCs and a 506E Pix as the firewall. I have been requested to set up 6 machines to only have outbound Web access to 2 domains. The machines are in the same subnet as the other 45 and are running Windows XP. Any ideas on the best way to accomplish this? I am not real familiar with ACLs, so I am not sure if they will work for this or not.


All Answers

by SYNner In reply to Limit outbound access to ...

Just to be safe, create an ACL with six /32 entries for those six PCs.

Are these PCs in a Domain?

by robo_dev In reply to Limit outbound access to ...

Lock down the proxy settings in the browser for these PCs.

Make the proxy a device that does not exist, then make your two allowed domains the proxy exceptions. Group policy can apply the restriction to prevent users from changing proxy settings.

ACLs can be problematic since many sites have multiple IP addresses.

Personally I would implement a content-filtering proxy server. My favorite is RhinoSoft AllegroSurf. A PC running XP with two NICs could run AllegroSurf. With it you can create a whitelist with just the two sites. You can make these restrictions by PC, by user, by time-of-day, etc.

It also allows password bypass of proxy restrictions (great for having to load a browser add-in such as Flash). This proxy works with Active Directory and logs everything. AllegroSurf also does caching and blocks ads, so it reduces network load.

I have installed this for several clients who are very pleased with it. And it's dirt cheap (like $40 a seat or less). In my testing, AllegroSurf does most of the things that WebSense can do, but it costs around 1/1000 the price.

Proxies can be bypassed

by SYNner In reply to Are these PCs in a Domain ...

If the objective of this is to block all off-net traffic except for 6 machines, then denying all traffic except for those six machines at the firewall is better. If you are only proxying web traffic, then someone can still bypass the proxies using things like SSH encrypted tunnels.

Not to argue, but...

by robo_dev In reply to Proxies can be bypassed

An SSH tunnel still has to have a destination address, so if it's not on the whitelist, it's not going to work.

The OP needs only two domains to work for six users. Blocking the correct PCs means making sure they are using static IPs or DHCP reservations, and also making sure that the websites of the two target domains only use a limited range of IP addresses. Most proxies can filter by PC IP address or Active Directory user name, which eliminates the issue of getting the correct PC filtered.

My experience with trying to filter content at the router is that many web sites are so complex that they pull elements from other IP ranges.

For example, a site like (199.81.*.*) has part of its content at (198.105.*.*), and even a couple of other parts of the content come from various other domains. So if you want the whole site to work, then you need to build some really ugly ACLs.
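As an added example (not posted by anyone in this thread), the Python below generates the kind of per-PC ACL SYNner suggests, in PIX 6.x-style syntax, and replays sample flows through a first-match evaluator so the entry ordering (per-PC web permits, per-PC deny, general permit for the other 45 PCs) can be checked before it is loaded on the firewall. The PC and site addresses are constructed placeholders; the destination entries stand for whatever the two domains resolve to today and, as robo_dev points out, have to be kept current.

```python
"""Build and sanity-check a first-match outbound ACL that confines six PCs to
two web sites. Constructed example: RFC 1918/5737 documentation addresses."""

PORT_NAMES = {"www": 80, "https": 443}
# The six restricted PCs; static IPs or DHCP reservations are assumed.
RESTRICTED_PCS = [f"192.168.1.{n}" for n in range(11, 17)]
# Current A records of the two permitted domains. Every extra address a
# site uses needs its own entry, which is the maintenance burden noted above.
ALLOWED_DESTS = {"www.example.com": ["203.0.113.10", "203.0.113.11"],
                 "www.example.net": ["198.51.100.20"]}

def build_acl(name, restricted, allowed, ports=("www", "https")):
    """PIX 6.x-style lines. Order matters: per-PC web permits, then a per-PC
    deny, then the general permit that keeps the other 45 PCs unaffected."""
    lines = []
    for pc in restricted:
        for dest in (ip for ips in allowed.values() for ip in ips):
            for port in ports:
                lines.append(f"access-list {name} permit tcp host {pc} host {dest} eq {port}")
        lines.append(f"access-list {name} deny ip host {pc} any")
    lines.append(f"access-list {name} permit ip any any")
    lines.append(f"access-group {name} in interface inside")
    return lines

def _parse(rule):
    """One access-list line -> (action, proto, src, dst, port); None = any."""
    t = rule.split()
    action, proto, i, addrs = t[2], t[3], 4, []
    for _ in range(2):                 # source, then destination
        if t[i] == "any":
            addrs.append(None); i += 1
        else:                          # "host A.B.C.D"
            addrs.append(t[i + 1]); i += 2
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return action, proto, addrs[0], addrs[1], port

def evaluate(acl, src, dst, proto="tcp", dport=80):
    """Action of the first matching entry; no match is the implicit deny."""
    for rule in acl:
        if not rule.startswith("access-list "):
            continue
        action, rproto, rsrc, rdst, rport = _parse(rule)
        if (rproto not in ("ip", proto) or rsrc not in (None, src)
                or rdst not in (None, dst) or (rport is not None and rport != dport)):
            continue
        return action
    return "deny"
```

Running `evaluate` over a restricted PC, a whitelisted address and port 22 shows that a tunnel to a permitted site is still dropped because only the web ports are opened.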
