want to block sites, can't from firewall

By mustafafafa
We have around 50 W2K/XP workstations (5 W2K servers) behind a SonicWall firewall. We do not have content filtering on the firewall and since we do not have any company policy on internet usage I am unable to get our subscription upgraded to include this.

However, one thing I would really like to do is to block file sharing sites like LimeWire, BearShare etc. I thought one idea might be to somehow use a script or Group Policy to deploy a Hosts file to each machine on the network with the following entries:

127.0.0.1 www.limewire.com
127.0.0.1 www.bearshare.com
etc...

Whether this would have been a good idea or not, the boss says no because the HOSTS file on a lot of machines is actually used by their quote vendors like Bloomberg, Reuters etc and these cannot be altered/replaced.

So basically my question is, are there any ideas for blocking certain websites on all machines when this cannot be done either at the firewall or by using a blanket HOSTS file?

Any suggestions most welcome


9 total posts (Page 1 of 1)  

On a network like that, HOSTS files are the way to go. Grab the HOSTS files off of the machines, and make sure all of the entries that they use are also in the HOSTS file you deploy.

There is no reason you can't have something like

x.x.x.x blahblah.reuters.com
127.0.0.1 bearshare.com
x.x.x.x bjkdlajke.bloomberg.com
127.0.0.1 limewire.com

and on and on and on


by G... In reply to want to block sites, can' ...

Setup a blacklist


by Jim_MacLachlan In reply to want to block sites, can' ...

I agree with 'allthegoodnames...'. Only addition would be that you can easily merge text files with a copy append through a batch or script file. Off the top of my head, I'd write a batch to do:
cd /d %systemroot%\system32\drivers\etc
rem hosts.new holds the block entries; the share path is a placeholder
copy \\server\share\hosts.new hosts.new
rem keep the original once; rerunning must not overwrite the backup
if not exist hosts.org ren hosts hosts.org
rem append the block entries after the vendor entries (original first)
copy hosts.org+hosts.new hosts

Something like that should do it, where hosts.new is the one that has the bearshare & other settings in it. It would put that information after their original information & leave you the original in case there is a problem. Then you'd just manually rename the files & be fixed. Great idea, BTW.
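The merge step above is where a deployment can silently break a vendor feed: a block entry for a name the vendor file already maps would shadow, or be shadowed by, the vendor's address. The following script is an added example, not the poster's batch file; it performs the same append in Python but first parses the existing hosts file, appends loopback entries only for names not already mapped, and reports any name the vendor file already owns so an operator can review it before deployment. The sample hosts content, the vendor hostnames and the block list are constructed for illustration.

```python
"""Merge site-block entries into an existing hosts file without clobbering
vendor entries (added example; all sample data below is constructed)."""

LOOPBACK = "127.0.0.1"

# Constructed sample of a workstation hosts file with vendor quote feeds.
EXISTING_HOSTS = """\
# workstation hosts file (constructed sample, not from the original post)
127.0.0.1 localhost
10.1.2.3 quotes.example-vendor.com   # quote feed
10.1.2.4 feed.example-vendor.com
"""

# Constructed block list; the last name deliberately collides with a vendor entry.
BLOCK_LIST = ["www.limewire.com", "www.bearshare.com", "feed.example-vendor.com"]


def parse_hosts(text):
    """Return (ip, [hostnames]) for each non-comment, non-blank line."""
    entries = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop trailing comments
        if not stripped:
            continue
        parts = stripped.split()
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def merge_hosts(existing_text, block_names):
    """Append loopback entries for block_names after the existing content.

    Windows uses the first matching hosts entry, so appending keeps every
    vendor mapping authoritative. Names the existing file already maps to a
    non-loopback address are reported as conflicts and left untouched;
    names already pointing at loopback are skipped, which makes the merge
    idempotent across repeated runs.
    """
    existing = parse_hosts(existing_text)
    already = {host: ip for ip, hosts in existing for host in hosts}
    conflicts = {}
    to_add = []
    for name in block_names:
        n = name.lower()
        if n in already:
            if already[n] != LOOPBACK:
                conflicts[n] = already[n]   # vendor-owned name: do not override
            continue
        to_add.append(n)
    merged = existing_text.rstrip("\n") + "\n"
    if to_add:
        merged += "# --- site blocks appended by merge script ---\n"
        merged += "".join(f"{LOOPBACK} {n}\n" for n in to_add)
    return merged, to_add, conflicts


def run_demo():
    """Merge the constructed block list into the constructed hosts file."""
    return merge_hosts(EXISTING_HOSTS, BLOCK_LIST)


if __name__ == "__main__":
    merged, added, conflicts = run_demo()
    print(merged)
    print("added:", added)
    print("conflicts (review before deploying):", conflicts)
```

Because the block entries are appended rather than prepended, a duplicate name always resolves to the vendor's address, so the worst case of a bad merge is an unblocked site rather than a broken quote feed; the conflicts dictionary is what to check before pushing the file out.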


by mshavrov In reply to want to block sites, can' ...

Instead of modifying the HOSTS files on each PC, you could install your own DNS server, point all workstations to your own DNS server, and do all "DNS cheating" in one location. Since you already have W2K/W2K3 servers, just install the DNS service on one of them.

Good luck,

Michael Shavrov
MCSE W2K, CCNP, CCDP, CCSP, Security+, CheckPoint CCSP, etc.
http://www.ciscoheadsetadapter.com


by lowlands In reply to want to block sites, can' ...

Even though you don't have content filtering, you should still be able to block the websites on your firewall by IP address.


by Greybeard770 In reply to want to block sites, can' ...

Set your clients to use an internal DNS server - probably an Active Directory domain controller that does forward lookups for domains it doesn't know. Then, YOU become the Start Of Authority for domains you don't want people going to. Create SOA records for those domains with no hosts in them. That way if they go to www.limewire.com or sharing.limewire.com or whatever.limewire.com your SOA server will respond that the host isn't found. Since you are the SOA (as far as they know) there is no reason to forward that request to the real SOA. This has worked real well for us with several similar domains and it's a lot simpler than the HOSTS file plan.
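The logic behind the empty-zone approach above is easy to get subtly wrong when the zone list grows, so here is an added example (not the poster's configuration, and not the Windows DNS service itself) that models the decision the internal server makes for each query: if the queried name falls inside a zone the server claims authority for, answer "not found"; otherwise forward. Matching is done on label boundaries, so `www.limewire.com` is caught while an unrelated `notlimewire.com` is not, and trailing dots and case are normalised the way a resolver would. The zone names are a constructed list.

```python
"""Model the sinkhole decision of an internal DNS server that is authoritative
for empty zones (added example; zone list is constructed)."""

# Constructed list of domains the internal server claims authority for.
SINKHOLE_ZONES = {"limewire.com", "bearshare.com"}


def normalize(name):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return name.strip().rstrip(".").lower()


def matching_zone(qname, zones):
    """Return the sinkholed zone that owns qname, or None.

    Only whole labels are compared: 'www.limewire.com' is inside
    'limewire.com', but 'notlimewire.com' is not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve_decision(qname, zones=SINKHOLE_ZONES):
    """('NXDOMAIN', zone) when the server is authoritative for an empty zone
    covering qname; ('FORWARD', None) when the query goes to the real resolver."""
    zone = matching_zone(qname, zones)
    if zone is None:
        return ("FORWARD", None)
    return ("NXDOMAIN", zone)


def redundant_zones(zones):
    """Zones already covered by a shorter sinkholed zone above them.

    Creating 'sharing.limewire.com' as its own empty zone is pointless when
    'limewire.com' is already sinkholed; this flags such entries.
    """
    zones = set(zones)
    return {z for z in zones if matching_zone(z, zones - {z}) is not None}


if __name__ == "__main__":
    for q in ["www.limewire.com", "sharing.limewire.com", "notlimewire.com",
              "LIMEWIRE.COM.", "www.example.org"]:
        print(f"{q:25} -> {resolve_decision(q)}")
    print("redundant:", redundant_zones(SINKHOLE_ZONES | {"sharing.limewire.com"}))
```

The `redundant_zones` check is the operational caveat: once a parent zone is sinkholed, every name beneath it already fails, so a list of sub-zones only adds maintenance without adding coverage.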


by B_Pope In reply to want to block sites, can' ...

I'm not sure why you would waste time blocking those sites anyway, wouldn't it be better to block porn sites instead?
Then again you'd need one heck of a hosts file to do that! Content filtering does a far better job with porn.

What is the actual concern here anyway?

That people will visit these sites, since there's no Internet policy who cares anyway!

If your boss wants them blocked, I think he needs to ask himself why, when it appears the rest of the Internet is fair game. Perhaps the boss needs a reality check regarding the Internet & maybe it's time to revisit why his Internet policy is non-existent.

I'm not trying to be a ****, but I think since they don't want to upgrade to some type of content filtering all they're doing is wasting your valuable time. I'm sure you have better things to do than worry about 3 or 4 harmless websites that employees may or may not visit, when there's tens of thousands of other sites that are far worse, that you're not going to block.

Heck I have 807,862,346 IP's blocked on my home PC's via PeerGuardian & your boss is worried about 3 or 4 IP's.


by jj2000 In reply to want to block sites, can' ...

Hi Mustafa,
A subscription to Sonicwall Content Filtering is only about $200-$1000 depending what unit you have (and that's LIST price).

A previous poster questioned why there is no 'acceptable use' policy and I do have to agree with that. To have security, you have to have a plan and you can't enforce something that doesn't exist.

HOWEVER there are some legal issues regarding peer-to-peer that operate independently of standard corp acceptable use policies. Even if your company doesn't yet have policies in place (I say YET b/c I hope you'll soon create one) I think you're on the right path blocking peer-to-peer if nothing else.

jj


by sgt_shultz In reply to want to block sites, can' ...

You want to maintain hosts files on 50 PCs, huh? Well, don't forget to include 'em in the backups.
I agree with the set up your own DNS server idea. What OS are your servers? You probably already have one, time to find it maybe (you can use DNS testing tools free from downloads.microsoft.com).
If they are giving you budget for the SonicWall solution and the only thing stopping you is the policy doc, you could write one this weekend. One page is enough. Boilerplate here at TechRepublic, pretty sure, and at other places like cert.org.
Easiest solution maybe, and what a feather to put in the resume cap...
