suggestion needed

Guest
Archived from groups: comp.security.firewalls (More info?)

Hi,

A more sophisticated firewall is needed for my friend's company (10-20
computers with T1 connection). Their router/firewall is good, but it
cannot stop clients from reaching specific web addresses. They can
consider adding another firewall or replacing the existing
router/firewall with the one that has the ability of filtering the
access by domain name, IP, port range etc per client. For example,
hotmail.com will be forbidden for client1 while msn will be forbidden
for all the clients etc. Too much chatting and online gaming is going
on I guess ;)

I'd appreciate it if you could give me a specific product name & model or a
resource where I can compare similar products with these features.

Thank you,

~D
 
Guest

DenoxiS wrote:

> Hi,
>
> A more sophisticated firewall is needed for my friend's company (10-20
> computers with T1 connection). Their router/firewall is good, but it
> cannot stop clients from reaching specific web addresses. They can
> consider adding another firewall or replacing the existing
> router/firewall with the one that has the ability of filtering the
> access by domain name, IP, port range etc per client. For example,
> hotmail.com will be forbidden for client1 while msn will be forbidden
> for all the clients etc. Too much chatting and online gaming is going
> on I guess ;)

Here's my suggestion. Tell them they have the "three strikes" rule. Then
use Smoothwall 2.0 Linux or a Linux IPTables-based firewall. Then poke
through the logs, and everyone who's caught surfing or accessing those sites
gets a strike per day they accessed them.
I think it's sorta sad that modern admins are afraid to tell people "do not
access this site" and afraid to back it up. Businesses are afraid to tell
their employees not to do something. Bosses and personnel staff are afraid
to come across as not "cool". Either that, or the military is getting to
me lol.
Anyways, that's my rant. If you want something with automatic site
blocking, you should think about using something with content blocking. I
suggest you subscribe to PC Magazine -- they just ran a great article on
the current products out there, and the strengths and weaknesses of them
all.

>
> I'd appreciate it if you could give me a specific product name & model or a
> resource where I can compare similar products with these features.
>
> Thank you,
>
> ~D

--
One seldom sees a monument to a committee.
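The log review this post proposes, as an added example that is not part of the original post: a POSIX shell script that walks Squid native-format access.log lines against a blocklist and reports, per client, the number of distinct days (UTC) on which that client reached a blocked domain, so one strike per day however many hits that day. The log lines, the blocklist and the client addresses are constructed for the example; the only thing it relies on is Squid's native log layout (timestamp, elapsed, client, status, bytes, method, URL, ...).

```shell
#!/bin/sh
# Added example (not from the original post): count "strikes" per client from
# Squid native-format access.log lines. A strike is one calendar day (UTC) on
# which the client fetched anything under a blocked domain, however many hits.
# Native format fields: time elapsed client code/status bytes method URL ident
# hierarchy/from type. Client IPs, domains and timestamps below are constructed.

# Usage: strikes_per_client BLOCKLIST_FILE ACCESS_LOG  ->  "client strikes" per line
strikes_per_client() {
    awk '
    # Days since 1970-01-01 to YYYY-MM-DD (civil-from-days, proleptic Gregorian),
    # so the report shows dates instead of epoch seconds without relying on a
    # non-portable date(1) flag.
    function civil(z,   era, doe, yoe, y, doy, mp, d, m) {
        z += 719468
        era = int((z >= 0 ? z : z - 146096) / 146097)
        doe = z - era * 146097
        yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
        y = yoe + era * 400
        doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
        mp = int((5 * doy + 2) / 153)
        d = doy - int((153 * mp + 2) / 5) + 1
        m = mp < 10 ? mp + 3 : mp - 9
        if (m <= 2) y++
        return sprintf("%04d-%02d-%02d", y, m, d)
    }
    # First file: the blocklist, one domain per line, comments start with #.
    FNR == NR { if ($0 != "" && $0 !~ /^#/) blocked[++n] = $0; next }
    # Remaining lines: the access log. Take the host out of the URL field;
    # GET carries a full URL, CONNECT carries "host:port" with no scheme.
    {
        host = $7
        sub(/^[a-z]+:\/\//, "", host)
        sub(/[\/:].*$/, "", host)
        for (i = 1; i <= n; i++) {
            b = blocked[i]
            # exact match, or a subdomain (leading dot required, so notmsn.com is not msn.com)
            if (host == b || substr(host, length(host) - length(b)) == "." b) {
                seen[$3 SUBSEP civil(int($1 / 86400))] = 1
                break
            }
        }
    }
    END {
        for (k in seen) { split(k, p, SUBSEP); strikes[p[1]]++ }
        for (c in strikes) print c, strikes[c]
    }' "$1" "$2" | sort
}

# Constructed sample input: two clients over 2004-04-06 and 2004-04-07 (UTC).
SAMPLE_BLOCKLIST='# one domain per line; subdomains are covered
hotmail.com
msn.com'

SAMPLE_LOG='1081276800.123    245 192.168.1.101 TCP_MISS/200 4521 GET http://www.hotmail.com/cgi-bin/login - DIRECT/64.4.32.7 text/html
1081280400.456     12 192.168.1.101 TCP_HIT/200 812 GET http://www.hotmail.com/favicon.ico - NONE/- image/x-icon
1081296000.789    310 192.168.1.102 TCP_MISS/200 9001 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1081363200.001    150 192.168.1.101 TCP_MISS/200 3000 CONNECT messenger.hotmail.com:1863 - DIRECT/64.4.13.15 -
1081363260.002    140 192.168.1.102 TCP_MISS/200 2200 GET http://messenger.msn.com/ - DIRECT/207.46.106.2 text/html
1081363320.003    130 192.168.1.102 TCP_MISS/200 1800 GET http://notmsn.com/ - DIRECT/192.0.2.11 text/html'

# Run the scan over the constructed sample; prints "192.168.1.101 2" and "192.168.1.102 1".
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_BLOCKLIST" > "$dir/blocklist"
    printf '%s\n' "$SAMPLE_LOG" > "$dir/access.log"
    strikes_per_client "$dir/blocklist" "$dir/access.log"
    rm -rf "$dir"
}

demo
```

Against a real proxy this is `strikes_per_client /etc/squid/blocked.txt /var/log/squid/access.log` (paths assumed). Two hotmail hits on the same day count once for 192.168.1.101, the CONNECT to messenger.hotmail.com:1863 on the next day is the second strike, and notmsn.com is not matched because the check demands an exact match or a leading dot.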
 
Guest

DenoxiS wrote:


> A more sophisticated firewall is needed for my friend's company (10-20
> computers with T1 connection). Their router/firewall is good, but it
> cannot stop clients from reaching specific web addresses. They can
> consider adding another firewall or replacing the existing
> router/firewall with the one that has the ability of filtering the
> access by domain name, IP, port range etc per client. For example,
> hotmail.com will be forbidden for client1 while msn will be forbidden
> for all the clients etc. Too much chatting and online gaming is going
> on I guess ;)


The Squid proxy (opensource *nix product) ACLs allow precisely that,
and much more, on a global or per user basis using MAC addresses.

If you're blocking entire domains, it's probably more efficient to
do that by running a local DNS server on the same box running
Squid, creating a dummy zone that points to a local webserver
sporting a single "blocked in DNS" page, and then declaring your
local DNS server as the "master" for all blocked domains.

If you need to block IPs or entire netblock ranges for all
users, IPTables is probably best. The latest incarnations of
IPtables can do matching on MAC addresses, so you can do per-user
filtering that way, too.

What I've done is use Squid for the per-user stuff, and BIND or
IPtables for the 'nobody-needs-to-go-there' stuff.

One caution about logging: warn everybody first, so nobody
gets caught in the logs without LOTS of prior warning.

IT admins have lost their jobs because they implemented the
filtering and logging their boss asked for, and then
inadvertently caught their boss's boss surfing porn or whatnot.

Even then, it's probably safer to use the approach of
silently instituting global blocks of bad sites (porn,
gambling, games, proxies, anonymizers, etc.) that show up
in the logs. After all, the boss's boss isn't going to
publicly complain, or even inquire, when he/she can no
longer access giantXXXboobs.com or hotf-ingstories.com.
Unless it's YOUR company, you really don't want to log a
lot of higher-ups misbehaving.
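The three mechanisms this post describes (Squid ACLs per client, a local DNS server declared master for blocked domains with a dummy zone pointing at a "blocked" web page, iptables with MAC matching for netblocks nobody needs) generated from one plain rules file, as an added example that is not the poster's own configuration. The rules-file format, the sinkhole address 192.168.1.5, the zone file path, the inside interface name and every client address and MAC are assumptions made for the example. The Squid part keys per-client rules on the source IP; on a Squid build that has the arp ACL type compiled in, that type can replace src to key on the MAC as the post suggests.

```shell
#!/bin/sh
# Added example (not from the original post): turn one rules file into
#  (1) per-client Squid ACLs,
#  (2) named.conf stanzas making the local BIND master for globally blocked
#      domains, all sharing one dummy zone that resolves to a sinkhole web server,
#  (3) iptables FORWARD rules keyed on a client MAC for unwanted netblocks.
# Addresses, MACs, paths and the rules format are assumptions for this example.
#
# Rules file, one rule per line:
#   domain  <client-ip|*>   <domain>   e.g.  domain 192.168.1.101 hotmail.com
#   net     <client-mac|*>  <cidr>     e.g.  net    00:11:22:33:44:55 198.51.100.0/24

SINKHOLE_IP="${SINKHOLE_IP:-192.168.1.5}"                  # assumed "blocked in DNS" web server
BLOCKED_ZONE_FILE="${BLOCKED_ZONE_FILE:-/etc/bind/db.blocked}"
LAN_IF="${LAN_IF:-eth1}"                                    # assumed inside interface

# Squid: one dstdomain ACL per blocked domain, denied for everyone ("*") or
# only for the named client. Paste above the http_access allow line for the LAN.
gen_squid_conf() {
    awk '$1 == "domain" {
        name = $3; gsub(/[^A-Za-z0-9]/, "_", name)
        printf "acl blk_%s dstdomain .%s\n", name, $3
        if ($2 == "*") {
            printf "http_access deny blk_%s\n", name
        } else {
            cli = $2; gsub(/[^A-Za-z0-9]/, "_", cli)
            if (!(cli in seen)) { seen[cli] = 1; printf "acl cli_%s src %s\n", cli, $2 }
            printf "http_access deny cli_%s blk_%s\n", cli, name
        }
    }' "$1"
}

# BIND: only global ("*") blocks belong in DNS, since DNS cannot tell clients apart.
gen_named_conf() {
    awk -v zf="$BLOCKED_ZONE_FILE" '$1 == "domain" && $2 == "*" {
        printf "zone \"%s\" { type master; file \"%s\"; };\n", $3, zf
    }' "$1"
}

# The shared zone file: relative names, so the same file serves every origin.
# Apex and wildcard both answer with the sinkhole address.
gen_zone_file() {
    cat <<EOF
\$TTL 300
@   IN  SOA  ns hostmaster ( 1 3600 900 604800 300 )
@   IN  NS   ns
ns  IN  A    $SINKHOLE_IP
@   IN  A    $SINKHOLE_IP
*   IN  A    $SINKHOLE_IP
EOF
}

# iptables: drop forwarded traffic to a netblock, for everyone or for one MAC.
# The mac match only sees clients on the firewall's own segment; a router in
# between would present its own MAC instead.
gen_iptables_rules() {
    awk -v ifc="$LAN_IF" '$1 == "net" {
        if ($2 == "*")
            printf "iptables -A FORWARD -i %s -d %s -j DROP\n", ifc, $3
        else
            printf "iptables -A FORWARD -i %s -m mac --mac-source %s -d %s -j DROP\n", ifc, $2, $3
    }' "$1"
}

# Constructed sample rules matching the original question: hotmail for one
# client, msn for everyone, plus two netblocks.
SAMPLE_RULES='# type  client             target
domain  192.168.1.101      hotmail.com
domain  *                  msn.com
domain  *                  example.net
net     00:11:22:33:44:55  198.51.100.0/24
net     *                  203.0.113.0/24'

demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_RULES" > "$f"
    echo "### squid.conf fragment";   gen_squid_conf "$f"
    echo "### named.conf fragment";   gen_named_conf "$f"
    echo "### $BLOCKED_ZONE_FILE";    gen_zone_file
    echo "### firewall rule script";  gen_iptables_rules "$f"
    rm -f "$f"
}

demo
```

Because the DNS trick cannot distinguish clients, the generator only puts the "*" domains into named.conf; per-client domains go to Squid alone, which is the split the post describes. The wildcard record means subdomains such as messenger.msn.com land on the sinkhole page too.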
 
Guest

You could try a gateway router using Linksys FW router in front of an IPCop
firewall machine and IP blocking using Linksys broadband routers using IP
blocking outbound.

The gateway router would keep the main firewall hidden, the IPCop would keep
everything but outbound and reply blocked and the broadband routers could do
the outbound filtering based on preferences... at least it should work,
haven't tried it.





On 6 Apr 2004 12:27:05 -0700, google@deniznet.com (DenoxiS) wrote:

--->Hi,
--->
--->A more sophisticated firewall is needed for my friend's company (10-20
--->computers with T1 connection). Their router/firewall is good, but it
--->cannot stop clients from reaching specific web addresses. They can
--->consider adding another firewall or replacing the existing
--->router/firewall with the one that has the ability of filtering the
--->access by domain name, IP, port range etc per client. For example,
--->hotmail.com will be forbidden for client1 while msn will be forbidden
--->for all the clients etc. Too much chatting and online gaming is going
--->on I guess ;)
--->
--->I'd appreciate it if you could give me a specific product name & model or a
--->resource where I can compare similar products with these features.
--->
--->Thank you,
--->
--->~D

Progressives are mere Socialists who plan on being
"In Charge" after they make everyone else "equal".

Yaketyak
 
Guest

"DenoxiS" <google@deniznet.com> wrote in message
news:d2478899.0404061127.13cddb52@posting.google.com...
> Hi,
>
> A more sophisticated firewall is needed for my friend's company (10-20
> computers with T1 connection). Their router/firewall is good, but it
> cannot stop clients from reaching specific web addresses. They can
> consider adding another firewall or replacing the existing
> router/firewall with the one that has the ability of filtering the
> access by domain name, IP, port range etc per client. For example,
> hotmail.com will be forbidden for client1 while msn will be forbidden
> for all the clients etc. Too much chatting and online gaming is going
> on I guess ;)
>
> I'd appreciate it if you could give me a specific product name & model or a
> resource where I can compare similar products with these features.

You may have to go to a FW appliance that has URL management. You'll have to
investigate how sophisticated the URL management is on the appliances.

http://www.cdw.com/shop/search/Results.aspx?key=WatchGuard&platform=all&x=15&y=8
http://www.cyberguard.com/snapgear/

There are others like Cisco.

Duane :)





>
> Thank you,
>
> ~D