Blocking Internet Access


Nik Alleyne

Hi All,
I have a medium-sized LAN running pure Win2K. I would like to prevent
some of my users from accessing the internet. Can you all tell me the best way
to go about this?
Thanks in advance
Nik
 
Would ISA Server run from the server, taking into consideration that the server is
not acting as the gateway? I have a Cisco router at my gateway.
Nik
 
"Nik Alleyne" said:
Hi All,
I have a medium-sized LAN running pure Win2K. I would like to prevent
some of my users from accessing the internet. Can you all tell me the best way
to go about this?

What firewall are you using?

If you don't have a firewall, then you need one, even a simple NAT
router at the least.

Just block outbound port 80.
 
There is a newsgroup called comp.security.firewalls that might be able to offer
some unbiased advice on a decent proxy/firewall.

Not to rock the boat or anything ;)
 
"Nik Alleyne" said:
Would ISA Server run from the server, taking into consideration that the server is
not acting as the gateway? I have a Cisco router at my gateway.
Nik

Get a cheap NAT box and block port 80 outbound.
 
Yeah, but isn't that going to block traffic for the entire subnet? Note: my
network is not subnetted, so wouldn't this option prevent all users from
going out to the internet? Also, it is just a couple of users I want to
block.
Nik
 
If these users always use the same computer and blocking access to the
computer would work, you can configure an IPsec filtering policy to block
their computers from accessing the internet by first creating a mirrored
block-all rule and then adding a mirrored permit rule for your subnet. IPsec
policy can be applied via Group Policy to make it easier to manage more than
a few computers, and IPsec policy can be exported/imported. The link below
shows more detail.

http://www.securityfocus.com/infocus/1559

If the users are not local administrators on their computers, you can simply
assign a bogus default gateway to the computer. Another possibility is to
configure your firewall to block outbound access for these users' computers,
in which case they would need static IP addresses to make the rules work
consistently; otherwise, when they get a new IP address via DHCP, they may
then be allowed access.

Some have used Group Policy to push a "bogus" proxy server IP address to
"users", but that method will only restrict access for Internet Explorer. ISA
Server is the best solution for "user" internet restrictions, using the web proxy
[limited restriction] or the firewall client [total restriction] for user
rules, but it is not cheap, has a learning curve, and the ISA server will be
the gateway for all the computers. Another consideration is a personal
firewall that can have different settings per logged-on user if multiple
users need to use the same computer. Portslock makes such a product, and they
have a free trial download. --- Steve

http://www.portslock.com/ -- Portslock.
 
"Nik Alleyne" said:
Yeah, but isn't that going to block traffic for the entire subnet? Note: my
network is not subnetted, so wouldn't this option prevent all users from
going out to the internet? Also, it is just a couple of users I want to
block.

Sort of. A typical SOHO NAT box can specify that some IPs are private.
This means that they can't get OUT of the network, which would also
block them (if using fixed IPs) from getting to the net, but it would
impact ANY user of that specific IP.

If you want to have filtering based upon user name, then you need to get
a firewall that lets you set up users, block everyone from the web, and
get users to login/auth with the firewall, which will have a rule
allowing authenticated users to have full web access.

If you use fixed IPs internally, and your people have their own
computers, then a simple Linksys NAT box would work, if you blocked by
IP.
 
Taking into consideration that we are using DHCP, I will have to prevent
access by username. So do you have any vendors that you would recommend?
Nik
 
"Nik Alleyne" said:
Taking into consideration that we are using DHCP, I will have to prevent
access by username. So do you have any vendors that you would recommend?

Well, there is nothing that forces you to use dynamic IPs inside your
network, but it is nice.

I have a firewall in my home to block access to questionable sites for
my kids' protection. The WatchGuard Firebox has a web-blocker ability;
it has 14 categories of restriction groups. I have two HTTP proxy
services set up, one for authenticated users (me and my wife) and one for
unauthenticated users (anyone else). I have also entered IP exceptions
into the unrestricted HTTP rule that allow my workstation and 12 servers
complete HTTP access. With this method, when I'm at one of the kids'
machines and I want unrestricted access to the web, I open a browser
page to the firewall, enter my user name and password, minimize the
window, and then open a new browser window and browse from that,
completely unrestricted.

I have the same setup in most clients' offices: the entire company accesses the
web through the filtered web-blocker service, select managers get full access
based on their IP, and users with firewall accounts can get full access
from anywhere using a firewall user/password.

I don't know how many users you have, but the fixed IP method and then
simple blocking at a NAT box would seem to be an easy solution.

You can also set up the firewall to recognize the user if you set up
RADIUS on the network.
 
Since you are running a Cisco router, you can block with ACLs on the router.
Is the router doing the NAT/PAT function for you? Also, you can reserve IP
addresses for host machines in DHCP, so if the limited group of people always
log into the same machine, you can then build an ACL with those IP addresses
and you are done. If you are looking for something that will work with AD
and authenticate the user first, you can do that also with TACACS+ and a PIX
firewall. Are you just trying to prevent folks from getting to particular
sites, or out to the Internet, period? You can also run a proxy server
internally and only allow the proxy to go outbound and block everyone else.
There are lots of options to work with; it really depends on what you want
to do.

Regards,
Ed Horley
Microsoft MVP Server-Networking
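Two of the address-based approaches in this thread, Steve's host IPsec filter policy (a mirrored block-all filter plus a mirrored permit filter for the subnet) and Ed's router ACL with DHCP reservations, rely on different matching rules, and both break in the way Steve warns about if the blocked machine's address changes. The small simulator below is an added example, not code from any poster or vendor: it models Windows IPsec filter evaluation as "most specific matching filter wins, no match means traffic passes" and Cisco-style ACL evaluation as "first match wins, implicit deny at the end". The LAN 192.168.1.0/24, the restricted host 192.168.1.50, the internet address 203.0.113.5 and the lease change to 192.168.1.77 are constructed sample values.

```python
"""Simulate the two address-based blocking approaches discussed in the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str                     # source address or network in CIDR notation
    dst: str                     # destination address or network in CIDR notation
    action: str                  # "permit" or "block" (block = Cisco "deny")
    dport: Optional[int] = None  # TCP destination port, None means any port
    mirrored: bool = False       # IPsec-style filter that also covers the reverse direction

    def _forward(self, src: str, dst: str, dport: Optional[int]) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def matches(self, src: str, dst: str, dport: Optional[int]) -> bool:
        if self._forward(src, dst, dport):
            return True
        # A mirrored filter matches replies with the addresses swapped. The thread's
        # mirrored rules carry no port, so the reverse check here ignores ports.
        return self.mirrored and self.dport is None and self._forward(dst, src, None)

    def specificity(self) -> int:
        # Longer prefixes and an explicit port make a filter more specific.
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
                + (1 if self.dport is not None else 0))


def ipsec_decision(filters, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Windows IPsec semantics: the most specific matching filter wins;
    traffic that matches no filter is passed untouched."""
    hits = [f for f in filters if f.matches(src, dst, dport)]
    if not hits:
        return "permit"
    return max(hits, key=Rule.specificity).action


def acl_decision(acl, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Cisco-style ACL semantics: entries are tried in order, the first match
    wins, and an implicit deny sits at the end of the list."""
    for entry in acl:
        if entry.matches(src, dst, dport):
            return entry.action
    return "block"


# Constructed sample network (not from the thread).
LAN = "192.168.1.0/24"
RESTRICTED_HOST = "192.168.1.50"   # DHCP reservation for the restricted user's PC
INTERNET_HOST = "203.0.113.5"      # documentation-range address standing in for a web server

# Steve's approach: IPsec policy assigned to the restricted PC itself.
HOST_POLICY = [
    Rule(f"{RESTRICTED_HOST}/32", "0.0.0.0/0", "block", mirrored=True),  # mirrored block all
    Rule(f"{RESTRICTED_HOST}/32", LAN, "permit", mirrored=True),         # mirrored permit subnet
]

# Ed's approach: ACL applied inbound on the router's LAN interface.
ROUTER_ACL = [
    Rule(f"{RESTRICTED_HOST}/32", "0.0.0.0/0", "block", dport=80),  # deny tcp host .50 any eq 80
    Rule("0.0.0.0/0", "0.0.0.0/0", "permit"),                       # permit ip any any
]
# The same two entries in the wrong order: the permit-any shadows the deny.
MISORDERED_ACL = list(reversed(ROUTER_ACL))


def demo() -> dict:
    """Evaluate a handful of flows under each policy."""
    return {
        "ipsec_to_lan": ipsec_decision(HOST_POLICY, RESTRICTED_HOST, "192.168.1.10", 445),
        "ipsec_to_internet": ipsec_decision(HOST_POLICY, RESTRICTED_HOST, INTERNET_HOST, 80),
        "ipsec_reply_from_lan": ipsec_decision(HOST_POLICY, "192.168.1.10", RESTRICTED_HOST),
        "acl_web": acl_decision(ROUTER_ACL, RESTRICTED_HOST, INTERNET_HOST, 80),
        "acl_other_host": acl_decision(ROUTER_ACL, "192.168.1.20", INTERNET_HOST, 80),
        # The DHCP caveat: without a reservation the PC moves to .77 and slips past the ACL.
        "acl_after_dhcp_change": acl_decision(ROUTER_ACL, "192.168.1.77", INTERNET_HOST, 80),
        "acl_misordered": acl_decision(MISORDERED_ACL, RESTRICTED_HOST, INTERNET_HOST, 80),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The two evaluators are deliberately different: under the IPsec model the permit-subnet filter wins over the block-all filter only because it is more specific, so order in the list does not matter, while under the ACL model order is everything, which the `MISORDERED_ACL` case shows. The `acl_after_dhcp_change` case is the reason Ed suggests DHCP reservations and Steve suggests static addresses.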
 
"Nik Alleyne" said:
Yeah, but isn't that going to block traffic for the entire subnet? Note: my
network is not subnetted, so wouldn't this option prevent all users from
going out to the internet? Also, it is just a couple of users I want to
block.
Nik

Can't you do this on Cisco?
 