Security ideas needed

Thread starter: Menno Hershberger

Menno Hershberger
This is a bit off topic, but excess spyware brought it on.
The boss of this outfit wants to restrict all but two of his computers
from web access. However, all users must be able to access email and other
internet services and to access an outside VPN network. His Linksys VPN
router can be programmed to block ALL internet service from a certain
range of local IPs, but not just port 80. A D-Link router is capable of
doing it, but his is an expensive Linksys (BEFVP41) that is all set up
for his VPN and no one wants to mess with it. Whoever set it up has flown
the coop. So, barring that idea, what other way could we set up those
computers to block port 80? None of his users are real computer savvy so
if we could do it on a computer by computer basis, none of them would
probably figure a way around it. Ideally, it would be something that
required administrative privileges to set up. Most all the computers are
XP. Hell, we'd even consider parental controls, if that's what it took.
Any ideas?
 
I'm a little worried about "other needed internet services."

I'm looking at an HTML version of the PDF manual for that device, and under
Figure 6-30 (which I can't see) it specifies:

IP filters block specific internal users from accessing the Internet and
enable VPN tunnels. You can set up filters by using IP addresses or network
port numbers (or a range of ports).

I've used that port range specification method to block my 17 year-old son's
Internet access during certain hours (actually, I should probably turn that
off--our relationship doesn't need the aggravation!)

Anyway--blocking by port range seems like it should do the job.

I don't know what the VPN tunnel filters would look like--my bet is that if
you look at this area of the router, you'll find nothing set up there at
all.

Set the 2 machines which want Internet access to manually configured IPs
outside the range given out by the Linksys's DHCP feature--remember to put
in IP address, Gateway address, DNS server, and Subnet mask--where typically
Gateway and DNS would both be the Linksys router.

Create ranges of blocked ports which exclude pop3, smtp, and whatever else
is needed--if you can clarify what's needed we can probably tell you what
ports need to be left open--the fewer the better.

So much goes over 80 these days that I'm a bit worried about your "other
needed services" spec.
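The "ranges of blocked ports which exclude pop3, smtp" step above is easy to get wrong by hand (an off-by-one either leaks a port or breaks mail). The following is an added example, not code posted in this thread, that computes the inclusive port ranges to type into a router's "block port range" filter so that everything except a short allow-list is blocked, and then verifies the result covers exactly the complement. Ports 25 (smtp) and 110 (pop3) are the ones the reply names; 53 (DNS) is an assumption added so the mail client can still resolve the mail server's name. Whatever the VPN client and the "Point" application need is not known from the thread and would have to be added to the allow-list before this is applied.

```python
"""Compute router 'block port range' entries from a short allow-list.

Added example for this thread, not the poster's or Linksys's own code.
Port numbers in DEFAULT_ALLOWED are partly from the thread (25, 110) and
partly an assumption for illustration (53).
"""
from typing import Dict, Iterable, List, Tuple

PORT_MIN, PORT_MAX = 1, 65535

# Constructed allow-list: 25 and 110 come from the reply (smtp, pop3);
# 53 (DNS) is assumed so mail clients can look up the mail server's name.
DEFAULT_ALLOWED: Dict[int, str] = {
    25: "smtp",
    53: "dns",
    110: "pop3",
}


def blocked_ranges(allowed: Iterable[int],
                   lo: int = PORT_MIN,
                   hi: int = PORT_MAX) -> List[Tuple[int, int]]:
    """Return the contiguous inclusive ranges in [lo, hi] NOT in `allowed`.

    This is the form a router's "block by port range" filter expects.
    Allowed ports outside [lo, hi] are ignored.
    """
    keep = sorted({p for p in allowed if lo <= p <= hi})
    ranges: List[Tuple[int, int]] = []
    start = lo
    for p in keep:
        if p > start:                     # gap before this allowed port
            ranges.append((start, p - 1))
        start = p + 1                     # resume just after it
    if start <= hi:                       # tail after the last allowed port
        ranges.append((start, hi))
    return ranges


def is_blocked(port: int, ranges: Iterable[Tuple[int, int]]) -> bool:
    """True if `port` falls inside any of the inclusive ranges."""
    return any(s <= port <= e for s, e in ranges)


def check_policy(allowed: Iterable[int],
                 ranges: Iterable[Tuple[int, int]],
                 lo: int = PORT_MIN,
                 hi: int = PORT_MAX) -> bool:
    """Verify the ranges block every port except the allowed ones, and no more."""
    allowed_set = set(allowed)
    ranges = list(ranges)
    return all(is_blocked(p, ranges) != (p in allowed_set)
               for p in range(lo, hi + 1))


if __name__ == "__main__":
    rules = blocked_ranges(DEFAULT_ALLOWED)
    assert check_policy(DEFAULT_ALLOWED, rules)
    print("Allowed:", ", ".join(f"{p}/{n}" for p, n in sorted(DEFAULT_ALLOWED.items())))
    print("Block these port ranges (inclusive):")
    for s, e in rules:
        print(f"  {s}-{e}")
    print("port 80 blocked:", is_blocked(80, rules))
```

Note that 443 is not on the allow-list, so HTTPS is blocked along with port 80; if that is not wanted, add 443 and the ranges split accordingly. Also keep in mind that this only produces the port side of the filter: on the Linksys screen discussed here a port-range filter applies to every LAN host, so the two machines that keep web access still need a separate mechanism.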
 
chief issue will be whether you know the password to get into the VPN router
box.

If you don't, you can't just reset it to defaults, 'cause you'd have to then
redo the configuration, and you don't know how it is set.

Time to educate the business owner about passwords and consultants.

--
 
> I'm a little worried about "other needed internet services."
>
> I'm looking at an HTML version of the PDF manual for that device, and
> under Figure 6-30 (which I can't see) it specifies:
>
> IP filters block specific internal users from accessing the Internet
> and enable VPN tunnels. You can set up filters by using IP addresses
> or network port numbers (or a range of ports).
>
> I've used that port range specification method to block my 17 year-old
> son's Internet access during certain hours (actually, I should
> probably turn that off--our relationship doesn't need the
> aggravation!)
>
> Anyway--blocking by port range seems like it should do the job.

Problem there is if I block port 80, then it'll block it on ALL the
computers, including the ones we want access on.
If I block 192.168.1.100-254 and give the two computers we want to have
access static IPs under that, then the blocked ones will be blocked from
*everything*.
Or that's the way it looks to me anyway.
I have a Linksys router here I was playing with... it's not the VPN
model, but the filters are the same. It was either block port 80 on all of
them, or block all access on some of them.
I downloaded that pdf file... the Figure 6-30 was all blurred, but here
is a screen shot of it off my router. It's the same screen.

http://www.mewnlite.com/filter.gif

The D-Link router that I'm actually using has the ability to block
certain ports on certain ranges, which works perfectly. Too bad that's not
what he has.

> I don't know what the VPN tunnel filters would look like--my bet is
> that if you look at this area of the router, you'll find nothing set
> up there at all.

They have a program called "Point" by CALYX that involves getting into
another network somewhere. All the users need to be able to use that. This
guy is a mortgage broker. Same one that sent me that machine with the
spyware problem the other day. His "users" are loan officers. You don't
even want to hear about what we found in their IE history. Dating services
for one, looks like another one is trying to find a job.... :-)
 
> chief issue will be whether you know the password to get into the VPN
> router box.
>
> If you don't, you can't just reset it to defaults, 'cause you'd have
> to then redo the configuration, and you don't know how it is set.
>
> Time to educate the business owner about passwords and consultants.

I've been playing around with Norton Internet Security's Parental
Controls. Created a limited user account on my own computer. You can do
just about anything you want with that. I wonder what they'd think when
they see that "Loading Parental Controls..." screen coming up... :-)
 