Blocking web sites

steve wilson

Senior member
Sep 18, 2004
Hi,
We are a small business with 6 office workers in total and I want to block some web sites from being accessed. I have a DrayTek Vigor 2820 router and have managed to block web sites using the URL filter. But it will not block secure web sites, like personal banking web sites. https:// sites will just bypass the router's URL blocking list.

What is the best way for me to block web sites?

We are running SBS 2003 and all machines have Windows XP SP3 on them.

Regards
Steve
 

stlcardinals

Senior member
Sep 15, 2005
Lots of places use OpenDNS as a free solution to this problem. Your results with it may be varied.

Other places go with something like pfsense and dansguardian.

In my opinion, the easiest is to have a written Acceptable Computer Use policy and enforce it. Someone does something to break it, write them up or fire them.
 

drebo

Diamond Member
Feb 24, 2006
If you're running SBS 2003, and you have a fairly limited list of sites you want to block, just create a zone in your local DNS server for that site and leave it empty.

* NOTE: anyone with a little bit of knowledge can get around this kind of block (as well as OpenDNS).

The reason HTTPS connections are bypassing your filter is because the URL is also encrypted and your router doesn't participate in that connection so it isn't privy to the keys being used. Some routers can do this (Palo Alto) but they're fairly expensive.
 

steve wilson

Senior member
Sep 18, 2004
> If you're running SBS 2003, and you have a fairly limited list of sites you want to block, just create a zone in your local DNS server for that site and leave it empty.
>
> * NOTE: anyone with a little bit of knowledge can get around this kind of block (as well as OpenDNS).
>
> The reason HTTPS connections are bypassing your filter is because the URL is also encrypted and your router doesn't participate in that connection so it isn't privy to the keys being used. Some routers can do this (Palo Alto) but they're fairly expensive.

I'm not sure how to create a zone in my local DNS server and leave it empty. Please can you give me a few tips?
 

serpretetsky

Senior member
Jan 7, 2012
Well, HTTPS is the protocol. As far as I know, the IP is still the same.

In other words:
the domain is NOT https://bofa.com
the domain IS bofa.com
http and https are protocols to the same domain.

So it doesn't matter if it's http or https, the IP is the same.
 

QuietDad

Senior member
Dec 18, 2005
You could also push a HOSTS file on all the PCs. Simple list of the IP/Domain you don't want them to get to, a space followed by 127.0.0.1 and saved as HOSTS. It's in system32/drivers/etc and maybe hidden.
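
The HOSTS-file approach as an added example (not code from anyone in this thread): it reduces block-list entries such as `https://...` URLs to bare hostnames, then rewrites one managed section of the file so repeated pushes do not pile up duplicates. The section markers, function names and the domain `blocked-example.test` are assumptions made for illustration.

```python
"""Added example: keep a managed block section in a Windows HOSTS file."""
from urllib.parse import urlsplit

BEGIN = "# BEGIN managed block list"   # hypothetical section markers
END = "# END managed block list"
SINK = "127.0.0.1"

def to_hostname(entry):
    """Reduce 'https://Example.com/login' or 'example.com' to 'example.com'."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry           # let urlsplit see a network location
    host = (urlsplit(entry).hostname or "").rstrip(".").lower()
    if not host or any(c.isspace() for c in host):
        raise ValueError("not a hostname: %r" % entry)
    return host

def block_lines(entries):
    """HOSTS lines (address first, then name) for each host and its www form."""
    names = []
    for entry in entries:
        host = to_hostname(entry)
        bare = host[4:] if host.startswith("www.") else host
        for name in (bare, "www." + bare):
            if name not in names:
                names.append(name)
    return ["%s %s" % (SINK, n) for n in names]

def merge_hosts(existing, entries):
    """Return HOSTS text with the managed section replaced, the rest untouched."""
    kept, inside = [], False
    for line in existing.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)
    while kept and not kept[-1].strip():
        kept.pop()                     # drop trailing blank lines before the section
    return "\r\n".join(kept + ["", BEGIN] + block_lines(entries) + [END]) + "\r\n"

# Constructed sample input; blocked-example.test is a placeholder domain.
SAMPLE_HOSTS = "# local names\r\n127.0.0.1 localhost\r\n192.168.1.10 sbs2003\r\n"
if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, ["https://blocked-example.test/login"]))
```

HOSTS entries match exact names only, so every subdomain to be blocked needs its own line.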
 

re_young

Junior Member
Oct 3, 2013
Rather than trying to figure out how to block those specifically, there are some cheap hardware solutions available. It's as simple as adding the domain to the block-list. One of those is iboss. They mostly provide enterprise-level rack-mountable appliances but they also have a pro model for 150 HW and 250 per year. I sell them so let me know if you're interested. ross.young@iboss.com. Good luck.