Set up a caching proxy (like squid), set all the computers to connect to internet through the proxy. Have the firewall block access to internet except via the proxy. Configure the proxy server to allow/deny what you want.
Another possibility is the security software (antivirus, automatic encryption, etc) you run might have options to allow/deny certain sites.
At this moment, my company's got about 20, 30 PCs, laptops included in there.
An option where I would mess with each of those PCs individually is not that great for me, especially in case of some corrections later on.
The internet is set up in such a way that the main router sends the signal into a switch, which then divides the signal across the company.
By the looks of it, the cleanest solution would be controlling the traffic right there at the main router point.
This would be the easiest way, in that you wouldn't have to leave your chair.
For 5 out of 30 PCs where I work I set up the people's Internet Explorer to run through a false proxy. I then removed the Connections tab from the Internet Options menu using the registry so they can't remove the proxy. Has worked like a charm, and even if the computer receives a new IP address for whatever reason it still blocks it. The only way for them to get around it would be to download Chrome or something from home, put it on a USB, and hook it up and install.
Remove internet explorer shortcut from desktop/taskbar
Get a Linux firewall as a router. I've used IPCop a bit before. It's nice and pretty easy.
The important thing is that you filter outgoing connections to allow only standard ports like TCP 21, 80, 443.
You can just set iptables (firewall application) in your Linux firewall for that.
A Squid proxy with something like Privoxy will help with filtering HTTP content too if you want.
Also, Squid can be set up as a transparent proxy so it automatically intercepts port 80 traffic to the proxy, which means no need to set up the proxy on each computer. Note that this won't work with HTTPS. (There's a one-checkbox-and-done in the IPCop web interface.)
If you go more advanced, you might want to go for an application firewall (the kind that doesn't only block ports but also analyses protocols up to layer 7). Haven't done that. I just know it exists.
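The gateway described in this comment (and the proxy-plus-firewall suggestion at the top of the thread), as an added example that is not part of the original post: a shell function that prints an iptables-restore ruleset for a two-NIC Linux box. The interface names, the Squid intercept port 3129 and the DNS rules are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for a two-NIC Linux gateway.
# Interface names and the Squid intercept port are assumptions; adjust to your box.

gen_ruleset() {
    lan_if=$1; wan_if=$2; squid_port=${3:-3129}
    # Refuse anything that is not a plain interface name or port number.
    for name in "$lan_if" "$wan_if"; do
        case $name in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $name" >&2; return 1 ;; esac
    done
    case $squid_port in ''|*[!0-9]*) echo "bad port: $squid_port" >&2; return 1 ;; esac

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: plain HTTP from the LAN is handed to Squid on this host.
-A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN clients may reach the Squid intercept port and nothing else on the gateway.
# Add your own management access (e.g. SSH from an admin host) before applying.
-A INPUT -i $lan_if -p tcp --dport $squid_port -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outbound allow-list from the post: FTP control, HTTP, HTTPS (HTTPS is not proxied).
-A FORWARD -i $lan_if -o $wan_if -p tcp -m multiport --dports 21,80,443 -j ACCEPT
# Assumption: clients resolve names through an external DNS server.
-A FORWARD -i $lan_if -o $wan_if -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -p tcp --dport 53 -j ACCEPT
# Log what gets dropped (rate-limited) so heavy blocked traffic shows up in syslog.
-A FORWARD -i $lan_if -m limit --limit 6/min -j LOG --log-prefix "EGRESS-DROP: "
COMMIT
EOF
}
# Review the output first, then: gen_ruleset eth1 eth0 | iptables-restore --test
```

The `EGRESS-DROP` log lines show which clients and ports are hitting the default-drop policy, which helps when tracking down what is using the bandwidth.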
I see.
So, I would need another PC with Linux, which would have the internal and external network card (to pass the signal onto the switch/main router).
Can do that.
Will have to look into how that IPCop behaves; I'll be testing it during next week to see if I can come up with something good.
Cheers to you and all the others for useful info on this question.
You can have it as your virtual machine, assuming you already have Hyper-V or ESX or whatever. It is very cheap on resources. The two (or more) network cards can be hooked up as 1 real card and use VLAN tagging.
If you don't run on a VM, from what I know (which is a few years back), VLAN tagging is not possible on a fresh install.
I used to use Vyatta (mostly for security and load balancing rather than filtering, but security and censorship always go hand in hand); it might be worthwhile to test it as well as an alternative to IPCop.
You can also use Active Directory, if you are in an MS environment.
Untangle. I put it in place, worked fine. Some ways around it, but shaddup and don't tell 'em.
Porn, torrents, Facebook.
Will track YouTube stats.
It's not about being productive; workers can have fun and buzz whenever they want if they did what they were supposed to do.
The reason behind this is more of a technical nature: lots of torrents, YouTube, internet radios or whatever are slowing down the network, thus preventing workers from accessing some data on our local server.
Can't really pin down the reason behind it, so I'll eliminate 1 at a time, the big usage of bandwidth being first in line.
For a start, block everything but ports 80 and 443. That will take care of most of your problems. YouTube shouldn't be a big deal; people mostly use it for music in the background, and that doesn't take a lot of bandwidth, unless they specifically go 720p or higher.
Well, I'll be rolling with Untangle for now, when I've got this far already.
Can't tell what they were using it for and how much, just know the firm's network's been unreliable lately.
Gotta start checking things.
First it was a limited connection issue, with unreachable DNS addresses (which I guess was due to DHCP), now this.
remove the gateway or simply cut those wires, but that means no pr0n for you too!
If you block the known TOR nodes and the places where you can download TOR, and if you set up rules to alert you if there are any suspicious connections, you have done enough imho as far as a casual company's needs are going (I wouldn't expect serious needs to be discussed here).
If your employees are motivated enough to use TOR, say on a USB key (if you haven't disabled USB), or to go around (by sending it to themselves by mail, for example) and install it despite the fact that they are locked in a very limited environment where you shouldn't be able to install nor run TOR (tell me you are using something like SELinux instead of having every employee be a superadmin)...
then you have grounds for replacing your employee or learn yourself how to motivate them to work.
Quick update:
Went ahead and tried Untangle first, looked most user friendly.
Installed it onto a PC, but ran into the issue of it not detecting network cards.
Read about it, looks like the PC I took for the gateway is too old.
Will see to use another PC/buy a network card/try installing drivers tomorrow.
Anyone experienced this at work?
Care to tell how they did it?
I want to implement such a feature too. I'm aware of IP/domain filtering via router, but I seek alternative options before I opt for one.
Update 1:
Alrighty, I'll be checking some things you guys recommended and will post results.
Thanks to all.
Update 2:
Quick update:
Went ahead and tried Untangle first, looked most user friendly.
Installed it onto a PC, but ran into the issue of it not detecting network cards.
Read about it, looks like the PC I took for the gateway is too old.
Will see to use another PC/buy a network card/try installing drivers tomorrow.