DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Resticting Use of Facebook using Vigor 2820

More
13 Sep 2009 18:57 #57702 by mreastwood
Replied by mreastwood on topic Resticting Use of Facebook using Vigor 2820
We have a 'non-work related media' policy in place in our offices. This is effectively to ban facebook, youtube etc.

As another poster said, it's not always about the time lost to these sites, it's also about maximising available resources such as bandwidth.

You can put all the policies in place that you like but you won't always catch someone streaming a radio station or playing a youtube video in a spare tab. The problem is that generally people think that one video, one small radio stream etc won't cause any problems.

After realising that the policy alone wouldn't be enough, we started blocking sites on our transparent squid proxy. Eventually we scrapepd that all together for two reasons. 1) The overhead and reliability of Squid VS. the speed benefits of a web cache wasn't worth it and 2) The blocks could be bypassed by adding https:// to the site which bypasses squid. We could have recompiled squid with SSL support but we didn't want to be performing a man-in-the-middle attack.

Since we were already using openDNS, we decided to make use of their blocking which blocks at the DNS level. This means that it will block all ports, whether it be standard web 80 or https 443. Since that point we've started running an internal bind9 caching DNS server (because our DNS lookups take 500-1000ms, bad location). This is an extremely evective and easy way to block sites although won't prevent people who know exact IPs from accessing a site.

I'm cautious to setup any URL filtering and such like in our Draytek router because I assume it means the router will be running some form of internal web proxy to manage that. I'm curious if this will have any speed impact or reliability issues.

Please Log in or Create an account to join the conversation.

More
15 Sep 2009 11:48 #57721 by linker3000
Replied by linker3000 on topic Resticting Use of Facebook using Vigor 2820
Just to add to the mix - here's how we block facebook:

1) Subscribe to the OpenDNS service (free) and register the site IP address with them (assuming its fixed).
2) Set router's DNS server entries to point to the OpenDNS servers.
3) Set router's DHCP DNS address likewise.
4) Set firewall rules to only allow DNS (port 53) queries to OpenDNS server. addresses (in case users try to bypass OpenDNS.
5) Use OpenDNS DNS blocking features to disallow DNS queries to social networking sites.

Not 100% water-tight but good enough for most requirements.

Please Log in or Create an account to join the conversation.

More
15 Sep 2009 13:44 #57727 by mordorf
Replied by mordorf on topic Resticting Use of Facebook using Vigor 2820
OpenDNS is very good but it doesn't stop access if the user enters the ip address rather than the fqdn url.

Please Log in or Create an account to join the conversation.

More
15 Sep 2009 15:49 #57734 by admin
You can tell the Vigor to block browsing by IP address, I think.



Forum Administrator

Please Log in or Create an account to join the conversation.

More
15 Sep 2009 18:04 #57738 by mordorf
Replied by mordorf on topic Resticting Use of Facebook using Vigor 2820



1.) Under Object Settings create a Keyword Object called Facebook with the word as facebook.

2.) Under Object Settings create a new Keyword Group called Facebook and add the Facebook keyword to it.

3.) Under CSM>URL Content Filter Profile create a new profile with the below settings:-
Profile Name - Facebook
Priority - Both : Block
Check Enable URL Access Control
Check Prevent web access from IP address
Click edit and add the Facebook Keyword Group

4.) Under Firewall > Filter Setup create a new rule called Block Facebook with the below settings:-
Direction - LAN>WAN
Source IP - Any
Destination IP - Any
Service Type - Any
Filter - Pass if no further match
URL Content Filter - Facebook

That should block access to facebook even if your users are clever enough to enter the IP address of facebook instead of the URL (http://69.63.184.142/).
I have just tested this and it seems to work, any problems post back and I'll see if I can help.
There will still be ways around this such as using external proxies or tunneling but you can block this also with the 2820 (Object Setting>Misc Object) although I haven't tested this aspect.



My instructions above cover blocking facebook by both fqdn and ip address.
:)

Please Log in or Create an account to join the conversation.

More
16 Sep 2009 12:11 #57747 by linker3000
Replied by linker3000 on topic Resticting Use of Facebook using Vigor 2820

Mordorf wrote: OpenDNS is very good but it doesn't stop access if the user enters the ip address rather than the fqdn url.



Agreed - hence not 'water-tight' but good enough for our level of users.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami