I want to block my network users from accessing most external websites. Some users may need access to Facebook (such as the users from the marketing department), while others may need access to bank websites.

What I want to do is to control the access of these users, allowing them to access only the necessary websites.

To do that, I've been thinking about using a captive portal to control authentication (so I'll know who is requesting the website). I'll also need a proxy to deny access to the blocked websites.

Doing some research, I have not found any single piece of software capable of doing both tasks. I tried PacketFence and Squid. The first handled the authentication steps very well; the other, the URL blocking. But I could not make them talk to each other, nor do the desired job together.

Has anyone ever implemented something like this? Is it possible with either of these tools?

EDIT:

It is very important that the users are authenticated against an Active Directory server.

  • I say this with all kindness, and with the assumption this has been considered; if you're trying to lock down users in your company, they will find ways around it. Yes, there are certainly methods to use to prevent people from accessing sites you want to restrict; why not implement a company policy that flatly says "machines are for professional use, only." If they don't care enough about their job to stay off of Facebook, why are you employing them? (Also, I agree with ETL as a technical solution.) – Stephan Feb 15 '13 at 00:29
  • That's really the true sadness of it all - the more you block, the more they find ways around it :( But some basic blocking, I found, goes a long way on the casual people as a reminder of company policies. – ETL Feb 15 '13 at 00:34
  • I hear ya; luggage locks keep honest people honest, for example. – Stephan Feb 15 '13 at 00:41
  • The company already has a policy restricting employees from accessing non-work-related websites. Still, they access them frequently and the human resources department is not helping. The management is failing miserably to do their jobs. And we, from the IT department, are the ones being pointed at as not capable. But I agree with you guys, it is impossible. – Vinícius Gobbo A. de Oliveira Feb 15 '13 at 01:16
  • 1. Explicitly state the restrictions and monitoring in the IT policy and 2. Print out access logs as a roster, ranked in descending order of time spent on external sites (you may want to edit out your boss in the first printout). 3. Hang the shame roster on the main notice board. – Deer Hunter Feb 15 '13 at 02:40
  • @DeerHunter Loved it! But I would be fired and probably sued... Brazilian laws suck... – Vinícius Gobbo A. de Oliveira Feb 15 '13 at 10:06

4 Answers

Smoothwall - not a captive portal, but it will prompt for a user name if you configure it that way.

ETL
  • Very nice piece of software. There is one important feature I forgot to mention: the need to authenticate with Active Directory in order to do the filtering. I was not able to find anything related to that. – Vinícius Gobbo A. de Oliveira Feb 15 '13 at 01:25
  • According to http://www.smoothwall.org/about/feature-comparison-chart/ the Advanced Firewall & UTM Appliances (i.e. non-free) version supports this. – ETL Feb 15 '13 at 01:39
I would do this in three steps.

  1. Find proxy software that fits your authentication needs, and set it up so that it can talk to the users' network(s).

  2. Set up your firewall such that ALL outbound connections from that network are dropped by default (then obviously allow traffic to the internal systems they need).

  3. Set all web browsers to use the proxy

This allows you to prevent most of the steps that users would take to get around your proxy - they can't just un-check that box, and they can't use a tunnel or external proxy on an odd port.

Zypher
  • Maybe I misunderstood your answer, but I could not understand how this will allow user A to access website X but not allow user B to access website X. – Vinícius Gobbo A. de Oliveira Feb 15 '13 at 01:48
  • @ViníciusGobboA.deOliveira most good proxies will allow you to do policy-based ACLs for sites, so UserA in group "nothing" can't get anywhere, but UserB in group "Marketing" can get to Twitter, Facebook, etc. – Zypher Feb 15 '13 at 01:50
  • I guess I'm reducing the requirements of the setup. The perfect system would display a beautiful web page asking for credentials and filter the sites accessed by this user depending on his access level. Forgetting the "beautiful web page", I believe Squid alone will be able to do the job, am I right? – Vinícius Gobbo A. de Oliveira Feb 15 '13 at 01:55
  • Squid would work, but you will need to make it connect to your AD and work the ACLs from that. – ETL Feb 15 '13 at 14:37
  • Setting up Squid to connect with AD is not a problem using squid_ldap_auth. I'll give it a try. – Vinícius Gobbo A. de Oliveira Feb 15 '13 at 15:33
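As an added illustration (not from any of the answers or from the Squid project) of the Squid approach discussed in this answer and its comments, the squid.conf fragment below authenticates users against Active Directory with the LDAP basic-auth helper (called squid_ldap_auth in Squid 2.x, basic_ldap_auth from Squid 3.2 on), looks up AD group membership with the group helper (squid_ldap_group, renamed ext_ldap_group_acl), and then allows each group only its own destination domains. The helper paths, the domain example.local, the squid-bind service account, the group names and the destination domains are all assumptions to be replaced with your own.

```squid
# --- Authentication: verify the user's credentials against Active Directory ---
# Helper is basic_ldap_auth in Squid >= 3.2 (squid_ldap_auth in 2.x).
# Base DN, bind DN, password and host are placeholders for your own domain.
# -R disables referral chasing, which AD needs.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R \
    -b "dc=example,dc=local" \
    -D "cn=squid-bind,cn=Users,dc=example,dc=local" -w "BIND_PASSWORD" \
    -f "(&(objectClass=user)(sAMAccountName=%s))" \
    -h dc1.example.local
auth_param basic children 10
auth_param basic realm Corporate web proxy
auth_param basic credentialsttl 2 hours

# --- Group lookup: map the authenticated login (%LOGIN) to an AD group ---
# %v is the login name, %g the group name passed from the acl line below.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R \
    -b "dc=example,dc=local" \
    -D "cn=squid-bind,cn=Users,dc=example,dc=local" -w "BIND_PASSWORD" \
    -f "(&(objectClass=user)(sAMAccountName=%v)(memberOf=cn=%g,ou=Groups,dc=example,dc=local))" \
    -h dc1.example.local

acl authenticated proxy_auth REQUIRED
acl grp_marketing external ad_group Marketing
acl grp_finance   external ad_group Finance

# Destination lists: a leading dot matches the domain and all its subdomains.
acl work_sites   dstdomain .example.local .intranet.example
acl social_sites dstdomain .facebook.com
acl bank_sites   dstdomain .bank1.example .bank2.example

# --- Policy: the first matching http_access line wins, so order matters ---
http_access deny !authenticated
http_access allow authenticated work_sites
http_access allow grp_marketing social_sites
http_access allow grp_finance bank_sites
http_access deny all
```

Basic auth sends the password base64-encoded on every request, so this belongs on a trusted LAN (or use the Negotiate/Kerberos helper instead), and the bind account only needs read access to the directory. Combined with the default-drop firewall rule from step 2 of this answer, the final `deny all` is what stops users from simply bypassing the proxy.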
Off hand, I know that software suites similar to Net Nanny, usually intended to block adult content, can often be configured to restrict additional websites. I'd look into a solution like that as likely being a little easier to configure and maintain.

From a best-practices perspective, ensuring that all users' screens are visible to other users often cuts down on their willingness to visit 'forbidden' websites, for fear of reprisal.

Stephan
Look at Websense. While not an inexpensive solution it is very good at managing access. It can be super flexible and produce excellent reports. Even running it in monitor mode can give you the data to "shame" the serious bandwidth abusers and time wasters.

Dave M