  #7  
09-09-2006, 03:47 PM
psharkauburn
Registered User
 
Join Date: Sep 2006
Posts: 12
Quote:
Originally Posted by moses7
I think the problem with the host file is that it only blocks the homepage of the site and you can still access it through links.

Not really true, but I think I know what you're thinking. The hosts file can route any DNS name (e.g. www.google.com) to any IP you want. The problematic thing is that the HOSTS file doesn't accept wildcards in the DNS name like *.myspace.com. Because of this, you have to have entries for www.myspace.com (main page), browseusers.myspace.com (child page), forum.myspace.com (child page), vids.myspace.com (child page), etc. and essentially blanket all the DNS names that the site uses, which is really annoying and time consuming but does work. As a tip - when doing this, I always look for the login page DNS to reroute as it keeps people from accessing most stuff (e.g. login.myspace.com).

The better way (in a domain environment) is to use Active Directory Group Policies and IPSEC to deny access to traffic coming from IP addresses. Step 1 is to identify the IP addresses used by the offending sites (do a whois lookup - www.whois.org). Then create a group policy and under the IPSEC section set the filters to deny network traffic over ports (80) from those IPs. This essentially gives you the wildcard blocking we wanted above (*.myspace.com). While this is extremely efficient, the downside is you cannot block specific child sites, instead all the web traffic. In a downside scenario - I want to allow my users to be able to go to developer.cnet.com for research, but not videos.cnet.com because of bandwidth issues (I made up these sites but bear with the idea). If this was a smaller company with 1 webserver or IP address then the IPSEC blocking strategy blocks all web access to them where the HOSTS file *would* allow us to block videos.cnet.com but leave developer.cnet.com alone.

Depending on your position in the company and what you have access to, your perimeter firewall (or the proxy server firewall, or the router's firewall - depending on your network setup) can be set to block traffic from specific IPs, achieving the same effect as the IPSEC policy. IPSEC blocks at the end user's computer, perimeter/router firewalls block at your network's internet access point well before the end user computer. No strategy is perfect, good luck with your choices.
__________________
World of Warcraft withdrawal can be as devastating as the flu - seriously, it should be covered by insurance. -PShark

Last edited by The Tool : 09-11-2006 at 06:20 PM.
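The no-wildcard limitation described in the post above can be audited with a short script. This is an added example, not part of the original post: it parses a hosts file with exact-match semantics and reports which observed hostnames under a blocked domain have no entry. The hosts text, the observed hostname list and the function names are all constructed for illustration.

```python
# Added example: audit hosts-file coverage for one domain.
# HOSTS_TEXT and OBSERVED are constructed sample data, not real logs.

HOSTS_TEXT = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   www.myspace.com
127.0.0.1   login.myspace.com   forum.myspace.com   # two names on one line
127.0.0.1   *.myspace.com       # no wildcard support: this does not cover subdomains
"""

# Hostnames as they might be pulled from proxy or DNS logs (constructed).
OBSERVED = ["www.myspace.com", "VIDS.myspace.com", "browseusers.myspace.com",
            "login.myspace.com", "forum.myspace.com", "www.google.com",
            "notmyspace.com"]


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; names are lower-cased."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment-only line, or IP with no name
        ip, names = fields[0], fields[1:]
        for name in names:
            table[name.lower()] = ip
    return table


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def uncovered(table, observed, domain):
    """Observed hosts under `domain` with no exact-match hosts entry."""
    return sorted({h.lower() for h in observed
                   if in_domain(h, domain) and h.lower() not in table})


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    for name in uncovered(hosts, OBSERVED, "myspace.com"):
        print("no hosts entry:", name)
```
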