Restricting Web Access to Local Intranet

Old 06-12-03, 02:00 PM
  #1  
Member
Thread Starter
 
Join Date: Oct 1999
Location: A van down by the river
Posts: 192
Restricting Web Access to Local Intranet

I have a network with about 10 workstations (Win2k) and 5 of them are allowed full internet access. The other 5 need to have access ONLY to our intranet, not the internet AT ALL. Our internet connection goes through a Linksys router rather than any server, and all 10 workstations use this router for access to the file server. ISA server isn't an option, because of budget. I realize that I'll have to restrict this usage at the workstation level, however I want to know if there is some way of accomplishing this through group policy. Or is there some sort of freeware/shareware program that will block ALL sites except for any that I specifically allow?
wahoojeff is offline  
Old 06-12-03, 03:21 PM
  #2  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,704
I suppose you could use GPOs to set IE's Connections/LAN Settings' Proxy properties to only allow local addresses to be accessed and then lock those settings down.

You could probably enter some parameters in the HOSTS file or maybe change the gateway/DNS settings in networking too.
X is offline  
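The proxy approach in the post above hinges on IE's bypass list ("Bypass proxy server for local addresses", plus any explicit exceptions), because a host that is not bypassed gets sent to the proxy, and if that proxy is unreachable the request simply fails. The following is an added illustration, not code from the thread, that models how IE evaluates that list: entries are separated by semicolons, matched as wildcards against the URL host, and the special token `<local>` matches only host names with no period in them. The proxy address, the `intranet.example` suffix and the 10.0.0.x range are constructed assumptions.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed values a GPO might push to the restricted workstations (assumptions,
# not taken from the thread). The proxy address is an unroutable placeholder.
PROXY_SERVER = "192.0.2.1:8080"
PROXY_OVERRIDE = "<local>;*.intranet.example;10.0.0.*"


def bypasses_proxy(url: str, override: str = PROXY_OVERRIDE) -> bool:
    """Return True if the browser would connect directly instead of via the proxy.

    Models IE's bypass list: ';'-separated entries, case-insensitive shell-style
    wildcards against the URL host. The token <local> matches only host names
    that contain no period, so intranet servers reached by fully qualified name
    or by dotted IP must be listed explicitly or they will hit the proxy.
    """
    host = (urlsplit(url).hostname or "").lower()
    for entry in override.split(";"):
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry == "<local>":
            if "." not in host:
                return True
        elif fnmatch.fnmatchcase(host, entry):
            return True
    return False


def effective_route(url: str) -> str:
    """Describe where a request for url ends up under the constructed settings."""
    return "direct" if bypasses_proxy(url) else f"proxy {PROXY_SERVER}"


if __name__ == "__main__":
    for u in ("http://fileserver/",
              "http://fileserver.intranet.example/timesheet",
              "http://10.0.0.25/",
              "http://10.1.0.5/",
              "https://www.example.com/"):
        print(f"{u:45} -> {effective_route(u)}")
```

The practical check before rolling this out is to run every intranet URL the users actually type through `bypasses_proxy`; a short name works because of `<local>`, but the same server by FQDN or by an address outside the listed range goes to the dead proxy and breaks.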
Old 06-12-03, 06:48 PM
  #3  
DVD Talk Gold Edition
 
Join Date: Aug 1999
Location: Chicago, IL
Posts: 2,515
Couldn't you just not give them the gateway address in the network adapter settings? Unless you are using DHCP, then you would just have to adjust all the settings on those 5 pcs. Not too much work actually for just 5 workstations.
Neitzl is offline  
Old 06-12-03, 08:07 PM
  #4  
DVD Talk Hero
 
Join Date: Jun 2000
Posts: 37,659
I had a D-Link router (614+) that I thought would allow you to do this, but since I never actually played with those features I'm not sure how granular they would get. I know it would allow the admin to set certain sites as being off limits for certain IPs, but would it easily allow the admin to shut off completely the Internet access for a specific IP? I dunno. Probably not.

Alas, with the DLink/Linksys/SMC/NetGear appliances, you tend to be fairly locked down to whatever features and parameters the firmware developers decided to build into the management GUIs.

Fortunately, if you don't mind being a little more adventurous, there are dozens of solutions that would work for you. Any full-fledged firewall, such as a Linux Smoothwall implementation or one of the IPTables derivatives, between you and your ISP would have that level of granularity and then some.

Also, look into the Cisco 831 SOHO router. Less than $500, a GUI management interface for ease of setup but it also supports a full IOS implementation which would let you be as granular as your heart's content.
jfoobar is offline  
Old 06-12-03, 09:00 PM
  #5  
DVD Talk Ultimate Edition
 
Join Date: Jan 2001
Location: Seattle
Posts: 4,454
Can't you just put the PCs that need internet access into a DMZ and the rest you could just block.
palebluedot is offline  
Old 06-12-03, 11:52 PM
  #6  
DVD Talk Hero
 
Join Date: Jun 2000
Posts: 37,659
Originally posted by palebluedot
Can't you just put the PCs that need internet access into a DMZ and the rest you could just block.
Not with just a Linksys.

Besides, end user workstations + DMZ = bad things happening.
jfoobar is offline  
Old 06-13-03, 12:00 AM
  #7  
DVD Talk Gold Edition
 
Join Date: Feb 1999
Location: HB, CA
Posts: 2,601
I've only worked with a Linksys once, but I thought it had some IP filtering features. That is, it could block a list or range of internal IPs from accessing the internet.
belboz is offline  
Old 06-13-03, 12:53 AM
  #8  
DVD Talk Ultimate Edition
 
Join Date: Jan 2001
Location: Seattle
Posts: 4,454
Originally posted by JustinS
Besides, end user workstations + DMZ = bad things happening.
I didn't know that...what can happen?
palebluedot is offline  
Old 06-13-03, 02:46 AM
  #9  
toq
Senior Member
 
Join Date: Mar 2003
Posts: 522
Putting a machine in the DMZ is effectively removing any type of protection that is integrated into the router—i.e. it will move the machine into an unprotected portion of your network. Of course, you could work around that issue by installing personal firewalls on each machine which is obviously a bit more cumbersome.
toq is offline  
Old 06-13-03, 03:59 AM
  #10  
DVD Talk Hero
 
Join Date: Jun 2000
Posts: 37,659
Originally posted by palebluedot
I didn't know that...what can happen?
They can be far more exposed to compromise than if they were properly placed inside a protected network behind a stateful firewall.

Unless a system is both hardened and necessary to provide services to external entities (e.g., web server), it doesn't belong in a DMZ.
jfoobar is offline  
Old 06-13-03, 07:43 AM
  #11  
Member
Thread Starter
 
Join Date: Oct 1999
Location: A van down by the river
Posts: 192
Thanks for the replies. I think I am going to assign a bogus default gateway, and also require a proxy on the 5 restricted machines, which will also be a bogus address. That should keep them guessing.
wahoojeff is offline  
Old 06-13-03, 10:08 AM
  #12  
DVD Talk Ultimate Edition
 
Join Date: Jan 2001
Location: Seattle
Posts: 4,454
Originally posted by JustinS
They can be far more exposed to compromise than if they were properly placed inside a protected network behind a stateful firewall.

Unless a system is both hardened and necessary to provide services to external entities (e.g., web server), it doesn't belong in a DMZ.
[carson]I did not know that[/carson] Thanks for the info....I have been running in a DMZ for a while now. Didn't know it was no good.
palebluedot is offline  
Old 06-13-03, 10:32 AM
  #13  
DVD Talk Limited Edition
 
Join Date: Feb 2000
Location: Sunny Hawaii
Posts: 6,622
Originally posted by wahoojeff
Thanks for the replies. I think I am going to assign a bogus default gateway, and also require a proxy on the 5 restricted machines, which will also be a bogus address. That should keep them guessing.
Although this isn't exactly the kind of security issues that I deal with, a favorite mantra of mine may apply here:

"Security through obscurity is no security at all."
TheBang is offline  
Old 06-13-03, 12:10 PM
  #14  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,704
If you lock down the networking with GPOs the user won't be able to change what you did even if they know how you did it.
X is offline  
Old 06-13-03, 01:02 PM
  #15  
DVD Talk Limited Edition
 
Join Date: Feb 2001
Location: Austin, Texas
Posts: 6,515
I don't know which linksys router you have, but the one my mother had, and the one I hacked (wireless lan) both had features to deny internal computers external access. You could even deny the access for just part of the day.
einTier is offline  
Old 06-13-03, 03:16 PM
  #16  
DVD Talk Gold Edition
 
Join Date: Aug 1999
Location: Chicago, IL
Posts: 2,515
Originally posted by Todd B.
Although this isn't exactly the kind of security issues that I deal with, a favorite mantra of mine may apply here:

"Security through obscurity is no security at all."
I agree with your mantra, but with only 5 PCs that need this, I think it's a fine solution. Now if I had to do it for all the PCs, or in a bigger work place, I would go a different route.
Neitzl is offline  
Old 06-13-03, 03:49 PM
  #17  
Member
 
Join Date: May 1999
Posts: 232
We use a Sonicwall SOHO3 in my office to handle this. I set up some rules in the SOHO3, (each PC has a static internal IP) and I made an individual rule for each PC that I want blocked out. So whenever it's necessary to get online to do some updates, all I have to do is log in to the SOHO3 (via any PC on the network) and temporarily disable the rule that blocks web access to a certain IP. Do the update and then enable the rule.

In fact just today, I need to download Adobe Acrobat onto a non-internet user's PC. I go straight to that PC and I'm done in 5 minutes.
Lenny is offline  
Old 06-13-03, 04:07 PM
  #18  
DVD Talk Limited Edition
 
Join Date: Feb 2001
Location: Austin, Texas
Posts: 6,515
Originally posted by Neitzl
I agree with your mantra, but with only 5 PCs that need this, I think it's a fine solution. Now if I had to do it for all the PCs, or in a bigger work place, I would go a different route.
I still don't think it's a good solution for three reasons.

One, it places security in the hands of the end user -- the worst possible place it can possibly reside.

Two, it's a hack. The Linksys router has built-in software to allow you to solve this exact problem, but you'd rather go with a network hack than figure out how to properly solve the problem. If it was a monetary issue (buying new hardware), I might see the wisdom in this solution, but as it sits, you have increased the complexity (and possible problems) without appreciable gain.

Three, there's no remote access. If you want to change access levels, you've got to personally visit each machine.
einTier is offline  
Old 06-13-03, 09:48 PM
  #19  
Member
Thread Starter
 
Join Date: Oct 1999
Location: A van down by the river
Posts: 192
Originally posted by einTier
I still don't think it's a good solution for three reasons.

One, it places security in the hands of the end user -- the worst possible place it can possibly reside.
Yes and no. If I apply these settings to a workstation, then through group policy, remove the ability to change proxy or any network settings, there's not much an end user can accomplish.

Two, it's a hack. The Linksys router has built-in software to allow you to solve this exact problem, but you'd rather go with a network hack than figure out how to properly solve the problem. If it was a monetary issue (buying new hardware), I might see the wisdom in this solution, but as it sits, you have increased the complexity (and possible problems) without appreciable gain.
I was (am) under the impression that by restricting access via the router, I must restrict all web-like access. The users must have access to a local intranet, and the server sits on the same subnet as the workstations, so they can still access it if I make the changes I mentioned earlier. Will the linksys still allow browsing of local sites?

Three, there's no remote access. If you want to change access levels, you've got to personally visit each machine.
This isn't going to be an issue, the prior machines sat and did their job for 6 years without ever changing any sort of configuration, other than adding a wireless network card to each about a year ago. It's a plant environment, so the machines have only 2-3 functions each (tracking time, email, intranet).

If you know something about configuring the Linksys router (model BEFW11S4) to allow local access but restrict web access, I'd be interested, because that would make the whole thing easier.
wahoojeff is offline  
Old 06-13-03, 09:57 PM
  #20  
DVD Talk Gold Edition
 
Join Date: Aug 1999
Location: Chicago, IL
Posts: 2,515
Originally posted by einTier
I still don't think it's a good solution for three reasons.

One, it places security in the hands of the end user -- the worst possible place it can possibly reside.

Two, it's a hack. The Linksys router has built-in software to allow you to solve this exact problem, but you'd rather go with a network hack than figure out how to properly solve the problem. If it was a monetary issue (buying new hardware), I might see the wisdom in this solution, but as it sits, you have increased the complexity (and possible problems) without appreciable gain.

Three, there's no remote access. If you want to change access levels, you've got to personally visit each machine.

1: How can the user change those settings if they are just normal users, and not admins, or domain admins? They can't. Also, you give the end user too much credit. 95% of the time, they don't even know how to get to the TCP/IP Settings.

2. It's a hack? Everything related to GPOs is a hack, it's a push down hack, that's done from a centralized location, but it's all still a hack. It hacks the registry when the user logs on.

3. I agree, on this, but since it's such a small company, there really isn't a problem. Where I work, it's done differently since we do have more than just 10 workstations. If the machines were all within 20 feet of my desk, as it was in my last job, I don't mind about it at all.

I know what wahoojeff wants can be done with GPOs, or with the router, or a real firewall, which he doesn't mention that they have. wahoojeff, it might be time to visit some FAQs for that router of yours.
Neitzl is offline  
Old 06-14-03, 12:27 AM
  #21  
DVD Talk Limited Edition
 
Join Date: Feb 2001
Location: Austin, Texas
Posts: 6,515
wahoojeff, if your linksys router is like every other linksys router I've played with, there is a setting to disallow external access to certain IP blocks during certain times (or all the time). It should be under "filters" under the advanced tab. Just put in the IP addresses, or better, MAC addresses, you wish to block from internet access (they will still be able to access the lan).

Neitzl, I'm usually used to users being root on their own boxes, probably because I come from a software development background, and to do proper enterprise level development, you'll likely need root access (even if you don't wear the root hat all the time) from time to time. Even so, I still think that placing all security directly in the hands of the end user is a bad idea, even if you think you've locked them out of it. I give the end user a lot of credit, because you never know when you'll hit that 5% guy -- or when he'll call in his computer literate brother to 'hack' his box to allow him to surf espn.com from work. I've been that user, I've been that brother, and I've seen it done more times than I can count.

I also think that 'breaking' the TCP/IP settings is much more of a hack than pushing down revised registry settings from a central server. I just see future problems arising from setting down this road. It may be fine with 10 machines, but it will become a headache if the department grows, or if a new network administrator is hired. When things can so easily be done right, right here, right now, with no extra cost, I don't see the benefit of doing it wrong just because "well, you could do it this way."
einTier is offline  
Old 06-14-03, 09:25 AM
  #22  
DVD Talk Hero
 
Join Date: Jun 2000
Posts: 37,659
I'm with einTier. It is far more secure (and efficient) to control Internet access for networked machines from the bastion host (or proxy server or whatever) than from the desktops themselves.
jfoobar is offline  
Old 06-14-03, 12:20 PM
  #23  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,704
You guys are making this sound like it's some kind of national security issue that those computers don't get to the internet. It's probably just some dumb users surfing instead of getting work done.

Static IPs and a firewall blocking port 80 or all external traffic for those machines would be my preferred solution but I really don't see why changing their networking and locking it down with GPOs isn't acceptable in this case.

If they are informed they are not allowed to get to the internet and they still try to hack around that, then whether you want them as employees should be considered.
X is offline  
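Two router-side options appear in this thread: einTier's Linksys "filters" entry that blocks listed internal addresses from the internet while leaving LAN access alone, and X's firewall rule that blocks "port 80 or all external traffic" for static IPs. The added model below, which is not code from the thread or from any router vendor, evaluates both policies against sample packets so the difference is visible: same-subnet traffic is switched locally and never reaches the forwarding rules at all, and a port-80-only rule still lets HTTPS, DNS and everything else out. The 192.168.1.0/24 LAN, the five restricted addresses and the rendered iptables rules are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the thread's scenario (assumptions, not from the
# page): one flat LAN behind the router, five restricted workstations on
# static addresses .21 through .25.
LAN = ipaddress.ip_network("192.168.1.0/24")
RESTRICTED = {ipaddress.ip_address(f"192.168.1.{n}") for n in range(21, 26)}


def verdict(src, dst, proto="tcp", dport=None, policy="all-external"):
    """Decide what the router/firewall does with a packet from src to dst.

    policy="all-external": restricted hosts may reach nothing outside the LAN.
    policy="port-80-only": restricted hosts are blocked only on TCP/80, the
    weaker option mentioned in the thread; every other port still gets out.
    Returns "lan", "accept" or "drop".
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if dst in LAN:
        # Same-subnet traffic goes switch port to switch port and never hits
        # the forwarding rules, so intranet access survives either policy.
        return "lan"
    if src not in RESTRICTED:
        return "accept"
    if policy == "all-external":
        return "drop"
    if policy == "port-80-only":
        return "drop" if (proto == "tcp" and dport == 80) else "accept"
    raise ValueError(f"unknown policy {policy!r}")


def iptables_rules(policy="all-external"):
    """Render the same policy as FORWARD-chain rules for an iptables-based
    firewall such as the ones jfoobar mentions (constructed rules; chain and
    interface details depend on the box)."""
    rules = []
    for ip in sorted(RESTRICTED):
        if policy == "all-external":
            rules.append(f"iptables -A FORWARD -s {ip} ! -d {LAN} -j DROP")
        elif policy == "port-80-only":
            rules.append(f"iptables -A FORWARD -s {ip} -p tcp --dport 80 -j DROP")
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return rules


if __name__ == "__main__":
    samples = [("192.168.1.21", "192.168.1.5", "tcp", 80),     # intranet server
               ("192.168.1.21", "203.0.113.10", "tcp", 80),    # web
               ("192.168.1.21", "203.0.113.10", "tcp", 443),   # https
               ("192.168.1.21", "203.0.113.53", "udp", 53),    # dns
               ("192.168.1.10", "203.0.113.10", "tcp", 80)]    # unrestricted pc
    for pol in ("all-external", "port-80-only"):
        print(f"policy {pol}:")
        for src, dst, proto, port in samples:
            print(f"  {src} -> {dst} {proto}/{port}: {verdict(src, dst, proto, port, pol)}")
    print("\n".join(iptables_rules()))
```

Filtering on the router is also what makes the gateway-less or bogus-proxy setup unnecessary: the rule lives in one place, applies no matter what the user does to the workstation, and can be toggled remotely, which is the same point Lenny makes about the Sonicwall.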
Old 06-14-03, 12:48 PM
  #24  
DVD Talk Gold Edition
 
Join Date: Aug 1999
Location: Chicago, IL
Posts: 2,515
Originally posted by X
You guys are making this sound like it's some kind of national security issue that those computers don't get to the internet. It's probably just some dumb users surfing instead of getting work done.
No, we're not making it sound bigger than it is. We're just throwing out ideas for a solution. Security is always an issue, especially if you're a network admin. Security is always a great concern of mine, and I really don't know other net admins who don't take it seriously. No it may not be on a "national security" level, because we aren't on that level, but in our own context, it might as well be.

Static IPs and a firewall blocking port 80 or all external traffic for those machines would be my preferred solution but I really don't see why changing their networking and locking it down with GPOs isn't acceptable in this case.
That's a good one too, but hey, I wasn't giving any type of solution for his router, since I don't use a router, but rather a firewall at work, where control is much more granular at that level than on these DSL routers.

If they are informed they are not allowed to get to the internet and they still try to hack around that, then whether you want them as employees should be considered.
Completely agree with this.

Neitzl is offline  
Old 06-14-03, 12:57 PM
  #25  
X
Administrator
 
Join Date: Oct 1987
Location: AA-
Posts: 10,704
Originally posted by Neitzl
No, we're not making it sound bigger than it is. We're just throwing out ideas for a solution. Security is always an issue, especially if you're a network admin. Security is always a great concern of mine, and I really don't know other net admins who don't take it seriously. No it may not be on a "national security" level, because we aren't on that level, but in our own context, it might as well be.
The thing is, I don't see this as "security" unless these users have a history of going to kiddie porn sites, or making the company look bad, or visiting sites that download viruses or whatever that would compromise the entire network. I see it as making casual usage of the internet difficult.

If those were the problem then I would do it "right", but I didn't get that feeling from wahoojeff. It would be nice if he told us exactly what the problem is.
X is offline  