Re: Internet access control question?



If you have a list of websites that your users "require" access to, any
mid-level router can handle blocking everything else with ease:

! matching a port with "eq" needs tcp (or udp) as the protocol, not ip
access-list 101 permit tcp <your network address> <wildcard mask> host <address of allowed site> [eq www]
! (or eq 443 for https, or whatever protocol may be required)
access-list 101 permit tcp <your net addr> <wildcard mask> host <other sites> [eq <optional protocol>]
! permit access to sites you want to allow
!
!
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq 443
access-list 101 deny tcp any any eq ftp
! deny access to all other ftp, http and https sites
!
!
access-list 101 permit ip any any
! permit other traffic (mail, etc)

By applying access lists in this manner you can allow your users to visit
the sites they require for their jobs. If you segregate departments into ip
blocks that would correspond to subnets, you can allow access to different
content for different departments. If people find a way through it, you can
lock it down as required or open up access to new sites as it becomes
necessary.

Another way, if you're running your own internal DNS, is to set up a separate
server with an AD integrated zone for local resolution and dynamic
registration, and a "." zone. Then create zones for sites your users require
access to and point your users to that as their only DNS server. They'll
technically still have Internet access, but won't know it because they won't
be able to resolve any names.

....kurt

"Bob" <bdufour@xxxxxxxxxx> wrote in message
news:%233$E7z7wGHA.5064@xxxxxxxxxxxxxxxxxxxxxxx
Well, more and more programs are being used that require Internet access,
for instance at my customer site he has three locations, at all three they
do data entry to a sql database at home office with a package that is
really just a collection of asp pages on a web site on a server at the
home office. The company that sold them the package told them it was a
great thing because they could access just one copy of the program from
anywhere in any of their locations, including working from home! No
concerns at all about security would you believe!
Anyways, I think that giving Internet access is often a real requirement.
I know that at this site it is. They are a car dealership and the
manufacturer requires them to use a web site for some things with respect
to sales.

Thanks Phillip
Bob

"Phillip Windell" <@.> wrote in message
news:uBAvkwWwGHA.3996@xxxxxxxxxxxxxxxxxxxxxxx
"Bob" <bdufour@xxxxxxxxxx> wrote in message
news:uadAjMVwGHA.1808@xxxxxxxxxxxxxxxxxxxxxxx
Good idea but unfortunately not so easy in reality.

Unfortunately it *is* the reality.
IMO - It is often a mistake to even give employees internet access to
start with. Many jobs don't *really* require it. There is a difference
between wanting it and needing it. Employees that use SMTP EMail with an
outside mail server can have the email without having web access,...you
just give them permission to use SMTP and POP3, but not HTTP & HTTPS.

Computers are not babysitters. If a company's management cannot control
the behavior of their own employees, a computer sure isn't going to do
it,...and in such cases the company will usually "fold".
There is no such product that is going to do exactly what you are asking.
Some can come close,..but be prepared to spend some $$$$.
A product like MS ISA Server will come close.
MS ISA Server combined with filtering products like SurfControl will come
even closer,...but products like SurfControl interfere with some of the
ISA's functionality. It is an imperfect world.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
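
The access list in kurt's reply at the top of this thread only works in the order given, because a router stops at the first entry a packet matches. The Python model below is an added example, not code from any post in the thread; it evaluates packets against the list and flags entries that an earlier entry makes unreachable. The addresses are constructed (192.168.10.0/24 for the internal network, 203.0.113.10 for the one allowed site) and all function names are hypothetical.

```python
import ipaddress

# Constructed values: 192.168.10.0/24 stands in for the internal network and
# 203.0.113.10 for the one allowed site. A port of None means "any port".
ANY = "0.0.0.0/0"
ACL_101 = [
    ("permit", "tcp", "192.168.10.0/24", "203.0.113.10/32", 80),
    ("permit", "tcp", "192.168.10.0/24", "203.0.113.10/32", 443),
    ("deny",   "tcp", ANY, ANY, 80),
    ("deny",   "tcp", ANY, ANY, 443),
    ("deny",   "tcp", ANY, ANY, 21),
    ("permit", "ip",  ANY, ANY, None),
]

def net(cidr):
    return ipaddress.ip_network(cidr)

def matches(entry, proto, src, dst, dport):
    """True if one packet (protocol, addresses, destination port) hits this entry."""
    _, e_proto, e_src, e_dst, e_port = entry
    return ((e_proto == "ip" or e_proto == proto)
            and ipaddress.ip_address(src) in net(e_src)
            and ipaddress.ip_address(dst) in net(e_dst)
            and (e_port is None or e_port == dport))

def evaluate(acl, proto, src, dst, dport):
    """Return (action, index) of the first matching entry, top to bottom.
    A packet that matches nothing is dropped by the implicit deny."""
    for index, entry in enumerate(acl):
        if matches(entry, proto, src, dst, dport):
            return entry[0], index
    return "deny", None

def covers(a, b):
    """True if entry a matches every packet that entry b can match."""
    return ((a[1] == "ip" or a[1] == b[1])
            and net(b[2]).subnet_of(net(a[2]))
            and net(b[3]).subnet_of(net(a[3]))
            and (a[4] is None or a[4] == b[4]))

def shadowed(acl):
    """Indexes of entries that never fire because an earlier entry covers them."""
    return [j for j in range(len(acl))
            if any(covers(acl[i], acl[j]) for i in range(j))]

# The same entries with the three denies moved above the site permits.
MISORDERED = ACL_101[2:5] + ACL_101[0:2] + ACL_101[5:]
```

Running `shadowed()` over a list before applying it catches the ordering mistake where the blanket denies sit above the per-site permits and silently cancel them.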






