How do I block internet at work?

[zaber]

We have an incoming satellite internet signal, followed by a CISCO (Model BEFSR41 4 Port Switch) router. Hereafter the signal is fed to 19 computers on site via a local network. We do not have a server and there is no pc between the router and the network.

I only want to allow 4 senior persons to have full internet access, the rest of the guys most only be able to access their Gmail accounts in order to send and receive e-mails, nothing else.

I have asked around, but can't find a solution. Some guys say if I block Google then Gmail will also be blocked seeing that they are linked somehow.

Any thoughts/ideas on how to solve this problem please, seeing that my knowledge is extremely limited on this subject?

 

[Wyzak]

get a routerboard and do the blocking on there.

 

[Valis]

I use Netlimiter on our LAN at work. Very powerful little freeware program

 

[Tsimo]

get a cheap smoothwall box.
old perntium PC wiht 512 mb ram

 

[dotnerd]

http://www.untangle.com/
or
http://sourceforge.net/apps/trac/ipcop/wiki
or
http://www.smoothwall.org/


Or remotely manipulate the routing table on their pcs, painful but surprisingly effective

The BEFSR41 does not support DD-WRT, would have been perfect

 

[rajharie]

I use a combination of rules on the router that allows on a certain range of IPs out onto the internet. The IPs outside of this range have access but http is blocked. We also use Google Apps and I have configured in the Google Apps Admin Dashboard that only https access to mail is allowed, ie only https://mail.google.com/a/xxxxxx and not http://mail.google.com/a/xxxxxx
If you are not using Google Apps then I think that there is a setting within your users Gmail settings that allows https access which they just need to enable or send them a link to https://www.gmail.com
I also use OpenDNS to restrict access but OpenDNS is not a blocking tool.
Our router is a simple Linksys device.
Hope this helps

 

[repitah]

Probably possible with difficulty. Unfortunately I'm only doing my cisco training in a few weeks.

If the router has the capability, maybe create an ACL to block all (except the people/ip's needed), and another to allow the others to the google subnets on pop/smtp ports. (rule order will probably be something like allow full for X, allow mail for Y, deny all)
Easiest would most likely be to put a small/old machine (old p3/p4?) between them and the router/satellite with a transparent proxy & router.

 

[Zarathustra]

I use and can recommend SQUID (http://www.squid-cache.org/). It is highly configurable and will run on a Linux or Windows platform.

 

[dotnerd]

Probably possible with difficulty. Unfortunately I'm only doing my cisco training in a few weeks.

If the router has the capability, maybe create an ACL to block all (except the people/ip's needed), and another to allow the others to the google subnets on pop/smtp ports. (rule order will probably be something like allow full for X, allow mail for Y, deny all)
Easiest would most likely be to put a small/old machine (old p3/p4?) between them and the router/satellite with a transparent proxy & router.

This is a Linksys device so it doesnt run IOS .... good thing youre going on that course hey.. :-D

 

[keru]

I use Netlimiter on our LAN at work. Very powerful little freeware program

The website says only the monitor is freeware.

 

[Cube3]

Is this a Cisco router or a Linksys router provided by Cisco ? There's a huge difference. I ran the model number and it comes up with Linksys.

If its Linksys, setup the Mac address filtering in the Security tab.

If you want to allow those people to also have Gmail access, that might be a problem because the mac filter will block mostly everything.

You would most likely need some sort of firewall/content filter device/application to meet your needs, as said above.

If this is an actual Cisco device, then it gets a lot more complicated.

 

[syntax]

We have an incoming satellite internet signal, followed by a CISCO (Model BEFSR41 4 Port Switch) router. Hereafter the signal is fed to 19 computers on site via a local network. We do not have a server and there is no pc between the router and the network.

I only want to allow 4 senior persons to have full internet access, the rest of the guys most only be able to access their Gmail accounts in order to send and receive e-mails, nothing else.

I have asked around, but can't find a solution. Some guys say if I block Google then Gmail will also be blocked seeing that they are linked somehow.

Any thoughts/ideas on how to solve this problem please, seeing that my knowledge is extremely limited on this subject?

there are tons and tons of solutions....what is ur budget? Are the machines the drones using belonging to you or their own? How are ip's allocated?
You have options like:
paid for filtering service (something like websense express would work very well)
free firewall distribution with filtering plug in ( as advised by others)
Dns blocking
Client side AV Application control rules ( IE lock AV settings and use Application control to disallow browsers, then allow outlook to be configured to connect to gmail?)
Some routers/modems allow url blocking out of the box
et etc etc

 

[zaber]

Is this a Cisco router or a Linksys router provided by Cisco ? There's a huge difference. I ran the model number and it comes up with Linksys.

If its Linksys, setup the Mac address filtering in the Security tab.

If you want to allow those people to also have Gmail access, that might be a problem because the mac filter will block mostly everything.

You would most likely need some sort of firewall/content filter device/application to meet your needs, as said above.

If this is an actual Cisco device, then it gets a lot more complicated.

I wanted to post some pics of the router,but see that I am not allowed. Well, on the front is shows CISCO and on top it also shows LINKSYS.

 

[Splice]

Squid, Untangle or if you have a lot of money get an ISA server

 

[Cube3]

Cool its Linksys, but it's not going to sort out the issue of blocking people and giving them Gmail specific access.....

It might be worth while getting a router that supports a content filter which will allow you to configure websites permitted etc.

Alternatively get an opensource box..... PFsense provides you with lots of functionality and its free to download.... relatively easy to install and configure.

 

[AstroTurf]

Proxy/firewall. use an old pc and one of the many free ones out there.

 

[syntax]

Squid, Untangle or if you have a lot of money get an ISA server

I would rather be burnt alive

 

[The_Unbeliever]

Squid, Untangle or if you have a lot of money get an ISA server

ISA?

bleugh

I'd rather use Smoothwall/IPCop/pfSense than that overrated M$ product.

 

[Elvis007]

I would rather be burnt alive

Ja, rather leave the MS stuff for the pro's

We just threw out 2 fortigate firewalls after 1 week, useless compared to ISA..., better that ISA 2006, but does not come close to TMG

 

[foulmouth]

dude why not get an IT guy to do it for you ?

I would charge R150 Site evaluation and then R300 to do the whole implementation.