Re: Blocking Access to web-based email

From: Leythos (void_at_nowhere.lan)
Date: 08/17/05


Date: Wed, 17 Aug 2005 11:52:45 GMT

In article <iIudnUq98OtucJ_eRVn-ig@comcast.com>, charlesnewman1
@comcast.do.not.spam.me.net says...
> X-No-Archive: Yes
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d6c71fb5b2b2cba989c14@news-server.columbus.rr.com...
> > In article <Hs-dnTsmHr_uOZ_eRVn-sg@comcast.com>, charlesnewman1
> > @comcast.do.not.spam.me.net says...
> > > "Leythos" <void@nowhere.lan> wrote in message
> > > news:MPG.1d65761f7bcfb447989b6c@news-server.columbus.rr.com...
> > >
> > > sites (their
> > > > business partners). They also setup two sets of rules, one for generic
> > > > users - no access, and then one for managers - full access.
> > >
> > > They only way you could do that would be with
> > > two different proxy servers, one filtered, and one
> > > non-filtered. That is how my network is set up.
> >
> > Funny, the way I do it is with one Firewall appliance and different HTTP
> > rules. Seems to me that it works well and without a problem for me. I
> > don't have ANY proxy servers in our network, but, if you must know, the
> > firewall has many proxy type services for use - and HTTP is one of them.
> >
> > I can also setup users without the proxy and limit what they can access
> > based on their IP, Subnet, authentication, all the same without the
> > proxy service of the firewall - the proxy service allows me to use a Web
> > Blocker tool and content filters that remove malicious content from the
> > http sessions.
>
> I don't see how you can authenticate users
> authorized for full access, without using a
> program like ProxyPro. To me, it would
> seem easier to use ProxyPro, add the
> users authorized for full access, and be
> done with it.

The firewall appliance allows me to create Users and groups and assign
users to groups. I have the option of having MANY HTTP rules that can
either be Proxy or non-Proxy type HTTP rules and I can have BOTH at the
same time in the same firewall. In this case, if I want a User to have
specific access from ANY location in the company, I setup a User in the
firewall and put them in the unrestricted HTTP rule group and then, when
at any workstation in the company, they can browse to the firewall
authentication page, authenticate, and then get full HTTP access without
any restrictions - when they close the HTTP authentication page it kicks
them out of being authenticated as User X and they no longer have
unrestricted access - they have whatever access any other user at that
system would have.

> Since AllegroSurf and ICS both
> assign dynamic internal addresses to
> PCs on the network, doing it by IP
> does not work, and a lot of business
> networks assign IP addresses
> dynamically. That is the way that

You seem to have missed DHCP Reservations - if you want to provide a
group of systems (like Managers or Developers) with specific access by
IP rules, you setup DHCP with reservations for their MAC and their IP is
still DHCP assigned. I do this in most companies - especially for people
that VPN in and then RD to their own desktop - this means I can create a
rule that only allows them access by IP/Port to their specific
workstation and I always know where it's going to be.

> HTTP works. If you are using
> static IPs in your network, then yes
> you can block by IP. But for those networks
> that are using dynamically assigned IPs
> within the network, like mine, then my
> solution is the only way you can do this.

Wrong, see what I typed above. Reservations have long been a part of
DHCP and it works perfectly for what it was designed for - to
dynamically reassign the same IP to the same device. This works great
since you can pass all your other settings via DHCP to the device and
not have to manually change the devices settings.

> If you are using DHCP, or any NAT
> device that assigned IPs dynamically, then
> you need a program like ProxyPro, that
> supports authentication, if you want to
> allow some users unfiltered internet access.
> Virtually any NAT device, hardware or
> software, is going to use DHCP and assign
> addresses dynamically. The solution I refer
> to is for the majority of networks that do this.

But you don't want the NAT device assigning the IP, you want the
domain's DHCP server doing it and only using the NAT device as the
gateway router. In our case, we always disable DHCP on NAT devices (and
our firewall appliances have NAT with DHCP also). If you don't disable
DHCP on the NAT device you may not be properly setup when you provide
the domain/networks DHCP information - most OS based DHCP services
provide far more information than you can setup on those simple NAT
devices to be passed to the devices via DHCP.

> If you really serious about controlling
> content, especially porn, you need a
> software-based solution, as it can download
> updates daily. CyBlock, CyberSitter, and
> SurfControl are all good at this. They
> can all be programmed to download updates
> automatically. All you have to do in the
> morning is just re-boot the machine the
> software is running on for the changes to
> take effect. ProxyPro will even support

I control porn at the firewall, and I don't have to reboot anything for
updates to work. In fact, I can select to enable/disable 14 categories
of content at the firewall itself and I can pick which rules use which
categories without impacting the users during the day. I can also use
ALLOW only type lists where they can only access approved sites without
using a content blocker.

> authentication through an NT domain,
> if any of your servers are running
> server versions of NT, 2000, XP,
> or Vista, so they don't have to run
> the gkaccess authentication program
> that would otherwise be used to
> access the system.

I think you are confusing "Firewall" with NAT for some reason. Those NAT
devices you can buy at Best Buy, CompUSA stores, Circuit City, and
places that don't sell Commercial Grade systems, are almost always just
cheap NAT routers. I purchase Sonic, WatchGuard, PIX, Netscreen, etc..
When I have a choice I pick WatchGuard for all of the reasons I've
listed above and more.
 

-- 
spam999free@rrohio.com
remove 999 in order to email me
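
The setup Leythos describes above, as an added toy model (this is not code from the post or from any WatchGuard, SonicWall, PIX or Netscreen product): DHCP reservations pin a MAC to a fixed address so IP-keyed HTTP rules stay valid, a default allow-only rule covers every unreserved dynamic lease, a category blocker applies to one reserved host, and a user who authenticates at the firewall's portal gets the unrestricted rule from any workstation until they log out. Every MAC, address, user name, password and host name is constructed sample data, and the rule order, categories and portal behaviour are assumptions for illustration only.

```python
"""Toy model of IP-keyed HTTP rules plus DHCP reservations and a portal-
authenticated override. Added example, not from the post or any vendor
product. All MACs, IPs, users, passwords and host names are constructed."""

import hashlib
import hmac
from ipaddress import ip_address, ip_network

# DHCP reservations: MAC -> fixed IP, still handed out via DHCP like any lease.
RESERVATIONS = {
    "00:11:22:33:44:55": "10.0.0.10",   # manager's workstation (assumed)
    "00:11:22:33:44:66": "10.0.0.11",   # developer's workstation (assumed)
}
# Unreserved clients draw from this pool and may land anywhere in it.
DYNAMIC_POOL = [str(h) for h in ip_network("10.0.0.100/30").hosts()]

# HTTP rules keyed on source IP, first match wins (assumed ordering).
RULES = [
    (ip_network("10.0.0.10/32"), "unrestricted"),  # no filtering at all
    (ip_network("10.0.0.11/32"), "filtered"),      # category blocker applied
    (ip_network("10.0.0.0/24"),  "allowlist"),     # everyone else: approved sites only
]
BLOCKED_CATEGORIES = {"adult", "gambling"}
SITE_CATEGORY = {"casino.test": "gambling", "news.test": "news"}   # constructed
ALLOWLIST = {"intranet.test", "partner.test"}                      # constructed


def _pw_hash(pw):
    # Illustrative only; a real appliance uses its own store or the domain.
    return hashlib.sha256(pw.encode()).hexdigest()


USERS = {"alice": {"pw": _pw_hash("alice-pass"), "group": "unrestricted"}}


class Firewall:
    def __init__(self):
        self.leases = {}    # MAC -> IP currently leased
        self.sessions = {}  # source IP -> user authenticated at the portal

    def dhcp_lease(self, mac):
        """Reserved MACs always get their reserved IP; others get any free pool address."""
        if mac in RESERVATIONS:
            ip = RESERVATIONS[mac]
        elif mac in self.leases:
            ip = self.leases[mac]                       # renewal keeps the lease
        else:
            taken = set(self.leases.values())
            ip = next(h for h in DYNAMIC_POOL if h not in taken)
        self.leases[mac] = ip
        return ip

    def dhcp_release(self, mac):
        self.leases.pop(mac, None)

    def rule_for(self, src_ip):
        addr = ip_address(src_ip)
        for net, policy in RULES:
            if addr in net:
                return policy
        return "deny"

    def portal_login(self, src_ip, user, password):
        """Authenticate at the firewall page; the session is bound to the source IP."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password)):
            return False
        self.sessions[src_ip] = user
        return True

    def portal_logout(self, src_ip):
        """Closing the auth page drops the override; the IP rules apply again."""
        self.sessions.pop(src_ip, None)

    def allow_http(self, src_ip, host):
        """Return (allowed, reason) for an HTTP request from src_ip to host."""
        user = self.sessions.get(src_ip)
        if user and USERS[user]["group"] == "unrestricted":
            return True, f"authenticated user {user}"
        policy = self.rule_for(src_ip)
        if policy == "unrestricted":
            return True, "unrestricted rule by IP"
        if policy == "filtered":
            cat = SITE_CATEGORY.get(host, "uncategorized")
            if cat in BLOCKED_CATEGORIES:
                return False, f"category {cat} blocked"
            return True, f"category {cat} permitted"
        if policy == "allowlist":
            if host in ALLOWLIST:
                return True, "approved site"
            return False, "not on approved list"
        return False, "no matching rule"
```

The point to watch is the unreserved client: release its lease, let another client take the address, and it comes back on a different IP, so any rule written against its old address now applies to someone else. Only the reserved MACs keep a stable address, which is what makes the per-IP rules safe to write.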

