Blocking Most Internet Sites

Fish4Fun

I have a small business that employs some younger folks who simply cannot help but play on the internet constantly. Firing them is a last resort solution. They have access to two general purpose cash register PCs that need to use the internet for two websites; I would like to block access to ALL other internet sites from these two PCs. I would like to achieve this via a router rather than using Windows. The work stations have static IPs, so they are fairly easy to single out (I do NOT want to restrict internet access to other PCs on the network). I currently have a Buffalo AirStation I am using for a DHCP/router; best I can tell, it does not have the capability to do what I want. The question is, what router would, and is what I want fairly easy to achieve?

Fish
 
I would assume it has some sort of built-in firewall; perhaps the easiest way to go about it is to block port 80 on the firewall for the internal network. If port 80 is blocked, no web traffic will be allowed through the router. You can then apply 2 rules to your firewall to allow port 80 to be used only for those 2 particular websites; therefore your firewall rules will be to disallow all web traffic except to those specific 2 sites. I don't know if your router has this ability, but that's where I would start, but it's only a good guess. Does your router have a content filter on it?
 
Summit,

Thanks for the reply. I would assume if I block port 80 that no PCs will have access to sites other than the defined exceptions; unfortunately I need other PCs on the network to have unrestricted access.

For the short-term I have simply removed shortcuts to iexplorer on the two PCs and put links to the two sites the employees need to use that open IE in "kiosk mode". Obviously an ambitious employee could navigate directly to C:\Program Files\Internet Explorer\iexplorer.exe and launch it from there, or simply type an address into an explorer address bar, but an "old-fashioned" firewall ("If I catch any of you playing on the computer again, you're fired") in combination with the lowered accessibility will likely solve the issue for now.

As a side note, I really hated to have to take these extreme measures. In the past I have allowed employees the latitude to check their email and "surf" a bit while working when things were slow, but it got to the point where they were ignoring customers and duties and warnings did not help.

Thanks for the response,

Fish
 
Ahh, I see the problem. That being said, I wonder if you can use Windows Firewall on the actual computer you want the web traffic restricted on to block port 80, rather than doing it at the router level. Do it at the PC level through Windows Firewall or another third party firewall program; that will not affect the rest of the PCs on your network.

It's of particular interest for me as I too have the same problems, and have had to let staff go because of absolute abuse of internet privileges. It's unfortunate and frustrating, I hear your pain!
 
What you want to do should be easy, but isn't with most consumer routers.

Many can block services for specific IP addresses or address ranges. But that blocks all access to the service.

Even if you have a router that lets you define firewall filters and set their execution order, it's not common to have port-based rules be restricted to specific sites.

You also have to watch the use of proxies, which allow smarties to work around port 80 blocks.

Best approach is to use web filtering with general deny and whitelist for approved sites.

You might look into OpenDNS' Deluxe service. Simple to implement and works with any router. To lock down all machines behind your router, you'd enter the OpenDNS IPs in the router DNS. To lock down specific machines, you change the TCP/IP DNS IPs to OpenDNS servers. But unless you lock users from changing TCP/IP settings, they could change them back. But then you can use OpenDNS' stats to see if users are still going to "bad" sites.
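
The default-deny-plus-whitelist idea from the post above, sketched as an added example that is not from any poster in this thread. It assumes a Linux-based router with iptables; the chain name `REGISTERS` and every address are constructed placeholders, and it also covers port 443 and DNS, which the thread does not discuss in detail.

```shell
#!/bin/sh
# Constructed sample values (documentation/private ranges, not from the thread).
STATIONS="192.168.1.50 192.168.1.51"   # the two static-IP register PCs
SITES="203.0.113.10 198.51.100.20"     # resolved addresses of the two approved sites
RESOLVER="192.0.2.53"                  # placeholder for the filtering DNS service

# Print the rules rather than applying them, so they can be reviewed first.
gen_rules() {
    # Dedicated chain (hypothetical name): only register traffic ever enters it.
    echo "iptables -N REGISTERS"
    for pc in $STATIONS; do
        # Inserted at the top of FORWARD so no earlier ACCEPT can bypass it.
        # Every other PC on the LAN never matches -s and stays unrestricted.
        echo "iptables -I FORWARD 1 -s $pc -j REGISTERS"
    done
    # DNS only to the chosen resolver: changing the PC's DNS settings to
    # another server gains nothing, because that traffic hits the final REJECT.
    echo "iptables -A REGISTERS -d $RESOLVER -p udp --dport 53 -j ACCEPT"
    echo "iptables -A REGISTERS -d $RESOLVER -p tcp --dport 53 -j ACCEPT"
    for site in $SITES; do
        echo "iptables -A REGISTERS -d $site -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Default deny on every port, not just 80, so a proxy listening on some
    # other port is blocked as well.
    echo "iptables -A REGISTERS -j REJECT"
}

gen_rules
```

Allowlisting by IP address breaks when a site moves or sits behind a CDN with changing addresses, which is one reason a name-based web filter is easier to maintain.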
 
Thanks, claykin. Some good pointers there, but not for newbies! :)
 
This is SmallNetBuilder.com. Not TinyNetBuilder.com. :D

Tim, can you get some animating emoticons on this forum???? I'd like a rolling laugh on this one even though it's not that funny. :eek:
 
Thiggins/Claykin,

Thanks for the replies. Part of the problem was fixed by upgrading the work stations to modern OSs and employing "Content Advisor" in Win 7. The rest of the problem was solved by an employee meeting. Sometimes "low tech" solutions can work better than "high-tech". I have no doubt that given time, any technical solution could be subverted, but the simple threat of unemployment for attempting to subvert the simple measures I have taken seems to have been enough.

As always, Thank You for the help.

Fish
 
Thanks for reporting back, Fish.

Remember, though, to follow through with monitoring. OpenDNS can be helpful for that.
 