current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Network Engineering Stack Exchange is a question and answer site for network engineers. It's 100% free, no registration required.
up vote 6 down vote favorite

Our office network uses the 1921/K9 router along with SG300 L3 switch (and a few other L2 switches) all with base modules. If we wanted to block employees from visiting certain websites, what would be the best way to do it with the current equipment?

share|improve this question
    
@WaxTrax yes. have done that. but updating it is kind of a pain. how does one easily and centrally manage all the hosts file of every computer in the office? –  lamp_scaler Jun 5 '13 at 14:08
2  
build a linux VM image and run a squid proxy... this is the "right" way to filter web traffic for free with your existing kit, but you'll need to be familiar with some flavor of *nix. Add dansguardian and you could even get cool points from your boss for filtering obscene content. –  Mike Pennington Jun 5 '13 at 14:41
    
@MikePennington where does one fit the squid proxy in the network setup? –  lamp_scaler Jun 5 '13 at 14:50
    
On the LAN side, same subnet as your WAN router... check Server Fault for information about configuring squid –  Mike Pennington Jun 5 '13 at 15:04
    
There was no mention of a firewalll in the setup. The new Cisco ASA-X with CX AVC and WSE could be put to task. –  generalnetworkerror Jun 5 '13 at 16:24

4 Answers 4

up vote 6 down vote accepted

A poor man's filter can be implemented by using NBAR to match the URL you want to block and then drop the traffic that matches.

For instance if you wanted to block google you could use the following

class-map match-any BlockGoogle
    match protocol http url *.google.*

policy-map BlockGoogle
   class BlockGoogle
       drop

interface gig 0/1
    description WAN Interface
    ip address 4.2.2.1 255.255.255.252
    service-policy output BlockGoogle

Because this is a match-any class map you can just add more URLs to match in the class.

Note: Matching based on URL will need to be done in the 1921, not the L2/3 switch.

share|improve this answer
    
Does this still work if the user sets up a proxy within their web browser settings? –  lamp_scaler Jun 5 '13 at 14:56
    
If I'm not mistaken it should block proxy traffic as it typically just makes a standard HTTP request to the proxy's IP. This, however, would not block against a tunnel. Also it's important to note that proxy means many different things. There are websites set up that allow you to use a browser within a browser almost. This would not block against that unless you have that site blocked. I formed my answer based on your question, but if you want a more fully featured filter then using NBAR is /not/ the way to go. Using something like Websense, IronPort Web Filter, Barracuda, etc. would be best. –  bigmstone Jun 5 '13 at 15:11
    
I see. Is it possible to tweak this NBAR config so that it only enforces for certain MAC addresses, IPs, or VLANS? –  lamp_scaler Jun 6 '13 at 14:10
    
Yes, but you'd have to build a class-map for each website you want to block. You could create a match-all statement that would match protocol http url and then a statement to match an ACL that's built to match your hosts. If it's based on a VLAN then you could just apply the original service-policy to the sub-interface on the router that the traffic ingresses from. –  bigmstone Jun 6 '13 at 14:16
up vote 4 down vote

Work with your Cisco Partner or Cisco SE on the use for ScanSafe solution integrated in IOS:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps6538/ps6540/data_sheet_c78-655324.html

share|improve this answer
    
That's incredible, I was not aware of the ScanSafe solution from Cisco... this is a great option for Branch Offices. Learn something new every day! –  infinisource Jun 5 '13 at 16:20
up vote 2 down vote

In my experience what I've done is this:

1) Setup a SPAN session on the L3 Switch and send the traffic to a destination port that will do the monitoring. 2) Configure Websense to monitor website traffic by setting up policies for what is and is not allowed.

I know that is probably not exactly what you are looking for, but that is the basics in a nutshell. Just having a Router and L3 switch doesn't allow you to monitor/block website traffic. There are other products out there besides Websense such as Dansguardian that will do the trick but Websense is probably by far the easiest to set up but also one of the most expensive in terms of licensing and hardware requirements.

What you also have to take into consideration when monitoring website traffic is the size of your network. If you are monitoring 200+ clients, I would not recommend anything less than a Quad Core Xeon box with Dual Gigabit Link and 8GB of RAM at the very minimum. Sizing is very important when deciding to monitor traffic as the box that monitors could potentially choke outbound traffic enough to where higher-ups decide to yank the box out of the network for you.

That's been my experience with monitoring website traffic, what are your thoughts?

share|improve this answer
up vote 1 down vote

Another alternative is to block the URLs, similar in concept to the HOSTS file, at the DNS server (assuming you're running your own DNS server).

For example, if IOS is running the DNS server, you can add:

Router(config)# ip host facebook.com 127.0.0.1

Or you could replace 127.0.0.1 with the IP of perhaps a simple web server with a static page listing which sites are forbidden and why.

share|improve this answer
    
can I use this syntax: *.facebook.com to restrict all subdomains? –  lamp_scaler Jun 5 '13 at 14:55

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.