Restricting web access

Orion · 17-09-2006 11:19am #1

The training centre my other half works in has 10 pcs with internet access. Unfortunately the kids are using it to browse pron - who'd have thought?

Anyway the boss now wants to implement some sort of filtering/proxy etc to restrict access to dodgy sites. I'd like to set this up for him in such a way that I'd never have to maintain it - iow I want him to be able to set up new restrictions as required or for it to be done centrally. There isn't a huge amount of money available to cheaper solutions preferred. I've thought of NetNanny or ClarkConnect for this. Could people recommend anything else?

The set up (I think is) just a standard bb connection with all the pcs connected through a switch. I'm heading up there today to see.

Orion · 17-09-2006 8:28pm

The set up is as described. Except the pcs are actually on a domain with a 2k3 server as DC. So I can use GPO to force a proxy connection. But what should I use to restrict sites on that box. Also, can anyone recommend a decent cheap proxy server? I don't think his budget will stretch to the MS offering.

ednwireland · 18-09-2006 8:28am

http://www.acmeconsulting.it/SquidNT/

try this squid for windows more people seem to recommend paying for isa for the windows integration

ednwireland · 18-09-2006 8:30am

sorry another option is winroute

http://www.kerio.com/kwf_price.html

Orion · 18-09-2006 9:11am

Squid is a proxy server which may come in useful. But WinRoute is not what I'm looking for - that blocks traffic based on type of traffic not destination. I'm looking for something like NetNanny or Websense that works at a server level preferably.

frodo_dcu · 18-09-2006 9:48am

http://www.censornet.com/

shanethemofo · 18-09-2006 9:57am

dansguardian works well too

RangeR · 18-09-2006 10:48am

I use Endian Firewall. It has a built in squid proxy. It's very easy to setup and use. I normally have the proxy / content filtering turned off but when the kids come around, I just flick a couple of switches in it's config and I have a locked down internet connection.

To do this, you do have to have a spare PC. An old P2 or P3 with 128MB RAM will suffice. You should be able to pick up one of these babies for less than €100. The software is free.

Only takes about an hour or two to install and fully config. Great piece of kit.

rogue-entity · 18-09-2006 10:42pm

You have two easy options.
One, convert your W2K Server box to a Linux box instead, it can do the same job that your currant server is doing for 0$, and you can sell your W2K3 licence and associated CALs to someone else.

Two, setup a Linux proxy to route between your internet connection and the switch making sure that all machines go through the proxy regardless of proxy settings in your browsers.

Now, I doubt you want to get rid of that shiney expensive server software, so you could go the ClarkConnect/Squid+Dansguardian route (Censornet is good too, but downloads from their site have been like tar lately).

If you dont have a spare PC with two NICs to use, not so much of a problem, you can install the lovely free VirtualPC to run a Linux server on top of your W2K server software. For ease of administration and maintainance I would suggest ClarkConnect (it uses DansGuardian and Squid anyway), you just download the disc image, and if you are using VPC, you just boot the virtual machine from the disc image and it installs just fine. If you have a spare PC with a pair of NICs (or you want to convert your server) then you just burn the image to a disc and install away.

With VirtualPC, your virtualPC will get its own IP automatically so you just use GPOs to force the 10 clients to use the VPC as a proxy, it works just fine.
Not two sure if a VPC can be setup as a router though..
With a spare PC you can put the internet and your network on different subnets so that the router works like a firewall, you can set it to force all port 80 requests to loop back through the filter running on a different port so your filter is transparent to the users. ClarkConnect or DansGuardian will also block bypass proxy sites too quite nicely (lets hope WIT techs dont realise that

).

Orion · 18-09-2006 11:02pm

Thanks rogue - you summed pretty much where I'm going so far. These boxes aren't mine so I can't make the decision to ditch the Windoze server. So I'm looking at a couple of options now:
1. The existing 2K3 box only. Use GPO to force the proxy on the clients and use Squid and Censornet on it. (Can't find a Win ver of DansGuardian).
2. A separate linux box with proxy (again probably Squid) and DansGuardian on it and again use GPO to force the clients through the proxy.

I hadn't considered VPC but I don't think it's an option anyway tbh - There's a beaurocracy involved. But there's no reason I can't add a new pc to the network with whatever os I want on it - who'll know

I have a spare box here I can play with - currently Ubuntu is on it but I'll have to put Win 2K3 on it to play with the Windows option and use the Ubuntu Live CD to test the other option.

I'll also try out the VPC with ClarkConnect as well so I'm fully armed before giving my proposal.

Restricting web access

Comments