[gptalk] Re: Website

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 12 Sep 2007 11:16:17 -0700

In order to get their product sold and deployed in networks such as
yours- many proxy vendors can completely disable monitoring- and would
require the reinstallation of the product to enable that functionality. So
with that said- you can restrict the traffic without compromising
security or having people feel that big brother is watching. Food for
thought.

 

Talk to you later,

 

omar

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Pietrzak
Sent: Wednesday, September 12, 2007 11:06 AM
To: gptalk@xxxxxxxxxxxxx
Subject: RE: [gptalk] Re: Website

 

Omar,

 

I completely agree with you. A web proxy (ISA 2006) would be an optimal
solution. In my case, I work for a public university in CA and believe
it or not, we cannot implement any kind of web monitoring due to UNION
rules. It's quite frustrating. I was all set to bring in WebSense last
year when our union rep gave it the stop order and sent it up the
political chain for review. 

 

Sometimes it's not just budgetary restrictions but political as well.
Oh well, I said, I just block the traffic instead. Crazy as it sounds,
that was acceptable.

 

Michael

 

All of these suggestions are good ones but- as the IT administrator you
should present to your manager, and he or she should present to the
execs that to effectively manage web access including restrictions,
monitoring and reporting, a web proxy server should be deployed and all
outgoing web requests should be forwarded through the proxy via network
routing or browser proxy settings with tight outgoing port restrictions
controlled at the network gateway.

 

Using the IE restricted sites, HOSTS files or creating an IPsec policy or
a placeholder bogus DNS zone to solve this political issue is a
workaround and not really a good one. 

 

Restricting web traffic is a political issue and as the IT admin or IT
manager- hand off the responsibility of creating the policy or owning
the approved site list if you can and make the company pay.

 

Now of course if you are administering a public institution or school that
is limited in funding and administrative staff- and you can't get an
educational discount of a functional feature rich proxy solution- any of
the suggested work-arounds will work.

 

I have to go and get off my soap box now..

 

Omar

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Michael Pietrzak
Sent: Wednesday, September 12, 2007 9:21 AM
To: gptalk@xxxxxxxxxxxxx
Subject: RE: [gptalk] Website

 

Craig,

 

You can use the IPSec techniques outlined in this walkthrough...

 

http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm

 

to enable you to block certain websites via a group policy. It's VERY
easy to do. We had a problem with users visiting naughty sites and with
this technique, I can effectively block all web access, allow local
intranet browsing, allow only specific sites to be allowed, or finally,
what you are looking for, block individual sites.

 

Read through it. Again, it's very easy to alter the IPSec rules to block
a single web site.

 

Alternately, in your DNS servers, I use MS DNS so I can't say this could
apply to you, but you could create a new domain, say myspace.com, and
make a bogus DNS entry for it. That way, when any machine tries to go to
myspace.com, it will not resolve.

 

Either of those techniques should work great for you.

 

Michael

SDSU

 

 

Hi guys
 
Can I block a website through a GPO?

Craig Meyer 

"He had no servants - yet they called Him Master, no degrees - yet they
called Him Teacher, no medicine - yet they called Him Healer, no army
yet the Kings feared Him. He won no military battles yet He conquered
the world. He committed no crime yet they crucified Him. He was buried
in a tomb yet He lives 2day...."

 
