Hey guys,

 

This is a work related question. I am looking for some information on ways of blocking websites on an office network.

 

We have a very powerful commercial router in the office but it has got one downside to it which we have found. It cannot block HTTPS websites. This is an issue with a lot of routers, I understand. I can block HTTPS as a whole but some of the websites which our business uses are HTTPS websites. This unfortunately opens the gates for our staff to use HTTPS://www.facebook.com and HTTPS://www.youtube.com... which they aren't allowed to get to. Also, this has now got a knock-on effect, which is that our online systems are struggling because of the broadband hits we are taking because of people loading YouTube videos and being on Facebook.

 

Current router: Linksys RV082

Firmware Version: 1.3.6-q50

 

What ways are there for me to stop people from accessing them?

 

I have seen that changing the hosts file allows me to block sites, however there are about 30 staff and another 10 staff in Scotland. So this isn't ideal for us.
I have also seen OpenDNS but they are wanting nearly £1500 a year for their service for the number of staff we have, which is a pretty big rip-off in my opinion.

I have also seen that you can block it via GPO, which also isn't ideal because they will be accessing these websites via Google Chrome and GPOs only work on Internet Explorer from what I have read...

 

I am currently upgrading the spare router we have (Identical to the main router) to the latest firmware in the hopes that this issue has been resolved, but if not... I need a backup plan...

 

So what other options do I have?

Link to comment
https://linustechtips.com/topic/294657-website-blocking-on-office-network/

In most routers you can block certain websites by adding them to a black list.

You also can look into a pfSense firewall; it's not that hard to set up yourself and it's open source.





 

You could change the DNS in the router to redirect the pages to a "PagedBlocked" site.


In most routers you can block certain websites by adding them to a black list.

You also can look into a pfSense firewall; it's not that hard to set up yourself and it's open source.

We have got a blacklist, however it just doesn't do HTTPS. You can add HTTPS sites to it but it will not block them...

pfSense might be a good shout. I was trying to make one a little while ago. I might be able to set it up on one of the spare servers and have it running as an almost secondary firewall...


If you can push updates to client computers, you can use host files on them to block whatever you want. I'm like 99% sure it will still block an HTTPS page. You could also just go around and do it manually on each client if you need. It won't stop them from going there on their phones though.


It's always hard to block access to certain sites completely...

 

The most common options you have when dealing with encrypted traffic like HTTPS are:

IP range blocking: looking up the sites you want to block and just dropping all outgoing traffic to their networks. Crude but effective.

Set up your own in-house DNS server/forwarder where you redirect traffic to a "blocked page" you host. This is easy to bypass unless you can lock the DNS settings on the clients.


If you can push updates to client computers, you can use host files on them to block whatever you want. I'm like 99% sure it will still block an HTTPS page. You could also just go around and do it manually on each client if you need. It won't stop them from going there on their phones though.

Tried it already, it still allows HTTPS through... It works perfectly for HTTP but it auto-redirects to the HTTPS version for Facebook, Amazon, eBay etc., which have HTTPS versions.

I can't block HTTPS as a whole though... as there are a lot of sites we need to access which need to have the data encrypted.

 

It's always hard to block access to certain sites completely...

 

The most common options you have when dealing with encrypted traffic like HTTPS are:

IP range blocking: looking up the sites you want to block and just dropping all outgoing traffic to their networks. Crude but effective.

Set up your own in-house DNS server/forwarder where you redirect traffic to a "blocked page" you host. This is easy to bypass unless you can lock the DNS settings on the clients.

I am thinking of setting up a DNS server now. I have been reading and it looks like the best method for dealing with HTTPS traffic.

The issue with IP address blocking is that Facebook has multiple IP addresses which redirect to the main version, same with eBay and Amazon. I already tried this method also...

 

First of all, what sort of 'very powerful commercial' router do you have?

Also, if your router can't accomplish this, the easiest, most cost-effective solution is to set up an internal DNS server and handle it that way.

 

We have got two Linksys RV082s... However, I am starting to think about whether to sell them my Linksys WRT 1900AC or not...

Yeah, a DNS server might work. We have got a few spare servers so I could take some parts from a few of those and make a nice server to run a DNS server from.

I thought that for the DNS server to work it would have to be on the internet side of the firewall, or am I thinking wrongly here?


I used to do support for the RV082 for Cisco. I can tell you that router (or any of the other Cisco Small Business line of products, for that matter) can't block certain HTTPS sites.

 

Do the DNS server, or purchase a DNS service (like OpenDNS for example). It's your best bet.
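
The internal DNS server/forwarder approach recommended in the replies above, as an added example that is not part of the original thread: it renders dnsmasq `address=` rules for a constructed blocklist and contrasts them with hosts-file entries, which match exact names only. It assumes dnsmasq as the forwarder (the thread names no DNS software), running on the office LAN with clients pointed at it, and `0.0.0.0` as the sinkhole answer; all function names are hypothetical.

```python
# Added example: office DNS blocklist rendered as dnsmasq rules (assumed forwarder).
BLOCKED = ["facebook.com", "youtube.com"]  # constructed policy from the thread's sites
SINKHOLE = "0.0.0.0"  # assumption: answer blocked names with the null address


def normalise(name):
    """Lower-case and drop the trailing root dot so comparisons are consistent."""
    return name.strip().lower().rstrip(".")


def hosts_file_blocks(query, entries):
    """A hosts file matches exact names only; it has no wildcard support."""
    return normalise(query) in {normalise(e) for e in entries}


def resolver_blocks(query, domains):
    """dnsmasq 'address=/domain/ip' covers the domain and every subdomain.

    Matching is on label boundaries, so 'notfacebook.com' is not caught.
    """
    q = normalise(query)
    return any(q == d or q.endswith("." + d) for d in map(normalise, domains))


def dnsmasq_config(domains, sinkhole=SINKHOLE):
    """Render one address= rule per blocked domain, de-duplicated and sorted."""
    names = sorted({normalise(d) for d in domains})
    return "".join(f"address=/{n}/{sinkhole}\n" for n in names)


def coverage_report(queries, domains):
    """Return (name, blocked_by_hosts, blocked_by_resolver) for each query."""
    return [(q, hosts_file_blocks(q, domains), resolver_blocks(q, domains))
            for q in queries]


# Constructed sample of names a browser might look up.
SAMPLE_QUERIES = ["facebook.com", "www.facebook.com", "m.youtube.com.",
                  "notfacebook.com", "intranet.example"]

if __name__ == "__main__":
    print(dnsmasq_config(BLOCKED), end="")
    for name, hosts, resolver in coverage_report(SAMPLE_QUERIES, BLOCKED):
        print(f"{name:18} hosts={hosts!s:5} resolver={resolver}")
```

The rules only affect clients that actually query this forwarder, which is why the replies stress locking the clients' DNS settings.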
