blocking internet access for employees

Old 14 October 2009, 12:58 PM
  #1  
spectrum48k
Scooby Regular
Thread Starter
 
Join Date: Feb 2006
Posts: 2,519

so they have a draytek vigor, and I've set the 4 managers up with fixed IP addresses

the draytek firewall rules I setup permit the 4 IP addresses through, and block port 80 for anything else.

So, assuming the employees get clever, which other ports should I block to prevent them from accessing the net using other methods?
Old 14 October 2009, 01:10 PM
  #2  
hodgy0_2
Scooby Regular
 
Join Date: Jul 2008
Location: K
Posts: 15,633

it depends on your actual goals - the internet is short for interconnected network

you have blocked port 80 access to the internet -- this in reality is only http traffic - what most people know as www (or the web)

what about FTP traffic on port 21? should they be allowed FTP access to the internet?

they could set up a webserver on the internet on port 8080 and connect to it, or even 3389, which would mean they could RDP to a remote machine and then surf the net

the instant messaging protocols?

most enterprise organisations block all outbound requests apart from 80 and 443 -- then block actual dodgy URLs/IPs -- so if you want to block internet traffic you may just have to block all outbound access apart from the managers' fixed IPs

your managers might need 443 access btw

Last edited by hodgy0_2; 14 October 2009 at 01:14 PM.
Old 14 October 2009, 05:39 PM
  #3  
mike1210
Scooby Regular
 
Join Date: Apr 2004
Location: Cardiff
Posts: 1,928

yep as Hodgy said, with my 2600G I used to have the first filter rule as block everything unless an exception and then add exceptions after this; on the 2600 you had to specify TCP and UDP as separate rules or it wouldn't work. Also it didn't support IP protocols (GRE for example) and only had simplified SPI, hopefully the newer 2800's are better for this. It did however support wildcard masking (ranges), so to keep the rules as few as possible make the managers' IPs next to each other so to speak (192.168.1.20-192.168.1.24)

so it was

Block all TCP
Block all UDP
Allow port 53 UDP (unless you have internal DNS servers this would also be needed)
Allow port 80 TCP (http) for 192.168.1.20-192.168.1.24
Allow port 443 TCP (https)
Allow port 21 TCP (ftp)

the above may cause probs with FTP connections as passive (might be active, can't remember which) FTP makes another connection to the same IP on a random TCP port in the range 1024-65535, so this would be blocked by the filter unless the 2800 has an FTP inspect feature on the firewall (the 2600 didn't)

Last edited by mike1210; 14 October 2009 at 05:48 PM.
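To make the default-deny rule set above concrete, here is an added model of it (example code written for this thread, not anything from the DrayTek firmware). It assumes a first-match evaluator, so the exceptions are listed before the catch-all TCP/UDP blocks, which is what "block everything unless an exception" amounts to; the 443 and 21 allows are restricted to the manager range as an assumption. The last check shows the passive-FTP data channel problem mike1210 describes: the random high port matches nothing but the catch-all block.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                        # "allow" or "block"
    proto: str                         # "tcp", "udp" or "any"
    dport: Optional[int]               # destination port, None = any port
    src: Optional[Tuple[str, str]]     # inclusive source IP range, None = any host

def in_range(ip: str, rng: Optional[Tuple[str, str]]) -> bool:
    """True if ip falls inside the inclusive range (ranges model DrayTek's wildcard masking)."""
    if rng is None:
        return True
    lo, hi = (int(ipaddress.ip_address(x)) for x in rng)
    return lo <= int(ipaddress.ip_address(ip)) <= hi

def decide(rules: list[Rule], src: str, proto: str, dport: int) -> str:
    """First matching rule wins; anything that matches no rule is blocked (default deny)."""
    for r in rules:
        if r.proto in ("any", proto) and r.dport in (None, dport) and in_range(src, r.src):
            return r.action
    return "block"

# Constructed sample policy: the manager range from the post, TCP and UDP as separate rules.
MANAGERS = ("192.168.1.20", "192.168.1.24")
POLICY = [
    Rule("allow", "udp", 53, None),        # DNS for every host (needed unless DNS is internal)
    Rule("allow", "tcp", 80, MANAGERS),    # http, managers only
    Rule("allow", "tcp", 443, MANAGERS),   # https, managers only (assumption)
    Rule("allow", "tcp", 21, MANAGERS),    # ftp control channel, managers only (assumption)
    Rule("block", "tcp", None, None),      # catch-all: block all other TCP
    Rule("block", "udp", None, None),      # catch-all: block all other UDP
]

if __name__ == "__main__":
    checks = [
        ("192.168.1.22", "tcp", 80),     # manager browsing: allow
        ("192.168.1.50", "tcp", 80),     # shop-floor PC browsing: block
        ("192.168.1.50", "udp", 53),     # anyone resolving names: allow
        ("192.168.1.22", "tcp", 8080),   # manager to a web server on 8080: block
        ("192.168.1.22", "tcp", 50000),  # manager's passive-FTP data channel: block
    ]
    for src, proto, port in checks:
        print(f"{src:14} {proto}/{port:<5} -> {decide(POLICY, src, proto, port)}")
```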
Old 14 October 2009, 07:18 PM
  #4  
pimmo2000
Scooby Regular
Join Date: Sep 2004
Location: On a small Island near France
Posts: 14,660

why ? how about trusting them ? and using gross misconduct as a prize
Old 14 October 2009, 11:59 PM
  #5  
mike1210
Scooby Regular
 
Join Date: Apr 2004
Location: Cardiff
Posts: 1,928

Originally Posted by pimmo2000
why ? how about trusting them ? and using gross misconduct as a prize
Pimmo, Spectrum may just be following criteria that the managers have set out for him: no one to have net access bar the managers etc etc.
Old 15 October 2009, 09:54 AM
  #6  
BlkKnight
Scooby Regular
 
Join Date: Feb 2004
Location: High Wycombe
Posts: 3,763

Do they need access to the web at all?

Just remove their route (default gateway) to the web.

If your network is DHCP - remove the gateway & manually add it to those that need it.
Old 15 October 2009, 01:15 PM
  #7  
spectrum48k
Scooby Regular
Thread Starter
 
Join Date: Feb 2006
Posts: 2,519

Originally Posted by pimmo2000
why ? how about trusting them ? and using gross misconduct as a prize
to answer that, the managers put the internet in and "trusted them" for about 3 months, until one of the machines was caught surfing a dodgy site in Thailand and picked up a really nasty virus that resisted all attempts to remove it, until the hard drive was removed and sorted externally, resulting in loss of production on the equipment that was connected to it.

Last edited by spectrum48k; 15 October 2009 at 01:23 PM.
Old 15 October 2009, 01:16 PM
  #8  
spectrum48k
Scooby Regular
Thread Starter
 
Join Date: Feb 2006
Posts: 2,519

Originally Posted by mike1210
yep as Hodgy said, with my 2600G I used to have the first filter rule as block everything unless an exception and then add exceptions after this; on the 2600 you had to specify TCP and UDP as separate rules or it wouldn't work. Also it didn't support IP protocols (GRE for example) and only had simplified SPI, hopefully the newer 2800's are better for this. It did however support wildcard masking (ranges), so to keep the rules as few as possible make the managers' IPs next to each other so to speak (192.168.1.20-192.168.1.24)

so it was

Block all TCP
Block all UDP
Allow port 53 UDP (unless you have internal DNS servers this would also be needed)
Allow port 80 TCP (http) for 192.168.1.20-192.168.1.24
Allow port 443 TCP (https)
Allow port 21 TCP (ftp)

the above may cause probs with FTP connections as passive (might be active, can't remember which) FTP makes another connection to the same IP on a random TCP port in the range 1024-65535, so this would be blocked by the filter unless the 2800 has an FTP inspect feature on the firewall (the 2600 didn't)
that'll do me!

question - anti-virus software on these factory workstations needs to update itself. How do you go about allowing that? Do I need to check with the anti-virus website and find the exact method of communication and create a specific rule for it?

Last edited by spectrum48k; 15 October 2009 at 01:19 PM.
Old 15 October 2009, 01:49 PM
  #9  
hodgy0_2
Scooby Regular
 
Join Date: Jul 2008
Location: K
Posts: 15,633

Originally Posted by spectrum48k
that'll do me!

question - anti-virus software on these factory workstations needs to update itself. How do you go about allowing that? Do I need to check with the anti-virus website and find the exact method of communication and create a specific rule for it?
you need to find the port the client AV program connects to the remote update server host on

and allow that out of the firewall

but in any case you are going to have to be slightly smart in configuring your internet access

basically you cannot do a global deny -- so no, that won't do you

Last edited by hodgy0_2; 15 October 2009 at 01:53 PM.
Old 15 October 2009, 04:15 PM
  #10  
mike1210
Scooby Regular
 
Join Date: Apr 2004
Location: Cardiff
Posts: 1,928

Another thing as well... Windows updates... unless you have an internal WSUS server. I didn't think of anti-virus updates either.

If you knew the anti-virus server IP you technically could add an exception on the port for an IP address and the Microsoft range, but this could prove to be a major ****; a default deny in this case could prove to be too obstructive. The draytek routers I'm sure have a SurfControl interface which you can subscribe to, which allows websites to be blocked but could allow out other traffic, for a small fee. What draytek do they have?

DrayTek Web Content Management

Last edited by mike1210; 15 October 2009 at 04:21 PM.
Old 20 October 2009, 09:19 PM
  #11  
spectrum48k
Scooby Regular
Thread Starter
 
Join Date: Feb 2006
Posts: 2,519

Originally Posted by mike1210
Another thing as well... Windows updates... unless you have an internal WSUS server. I didn't think of anti-virus updates either.

If you knew the anti-virus server IP you technically could add an exception on the port for an IP address and the Microsoft range, but this could prove to be a major ****; a default deny in this case could prove to be too obstructive. The draytek routers I'm sure have a SurfControl interface which you can subscribe to, which allows websites to be blocked but could allow out other traffic, for a small fee. What draytek do they have?

DrayTek Web Content Management
It's a Vigor 2600

Windows Updates - good point - I'll check out the ports and addresses