Web filtering solution based on IP through a DSL router?

ditto

We have a small office that is a workgroup (XP machines) that uses a
Win2k file server. However, all internet access is direct through a
NAT'd firewall (netgear prosafe) and then a cisco DSL modem. The
server could be down and users can still surf.

Is there any software you know of that can filter web pages based on
source IP address? It's the only way I can think of that can work. The
admin for the netgear lets you block web sites for all users except
*one* defined by IP but we have several users that need filtering from
most (but not all) web sites.

Most solutions offer only server based filtering (domain) and we don't
have that.

It would be great if there was a piece of software that could watch
the gateway for a given IP address and allow only access to yahoo.com
and cnn.com but not allow any other sites at all. All other users
could surf without restriction.

Is it out there?

thanks
 
Steven L Umbach

Unless you want to spend the money for and learn how to use Microsoft ISA
2004, I think your best bet is through a router. The various NAT routers
have many different capabilities. I have used Netgear and they work well but
have a limited number of rules that you can create. I would suggest that you
go to the websites for D-Link and Linksys and download the manuals for their
various devices to see what the capabilities are. A more expensive device
from the likes of Sonicwall could probably do what you want fairly well but
the cost would probably be in the several hundred dollar range depending on
the number of users behind the device and the capabilities needed, BUT may
be well worth the investment. Another possibility is to install a personal
firewall on each computer such as Sygate, which would only be configurable
by a local administrator. Some personal firewalls such as Portslock can have
different configuration based on logged on user. --- Steve

http://www.sonicwall.com/products/tz170.html -- example of a Sonicwall SOHO
device
http://www.portslock.com/
 
ditto

I did download the netgear manual and that's where I saw that it only
provides for one IP getting exceptions... I think I smell a Domain
controller installation down the line.
 
Steven L Umbach

I am not familiar with that device but most devices are much more flexible
than that. I would also look at the manuals of other devices as you may be
able to find a cheap solution from D-Link or Linksys. While a domain
controller has its merits it would not be the solution to your problems.
You can however download the full evaluation version of ISA 2004 if you want
to try that out. --- Steve
 
ditto

A Domain controller has no bearing on this at all.

I'm not so sure. Without filtering control at the router, converting
the server to a domain controller and then getting the workstations to
authenticate it directly THEN go out through the router lets me
install a variety of software created to control user groups, private
IPs etc.
 
Phillip Windell

ditto said:
I'm not so sure.

....need to get sure ;-)
Without filtering control at the router, converting
the server to a domain controller and then getting the workstations to
authenticate it directly THEN go out through the router lets me
install a variety of software created to control user groups, private
IPs etc.

The Netgear Router is never going to care what the DC thinks about anything
and likewise the DC is never going to care what the Netgear box thinks
about anything. They live in two different worlds. Netgear has never come up
with a way (that I ever heard of) for the NAT Box to integrate into the
Domain Authentication System and hence be able to leverage Integrated
Authentication.

Now if you spend the $$$ for MS ISA Server then that is a different
story,...but even then you must use the *proxying* services such as the Web
Proxy or Firewall Service of ISA to do that. Otherwise if you use ISA's
SecureNAT Services you are back in the same boat because the ISA SecureNAT
Server will not authenticate by user accounts either. That is part of the
weakness of NAT by itself.
 
ditto

The Netgear Router is never going to care what the DC thinks about anything
and likewise the DC is never going to care what the Netgear box thinks
about anything. They live in two different worlds. Netgear has never come up
with a way (that I ever heard of) for the NAT Box to integrate into the
Domain Authentication System and hence be able to leverage Integrated
Authentication.

No, I understand, but with filtering software installed (i.e.
SurfControl) on a server handling DHCP for all clients and then going
into a passive hub (remove the Netgear or disable everything but the
firewall) then the filtering software can screen selected IPs and
control surfing.
 
Phillip Windell

Ok, yes,..you may be able to do something with the stand-alone SurfControl.
I have never used it and don't know the specifics of it though. I believe
they also build it as plugins for proxies such as the old MS Proxy2 or the MS
ISA Server, but again, I have never actually used it myself.
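
The policy asked for in this thread (selected source IPs limited to yahoo.com and cnn.com, everyone else unrestricted), sketched as an added example that is not from any poster or from any product named above. The client addresses and all function names are assumptions; the check is meant to run in a proxy that sees both the client address and the requested Host.

```python
import ipaddress

# Constructed sample policy: the client addresses are assumptions; the two
# domains are the ones named in the question.
RESTRICTED_CLIENTS = [ipaddress.ip_network("192.168.0.32/29"),
                      ipaddress.ip_network("192.168.0.50/32")]
ALLOWED_DOMAINS = {"yahoo.com", "cnn.com"}


def normalize_host(host_header):
    """Reduce a Host header value to a lowercase name without port or trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):          # IPv6 literal such as [::1]:8080
        return host[1:host.find("]")] if "]" in host else ""
    if ":" in host:                   # strip an explicit port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def domain_allowed(host, allowed=ALLOWED_DOMAINS):
    """Match the domain itself or a subdomain, on whole-label boundaries only."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def is_restricted(client_ip, restricted=RESTRICTED_CLIENTS):
    """True when the source address falls under the filtered group."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True                   # unparseable source: fail closed
    return any(addr in net for net in restricted)


def decide(client_ip, host_header):
    """Return 'allow' or 'deny' for one HTTP request seen at the proxy."""
    if not is_restricted(client_ip):
        return "allow"                # all other users surf without restriction
    host = normalize_host(host_header)
    return "allow" if host and domain_allowed(host) else "deny"
```

A source address is not an identity, so the policy only holds if the restricted machines keep their addresses (DHCP reservations, no local admin rights) and all web traffic is forced through the filtering host.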
 
