Limiting Internet access by domain

[HumHead]

To all of the networking gurus:

I am currently looking for a reasonably priced (under $1K) hardware or software solution for establishing strict controls on internet access from within a network.

The goal is to keep the devices on the network generally isolated from the internet while still allowing limited access to security patch and software update sites, and some other limited web resources.

Here are the things that are tripping me up:
1) I need to control access to HTTP, HTTPS, and FTP content. I may ultimately need the ability to define other application specific services.
2) I need the ability to allow access by domain name, not just IP address. (This is the requirement that is currently killing me.)

I have found plenty of good firewalls that can provide very good control by IP address, and I have found plenty of good web gateways and proxies that will filter by domain. I have not yet been able to identify the one solution that can do it all.

Thanks in advance for any suggestions!

[tvsjr]

If you want cheap and don't mind spending some time, a linux box running iptables and squid should work. iptables for firewall, squid for proxy. If you want to go a bit further, try a Cisco ASA5505 for a firewall with a linux/squid box behind it. Squid ACLs will filter based on, among others:

* Source/Destination IP address
* Source/Destination Domain
* Regular Expression match of requested domain
* Words in the requested URL
* Words in the source or destination domain
* Current day/time
* Destination port
* Protocol (FTP, HTTP, SSL)
* Method (HTTP GET or HTTP POST)
* Browser type
* Name (according to the Ident protocol)
* Autonomous System (AS) number
* Username/Password pair
* SNMP Community

Beware, squid can be a real pain in the arse. You need to plan to spend some time with it if you want to grok it in fullness.

Filtering by domain name can be dangerous - what's your application?

[HumHead]

Thanks Terry. Here's the basic (simplified) story of the application:

The network runs audio devices in a number of performance venues. The devices on the network are a mixture of standard Windows workstations running control and playback applications, and dedicated audio hardware running embedded proprietary software. The majority of the audio devices were designed by overly trusting engineers and most can be connected to and controlled by their designated applications without the need for so much as a password. It is all run by operators who, honestly given the chance, would rather spend their time paying more attention to porn than their shows.

The network is already zoned with inter-zone routing rules to keep venues isolated from each other, and isolated from the outside world, with the exception of a VPN gateway (with one user- me).

The goal is to allow the Windows workstations to stay current on MS updates, virus definitions, etc. While also allowing operators to access some additional software patch sites and reference databases, without the freedom to fully roam the net and download arbitrary content.

The current firewall can provide good access control by IP address, however, the thinking is that keeping those lists fully current would be something near impossible, especially with content distribution sites. It seems easier to put in a controlled gateway with one interface accessible to the internal zones, and a second exposed to the WAN.

[tvsjr]

A linux+squid box should suit you just fine, then. You will need enough control of the devices to tell them to use a web proxy, or do some tricks with default gateway (assuming you need to let the embedded devices out a bit too).

Or, another approach would be WSUS for Microsoft updates, internal server for antivirus updates, etc.

You can also do authentication with the squid box... make the lusers enter user/pass, so you can track who they are and where they go.

Drop me an IM on AOL if you want to discuss....

[thebigphish]

i second terry's vote for a squid box. All in all you will be creating a whitelist thru the squid, which will allow the MS stuff, as well as the pre-approved update / patch / download sites as needed by you. This will be very effective once set up, but it had a steeper learning curve (IMO)...but not as bad as LDAP authentication. Great thing about linux, is you can spend as much as you want on hardware to make it work, and then the software is 0. A nice package based distribution (read as :Debian: - big fan here) makes this rediculously simple to install and maintain, then it's just down to the configuration of the beast.
It is doable, and very effective.

[tvsjr]

Well, you *could* do Debian... or you could use a real distro like RHEL/Centos.

Or you could consign yourself to the "40-year-old-virgin" crew and build your own Gentoo box.

[videonerd]

Given the few number of devices, how about a Linksys WRT54G router running DD-WRT? I have the VPN version running on mine, and there's a basic website blacklist with keywords... but there's also the actual linux running underneath if you want to add more geeky stuff.

[HumHead]

For better or for worse, our IT department has a knee-jerk aversion to anything that says Linksys on it.

When I get back on my normal side of the globe, I should have a new box waiting for me which I am going to try loading with Debian and Safe Squid when I have some spare time. (Sorry Terry, I'm already too close to 40, and couldn't face being a virgin again )