internet filter and access control
Bill Vermillion
fp at wjv.com
Fri Jan 28 08:42:29 PST 2005
As Kenneth Brody was scratching "For a good prime call
391581 * 2^216193 -1" on the wall, he suddenly said:
> Bill Vermillion wrote:
> [...]
> > > > And then you have to keep the users from changing the
> > > > network settings to use an external DNS. Since a good
> > > > many people are computer savvy then you need a very
> > > > good internal policy as to what will happen to anyone
> > > > violating the policies.
> > > Just as many ISPs block SMTP access to anything except their own
> > > servers, you should be able to block external DNS attempts, or
> > > even have your router reroute them to your own DNS server.
> > But if you block access to external DNS servers, then you have the
> > problem of blocking just who will be able to see the outside DNS
> > servers. But you still have to have strict policies to keep
> > the computer savvy people from changing these items.
> > As to local DNS it is going to depend on just what/how you are
> > using DNS.
> > If you are responsible for your own DNS - eg you are the primary
> > DNS while your ISP is secondary - then you run two DNS servers
> > on your DNS machine. This is handy when you have a machine
> > acting as a web server, mail, router, or ??. You put
> > your public IP on one interface. And your private IP on the other
> > interface.
> [...]
> I have every system on our LAN configured to use the router for
> DNS. While I don't block external DNS, I could easily configure
> the router to block and/or redirect external DNS requests from
> inside the LAN. The router also has its own hosts file, so I
> can add shortcuts to some of fPTech's systems. (For example,
> "bill.fptech" resolves to Bill's system, and "fpchat.fptech"
> resolves to the fPChat server, regardless of the "real" names
> of those systems. When the fPChat server was moved from the Sun
> box in Indy down to a Windows box in Florida, I simply changed
> the router's host file, and no changes were needed to the local
> fPChat clients' configurations.) If the name isn't listed in
> the hosts file, the router goes out to the ISP's DNS server.
> I can also prevent some annoying ads from appearing by adding
> things like "ads.x10.com" to the router's hosts file.
You don't even have to go as far as the router to do things
like that.
I have my system set its resolving to query hosts first and then
the DNS.
In the hosts file I have several of the doubleclick.net IPs and
others as going to 127.0.0.1. It helps if I accidentally hit
a wrong link in lynx so I don't go to annoying places.
Doing it in the router as you have done certainly takes care of
all the local machines. It will block everyone from that site,
but I was thinking of rules based systems where certain people are
permitted to go anywhere, while others are restricted. I have one
client site like that.
The ONLY problem they encountered was when one of the owner's
grandsons was allowed to use one of the computers in her office
and proceeded to get to places he shouldn't have been :-(
So many of the security problems are from people walking away from
machines and not logging out, and also not having passwords that
are known to others.
Far too many people seem to think PC means PUBLIC computer, not
PERSONAL computer.
Bill
--
Bill Vermillion - bv @ wjv . com
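The lookup order the thread describes (a hosts file consulted first, the resolver only on a miss, with ad/tracker names pinned to 127.0.0.1) is easy to get subtly wrong when the hosts file is fed from a blocklist. Below is an added example, written for this page and not code from either poster: a small Python model of that order that parses hosts-file text the way the libc files backend does (comments stripped, first entry for a name wins), generates sinkhole lines from a blocklist while rejecting names that would smuggle an extra field or an invalid label into the file, and falls through to an "upstream" lookup only when the hosts table has no entry. The sample hosts file, the `.fptech` addresses, `UPSTREAM_TABLE` and `fake_upstream` are all constructed for the example; real code would replace `fake_upstream` with a DNS query.

```python
"""Hosts-first resolution with an ad sinkhole, modelled offline.

Mirrors 'hosts: files dns' in nsswitch.conf: the hosts table is checked
first and the upstream resolver is only asked on a miss.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Optional

SINKHOLE = "127.0.0.1"

# One DNS label: 1..63 chars of letters, digits or '-', not starting/ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """RFC 1123 shape check. Rejects whitespace, empty labels and
    overlong names, so a blocklist line cannot inject a second hosts
    field or a comment marker into the generated file."""
    if not 1 <= len(name) <= 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {hostname_lower: ip}.

    '#' starts a comment, blank lines are skipped, lines whose first
    field is not an IP address are ignored, and the first entry seen for
    a name wins (the same precedence libc applies)."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not a hosts entry; skip rather than guess
        for host in fields[1:]:
            table.setdefault(host.lower(), ip)
    return table


def make_sinkhole_entries(blocklist: Iterable[str]) -> List[str]:
    """Turn ad/tracker names into hosts lines pointing at loopback.
    Malformed names are dropped instead of being written to the file."""
    lines = []
    for name in blocklist:
        name = name.strip().lower()
        if valid_hostname(name):
            lines.append(f"{SINKHOLE} {name}")
    return lines


def resolve(name: str, hosts: Dict[str, str],
            upstream: Callable[[str], Optional[str]]) -> Optional[str]:
    """Hosts first, then DNS: upstream is consulted only on a miss."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key]
    return upstream(key)


# Constructed sample hosts file: local shortcuts plus two ad sinkholes.
SAMPLE_HOSTS = """
# constructed sample, not a real configuration
127.0.0.1   localhost
192.0.2.10  bill.fptech
192.0.2.20  fpchat.fptech
127.0.0.1   ads.x10.com ad.doubleclick.net
this-line-has-no-ip-and-is-ignored
"""

# Constructed stand-in for the ISP's DNS server (assumption: offline table).
UPSTREAM_TABLE = {"www.example.net": "198.51.100.5"}


def fake_upstream(name: str) -> Optional[str]:
    return UPSTREAM_TABLE.get(name)


def demo() -> Dict[str, Optional[str]]:
    """Build the table, append a validated blocklist, resolve a few names."""
    hosts = parse_hosts(SAMPLE_HOSTS)
    extra = make_sinkhole_entries(["ads.example.org", "bad name", "a..b"])
    for host, ip in parse_hosts("\n".join(extra)).items():
        hosts.setdefault(host, ip)
    names = ["bill.fptech", "ADS.X10.COM", "ads.example.org",
             "www.example.net", "unknown.example"]
    return {n: resolve(n, hosts, fake_upstream) for n in names}


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:20} -> {ip}")
```

The caveat the thread itself raises still applies: a hosts-file sinkhole (on a workstation or on the router) only works for clients that actually use that resolver in that order, so a machine whose resolver order was changed, or that is pointed at an external DNS server, bypasses it entirely unless the router also blocks or redirects outbound DNS.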