Ask : LAN to Internet restricted to one destination

Author: papapuff (Silver Member)
2019/04/19 09:28:45

Hi there,
 
Need advice.
I want to make sure clients can only access a single website on the internet.
They can't browse to other websites or use the internet for any other purpose.
 
This website is like vforum. Is it correct that I just need to:
- make an IPv4 policy that only allows ports 80 and 443 to that website
- make a new web filter that only points to that website.
 
Need advice please. Thank you
 
#1

    Toshi Esumi (Expert Member)
    Re: Ask : LAN to Internet restricted to one destination 2019/04/19 10:07:21
    I would define an FQDN address for the website host, and allow HTTP and HTTPS to the address in the first policy then deny all other destinations for HTTP and HTTPS in the second policy.
    #2
    papapuff (Silver Member)
    Re: Ask : LAN to Internet restricted to one destination 2019/04/20 10:19:05
    Hi Toshi,
     
    Thank you for the reply.
    Is that working properly?
    I mean, there is no chance clients can access other website(s)?
    Using apps or something like a free proxy?
    #3
    Toshi Esumi (Expert Member)
    Re: Ask : LAN to Internet restricted to one destination 2019/04/20 21:56:30
    What it would do is that all HTTP/HTTPS access from the source interface is allowed only for the host/FQDN. Of course, if there are other policies that allow another source interface toward the internet, you have to create another policy to block them too... in other words, you have to check through all paths to the internet and control all policies. Then, if you overlooked any of them, you'll need to troubleshoot and shut them down.
    #4
    ede_pfau (Expert Member, Heidelberg, Germany)
    Re: Ask : LAN to Internet restricted to one destination 2019/04/21 07:34:51
    There are a lot of evasion techniques out there. For example, tunneling any sort of traffic via DNS port 53. What you can do is apply an application control sensor (filter) to the outbound policy which suppresses the most common services like peer-to-peer, DNS tunneling etc.
    I bet you'd thought this was easy.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
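The policy set the replies describe, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the interface names `internal` and `wan1`, the site name `forum.example.com`, the address object names and the resolver address `192.0.2.53` are all assumptions. It follows Toshi's design (an FQDN address object, an accept policy for HTTP/HTTPS to it, then a deny), with two additions the thread only implies: a DNS policy restricted to one resolver, because clients still have to resolve the site's name, and a final deny that covers all services rather than only HTTP/HTTPS, which closes the non-web paths Toshi and Ede mention and logs any attempt to use them.

```fortios
# Added example, not from the thread.
# Assumed: LAN interface "internal", WAN interface "wan1",
# permitted site forum.example.com, resolver 192.0.2.53 (documentation range).

config firewall address
    edit "vforum-fqdn"
        set type fqdn
        set fqdn "forum.example.com"
    next
    edit "lan-dns-resolver"
        set subnet 192.0.2.53 255.255.255.255
    next
end

config firewall policy
    # Policy 1: the only permitted web destination (Toshi's first policy).
    edit 1
        set name "allow-vforum-only"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "vforum-fqdn"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
    # Policy 2: name resolution for the clients, limited to one resolver so
    # that UDP/TCP 53 to arbitrary hosts (Ede's DNS tunneling example) has no
    # matching accept policy.
    edit 2
        set name "allow-dns-to-resolver"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "lan-dns-resolver"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set logtraffic all
    next
    # Policy 3: explicit, logged deny of everything else from this interface.
    # Toshi's second policy denies only HTTP/HTTPS; "ALL" generalizes it so
    # that every overlooked path shows up in the traffic log.
    edit 3
        set name "deny-all-other-internal"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policy lookup is top-down, first match, so the accept policies must sit above the deny; the `logtraffic all` on the deny is what makes Toshi's "check through all paths" practical, since every blocked flow from `internal` is then visible by policy name. Two caveats: the FQDN object only matches addresses the FortiGate itself has resolved, so a site served from many changing addresses may need more than one object, and this set covers only the `internal` interface, so any other interface with its own outbound policy needs the same treatment, as the thread notes.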