CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi Grp,

Pls tell me how I can block certain sites completely, like Yahoo.com (it should block yahoo.co.uk, yahoo.co.in etc.). Since there will be more than 50 servers for these web sites, how can I block these sites without knowing the IP addresses?

Thanks in Advance,
Sunil
Three options here, ranked best to worst, in my opinion:

* Don't allow any systems direct access to anything on the Internet. Use a proxy server, force all systems to go via that proxy server. Either use URL filtering software, or configure DNS for your proxy server to send requests to google, yahoo to 127.0.0.1. This is far and away the most secure option, and gives you reasonably good control over the types of sites that staff can access, and perhaps more importantly, gives you reporting.
* Control DNS for all clients, and put blackholes in for those domains on your own, locally controlled, DNS servers. Don't let clients do DNS lookups to anyone else.
* Use domain objects. I would strongly advise against this though, as many people have reported problems with these.

Think carefully about what you are trying to achieve. What's the point in blocking access to a couple of search engines? Why on earth would you want staff to have Internet access, but not access to the most widely used search engine? What's the point? Where's the risk/benefit analysis? So you block access to google.com - big deal, I'll just use ask.com, or alltheweb.com, or altavista.com, or.... Or maybe I'll just use one of the anonymous proxies that are out there.

Think carefully about what you are trying to achieve, and do a proper risk/benefit analysis of the situation, and do a cost/benefit analysis of your proposed solution. Don't just put in a knee-jerk "block all access to google quick!" solution.
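The DNS blackhole option above, worked through as an added example (not code from the thread or from Check Point): a label-aware suffix match that sinkholes a domain and everything under it, plus generation of the equivalent dnsmasq `address=/domain/ip` lines. The blocklist, the sinkhole address and the upstream table are constructed sample data; note that yahoo.co.uk is not a subdomain of yahoo.com, so each country variant has to be listed on its own.

```python
"""DNS blackhole for banned domains (added example, not from the thread).

1. is_blocked(): matches whole DNS labels from the right, so "mail.yahoo.com"
   is covered by "yahoo.com" but "notyahoo.com" is not, and "yahoo.co.uk" is
   only covered if it is listed explicitly.
2. dnsmasq_config(): emits dnsmasq 'address=/domain/sinkhole' lines, which
   make dnsmasq answer that domain and all its subdomains with the sinkhole.
"""
from typing import Dict, List, Optional

BLOCKED: List[str] = ["yahoo.com", "yahoo.co.uk", "yahoo.co.in"]  # constructed
SINKHOLE = "127.0.0.1"  # address the original post suggests for blackholing


def _labels(name: str) -> List[str]:
    """Normalise a name: lower-case, strip trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def is_blocked(qname: str, blocklist: List[str] = BLOCKED) -> bool:
    """True if qname equals a blocked domain or is a subdomain of one."""
    q = _labels(qname)
    for dom in blocklist:
        d = _labels(dom)
        # Compare whole labels from the right; never a plain substring match.
        if len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False


def resolve(qname: str, upstream: Dict[str, str],
            blocklist: List[str] = BLOCKED) -> Optional[str]:
    """Toy resolver: sinkhole blocked names, otherwise consult 'upstream'.

    'upstream' stands in for the real forwarders and is keyed by normalised
    name (constructed data in the test below)."""
    if is_blocked(qname, blocklist):
        return SINKHOLE
    return upstream.get(".".join(_labels(qname)))


def dnsmasq_config(blocklist: List[str] = BLOCKED,
                   sinkhole: str = SINKHOLE) -> str:
    """Render the blocklist as dnsmasq address= directives."""
    return "\n".join(f"address=/{d}/{sinkhole}" for d in blocklist)


if __name__ == "__main__":
    print(dnsmasq_config())
    for name in ["mail.yahoo.com", "www.yahoo.co.uk", "yahoo.co.jp"]:
        print(name, "->", "blocked" if is_blocked(name) else "allowed")
```

Clients must be forced to use this resolver (and denied DNS to anyone else), as the post says; a sinkhole on a resolver nobody is required to query blocks nothing.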
Hi,

Thanks for the detailed reply. I just put google.com as an example; my requirement is to block some other sites. I tried with a domain object, and I could block cisco.com and wipro.com, but Yahoo is still coming. I don't know why?

Thanks once again,
Sunil
northlandboy is right, better not to use domain objects. Maybe it is better to use a URI resource than a domain object? But the DNS decision is more elegant if you don't use a proxy.
I've seen problems with domain objects where there is an alias in the DNS record which some clients seem to resolve when the main / primary IP address cannot be resolved. The other problem with domain objects is the processing overhead. If you have a large number of domain objects it will slow things down a fair bit while each is being resolved. I'd agree with northlandboy, get a dedicated web filtering solution. While Check Point does offer this as a feature, don't mistake it for a fully singing and dancing proxy!
As mentioned above, block it with a URI resource. I don't know anything about your network, but good to know is that resource rules do have a negative impact on performance, though in "most" cases it should be fine. In the resource object you can match on host, path etc.
SmartDefense allows you to block domains - essentially it blocks DNS lookups for the banned domains. Seems to work OK. As northlandboy has mentioned, using domain objects in the rule will most likely cause problems.