Thread: directed to block all video - limited tools

Hey again,
I'm being directed to block all types of video to our remote schools, and have limited tools to do this with. Here's what I'm playing with:
In the elementary schools (we have 3), I have core Cisco switches and a Cisco router. Internet traffic then goes over lines to our main site, (in through our Cisco router), and is in turn sent back out to the internet, through our Fortigate web filter. Elementary schools are currently connected to the main site via two T1 lines (3 Mb total) and an additional T1 that's reserved for voice traffic. Our main site has a sufficient connection to the web that we're not concerned with rate limiting yet.
The goal is to limit bandwidth used by the remote schools, while allowing access to certain critical software (student information system, food services, library automation, etc.), and provide web access, but nothing bandwidth-intensive.
Short of blacklisting video streaming sites, what's the most effective way to do this? Block port #'s that carry streaming video? Use rate limiting (?) on the Cisco equipment to restrict how much bandwidth a specific port can use?
Is QOS an option in the Cisco equipment to prioritize certain traffic? If so, are there resources I can research on how to set this up and verify that it's working?
Our web filter, the Fortigate, claims to be able to reserve bandwidth for certain connections but doesn't appear to have worked in the past.
I'm relatively weak in the switch / router configuration department, so there may be more out there that I'm unaware of.
If you block out ports for video streaming sites you'll just see a surge in flash videos, which come down through HTTP so you can't break them at router level (router is layer three, flash works at the application layer, seven). You need to concentrate on some kind of filtering, either what you've got already or some alternative.
My solution here is Smoothwall, which is available free with limited features, because it Just Works (tm). But there are plenty of other filters in use in schools, or you could even be as drastic as forging DNS records for popular sites so they can't be resolved (which is what I used to do).
Don't know the fortigate product at all, but a bit of googling suggests that its web filter can import squidguard blacklists. If this is true, then look at SquidGuard for some sets of blacklists; there's one called "audio video" which is basically a list of popular web sites providing video. If you blocked all of those then it would be a start!
In ISA server and Squid there's a facility to say "for Mime type XXXX allow YYY% of bandwidth" - this makes it easy to say that audio/video is seriously throttled on every web site but everything else goes through OK. Can you have a look for something similar in fortigate???
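Whichever throttling method gets picked, the original question also asked how to verify it is working. Here is an added example (not from anyone in this thread) that measures how much of each remote school's web traffic is video by content type, using the Squid native access.log format; the school subnets, the log lines and the hostnames are constructed placeholders.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method url user hierarchy/peer content-type
SAMPLE_LOG = """\
1262304000.123    950 10.10.1.25 TCP_MISS/200 5120034 GET http://video.example.com/clip.flv - DIRECT/203.0.113.10 video/x-flv
1262304001.456     80 10.10.1.30 TCP_MISS/200 18220 GET http://sis.example.org/grades - DIRECT/203.0.113.20 text/html
1262304002.789   1200 10.10.2.14 TCP_MISS/200 9800000 GET http://cdn.example.net/lesson.mp4 - DIRECT/203.0.113.30 video/mp4
1262304003.001     40 10.10.2.40 TCP_HIT/200 2200 GET http://library.example.org/catalog.css - NONE/- text/css
1262304004.200    600 10.10.3.7 TCP_MISS/200 2400000 GET http://stream.example.com/show?id=1 - DIRECT/203.0.113.40 application/x-shockwave-flash
"""

# Hypothetical subnet-to-school mapping (an assumption, not taken from the thread).
SCHOOLS = {
    ip_network("10.10.1.0/24"): "elementary-1",
    ip_network("10.10.2.0/24"): "elementary-2",
    ip_network("10.10.3.0/24"): "elementary-3",
}

# Content types counted as video. Flash objects are included because, as noted
# above, Flash video arrives over plain HTTP and is invisible to port-based blocks.
VIDEO_TYPES = re.compile(r"^(video/|application/x-shockwave-flash|application/(x-mpegurl|vnd\.apple\.mpegurl))")

def school_for(ip_str):
    """Map a client IP to its school name, or 'unknown' if it is outside every subnet."""
    ip = ip_address(ip_str)
    for net, name in SCHOOLS.items():
        if ip in net:
            return name
    return "unknown"

def video_share_by_school(log_text):
    """Return {school: (video_bytes, total_bytes, video_percent)} from Squid log text."""
    totals = defaultdict(lambda: [0, 0])   # school -> [video_bytes, total_bytes]
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue   # skip truncated or malformed lines rather than crash
        client, size, ctype = fields[2], int(fields[4]), fields[9]
        name = school_for(client)
        totals[name][1] += size
        if VIDEO_TYPES.match(ctype):
            totals[name][0] += size
    return {s: (v, t, round(100.0 * v / t, 1) if t else 0.0) for s, (v, t) in totals.items()}

if __name__ == "__main__":
    for school, (v, t, pct) in sorted(video_share_by_school(SAMPLE_LOG).items()):
        print(f"{school}: {v}/{t} bytes video ({pct}%)")
```

Run it before and after enabling throttling on the real log; if the video share and byte counts per school do not drop, the throttle is not matching the traffic.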