27th September 2011, 07:58 PM #1
Block Facebook HTTPS
Hi
We currently have EXA networks as our ISP and they do our filtering. We don't have a proxy set in IE as the filtering is at ISP end.
Works fine until ...
... the kids have realised that you can change HTTP to HTTPS://www.facebook.com and it loads fine.
EXA networks say block HTTPS (which isn't possible as finance use it for Inland revenue etc) or change our network so you have 2 subnets - staff and student and then block HTTPS on the student subnet only.
Is there an alternative way ? A cheap software proxy that allows all traffic apart from to Facebook ? Smoothwall ?
Thanks in advance
-
27th September 2011, 08:00 PM #2 A quick and dirty block is to change HOSTS files via GPP.
-
-
27th September 2011, 08:02 PM #3
Thanks, could you elaborate a bit more?
-
-
27th September 2011, 08:07 PM #4 On each client there is a HOSTS file at: C:\windows\system32\drivers\etc\
You can edit this file to redirect IANA — Example domains to any IP you want, like Google's IP.
-
-
27th September 2011, 08:11 PM #5
Top bombing - sounds perfect.
Can you edit the hosts file in GP, or is it a reg edit job that you then publish via GP?
-
-
27th September 2011, 08:14 PM #6 I just do it for worst case scenario.
For example, I put an edited hosts file on my apps server, share it, and then I do a 'replace' action in GPP under User Configuration.
-
-
27th September 2011, 09:03 PM #7 You could also block facebook.com by modifying the DNS records on your server (eg adding an A record which points facebook.com to 127.0.0.1).
As far as I know, only the commercial versions of smoothwall can intercept/block HTTPS.
-
Thanks to computer_expert from:
karldenton (3rd October 2011)
-
27th September 2011, 10:07 PM #8 Blocking https entirely is using a sledgehammer to crack a nut. I don't remember what exa use to filter, but it should be able to do this ok, I might forgive if it is transparent filtering and you use xp, but otherwise... Grr.
A word of caution on hosts file jiggery-pokery. If you use a proxy, the DNS lookup is done there, so hosts won't work. Also, if students can hit Facebook over HTTPS, then it is woefully easy to access other secure sites that might cause problems, from secure Google Images to secure proxy anonymizers.
The easiest way to control https by domain is to use a traditional proxy. You could perhaps run up squid with an https whitelist as a cheap and not very cheerful alternative. Happy to discuss further options if you want to explain how exa are filtering, either here or by phone /email, tho I am out of the office for a day or so now, I'm still vaguely in touch!
-
Thanks to tom_newton from:
karldenton (3rd October 2011)
-
28th September 2011, 08:50 AM #9
@computer expert. Whereabouts in DNS can I add this? When I've looked, it thinks I'm doing it internally, i.e. facebook.com.stjohns.local!
Also, will this block HTTPS of Facebook too?
Thanks
Update: I've added a secondary dns zone called facebook.com and pointed it to an ip on our server but there is an error and it says it can't transfer the zone from the master server -- we only have 1 DNS server by the way
Last edited by karldenton; 28th September 2011 at 08:56 AM.
-
-
28th September 2011, 11:16 AM #10 If they don't block HTTPS (not unheard of) can you not force, through your proxy settings, all web traffic via their proxy or is it transparent? I was pretty sure that they had a specified proxy you can set your machines to.
If you can't control that I would suggest you run something internally ... either a firewall so that you limit the machine which can get straight out, a filtering solution or a combination ... and yes, I know that will be at extra cost.
-
-
28th September 2011, 11:33 AM #11 Our Sophos Web Appliance does this automatically. Very cool!
Our old cachepilot has the same problems but upgrading to the sophos box fixed it.
-
-
28th September 2011, 01:13 PM #12 
Originally Posted by karldenton:
@computer expert. Whereabouts in DNS can I add this? When I've looked, it thinks I'm doing it internally, i.e. facebook.com.stjohns.local!
Also, will this block HTTPS of Facebook too?
Thanks
Update: I've added a secondary dns zone called facebook.com and pointed it to an ip on our server but there is an error and it says it can't transfer the zone from the master server -- we only have 1 DNS server by the way
I've just tried this on a server 2008 machine and it worked for me:
You can do this in DNS. Set up a Forward Lookup Zone for the domain, i.e. facebook.com.
Create an Alias (CNAME) in the zone that points to the destination server you want to redirect them to.
Create a Host (A) record that points them to the destination server's IP address and use * for the Name.
This will redirect all *.facebook.com and the www.facebook.com and http://facebook.com queries. It doesn't redirect something like facebook.com/whatever, so the user will get a "cannot display a webpage" error for those addresses.
Thanks to DThornton123 from this page. However, the method can be bypassed fairly easily, so I'd think of this as a temporary solution. It will block both the HTTP and secure sites for Facebook (if you set the destination IP as 127.0.0.1 (localhost), the machine will try to connect to itself and present the user with a site not found error, or a 404 page if the machine has a web server installed) for all computers that use that DNS server to perform lookups.
-
Thanks to computer_expert from:
karldenton (3rd October 2011)
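An added example, not part of any post in this thread: a small Python model of how a lookup is answered under the HOSTS-file block from post #4 and the override zone from post #12, to check which names each one covers. The sample HOSTS content, the subdomain names and the function names are constructed for illustration; the model ignores client caching and any proxy that resolves names itself.

```python
SINKHOLE = "127.0.0.1"
ORIGIN = "facebook.com"

# Constructed sample HOSTS file: IP, whitespace, one or more names, optional # comment.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   facebook.com www.facebook.com   # pushed to clients
"""

# Constructed names to test; the subdomains are illustrative.
CHECK = ["facebook.com", "www.facebook.com", "m.facebook.com", "login.facebook.com"]


def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def outcome(name, hosts, zone):
    """Classify a lookup as 'sinkhole', 'no-answer' or 'upstream' (block not applied)."""
    name = name.lower().rstrip(".")
    if hosts.get(name) == SINKHOLE:          # HOSTS matches exact names only
        return "sinkhole"
    if zone is not None and (name == ORIGIN or name.endswith("." + ORIGIN)):
        # The server is authoritative for the zone, so in-zone names are never forwarded.
        if name == ORIGIN:
            ip = zone.get("@")               # a "*" record does not match the zone apex
        else:
            label = name[: -len(ORIGIN) - 1]
            ip = zone.get(label, zone.get("*"))
        return "sinkhole" if ip == SINKHOLE else "no-answer"
    return "upstream"


def audit(names, hosts_text="", zone=None):
    """Map each name to its outcome under a HOSTS file and/or an override zone."""
    hosts = parse_hosts(hosts_text)
    return {n: outcome(n, hosts, zone) for n in names}


if __name__ == "__main__":
    print("HOSTS only     :", audit(CHECK, hosts_text=SAMPLE_HOSTS))
    print("zone, '*' only :", audit(CHECK, zone={"*": SINKHOLE}))
    print("zone, '@' + '*':", audit(CHECK, zone={"@": SINKHOLE, "*": SINKHOLE}))
```

A name classed as `upstream` is still resolved normally, so the block does not apply to it; `no-answer` means the authoritative zone holds no address for the name, so the lookup fails rather than being redirected.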
-
3rd October 2011, 12:29 PM #13
Thanks for this everyone.
Got round it by adding the DNS record in Server 2003 and it works fine.
-
-
4th October 2012, 09:34 AM #14 Hi you will be pleased to know that Exa do now provide the means to filter HTTPS requests. They have a product called SurfProtect which can be used by either customers with an EXA internet connection or as a service for non exa connections too.
They have documents here - Support Documentation
-