So lately we have been having an issue with people viewing adult content at work.

Basically someone comes in and forgets they are on the company wireless and goes to find a site o' fun on their mobile device.

Until recently, I've been able to track down who it was. But now default device naming conventions prevent that. Android_longassstring doesn't help me.

All I know is it is 192.168.100.18.

Two questions:

1. How can I block this IP from accessing the internet while it has a DHCP lease?

2. Any other ways of tracking down the idiot?

Thanks.

What do you have in place at work for your router/firewall? How are you seeing where the people are going? Many proxies have a way of filtering.

Give me some details of what you're working with for infrastructure and/or budget and we can work out the best way to filter using what you have or that will fit into your budget. I cannot believe a place of business does not filter internet traffic? You can do some amazing things on really 0 budget, if you have some hardware to work with and some time for setup.

As to tracking down a wireless client - yeah that can be very difficult. You could implement login to access your wireless via your AD/LDAP, etc. You could set up a captive portal sort of thing even if you just allow open wireless connectivity.

There are lots and lots of options here - just need to know what you're working with, and what you might be able to add to your network.

Off the cuff, some random mobile device, it's going to be impossible to track - simple thing would be to block his MAC from getting an IP of said device... Or just set up a reservation for his MAC so that he gets the same IP you block at your firewall from getting to the internet. If you know his IP, you know his MAC - if you know his MAC you can set up a reservation so he always gets the same IP, once you know that device will always get the same IP, you can block that IP from accessing the internet. Or depending on your setup block from even getting an IP, etc.

Love to help you fix up your network so you can filter and monitor users' internet traffic - just need somewhere to start, i.e. what do you have to work with.

Pretty simple setup -

Server -> Sonicwall w/ 2 switches and an AP -> ISP -> OpenDNS

So if content manages to get by the Sonicwall, it happens - hits OpenDNS and gets stopped.

We have the filtering in place, that's not the issue. It's finding out who attempted to access these sites.

So I know the IP because of DHCP, how can I pull the MAC ID and block that? Can I block it in DHCP?

Why allow phones to access the network anyway? Why not throw in a content manager other than OpenDNS? Something that can manage it better? Or have OpenDNS integrate with AD so it requires AD auth. The auth, it creates a log of who and what they accessed. No need to hunt crap down, you know who did it based on user account.

"hits OpenDNS and gets stopped."

What?? Sorry opendns is provider of dns, it does not stop anything. You ask it for stuff like www.neowin.net or www.playboy.com, etc. and then it either returns the correct IP for you to go there, or it sends you its IP so you end up on some block page. It does not actually filter traffic, unless they have recently added proxy support?

So do you block 53 outbound to everything else other than the opendns servers? If not, circumvention of your opendns filtering there any 6 year old could bypass ;) What sonicwall do you have? They provide web content filtering services - you just have to be licensed for them.

You could tie to opendns enterprise insight, sure this ties it to your AD -- I don't believe it's very cost friendly?? And unless you're blocking outbound udp/tcp 53 anyone can bypass it really easy.

What AP do you have? Does it tie in with your sonicwall? Model numbers of your devices would be very helpful so we know exactly what we are dealing with. But you have a sonicwall, which sc302 I believe has more exp with than me. But clearly they can block who you want, and if your AP is tied in with it you can require AD to auth to even get on your wireless.
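An added example (not part of any post in this thread) of the check implied above: until port 53 is restricted to the OpenDNS resolvers, firewall connection logs can show which internal clients are already using other DNS servers. The log format, the sample lines and the 192.168.100.0/24 range are constructed assumptions; 208.67.222.222 and 208.67.220.220 are the public OpenDNS resolvers.

```python
import ipaddress
import re
from collections import Counter

# OpenDNS public resolvers; any other destination on port 53 bypasses the filter.
ALLOWED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Assumed LAN range, inferred from the 192.168.100.18 address in the thread.
LAN = ipaddress.ip_network("192.168.100.0/24")

# Constructed sample lines in a made-up key=value firewall log format.
SAMPLE_LOG = """\
time=09:14:02 proto=udp src=192.168.100.18:51822 dst=208.67.222.222:53 action=allow
time=09:14:05 proto=udp src=192.168.100.18:51830 dst=8.8.8.8:53 action=allow
time=09:14:06 proto=tcp src=192.168.100.18:40112 dst=8.8.8.8:53 action=allow
time=09:15:40 proto=udp src=192.168.100.23:60001 dst=208.67.220.220:53 action=allow
time=09:16:11 proto=tcp src=192.168.100.23:60044 dst=93.184.216.34:443 action=allow
time=09:17:29 proto=udp src=192.168.100.40:53124 dst=4.2.2.2:53 action=deny
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>udp|tcp)\s+src=(?P<src>[\d.]+):\d+\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def find_dns_bypass(log_text):
    """Count allowed port-53 flows from LAN clients to non-OpenDNS resolvers."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "53" or m["action"] != "allow":
            continue  # unparsable, not DNS, or already blocked by the firewall
        if ipaddress.ip_address(m["src"]) not in LAN:
            continue  # only internal clients are of interest
        if m["dst"] not in ALLOWED_RESOLVERS:
            hits[(m["src"], m["dst"])] += 1  # both UDP and TCP 53 count
    return dict(hits)


if __name__ == "__main__":
    for (client, resolver), n in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        print(f"{client} sent {n} DNS flow(s) to non-OpenDNS resolver {resolver}")
```
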

"What?? Sorry opendns is provider of dns, it does not stop anything."

OpenDNS has a content filter that sometimes does better than the Sonicwall. That's what I meant about content getting stopped.

We have a Sonicwall TZ210, Cisco Aironet 1040 AP.

OpenDNS is too pricey for my budget (non profit organization) even with their "discounts".

I would imagine that either the Sonicwall or the Cisco device could tie in to AD but I've never done that before.

@sc302 - wireless is a "perk" I guess. But it's also needed so people can do their jobs and I'm not sure how much work it is to lock it all down to only X devices.

The sonic wall appliance has a purchasable subscription package for content filtering that does a pretty good job and should be the same or better than opendns. With this, it should also tie into ad to be able to give you reports based on user. If you don't sign in with an ad account, you don't get access. Turn off anonymous access.

Well if you want to know who is going where, I would connect both of them to AD. I would require auth to get on your wireless. So it's just completely open now, or you have just a PSK setup?

So do you control your AP from the sonicwall or is it standalone? You don't have a cisco wireless controller for 1 AP that is for sure. But the TZ210 can handle up to 16 sonicpoints, or AP ;)

So you do content filtering now on the sonicwall, but you don't set policy based upon AD users?

But still a bit hazy on even your original question - if you're doing content filtering at the sonicwall, and you notice someone going to site X, just block site X at the sonicwall. You don't really have to know who is going there to prevent them from going. Content filtering at sonicwall clearly has the ability to whitelist/blacklist urls, i.e. custom filtering of sites.

So do you control your AP on the sonicwall, or standalone? Either way can show you how to point to your AD. What AD do you have setup? NT, 2k, 2k3, 2k8? Or you just running LDAP on some linux box?

I would do AD auth requirements, RADIUS or is it called 802.x EAP? I was working at the City Hall for a few weeks last year and they set it up to use 802.1x EAP - which then required me to also put in my username/password. That would definitely lead back to me if I was browsing anything wrong even on my mobile phone :)

Regardless, it still goes through the SW, does it not? If you set it up where users need to auth to access the web, regardless of whether or not they are on the domain, you would easily be able to determine who is going where.

For example, when I am on my AD computer I can go out to the web where I am allowed and if I am on my phone I need to auth with my AD creds to get out to the web where I am allowed. In either case, they know where I am going and how long I have been there, or if I access a questionable site.

Yeah the AP goes through the Sonicwall. I don't know where I should set up the auth tho, I'd imagine I'd do that at the AP. Would it be better on the Sonicwall? Never done either...would love it to associate with LDAP though.

I don't know how things work where you live (laws and such), but you should be aware of something called privacy. In Norway we're pretty strict about privacy. You should NEVER log computer usage like web traffic that can identify the user (without approval from the employees). If you discover that employees often try to access blocked content, the right thing to do would be to: 1. Block access (ex. using your SW's content filtering). And 2. Send an email to ALL employees reminding them of the company's IT policy, including accessing non-work-related websites (or whatever your policy is).

@Graimer, yeah there is a huge difference between US law and say Norway for privacy.

So after you send out the 140th mass email saying stay off the porn what happens? Do you finally track down the user and say Quit it?? ;)
