whitelisting websites

Discussion in 'other security issues & news' started by treehouse786, Aug 6, 2011.

Thread Status:
Not open for further replies.
  1. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    hiya guys

    my niece and sister in law (both under 8 years old) have bought a netbook and being a sensible bloke, i want to only allow certain websites which they can access.

    so far i have tried OpenDns and it was a nightmare as you are only allowed 1 IP per login etc etc.

    blacklisting is not ideal as there is every chance they can access a website which has not been blacklisted when it should have been so it has to be whitelisting. preferably i want to achieve this with a desktop application which can be password protected and can be directed to filter only certain windows user accounts. needs to work with windows 7 and it also needs to be free :D

    this might be a tough request but there has to be a program out there that can do this.

    thanks in advance
     
  2. wat0114

    wat0114 Guest

    Yes it can be done and maybe the best way, afaik, is to use ip addresses with CIDR masks as explained here...

    -http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

    ...if the firewall you're using allows this, and I'm quite sure you'll find some 3rd party ones that will handle this easily. Win7/Vista's firewall can achieve this. I experimented with this whitelisting approach before in Win7 fw and it works fine, but it is also extremely labour-intensive in building the number of entries needed to accommodate all your favourite sites. You can end up with literally > 100-150 entries. Of course you have to apply these whitelist restrictions to applicable browsers or potentially other web-accessing processes. I've done just this with MS' wuauserv.exe (Windows update process) as shown:

    Rule Name: Custom Rule - Allow svchost - wuauserv to Port 80 & 443 - Service: wuauserv
    ----------------------------------------------------------------------
    Enabled: Yes
    Direction: Out
    Profiles: Public
    Grouping:
    LocalIP: Any
    RemoteIP: 65.54.51.0/24,65.54.95.0/24,65.55.0.0/16,206.108.207.0/24,207.46.0.0/16
    Protocol: TCP
    LocalPort: Any
    RemotePort: 80,443
    Edge traversal: No
    Action: Allow

    This one is easy because I only need to restrict it to some of MS' update servers - the ones that apply to me in my geographical region. Notice the remote port restrictions as well to TCP 80 & 443. For browsers I recommend TCP ports: 80,443,554,1935,1755

    Finally, after having said all this, because I've experimented with this browser restriction approach before, I can not recommend this approach. It's simply too much work and not really worth it, imo. However, I would recommend the remote port restrictions as I've posted above. This is easy to do and will provide a bit of extra security.
     
    Last edited by a moderator: Aug 7, 2011
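Added example, not part of wat0114's post: a small Python check that parses the rule dump quoted above and tests whether a given outbound connection would match it, and counts how many addresses the RemoteIP ranges admit. The sample destination addresses are constructed, and the code assumes the firewall profile's default outbound action is Block, since an allow rule only acts as a whitelist in that case.

```python
import ipaddress

# Rule fields as posted above ("Key: value" dump; separator line omitted).
RULE_TEXT = """\
Rule Name: Custom Rule - Allow svchost - wuauserv to Port 80 & 443 - Service: wuauserv
Enabled: Yes
Direction: Out
Profiles: Public
LocalIP: Any
RemoteIP: 65.54.51.0/24,65.54.95.0/24,65.55.0.0/16,206.108.207.0/24,207.46.0.0/16
Protocol: TCP
LocalPort: Any
RemotePort: 80,443
Action: Allow
"""

def parse_rule(text):
    """Turn the 'Key: value' dump into a dict with parsed networks and ports."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "enabled": fields["Enabled"] == "Yes",
        "action": fields["Action"],
        "protocol": fields["Protocol"].upper(),
        "networks": [ipaddress.ip_network(n) for n in fields["RemoteIP"].split(",")],
        "ports": {int(p) for p in fields["RemotePort"].split(",")},
    }

def is_allowed(rule, remote_ip, remote_port, protocol="TCP"):
    """True only if the outbound connection matches the allow rule.
    Assumption: everything that does not match is dropped (default outbound = Block)."""
    if not rule["enabled"] or rule["action"] != "Allow":
        return False
    if protocol.upper() != rule["protocol"] or remote_port not in rule["ports"]:
        return False
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in rule["networks"])

def allowed_address_count(rule):
    """Number of distinct addresses the RemoteIP list admits (overlaps merged)."""
    merged = ipaddress.collapse_addresses(rule["networks"])
    return sum(net.num_addresses for net in merged)

RULE = parse_rule(RULE_TEXT)
```

The address count shows why per-site CIDR whitelists grow quickly: five entries already admit over a hundred thousand addresses, while a destination one /24 away from a listed range is still refused.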
  3. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    many thanks for that info which i am sure i will use in future.

    i have found the perfect and i mean PERFECT solution :thumb:

    forticlient!! yes forticlient! 12mb in size and by far the best web filter available anywhere and it's free.

    during installation you just untick everything apart from the web filter and you're good to go. the best part of this program is that you can automatically block all unknown websites and only allow the ones based on their categories list or your own set. the other killer feature is that you can enable certain rules per user account so admins can go on any website and children accounts can only browse within the allowed category, all this can be set up in a couple or so minutes.

    i am very very happy with this program :thumb:
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You can use what is in your router, which is the best way IMO. Not all routers have this. Mine does, and it works great.

    You could use a local proxy on their machine. There are quite a few out there, each with different features. I have not tried using that approach, but there are for instance blacklists, whitelists, killlists, etc in Proxomitron. I haven't tried too many others.

    I think I recall seeing a port of squid for using on a windows box. Not sure, but think it was squid. For sure I have seen at least 2 linux proxy type tools that were ported. Those might offer something.

    Maybe a little overkill, but I am currently looking at using squid and squidguard on a linux firewall/router distro. I haven't gotten it to work completely yet, but I am using a blacklist that blocks a lot of stuff of your choice. I have been using pfSense for this right now because it was the easiest to install the packages.

    Sul.
     
  5. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    hi Sully, router meddling is not an option as the netbook will be taken outside to random houses and outdoor free WIFI areas.

    forticlient's web filter has to be tried to fully understand the awesomeness of it, i know i sound silly but it's just that good!
     