ASA Quick’n’Dirty Web Filtering
A subject that comes up again and again with some of our smaller clients is that of Web Filtering.
Whilst there are a whole host of solutions out there, the client’s requirements are often very straightforward:
“I don’t want my staff wasting time on the Internet!”
I’m sure we could all spend hours (or days) debating the pros and cons of allowing unrestricted Internet access. But, let’s be honest, we’ve all spent some of our work hours browsing when we should have been working (sorry James!).
Whilst researching the options, I came across this excellent article by René Jorissen:
Cisco ASA: DNS Reply Filtering
I love this solution.
It tackles the problem at the right point in the stack: the beginning, with the initial DNS request.
If all you’re looking to do is stop users (and it would be all users) from accessing specific sites or services, then this could be the solution for you. By dropping DNS replies for the specific sites, you knee-cap the connection at the start.
Yes, it’s not perfect.
There’s no flexibility in relation to specific users, groups, machines or times of day. But that’s not the point. This is a simple solution to meet a simple requirement.
So when a client comes to you and says, “I want to block that bloody [insert current social networking fad of the month] site,” you can now make it happen.
No cost, no fuss.
I like these kinds of solutions…
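One way to express the DNS reply filter described above in ASA configuration, added here as an illustration; it is not taken from this post or from René Jorissen's article. The blocked domain (`example.com`) and all object names are placeholders, and it assumes the default `global_policy` with `inspect dns preset_dns_map` under `class inspection_default`.

```cisco
! Added example: placeholder domain and hypothetical object names.
! One regex per blocked site. The leading "\." matches www.example.com
! and other subdomains, but not unrelated names such as notexample.com.
regex blocked_example "\.example\.com"

! Group the regexes so that new sites only need one extra "match" line.
class-map type regex match-any BLOCKED-DOMAINS
 match regex blocked_example

! Match DNS responses (QR flag set) whose domain name is on the block list.
class-map type inspect dns match-all BLOCKED-DNS-REPLIES
 match header-flag QR
 match domain-name regex class BLOCKED-DOMAINS

! DNS inspection policy: drop the matching replies and log each drop.
policy-map type inspect dns DNS-FILTER
 parameters
  message-length maximum 512
 class BLOCKED-DNS-REPLIES
  drop log

! Swap the default DNS inspection map for the filtering one.
! Assumption: the stock global policy is still in place.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns DNS-FILTER
```

The filter only acts on cleartext DNS that actually crosses the ASA, so answers already cached on a client or fetched through an encrypted resolver are not affected. `show service-policy inspect dns` shows whether the class is matching and dropping packets.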