10-10-2004 11:09 AM - edited 02-20-2020 11:40 PM
I'm a network administrator (self-taught) who has beginner knowledge of IOS and Cisco PIX and router products. We use all Cisco for our infrastructure here, and network and Internet access is controlled by the 3640 router and our PIX firewall.
The president of my company is tired of seeing people playing games during working hours at pogo.com. He's also concerned about all the people accessing their non-corporate email through Hotmail and Yahoo Mail.
I'm interested in knowing how to block these sites and applications at the router/firewall level. I'm not really wanting to go to every PC and adjust their hosts file to try and block these sites, because I'm sure some of our smarter employees will find ways around it!
Thanks in advance,
Jason Hassett
Network Administrator
Beacon Credit Union
10-10-2004 11:18 AM
I think the easiest will be to block the IP addresses belonging to pogo.com and hotmail.com/yahoo.com.
There could be several of them, so you need to block them all.
See the output below:
Non-authoritative answer:
Name: www.hotmail.com
Addresses: 207.68.172.239, 207.68.173.245, 207.68.171.233
> hotmail.com
Server: dns-sjk.cisco.com
Address: 171.68.226.120
Non-authoritative answer:
Name: hotmail.com
Addresses: 64.4.33.7, 64.4.32.7
> mail.yahoo.com
Non-authoritative answer:
Name: login.yahoo.akadns.net
Address: 66.218.75.184
Aliases: mail.yahoo.com, login.yahoo.com
Non-authoritative answer:
Name: login.yahoo.akadns.net
Address: 66.218.75.184
Aliases: login.yahoo.com
Non-authoritative answer:
Name: www.pogo.com
Address: 159.153.234.5
You may at least start with these IPs.
Thanks
Nadeem
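A worked version of the IP-based filter, added here as an example and not Nadeem's own configuration: the addresses are the ones from the nslookup output in this reply, while the interface names, the ACL and object-group names, and the assumption that the PIX "inside" interface faces the users are mine. Only one of the two devices needs the filter; both forms are shown because the thread mentions both the 3640 and the PIX. Lines starting with "!" are annotations, not commands to paste.

```cisco
! Added example. Addresses copied from the nslookup output above;
! interface names and ACL/object-group names are assumptions.
!
! --- Option A: on the 3640 (IOS), applied inbound on the LAN-facing interface ---
ip access-list extended BLOCK-WEB-SITES
 remark www.hotmail.com
 deny   ip any host 207.68.172.239 log
 deny   ip any host 207.68.173.245 log
 deny   ip any host 207.68.171.233 log
 remark hotmail.com
 deny   ip any host 64.4.33.7 log
 deny   ip any host 64.4.32.7 log
 remark mail.yahoo.com / login.yahoo.com (login.yahoo.akadns.net)
 deny   ip any host 66.218.75.184 log
 remark www.pogo.com
 deny   ip any host 159.153.234.5 log
 remark everything else still passes; without this line the implicit deny drops all traffic
 permit ip any any
!
interface FastEthernet0/0
 description LAN side (assumed)
 ip access-group BLOCK-WEB-SITES in
!
! --- Option B: on the PIX (6.2 or later for object-groups), inbound on "inside" ---
object-group network BLOCKED-SITES
 description hotmail.com, mail.yahoo.com, www.pogo.com as resolved on 10-10-2004
 network-object host 207.68.172.239
 network-object host 207.68.173.245
 network-object host 207.68.171.233
 network-object host 64.4.33.7
 network-object host 64.4.32.7
 network-object host 66.218.75.184
 network-object host 159.153.234.5
!
! Applying an access-group to "inside" replaces the default "all outbound allowed"
! behaviour, so the final permit is required.
access-list inside_out deny ip any object-group BLOCKED-SITES
access-list inside_out permit ip any any
access-group inside_out in interface inside
```

Two checks are worth doing after applying this. First, `show ip access-lists BLOCK-WEB-SITES` (IOS) or `show access-list inside_out` (PIX) shows hit counts per line, which tells you whether users are actually hitting the blocked addresses. Second, the Yahoo answer above resolves through login.yahoo.akadns.net, a load-balanced name whose address can change from one lookup to the next, so re-run the nslookup queries periodically and expect the list to need updating; any address that is shared with another service will be blocked along with the intended one.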
10-10-2004 02:16 PM
Another approach you might consider is to configure a local caching DNS server to claim to be authoritative for pogo.com, hotmail.com and yahoo.com. Of course, the local DNS server will use your ISP-provided DNS servers as "forwarders". Then, configure no records for those zones. Give your users' machines the local caching DNS server's IP address for their DNS server config via DHCP. Restrict outbound DNS access to allow only your local DNS server access on DNS UDP and TCP ports.
10-10-2004 02:51 PM
Thanks for the replies.
I'm going to block the IPs first, see if they find a way around them. There seems to be all sorts of posts on how to get around corporate blocking of pogo, but not on how to block it! LOL...
After that, the DNS idea sounds like a good one.
10-11-2004 03:59 AM
hi,
Try using NBAR on the router. It blocks by name, not by IP.
Reference --> http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a0080110d17.shtml
Also, you would need to add proxy web sites to this.
:>
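Added example of what the NBAR approach looks like when aimed at the sites in this thread; this is my configuration, not the one in the linked tech note, which marks matching packets with DSCP 1 and then drops them with an ACL in the same way. Interface names are assumptions, and the router needs an IOS release with NBAR and CEF enabled.

```cisco
! Added example. Interface names are assumptions.
ip cef
!
! NBAR looks at the Host header of each HTTP request, so a site is matched
! whatever address it currently resolves to. Proxy sites go in the same list.
class-map match-any BLOCKED-WEB-HOSTS
 match protocol http host "*pogo.com*"
 match protocol http host "*hotmail.com*"
 match protocol http host "*mail.yahoo.com*"
 match protocol http host "*login.yahoo.com*"
!
! Mark matching requests rather than dropping them here, so the drop can be
! logged by an ordinary ACL on the way out.
policy-map MARK-BLOCKED-WEB
 class BLOCKED-WEB-HOSTS
  set ip dscp 1
!
interface FastEthernet0/0
 description LAN side, where the users' requests enter the router (assumed)
 service-policy input MARK-BLOCKED-WEB
!
access-list 105 deny   ip any any dscp 1 log
access-list 105 permit ip any any
!
interface Serial0/0
 description Internet side (assumed)
 ip access-group 105 out
```

`show policy-map interface FastEthernet0/0` shows how many packets the class-map has matched, and the `log` keyword on ACL 105 records each dropped request. Two caveats: NBAR only classifies plain HTTP on the ports it knows about (port 80 by default; `ip nbar port-map http tcp 80 8080` adds others), and it cannot see inside SSL, so an https:// login page to one of these sites is not caught by the host match and still needs the IP-based filter from the earlier reply. Because the TCP handshake completes and only the request carrying the Host header is dropped, users see the browser hang and time out rather than a "blocked" message.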
12-02-2004 02:07 PM
Websense with the PIX works REAL good. Plus you get the bonus of being able to be Big Brother!
Seriously though...
I have discovered that what people do on computers is more of an HR issue than a technology issue. You can't block every possible time-wasting distraction. What needs to happen is managers need to manage employees, and when they are caught playing games or doing webmail they need to be severely disciplined. After the first guy gets fired it will stop. You will be chasing your tail all day trying to block stuff.
12-05-2004 11:26 AM
Another method we employ is to create DNS entries pointing yahoo.com, webshots.com, etc. at our intranet server. We also have a strict Internet usage policy that allows us to be "Big Brother".
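An added example of the DNS approach, covering both the empty-zone sinkhole from the 10-10-2004 02:16 PM reply and the redirect-to-intranet variant in the reply above; it is a BIND configuration I wrote for this thread, not either poster's own. The ISP resolver address (192.0.2.53), the intranet web server (10.0.0.5), the office LAN range (10.0.0.0/8) and the name server names under corp.local are assumptions.

```bind
// named.conf (added example; addresses and names are assumptions)
options {
    directory   "/var/named";
    recursion   yes;
    allow-query { 10.0.0.0/8; 127.0.0.1; };
    // Everything this server is not authoritative for goes to the ISP resolver.
    forwarders  { 192.0.2.53; };
    forward     only;
};

// Sinkhole: the server is authoritative for these zones and holds no records
// under them, so any name in them gets NXDOMAIN instead of being forwarded.
zone "pogo.com"    IN { type master; file "blocked.zone"; };
zone "hotmail.com" IN { type master; file "blocked.zone"; };

// Redirect instead of block: every name under yahoo.com resolves to the
// intranet server, which can display the usage policy.
zone "yahoo.com"   IN { type master; file "redirect.zone"; };

// ---- blocked.zone: SOA and NS only, nothing else on purpose ----
// $TTL 3600
// @   IN SOA ns.corp.local. hostmaster.corp.local. ( 2004101001 3600 900 604800 3600 )
//     IN NS  ns.corp.local.

// ---- redirect.zone: apex and wildcard both point at the intranet server ----
// $TTL 300
// @   IN SOA ns.corp.local. hostmaster.corp.local. ( 2004101001 3600 900 604800 300 )
//     IN NS  ns.corp.local.
// @   IN A   10.0.0.5
// *   IN A   10.0.0.5
```

Run `named-checkconf` and `named-checkzone pogo.com blocked.zone` before reloading, then test from a workstation with `nslookup www.pogo.com` (should report that the name does not exist) and `nslookup mail.yahoo.com` (should return 10.0.0.5). The part that makes this hold up is the last sentence of the 02:16 PM reply: on the PIX inside access-list, permit UDP and TCP port 53 from the resolver's address only and then deny UDP and TCP port 53 from everyone else ahead of the final permit, otherwise a user who points a PC at an outside resolver bypasses the whole thing. Hosts-file entries on individual PCs would also bypass it, which is why the poster asked for a router/firewall-level solution in the first place.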