11-08-2014 09:01 AM
Hello experts,
I had been using normal ACLs for blocking web-browsing (https/http) access for my company users. But recently we started using DHCP to provide automatic IP addresses for users. This means I am no longer able to block/allow specific users' web access based on their IP addresses, because their IPs are assigned automatically.
Can anyone advise me what other option, except ACLs, I can use to block users' web access?
2- Second question: How can I block Tor Browser on my network? I tried using NBAR2, and tried using the (class-map match protocol attribute sub-category client-server) options... but none of them gave me any positive result. Any advice please?
Thanks
11-08-2014 09:06 PM
If you're using a router, it knows about IP addresses, not user identities.
If you're using an ASA firewall, you can use the identity firewall features.
Otherwise you'd have to do a web proxy that has hooks to authenticate the end users, either actively or passively. You could also do this with a Cloud Web Security (former ScanSafe product) connector in your router.
I've not tried to do anything with blocking TOR so I don't know about that one.
11-09-2014 07:56 PM
Both of your questions can easily be done with a Palo Alto firewall.
It can see users in Windows AD and block them,
and it can see the Tor protocol and block it.
The latest ASA software can also see users in AD and PC IP addresses,
but I am not sure about the Tor protocol.
11-11-2014 01:06 AM
Here are different ways you can block TOR traffic:
* Requiring NTLM auth in explicit proxy mode stops it cold - this is just a missing feature in TOR.
* If you disable auth, or use Basic auth, then requiring that SSL destinations have server certs signed by known CAs will stop it. (This works regardless of the decryption reputation, as the WSA always appears to check this in explicit mode when configured.)
* If you disable the above two methods, the "filter avoidance" URL category is only effective against the initial "find directory servers" boot-up. If we miss one, or the client has this info cached from before, the URL category is not effective.
* Another method that would be effective would be to block all browsing by IP address; however, this has a pretty good chance of false positives.
Notice that the above will only work if all egress ports which are not proxied are blocked. TOR will attempt to go outbound on higher ports; if the customer is not blocking these (e.g. on the Firewall), it becomes nearly impossible to effectively block TOR.
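Two of the heuristics in the answer above (browsing by IP literal, and egress that bypasses the proxy or uses a non-standard CONNECT port) can be checked against proxy and firewall logs before you turn them into blocking policy, so you can gauge the false-positive rate the answer warns about. The following is an added example written for this thread, not code from the original post or from any Cisco product. The log format, the proxy address 192.0.2.10, the "only DNS may go direct" rule and the sample log lines are all constructed assumptions; adapt the parser to whatever your WSA/firewall actually exports.

```python
"""
Flag log lines that match Tor-evasion heuristics discussed above:
  - "ip-literal":         the browsed host is a bare IP address, not a hostname
  - "connect-port:N":     a proxied CONNECT to a port other than 443
  - "direct-egress:N":    outbound traffic that did not go through the proxy
All addresses and log lines below are constructed for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

PROXY_IPS = {"192.0.2.10"}      # assumed: address of the explicit web proxy
ALLOWED_DIRECT_PORTS = {53}     # assumed: only DNS may bypass the proxy

# Constructed sample log: "<src_ip> <dst_ip> <dst_port> <method> <target>"
# Lines 1-2 are normal proxied browsing; the rest exercise the heuristics.
SAMPLE_LOG = """\
10.1.2.3 192.0.2.10 8080 CONNECT www.example.com:443
10.1.2.3 192.0.2.10 8080 GET http://intranet.corp.local/index.html
10.1.2.4 192.0.2.10 8080 CONNECT 198.51.100.7:443
10.1.2.5 203.0.113.20 9001 TCP 203.0.113.20:9001
10.1.2.5 198.51.100.53 53 UDP -
10.1.2.6 203.0.113.99 443 TCP 203.0.113.99:443
10.1.2.7 192.0.2.10 8080 CONNECT 203.0.113.99:9030
"""


@dataclass
class LogEntry:
    src: str
    dst: str
    dport: int
    method: str
    target: str


def parse_line(line: str) -> LogEntry:
    """Split one constructed log line into its five fields."""
    src, dst, dport, method, target = line.split(maxsplit=4)
    return LogEntry(src, dst, int(dport), method, target)


def target_host(target: str) -> str:
    """Host part of 'host:port', '[v6]:port' or a full http(s) URL."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return urlsplit("//" + target).hostname or ""


def target_port(target: str) -> int | None:
    """Port of a CONNECT-style 'host:port' target, or None if absent."""
    return urlsplit("//" + target).port


def is_ip_literal(host: str) -> bool:
    """True when the host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(entry: LogEntry) -> list[str]:
    """Return the list of heuristic flags that fire for one log entry."""
    flags: list[str] = []
    host = target_host(entry.target)
    if host and is_ip_literal(host):
        flags.append("ip-literal")
    if entry.method == "CONNECT":
        port = target_port(entry.target)
        if port is not None and port != 443:
            flags.append(f"connect-port:{port}")
    if entry.dst not in PROXY_IPS and entry.dport not in ALLOWED_DIRECT_PORTS:
        flags.append(f"direct-egress:{entry.dport}")
    return flags


def scan(log_text: str) -> dict[str, list[str]]:
    """Map each source IP to the flags raised by its traffic (hits only)."""
    hits: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        for flag in classify(entry):
            hits.setdefault(entry.src, []).append(flag)
    return hits


if __name__ == "__main__":
    for src, flags in scan(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(flags)}")
```

Run against the constructed sample, 10.1.2.3 produces no flags, 10.1.2.4 is only "ip-literal" (an IP-address destination through the proxy, exactly the false-positive case the answer mentions), while 10.1.2.5 and 10.1.2.6 show traffic that never touched the proxy. Sources that repeatedly combine "ip-literal" with "direct-egress" on high ports are the ones worth looking at before you tighten the firewall egress policy.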