Blocking Facebook and Myspace by IP address

Who do you use as your DNS provider? If you can switch to someone like OpenDNS (it's free) they provide automatic (& very configurable) blocking of social networking sites, webmail, adult content etc.

EDIT: You don't have to change anything with your ISP either.

On your Cisco asa you can do the following:

regex facebook1 "facebook\.com"

class-map type inspect http match-any block-url-class
  match request uri regex facebook1


policy-map type inspect http block-url-policy
  parameters
class block-url-class
  drop-connection log
policy-map global_policy
  class inspection_default
  inspect http block-url-policy

service-policy global_policy global

I would highly suggest you read the full details on Cisco's website.

1. Gather logs of the user's web activity.
2. Go over to the user's desk.
3. Show them the logs, and tell them if they don't stop screwing around on company time, they'll be fired.
4. Log the event.

You might even get promoted to management if you keep this up. ;)

A client of mine had this exact problem. Here's how we tackled the solution:

1. Installed an IPCop box with a built-in Squid proxy and also installed the URLFilter add on. All traffic now flows through the IPCop box.

2. Hard coded everyone's IP address to their telephone extension for the simple fact that it made it WAY easier to identify the offenders. We also changed all of the DNS server settings to point to OpenDNS. (Further filtering options are possible with OpenDNS but it turned out they were not required after all.)

3. Removed (and banned) the use of all public IM clients such as Yahoo Messenger, MSN, AOL, ICQ, etc., etc. Instead we installed a secure company-only XMPP server called SecuredIM so that all IM traffic would be logged and would be guaranteed to be company-to-company communications only.

4. SecuredIM also has the unique ability to take screenshots of desktops every XX minutes. If an employee was suspected of goofing off (based on IPCop logs) a picture was worth 1,000 words. Select screenshots could be archived and emailed for later review (or diciplinary action).

5. We blocked Facebook, Myspace, Hulu, and two or three other major abuses via the URLFilter on the IPCop box.

6. Manual review (and more sites blocked if necessary) for about a week.

7. Opened up "free/unblocked" surfing during the lunch hour (12:00 pm-1:00 pm).

By the end of the week the company was a total transformation. Productivity increased dramatically and nobody so much as complained.

As with any company, there's always the 1-2 rebels out there who think it's a "game".

When nytimes.com was blocked they went to another news site. When that was blocked they picked yet another. Others stopped surfing and took up hobbies such as Solitaire and Minesweeper, but the SecuredIM screenshots caught that (IPCop could not obviously).

Within two weeks (and a couple of employer/employee discussions including disciplinary action for stubborn individuals) everything was running smoothly and has been running smoothly for almost two years.

URLS:

http://www.ipcop.com

http://www.securedim.com

http://www.opendns.org

SIDE NOTE:

As a funny side story. About a year later, an electrical problem in the building caused the power supply on the IPCop box to go out and it was 2-3 days before a new IPCop box could be put in place.

We found that it took less than 48 hours for the employees to go back to their old/original surfing habits and productivity to drop.

It was quite the social experiment. :-)

The DNS solution sounds like the best answer to me, but be aware that of course they most likely will still be able to access the sites via IP address (you probably are aware from the level of your question, but others who find this on Google might not be).

Secondly, look at Evan's response to Discretely restrict users from running certain programs on Windows computers about stopping users from running certain programs. I think you are trying to solve a management problem with IT. Really they should probably be hiring people who are responsible enough to obey whatever rules are made clear, and they should probably worry about them getting their tasks done well and on time instead of what websites they visit in their downtime. Blocking this stuff is probably just going to spread resentment throughout the company. You do of course, have to do whatever you have to do, and it's probably not even up to you -- but I think this should always be considered before taking this sort of step if it wasn't already.

I took a different approach to solving this issue.

Instead of having the ASA decipher traffic I created a forward lookup zone on my local DNS server for "facebook.com" and left all the DNS entries blank. If you would like, you can always point the site to an internal web page telling the user they are trying to access a site that is forbidden by company policy.

I hope this helps.

If you don't have the time or staff to build your own solution, you might consider a turn-key product.

We use eSoft's Threatwall, which does a great job of controlling access (via IP or URL). Pretty easy to configure with check boxes for all the common types of sites, plus the ability to add your own and have a whitelist. They have different packages available (ours also filters spam, for instance).

Not affiliated with eSoft, other than as a customer, Dave

Maybe instead of blocking the IP addresses, you could direct the host names to localhost, that is, edit your host file so it looks something like:

www.facebook.com     127.0.0.1

This would stop the true IP address of Facebook, etc. ever being looked up.