
Lesson 5 Restricting outbound traffic with domain filters
Objective: Describe how Proxy Server domain filters prevent unauthorized Internet access.

Restricting outbound Traffic using Domain Filters

You can restrict private network traffic to Internet resources by specifying Proxy Server domain filters. Domain filters restrict access to Internet content by the DNS names of the destination servers. For example, if you are having problems with users going to aol.com to check the personal ads, you can place a domain filter for aol.com, and no resources from that domain will be accessible to internal network users.

Why focus on domain filters?

Proxy Server domain filters affect the SOCKS proxy, Web proxy, and WinSock proxy. As with packet filters, you can create a combination of domain filters in order to meet the particular security requirements of any organization. Domain filters and packet filters both apply to all Proxy Server services. You cannot selectively apply domain filters to a particular Proxy Server service, and you cannot restrict particular users or groups from accessing specified domains. Again, this is an "all or nothing" situation, as it is with packet filtering.

Granting or denying access with Exceptions

To grant or deny access to all Internet sites, you will set the default behavior of Proxy Server domain filters. You can then build a list of Internet sites that are the exceptions to the default behavior.
Suppose, as mentioned above, you want to allow access to all Internet domains except for aol.com. You need to selectively deny access to AOL because of the large amount of wasted bandwidth. The steps below describe the process.

Right-click any of the Proxy Server services listed in the left pane of the Internet Information Services console and click Properties to view the Web Proxy Service Properties dialog box. The settings under the Shared Services frame apply to all the Proxy Server services. Click the Security button.


The Enable checkbox has been selected. This enables the domain filtering mechanism. At this point, access to all Internet sites will be granted. Notice that there are no exceptions in the list at this time. To add an exception, click the Add button.

By default, access to all Internet sites will be: a) Granted, except to those listed below

Since you want to deny access to sites in the aol.com domain, you type that domain name into the provided text box. Then click OK.

You see now that all Internet sites are available except aol.com. If a user attempts to go to a resource located on the aol.com domain, the Proxy Report informs them that access has been denied.
As a result, you can specify Proxy Server domain filters to:
  1. Reject packets specified in the criteria of the filter and forward all others
  2. Forward packets specified in the criteria of the filter and reject all others

How to define domain-filter criteria

You should define the Proxy Server domain-filter criteria based on the security requirements of the organization. For example, if an organization wants to restrict access to a specific Web site by name, you should define a Proxy Server domain filter that is based upon the domain name of the Web site.
The following image lists the criteria upon which you can base your Proxy Server domain filter, and when you would specify those criteria in your design.

1) Single Computer, 2) Group of Computers, 3) Domain

Proxy Server Domain Filter
Your Proxy Server domain filter can be based on only one of the criteria listed above.
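
The following Python sketch is an added example, not part of the original lesson and not Proxy Server code. It models the default-plus-exceptions behavior described above and extends it to all three criteria. The class and method names are hypothetical, and it assumes a single computer is given by IP address, a group of computers by IP address and subnet mask, and that a domain exception covers the domain and its subdomains.

```python
import ipaddress

class DomainFilter:
    """Model of one default action plus a list of exceptions to it."""

    def __init__(self, default_granted=True):
        self.default_granted = default_granted
        self.exceptions = []  # (criterion, value); one criterion per entry

    def add_computer(self, ip):            # assumed: single computer = one IP
        self.exceptions.append(("computer", ipaddress.ip_address(ip)))

    def add_group(self, ip, mask):         # assumed: group = IP + subnet mask
        self.exceptions.append(("group", ipaddress.ip_network(f"{ip}/{mask}")))

    def add_domain(self, name):            # domain = DNS name of destination
        self.exceptions.append(("domain", name.lower().strip(".")))

    @staticmethod
    def _matches(criterion, value, host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None                     # host is a DNS name, not an IP
        if criterion == "domain":
            if addr is not None:
                return False                # no DNS lookups in this model
            name = host.lower().rstrip(".")
            # Match on a label boundary: www.aol.com yes, notaol.com no.
            return name == value or name.endswith("." + value)
        if addr is None:
            return False
        return addr == value if criterion == "computer" else addr in value

    def is_granted(self, host):
        # An exception inverts the default, whichever way the default is set.
        hit = any(self._matches(c, v, host) for c, v in self.exceptions)
        return self.default_granted != hit

def demo():
    # Constructed sample data; the IP addresses are documentation ranges.
    grant_all = DomainFilter(default_granted=True)
    grant_all.add_domain("aol.com")
    deny_all = DomainFilter(default_granted=False)
    deny_all.add_group("192.0.2.0", "255.255.255.0")
    deny_all.add_computer("198.51.100.7")
    hosts = ["www.aol.com", "notaol.com", "192.0.2.55", "198.51.100.7"]
    return {h: (grant_all.is_granted(h), deny_all.is_granted(h)) for h in hosts}
```

Each tuple returned by `demo()` is (granted under "grant all except", granted under "deny all except") for that destination.
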
In the next lesson, you will learn how Proxy Server Web Publishing prevents unauthorized access to Web servers on the private network.
