Last Answered: Oct 31 2006 3:35 PM GMT by astronomer
If they are intransigent about blocking the entire domain then you are stuck.
On the other hand, if they are willing to be flexible, you may have some options. In our environment, we have blocked the "entire" student net from direct access to the internet. They have to use the proxy server, which is filtered and throttled, to get to the outside. This gives us two ways to do filtering. The pix blocks outgoing traffic by IP and port. The squid proxy filters requests by header, including domain information.
Another possibility suggested but not implemented by me is to use fake domains in our DNS server. For example, install a zone in your internal DNS server for myspace.com and direct requests to your regular web server.
For the exceptions, we have several strategies.
In some cases, we have allowed direct access to specific servers and made exceptions to using the proxy for those addresses.
In others, the instructor has asked for one or two workstations with full access to the internet. I have implemented rules in the firewall for these systems with the understanding that these workstations will be carefully monitored.
In more complicated cases we have specific allows and specific denies within squid making use of strings in the header. Using regular expressions, we can block strings like myspace and can allow specific strings as well.
In one case, the client systems use the proxy for HTTP and have direct access to a specific oracle port on an external server.
The staff systems are not forced to use the proxy (although there has been talk of setting up a separate proxy for staff), so they have relatively unlimited download abilities. When students need large amounts of data from an internet site, we suggest the instructor download the files outside of our busy hours of 7:00-3:00 and place them on a server for the students.
As you can see, significant flexibility can be achieved depending on what the network people are willing to do. There are less legitimate ways around this problem but I suspect you don't want to open that can of worms.
rt
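The squid side of the setup described in this answer (specific allows and specific denies on the destination domain, with the allows evaluated first, plus throttling of the student network) can be expressed as a small squid.conf fragment. This is an added illustration, not the poster's configuration; the student subnet, the exception domain, the blocked-string list and the bandwidth figure are constructed placeholders, and it assumes Squid 3.2 or newer, where the `all` ACL is predefined.

```conf
# --- Who is talking to the proxy (constructed example subnet) ---
acl student_net src 10.20.0.0/16

# --- Specific allows: destinations that must work even if they match a
#     blocked string below. Leading dot matches the domain and all subdomains.
#     (placeholder course site, not a real exception from the original answer)
acl course_exceptions dstdomain .coursework.example.edu

# --- Specific denies: case-insensitive regexes over the destination host,
#     one pattern per line in the file, e.g. "myspace".
#     Caveat: a bare substring like "myspace" also matches any unrelated
#     host that merely contains that string, so keep the file reviewed.
acl blocked_strings dstdom_regex -i "/etc/squid/blocked_strings.txt"

# --- Usual port hygiene ---
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# --- Order matters: first matching http_access line wins ---
http_access allow student_net course_exceptions   # exception first
http_access deny  student_net blocked_strings     # then the regex block
http_access allow student_net                     # everything else on student net
http_access deny  all                             # nobody else

# --- Throttle the whole student net to one shared bucket ---
# class 1 = single aggregate bucket; values are bytes/sec restore and
# maximum bucket size (constructed figure: ~2 Mbit/s shared).
delay_pools 1
delay_class 1 1
delay_parameters 1 256000/256000
delay_access 1 allow student_net
delay_access 1 deny all
```

Because CONNECT requests carry the destination host, the same dstdom_regex rules apply to HTTPS tunnels, which is what makes a domain-based block effective without decrypting traffic.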