
Can WebControl disable whole Internet?

Hi,

Is it possible to disable complete internet access with Web Control and not just categories?

I could disable the browser with Application Control, but we need the browser for the intranet.

I just want to disable some devices for internet access.

Any idea how to manage this with Sophos tools?

thx christian

  • Hello Christian,

    something like this is usually done at the network level.

    In principle you can do this with Web Control using the block list - but it might be tedious to allow your intranet (the block list takes precedence - the allowed sites only override the categories).

    Christian

  • OK, I understand.

    Wouldn't it be a good feature for the next version if the allow list overrides all?!

    So you can allow just one or some specific sites, and anything other is disabled within the categories ...

    So this would be an all-in-one feature of Sophos, and there is no need to configure network or firewall settings.

  • Hello Christian

    As you can't have it both ways there will always be some cases which can't be handled conveniently (or not at all) - admittedly for your purpose an "allow precedence" would be ideal. Don't forget that Web Control is real-time so it mustn't be too complex (people are complaining about performance even without it :smileywink:).

    "so this would be an all in one feature of sophos, and there is no need to configure network or firewall settings"

    The endpoint should only come into play when necessary (this includes its role as "last defense"). It is also subject to tampering in various ways. For example Web Control blocking of IP ranges can be bypassed (depending on the settings maybe quite easily). If you don't have complete control over the devices there are always ways to "sneak out".

    Considering the cases where Web Control might be used in absence of a gateway solution it probably makes sense though to make allow override both categories and block list.

    Christian

  • The way we do it here is to use the Sophos Firewall.

    Set up a group for the computers you want to lock down, then set up a Sophos Firewall rule for:

    - General - Block By Default

    then either 

    - Global Rules - add a rule with a name like "Intranet Only"

    Allow It

    Where the protocol is Stateful TCP
    and the direction is Outbound

    and the remote address is (whatever your Intranet or corporate IP address range is)

    and the remote port is HTTP, HTTPS
    Allow it
    and concurrent connections

    Or set up a rule similar to this but in Applications instead, and base the rule on the application: just IE or Firefox or Word or whatever programs you want to lock down.

    Then apply the rules to those special groups.

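A way to verify the firewall approach from the post above on a locked-down machine, as an added example that is not part of the original thread and not Sophos tooling. It models "Block By Default" plus the single "Intranet Only" rule (outbound TCP to the intranet range on HTTP/HTTPS) and reports every probe whose live result differs from that model. The intranet range `10.0.0.0/8`, the sample targets and all function names are assumptions.

```python
import ipaddress
import socket

# Assumptions (not from the thread): intranet range and probe targets.
INTRANET = ipaddress.ip_network("10.0.0.0/8")
WEB_PORTS = {80, 443}  # the rule's remote ports: HTTP, HTTPS

# Constructed sample targets; the external ones are documentation ranges.
SAMPLE_TARGETS = [
    ("10.1.2.3", 443),     # intranet web server
    ("10.1.2.3", 22),      # intranet host, non-web port
    ("192.0.2.10", 443),   # outside the intranet range
    ("198.51.100.7", 80),  # outside the intranet range
]

def expected_allowed(ip, port, intranet=INTRANET):
    """Block by default; allow outbound TCP to the intranet on HTTP/HTTPS."""
    return ipaddress.ip_address(ip) in intranet and port in WEB_PORTS

def tcp_connect(ip, port, timeout=3.0):
    """Live probe: True if an outbound TCP handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(targets, connect=tcp_connect, intranet=INTRANET):
    """Return (ip, port, expected, observed) for each probe that deviates."""
    findings = []
    for ip, port in targets:
        want = expected_allowed(ip, port, intranet)
        got = connect(ip, port)
        if want != got:
            findings.append((ip, port, want, got))
    return findings

if __name__ == "__main__":
    for ip, port, want, got in audit(SAMPLE_TARGETS):
        # observed=True where expected=False means traffic escapes the policy;
        # the reverse may also mean the intranet server is simply down.
        print(f"MISMATCH {ip}:{port} expected_allowed={want} observed={got}")
```

Run it from a machine in the restricted group after the policy has been applied; an empty result means the observed connectivity matches the rule as described.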
  • I think CensorNet has such a capability in their system - I know a large bank in Norway uses that system to control devices so that PCs stationed for customers. Worth taking a look at if that is your need.