Web-filter based on categories

Hello team!!

We have a customer that has many sites, each one with a MikroTik router.
Many years ago, the management of this company asked me to block certain websites.
We tried with Layer7, and we could make a blacklist, but we couldn't make a whitelist.
So we started to use the proxy at every site.
Since then, they have asked us to add a lot of websites on different MikroTiks.
Today we have so many entries in the proxy access list on each MikroTik that it is too hard to know what is being allowed.
I am wondering if there is something new I can do to block sites on MikroTiks.
We have other sites with FortiGates, using the web filter with category-based filtering, which is not free but works fine.
I think a category filter would be nice, because of the site dependencies.
When they ask us to allow a certain website, we usually need to allow multiple sites (the site itself and all the websites required for it to work).

Any suggestion?
Thanks in advance.
Regards,
Damián

MikroTik ≠ UTM/NGFW.
I suggest that you consider other vendors.

Of course, I asked my boss to quote them a firewall from another vendor, but he didn't get anything, which is why I'm trying to do it with the MikroTiks they currently have.
Is there anything better than proxy access list?

Thanks in advance.
Regards,
Damián

Not a surprise the customer is silent. You're using a "half-baked" solution that in the long run is difficult to manage, but from the customer's perspective "it works".
Now you're trying to charge them for a device that costs ~2500€ and gives no other benefits to them, unless your sales team properly marketed the product.
Sorry, but this is no longer an "IT problem", at least in my opinion.
If you want a proper IDS/IPS with SSL inspection that has a proper database, you need to invest in proper hardware.

A useful solution is to set up a proper DNS server with blacklists and send DNS resolution there. It doesn't have to run on a local device; it can run on the cheapest VPS, shared by all sites.

Not as robust as TLS decryption, but it works well for normal sites. And it's within budget for basically anyone.

Hello! Thanks for your answer!!
This seems better than the proxy, because the list is shared.
I think I will need a whitelist instead of a blacklist; I think this will be possible too, right?
What happens in this case if a site has dependencies? I think I will also need to add the dependencies to the whitelist, right?

Regards,
Damián

Yep. Whitelists are harder, exactly as you point out. Many websites today have all sorts of dependencies: CDNs, captcha providers, analytics, etc.

Look or ask whether blacklists would be suitable for you; there are lots of well-maintained ones on GitHub for all sorts of categories that you can mix and match: ads, tracking, gambling, social media (YouTube/Facebook/TikTok usually have their own categories), NSFW, porn, etc.

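As an added example (not posted by anyone in this thread), the following Python script shows how the two suggestions above fit together: it parses category blocklists in the two formats most GitHub lists use (hosts-file format and one-domain-per-line), merges the chosen categories, collapses subdomains already covered by a parent zone, applies a small allowlist, and renders an Unbound `local-zone` fragment for the shared resolver on the VPS. The list contents, the category names and the allowlist are constructed samples; Unbound as the resolver is an assumption, chosen because its `always_nxdomain` and `transparent` zone types make parent-blocked/child-allowed overrides straightforward.

```python
"""Merge category blocklists into an Unbound zone fragment.

Added example for the thread above; not code from any poster or project.
Assumes an Unbound resolver; sample lists and allowlist below are constructed.
"""
import re

# Constructed samples in the two common GitHub list formats.
ADS_HOSTS_FORMAT = """\
# ads sample (constructed), hosts-file format
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 Cdn.Example.Net
"""
GAMBLING_DOMAIN_FORMAT = """\
# gambling sample (constructed), one domain per line
casino.example
bets.example
www.casino.example
"""
# Constructed allowlist: one name that is blocked outright, one that sits
# under a blocked zone and therefore needs an explicit override.
ALLOWLIST_SAMPLE = {"cdn.example.net", "vip.casino.example"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")  # at least two labels


def _looks_like_ip(token: str) -> bool:
    return all(ch in "0123456789.:" for ch in token)


def parse_list(text: str) -> set[str]:
    """Extract lower-cased domain names; skips comments, blanks and non-domains."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        name = tokens[1] if len(tokens) > 1 and _looks_like_ip(tokens[0]) else tokens[0]
        name = name.lower().rstrip(".")
        if DOMAIN_RE.match(name):  # drops 'localhost', bare IPs, adblock syntax
            names.add(name)
    return names


def _covered_by(name: str, zones: set[str]) -> bool:
    """True if name equals, or is a subdomain of, any zone in `zones`."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in zones for i in range(len(parts) - 1))


def collapse(domains: set[str]) -> set[str]:
    """Drop entries already covered by a parent; a local-zone covers its subdomains."""
    keep: set[str] = set()
    for name in sorted(domains, key=lambda d: d.count(".")):  # parents first
        if not _covered_by(name, keep):
            keep.add(name)
    return keep


def merge_categories(categories: dict[str, set[str]]) -> set[str]:
    """Union the selected categories into one collapsed blocklist."""
    merged: set[str] = set()
    for names in categories.values():
        merged |= names
    return collapse(merged)


def apply_allowlist(blocked: set[str], allowed: set[str]) -> tuple[set[str], set[str]]:
    """Remove blocked names covered by the allowlist; return the remaining blocks
    plus allowlisted names that still sit under a blocked zone (need an override)."""
    allowed = {a.lower().rstrip(".") for a in allowed}
    remaining = {b for b in blocked if not _covered_by(b, allowed)}
    overrides = {a for a in allowed if _covered_by(a, remaining)}
    return remaining, overrides


def render_unbound(blocked: set[str], overrides: set[str]) -> str:
    """Render a server: fragment; the more specific transparent zone wins in Unbound."""
    lines = ["server:"]
    lines += [f'  local-zone: "{z}." always_nxdomain' for z in sorted(blocked)]
    lines += [f'  local-zone: "{z}." transparent' for z in sorted(overrides)]
    return "\n".join(lines) + "\n"


def build_config(category_texts: dict[str, str], allowlist: set[str]) -> str:
    categories = {name: parse_list(text) for name, text in category_texts.items()}
    blocked, overrides = apply_allowlist(merge_categories(categories), allowlist)
    return render_unbound(blocked, overrides)


if __name__ == "__main__":
    print(build_config({"ads": ADS_HOSTS_FORMAT, "gambling": GAMBLING_DOMAIN_FORMAT},
                       ALLOWLIST_SAMPLE), end="")
```

Run it periodically on the VPS to regenerate the fragment from freshly fetched lists and reload Unbound. On each MikroTik, point the router's DNS at the VPS and add a dst-nat rule that redirects LAN traffic on port 53 to it, otherwise a client with a hard-coded public resolver bypasses the filter; DNS-over-HTTPS clients bypass it regardless, which is the "not as robust as TLS decryption" caveat above. The whitelist case the thread discusses is the inverse of this script: deny the root zone and add `transparent` zones for each allowed site and its dependencies, which is exactly why the dependency list is the painful part.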

Thanks a lot!
I will research these GitHub blacklists.

Regards,
Damián