Blocking unauthorized remote access

And that is, in my opinion, the way to go. Blacklists are far less work than whitelists. What some people, like those who advocate whitelists, don't understand, is how Gen X and younger (anyone roughly 42 years of age, or less) values convenience over all else, and are willing to pay for it, which is why SurfControl, WebSense, etc. have made a lot of money, even when the rest of the tech industry was imploding. Gen Xers, whom I am one of, believe that convenience comes first, no matter how much it costs. WebSense, CyBlock, SurfControl, etc., etc., know this, and that is why their products are big sellers. Convenience sells. Make it convenient, and they will buy it.

Reply to
Charles Newman

X-No-Archive: Yes

Leythos wrote:

There is one thing you and Charles both overlook. That is the fact that citywide WiFi is available in many areas, either provided by the city, or through a commercial venture. Wireless ISPs (wISPs) use the same 802.11 standard as your home or office access point. Someone could disconnect from the office network and sign on to the citywide WiFi network, and totally bypass your firewalls and everything else. If there is any citywide WiFi network, whether provided by the city, or by a commercial venture, watch out. Someone may well disconnect from the office network and sign on to the citywide WiFi network. Since it would be the wISP that would be handling the traffic, the activity would not show up in any of the network logs. Heck, someone could even bring in their own laptop and plug into the citywide WiFi network (if your city has one). And there are ways to hide one's activity. There is the caller to my online talk show, who called in from her workplace in Vegas, and she was able to do it in a way where the boss would have NO CLUE as to what she was up to. And being that I only stream at 24K, when I do my talk show, that would only amount to a few megabytes a day, overall, if someone listened to the entire 2-hour program. That would be no more than an average day's Web browsing, so it would not stand out for any excessive bandwidth usage. And I am seeing more listeners coming in from workplaces all over the USA, when my talk show is on the air. Because of the low bandwidth usage, the boss would have no CLUE they were listening to an online talk show for 2 hours.

Reply to
chilly8

Wrong, wireless would mean they have to have some control, and it would typically also generate packets we would see during a network transition - provided they could do it on their computers.

If a call is made from a facility, using the network or phone system, it can be seen.

You are only seeing traffic from improperly secured networks.

Reply to
Leythos

Oh, so do you really mean that management hasn't got a policy, and you can't restrict on your own, or you don't even know what traffic is on your net?

That game is called "whack-a-mole" and you'll find you'll waste far more time trying to shut down a _single_ problem than if you bit the bullet and set the defaults to block. If your management doesn't want to or doesn't understand the need to support you - that makes it harder still. But don't bother looking outside trying to find some magic list - look at the traffic ON YOUR WIRE. That _may_ give you a clue of who you should watch more closely.

But you'd rather waste the time chasing phantoms.

No, some of us know better than to waste time. You haven't learned that lesson.

Old guy

Reply to
Moe Trin

Moe - I hope you don't mind, but I'm going to remember that analogy and use it in other discussions :)

Reply to
Leythos

Not a problem. It's an accurate description of trying to stop crap, one IP address at a time - same as one ant at a time. As of mid-month, there really were 2,357,975,546 IPv4 addresses out there. Someone wants to stop "the bad ones"? Totally useless.

Old guy

Reply to
Moe Trin

If you want to take the whitelist approach, the best way to do it would be with the CyBlock filter. It has a category called "Other". If that is selected to block, access will only be allowed to the other categories that are set to "allow". Of course, as I have said before, if you are going to use CyBlock, you will need to configure your firewall to close a gaping hole that Wavecrest still has not fixed. You will need to restrict incoming access to the CyBlock proxy to your subnet, and restrict outgoing traffic on CyBlock to ports 80 and 443.

That is one approach that Mr Dorn could take to the problem. Have his client install CyBlock on their network, and then turn the "Other" category to block. That would solve a lot of the problem. This is where CyBlock has the advantage over a hardware appliance. It can do whitelist blocking far better than a hardware appliance could. CyBlock can block/allow in 72 categories of content. No hardware firewall made can do that yet.

Anyone taking the whitelist approach may want to take a look at CyBlock. It can implement a whitelist approach with very little work on the part of IT. Just install and configure the software, and then simply E-mail instructions to the users on how to configure their Web browsers to use the new proxy, and you are done.

Reply to
Charles Newman

If you can prevent from in a sensible way. You seem to see "whitelisting the web" as a sensible provision, while I don't think that this is a good idea.

I agree.

That depends on policy ;-)

Yours, VB.

Reply to
Volker Birk

It isn't, as you can hardly evaluate the suitability of a certain host for tunnelling and almost any is suitable. Just a cookie, a session ID or any kind of storage is enough to transfer states with a third party.

Reply to
Sebastian Gottschalk

Well, what hour of the day I do my show depends on where I am in the world. I was in the USA the other day, and was on during the "working hours" in the western USA. That is when I had the caller from Vegas on my program. I am in Europe for a couple of weeks to cover figure skating competitions here, and I was doing my show during the hours of 10AM to 12PM CET, and I could see a lot of connections from workplaces in Europe during that time. In the chat room I have associated with the show, there were a lot of European listeners sneaking onto their home computers (broadband is more widespread in Europe) and listening to my show that way. I did also see a lot of connections via Tor and Corkscrew nodes. If I keep the bitrate down, and the bandwidth usage low, listening to the entire 2 hour program would amount to no more than a few megabytes per day, well below what might trigger any suspicion, since it would look like normal Web traffic coming in via the HTTP protocol. Any European sysadmins monitoring their systems between 10AM and 12PM CET would have seen some strange traffic on their networks, but the low bandwidth usage would make it look like normal Web traffic, on port 80, and they would have NEVER been the wiser to what was really going on at a particular user's workstation. I wonder what will happen when we go to do live audio from the Nebelhorn Trophy later on this week. On Thursday and Friday, it will be during the working hours in Europe. Part of the Friday schedule falls during the working hours in the Eastern USA, so admins in the USA might have a few problems detecting it as well.

Reply to
chilly8

What you fail to understand is that many administrators look for just that type of thing - and streaming audio/video is very easy to spot.

In the case of a properly configured security solution you would never stand a chance of your show reaching the target people.

Several of us, those that design secure networks, have already shown how easy it is to block your data from being reached, as people become more aware of that type of threat to productivity and security they will also start blocking it.

Reply to
Leythos

Not if the bandwidth usage is kept very low. For a talk show, the audio quality does not need to be that high. I use 24K on the Live 365 feed, and the backup feed I have, that kicks on if Live 365 goes down, streams at 10K. Either way, the bandwidth usage is kept very low, and would not stand out in any usage reports, because it will look like ordinary Web traffic.

However, there are STILL the citywide public WiFi networks. One could disconnect their workstation from the office network, and plug in to the citywide WiFi network (if your city has one). Just disconnect the computer from the office network, plug in a USB wireless network card, re-boot the system, and you are good to go.

A talk show would be hardly a threat to network security. About the only ones that would consider our talk show a serious threat would be the right-wing nutjobs who do not like my anti-Bush commentary. I even had one reporter from the ultra-conservative Fox network call me up on my show and call me a "Godless Commie", because I support a few Democratic candidates in the upcoming elections in America (I am a USA/Australia dual national). To get to my show she connected via her cable modem on Optimum Online, and then got to my show that way. The admins at Fox News Channel would have had no CLUE she connected to her cable modem, and then to my show. The network admins at Fox News Channel would have known she made a connection to her cable modem at Optimum Online, but where she went beyond that point would ONLY be known to her, and to Optimum Online. She even admitted circumventing the company's filtering system so she could get on my show and chew my ass out for my political views, using an encrypted tunnel to her cable modem. All the admins at FNC would have seen, if they were monitoring the connection, was a bunch of unbreakable encryption. If you had been the network admin at Fox News, you, too, would have had no CLUE as to WHAT this person at Fox News was up to.

Reply to
chilly8

Wrong, it's easy to spot, the connection is maintained while the user listens - it's very easy to spot. Any firewall/security setup that doesn't allow unrestricted outbound will block your site also.

Ha, Ha, Ha - and what makes you think that Admins don't monitor the event logs for their nodes? What makes you think an admin would not see the addition of a USB device in the event logs... What makes you think that admins leave USB enabled on all machines...

Anything that is not approved, as a general rule, is a threat to security. It's also a threat to productivity which can cost the company even more in some cases.

[snipped crap]

Anything that a user can do on a company network can and will be detected if the company wants to see it. Streaming audio/video is the easiest to detect, even at your low bit rate, and it's even easier to block.

Reply to
Leythos

However, if the machine is not connected to the network, there are no event logs on the server. I am talking about disconnecting entirely from the company network. If you are not on the network, there is no event log.

Well, Live365 runs a secure network. Every time you switch the live broadcasting, from automated "basic" mode, you are dynamically assigned a new address for your users to connect to in order to listen. It does two things. It improves security for their network, and it also makes it harder for admins to stamp out. They may block one address and port for a particular Live 365 live broadcaster, but the next time they go live, there will be a new address that will require the admin to block, the "whack-a-mole" scenario as one user put it. To block Live 365 live streams, admins would be playing "Whack A Mole" all the time, as Live 365 dynamically changed the address a particular broadcaster was assigned.

Well, in the case of the one Fox reporter who called my show to chew my ass out for my political beliefs, her use of an encrypted tunnel to get to my show means her admins will NEVER know what she was doing on that encrypted tunnel.

Reply to
chilly8

You're not thinking again - there will be an event entry in the local workstation, and any good admin already has a setup that monitors the logs for various entries...

And you've missed the idea that users don't need unrestricted Web access, in fact, most places don't need to get users any internet access. The "whack-a-mole" is only for people that use Black-Lists, smarter admins, that don't want to play that game will use White-Lists and none of your servers will be on it, so in one setting they've given users access to approved company resources and blocked every connection you could offer.

What you don't seem to understand, very few people need tunnels, and for an employee that creates one, that normally has no reason, it sends a red-flag, not to mention that the simple white-list would have blocked it.

You keep trying, there is nothing you can provide that can't be blocked or detected.

Reply to
Leythos

Event logs could be erased though. Some tests with Evidence Eliminator indicate that EE will clear the event logs. You don't have to go through the entire elimination process, just let it go past the point where it says "Erasing Start Menu Click History". When it does that, it erases the entire event log.

Reply to
chilly8

You are reaching for straws - users can't erase the Event logs, they don't have permission to access them.

You keep trying, one day you will understand what is possible and not why hype is.

This should be real easy for you to understand: There is nothing that users can do, to listen to your program, on company hardware, that can't be detected, and with the exception of connecting to another network with the PC, it can all be blocked, but it can also be detected and the employee fired for the abuse and theft of company time/resources.

Reply to
Leythos

You do realize that has no effect on quoted articles. Your statements are there for all time, so that people can later see how clueless they are.

Our expert never heard of packet sniffing - never heard of awk, and sort. For clues Charles, when we first set up a white list, we captured packet headers for a month. That was an unattended operation that took roughly one minute to set up. At the end of the month, we took the logs, and snarfed outbound destination, outbound port, inbound source and inbound port. We had already put a rule in place blocking "new" inbound connections (no, we don't offer services to the world from "this" or "that" address range, and all of our public servers are in DMZ blocks separated from "userspace"). The result was about 350 Megabytes of logs. You claim to have some accounting skills, so you _might_ comprehend the relative ease of data analysis. It took two guys less than two days (under 16 man-hours) to ID all of the remote sites. The data showed something like 200 firewall rules were needed. Since then, our users have requested access to roughly three times as many sites, and _most_ had holes poked through the firewall for them. Done. No surprises of new sites or services needing to be blocked, and no complaints from the users.

One problem we encountered was people wanting to be able to access several "news" sites such as cnn.com. Radio reception within our buildings is quite poor due to the construction, and we found it useful to add several "radio" channels as multicast.

That's been the case here for years.

I doubt that in the extreme. Remember, he has no technical background, and no desire to learn anything.

Oh, please. First, if I go out into the parking lot, and use a 36 inch (91 cm - about 23.3 dBi) dish, I can detect _two_ access points - they're in a residential neighborhood and are probably home systems. Without using the dish, we can't even detect those, as the signals are that weak. None the less, we do have monitors looking for wireless signals. They cause the same alarms that unidentified systems on our wires trigger. Sorry, but you really shouldn't believe those Verizon commercials.

No - corporate wide policy prohibits that, and the employees are aware of the rules. Also, there are big signs at ALL of the entrances reminding everyone that unauthorized computers are subject to confiscation.

Keep dreaming - the traffic would stand out like a sore thumb. Too bad your "engineers" don't tell you these things. And lest you think otherwise, I know what the traffic looks like, because as noted above, we have such service on our wires now. Like Charles, you have no technical skills, and don't understand what signals look like on the network. Thus, you don't understand the words "normal" and "abnormal", and how they pertain to network traffic.

Actually, we have several systems sniffing for WiFi, and detected two instances over the past two years. One was a "gift" from the boyfriend of a secretary, and the other was a vendor who had a system in his truck. Both were found and shut down within five minutes.

One of the blessings of working in a secure environment - no cell phones, and no pagers. Again, those signs at the door.

Old guy

Reply to
Moe Trin
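Two points in this thread lend themselves to a worked illustration: Moe Trin's description of building a whitelist by capturing outbound packet headers for a month and reducing them with awk and sort, and Leythos's observation that a streaming listener is exposed not by bandwidth but by a connection that stays open for the whole show. The script below is an added example written for this page; it is not code from either poster. It works on a constructed flow-style log whose format (date, source IP, destination IP, destination port, protocol, duration in seconds, bytes) is an assumption made for the example; a real capture would be reduced to the same columns first. It aggregates destinations into allow-list candidates, separates out one-off destinations for manual review, and flags long-lived sessions.

```shell
#!/bin/sh
# Added example (not from the thread). Reduce a capture of outbound connection
# starts to (a) allow-list candidates and (b) long-lived sessions worth a look.
#
# Constructed log format, one connection per line, space separated:
#   <date> <src_ip> <dst_ip> <dst_port> <proto> <duration_s> <bytes>

# Constructed sample data standing in for a real month-long capture.
write_sample_log() {
    cat > "$1" <<'EOF'
2006-09-25 10.0.1.15 192.0.2.10 80 tcp 3 41200
2006-09-25 10.0.1.22 192.0.2.10 80 tcp 2 18760
2006-09-25 10.0.1.15 192.0.2.10 443 tcp 5 60310
2006-09-26 10.0.1.31 198.51.100.7 25 tcp 1 2200
2006-09-26 10.0.1.15 192.0.2.10 80 tcp 4 50010
2006-09-27 10.0.1.40 203.0.113.9 8000 tcp 7200 21600000
2006-09-27 10.0.1.22 192.0.2.10 80 tcp 2 9930
2006-09-28 10.0.1.31 198.51.100.7 25 tcp 1 1800
2006-09-28 10.0.1.15 192.0.2.44 53 udp 0 120
EOF
}

# Count each distinct (dst_ip, dst_port, proto) tuple and how many internal
# hosts reached it. Output: "<conns> <hosts> <dst_ip> <port> <proto>",
# busiest first, ties broken by host count then address for stable output.
summarize_destinations() {
    awk '{
            key = $3 " " $4 " " $5
            conns[key]++
            if (!((key, $2) in seen)) { seen[key, $2] = 1; hosts[key]++ }
        }
        END { for (k in conns) print conns[k], hosts[k], k }' "$1" \
    | sort -k1,1nr -k2,2nr -k3,3
}

# Emit an allow rule for every destination reached at least $2 times; anything
# not listed falls to the default deny. The rule text is generic, for a human
# reviewer, not any particular firewall's syntax.
whitelist_candidates() {
    summarize_destinations "$1" \
    | awk -v min="$2" '$1 >= min { print "allow", $5, $3, "port", $4 }'
}

# Destinations hit exactly once are the ones to check by hand before a hole
# gets poked in the firewall for them.
singletons() {
    summarize_destinations "$1" | awk '$1 == 1 { print $3, $4, $5 }'
}

# Sessions open for at least $2 seconds. A low-bitrate stream carries little
# data per minute, but the socket stays up for the length of the programme.
long_lived() {
    awk -v min="$2" '$6 >= min { print $2, "->", $3 ":" $4, $6 "s", $7 " bytes" }' "$1"
}

# Demonstration on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "== destinations (conns hosts dst port proto) =="
summarize_destinations "$demo_log"
echo "== allow-list candidates (seen at least 2 times) =="
whitelist_candidates "$demo_log" 2
echo "== one-off destinations to review by hand =="
singletons "$demo_log"
echo "== sessions open 10 minutes or longer =="
long_lived "$demo_log" 600
rm -f "$demo_log"
```

The threshold passed to `whitelist_candidates` is a judgement call: too low and every one-off destination becomes a rule, too high and legitimate low-volume sites get cut off and generate tickets. On the detection side, `long_lived` is deliberately keyed on duration rather than byte count, which is the property a low-bitrate stream cannot hide.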

It was hard to read your reply, sometimes I was unsure if you were replying to him or me.

We did a couple DOD sites, and it's amazing how well they let us lock things down.

Reply to
Leythos

A long post when there are three individuals/levels of quoting does make things a bit confusing, I'll admit.

Fifteen years ago, I was still at our San Francisco Bay facility, and we had a few government contracts there. This was about the time we introduced our no-visiting computers policy corporate wide (for internal reasons, not military). The first visiting computer we nailed was (naturally) the laptop owned by president... the same guy who had signed the policy several days earlier. The second one was being used by the DoD security auditor who was visiting to lecture us on security. Gotta love it.

We've always run a fairly tight ship, as we are a research facility, and after an incident where an individual was caught doing a st00pid, security got a royal reaming with the Wire Brush Of Enlightenment. Then someone else got nailed at one of our European manufacturing facilities and someone else got nailed in South America less than a month later. Corporate lost its temper, and a few (fairly high) heads rolled. It should be no surprise that this got everyone's attention.

Old guy

Reply to
Moe Trin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.