Cyber Monday

Is that practical? I don't want to have to draw up a list of approved sites for my company, the list would be almost never ending because many of our staff use the internet for research which means they could legitimately end up going almost anywhere.

Reply to
Brian Cryer

Isn't it simply a case of blocking all traffic to a specific destination? SSL is still layered over TCP. What the traffic is doesn't matter. Of course (as Leythos will point out) that requires a decent firewall, or maybe not given that my cheapo router at home lets me block specific destinations (although probably not many).

Of course obtaining an up to date list of proxies, that would be a good trick. My daughters at school know of more proxies than I do, maybe I should ask them.

Reply to
Brian Cryer


Proxies come and go so fast, your lists would be out of date in no time. The various filtering vendors cannot keep up with it. Your daughter might be able to give you a list, but it will be out of date in no time.

Reply to
Chilly8

Quite true. No argument there.

Reply to
Brian Cryer

Yea, and it's what should be done. If you have a select group that does research, using the web, you could (and should) create a different HTTP rule for them, allowing them access to ALL of the web, but restrict them using content/other filters to block most of the crap. The generic users and others would fall under the block all except business rule.

We do this with managers in most companies, permit them to authenticate with the firewall, or have their PCs in a reserved area (IP), and have different rules for managers.

Either way, spotting an abuser is simple.

Reply to
Leythos

And that's why you have to adopt the idea that no one has a "Right" to internet access for anything other than Business functions. They don't have a right to personal use of the company network at all.

Block all access, approve only business legit sites, doesn't matter how many new/old proxies are out there since they can't get to them at all.

Reply to
Leythos

Easy:

- Allow outbound SSH only from whitelisted hosts,

- Allow outbound https only to whitelisted sites.

- Use a transparent proxy for all outbound http.

- Block all other outbound connections.

Besides, despite the encryption it is quite possible to distinguish between SSH and https connections.

Try getting a clue before posting next time.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
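The claim above that SSH and HTTPS can be told apart despite the encryption rests on the fact that both protocols announce themselves in the clear before any key exchange: an SSH client opens with the identification string `SSH-`, a TLS client with a handshake record whose first bytes are `0x16 0x03`. The following classifier is an added example, not code from the thread or from l7-filter; it reads the first four client bytes of a captured stream from a file and labels the flow by protocol rather than by port.

```shell
#!/bin/sh
# Added example: label an outbound TCP stream as SSH, TLS or unknown from its
# first client bytes. The port number plays no role, so SSH forced onto 443
# is still reported as ssh.
#   SSH: identification string "SSH-2.0-..." sent in cleartext
#   TLS: handshake record header 0x16 0x03 0xNN (ClientHello)
classify_flow() {
    # $1: file holding the captured client-to-server bytes of one stream
    bytes=$(od -An -N 4 -tx1 "$1" | tr -d ' \n')
    case "$bytes" in
        5353482d) echo ssh ;;      # ASCII "SSH-"
        1603*)    echo tls ;;      # TLS record type 0x16, major version 0x03
        *)        echo unknown ;;
    esac
}

# Constructed sample payloads so the script runs stand-alone
tmpdir=$(mktemp -d)
printf 'SSH-2.0-OpenSSH_example\r\n' > "$tmpdir/ssh.bin"
printf '\026\003\001\000\305\001\000\000' > "$tmpdir/tls.bin"
printf 'GET / HTTP/1.1\r\n' > "$tmpdir/http.bin"
for f in ssh tls http; do
    printf '%s.bin -> %s\n' "$f" "$(classify_flow "$tmpdir/$f.bin")"
done
rm -rf "$tmpdir"
```

Only the first packet of the client side is needed, which is why an application-level filter can apply this check before deciding whether to forward or drop the connection.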


What you are talking about requires one filtering tool, CyBlock, with the most expensive annual licensing, $799 annually for just 10 users. CyBlock can handle specific groups and their filtering requirements, and can do whitelisting, and there is one European filter maker, though I cannot recall the name right now, that can whitelist, but unless you use these pricey filtering products, whitelisting is just not practical.

Reply to
Chilly8

Again, you are WRONG:

1) Block all access except approved sites - ANY Firewall appliance can do this as shipped - any real firewall has this function already, no fee, no additional cost, no subscription.

2) Blocking based on Categories of Sites, yes, this has a subscription, provides hourly/daily updates, still only allows access to approved sites in the list or can be set to only block what is in the list. Cost is under $200 per year in most cases, for the ENTIRE FIREWALL, not a per-user cost.

3) Multiple, simple groups, for HTTP access:
3a - Default rule - block all except business approved sites.
3b - MANAGERS_Rule - allows access to search, etc... still most sites blocked
3c - SoftwareUpdate_Rule - allow unlimited access by servers to specific IP ranges for Windows Updates/AV updates (not for workstations).

4) Rules for HTTPS:
4a - Default rule - block all except to business approved sites.
4b - Managers/Admins - Allow all HTTPS access.

And the list goes on....

cheap, easy, works well, completely blocks your crap from all users except IT Admins in network.

Reply to
Leythos

Wrong as usual but then we've come to expect that from you.

Jason

Reply to
Jason

Good luck... do you have deep packet inspection where you are able to filter by protocol? I doubt it. Block port 22, I'll use 443 or whatever else is available.

Wouldn't want to manage that... you'd have people screaming at you all day long to add sites and it's not practical from a business point of view.

Again, easily bypassed (haven't worked for a company yet that I couldn't get around)

No complaint there

True

> Try getting a clue before posting next time.

from one security expert to another.... touché

Reply to
slackerama

> from one security expert to another... touché

Do I really need to post a rebuttal to this??

Reply to
slackerama

Won't work on a properly secured network.

You can't use 443 to connect to sites that are not approved at the firewall.

While white-listing is VERY practical - As soon as businesses adopt the ideals that users don't need internet service to work, and most don't, then it becomes very simple and it doesn't take much time at all.

Reply to
Leythos

At one figure skating event we are broadcasting, when the Compulsory Dance fell during the working hours in Europe, on Thursday, there were a large number of connections coming from corporate IPs in Europe. Ice Dance is far more popular in Europe than in the Americas (which is why European nations usually win all the medals), so I do see a lot of connections to my station from Europe whenever ice dancing is on. And with yet another possible judging scandal developing among Russian judges, it is keeping more people glued to ice dancing broadcasts. I do expect that in the Grand Prix Final, this will drive up traffic to coverage of the event, when the ice dancing is going on, as people will want to see what happens between Belbin/Agosto and Domnina/Shabalin. In fact, the ice dance on Friday, 14th December will fall during the working hours in America, so I expect to see a lot of hits from corporate IPs in the U.S. starting at around 12:30 PM Eastern Standard Time that day. The talk in the various figure skating boards about another possible Russian judging scandal, in the ice dancing event, is already driving up traffic to sites where skating coverage is available. The fact that one very controversial Russian judge will be on the dance judging panel, in Torino, is going to drive the traffic up, considerably, to coverage of that part of the Grand Prix Final.

Reply to
Chilly8

To address the points you tried to make in the post you apparently cancelled (MID ):

We don't have an application level filter in place, because our employees are allowed to use the internet for their own purposes (as long as they don't overdo it). However, if I had the need to filter at application level I'd probably use something like l7-filter:


There isn't anything else available to you.

- 22/tcp is allowed only from whitelisted hosts on the LAN

- 80/tcp and 443/tcp are redirected transparently to the proxy, which allows https connections only to whitelisted domains

- 53/udp and 53/tcp are allowed only from the company's DNS servers

- 25/tcp is allowed only from the company's mail server

- everything else is blocked

Users don't need to access that many sites using SSL for their work, and the sites they need to access don't change that frequently, so contrary to your belief it is quite manageable.

Get around a transparent proxy? Do you even understand how a transparent proxy works? The router indiscriminately redirects all traffic on the given ports to the proxy (and you're not allowed to establish outbound connections on other ports), so pray tell how you think you can get around that.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
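The egress policy listed in the post above (SSH only from whitelisted hosts, 80/443 redirected to a transparent proxy, DNS only from the company resolvers, SMTP only from the mail server, everything else blocked) written out as iptables rules for a Linux router. This is an added example, not the poster's actual configuration; all addresses, the LAN interface name and the proxy port are placeholders, and it assumes the proxy runs on the router itself so that REDIRECT can be used.

```shell
#!/bin/sh
# Added example: the five-point egress policy from the thread as iptables rules.
# Addresses/interface are placeholders. Prints the rules by default; run with
# DRY_RUN= (empty) on the firewall itself to apply them.
DRY_RUN=${DRY_RUN-1}
LAN_IF="eth1"                          # placeholder LAN-side interface
LAN_NET="192.0.2.0/24"                 # placeholder LAN range
SSH_HOSTS="192.0.2.10 192.0.2.11"      # hosts allowed to open outbound SSH
DNS_SERVERS="192.0.2.53"               # company DNS servers
MAIL_SERVER="192.0.2.25"               # company mail server
PROXY_PORT=3128                        # transparent proxy listening on the router

ipt() { if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

apply_egress_policy() {
    # Replies to sessions the firewall already allowed
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 22/tcp: only whitelisted LAN hosts; any other attempt is logged and dropped
    for h in $SSH_HOSTS; do
        ipt -A FORWARD -i "$LAN_IF" -s "$h" -p tcp --dport 22 -j ACCEPT
    done
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 22 -j LOG --log-prefix "egress-ssh-denied "
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 22 -j DROP
    # 80/tcp and 443/tcp: redirected to the proxy before routing, regardless of
    # destination; the proxy applies the domain whitelist. Nothing on these ports
    # is ever forwarded directly. (The proxy's own outbound traffic is governed by
    # the OUTPUT chain, not shown here.)
    for p in 80 443; do
        ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$p" \
            -j REDIRECT --to-ports "$PROXY_PORT"
    done
    # 53/udp and 53/tcp: only the company's resolvers may talk to the outside
    for d in $DNS_SERVERS; do
        ipt -A FORWARD -i "$LAN_IF" -s "$d" -p udp --dport 53 -j ACCEPT
        ipt -A FORWARD -i "$LAN_IF" -s "$d" -p tcp --dport 53 -j ACCEPT
    done
    # 25/tcp: only the mail server
    ipt -A FORWARD -i "$LAN_IF" -s "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    # Everything else leaving the LAN is dropped
    ipt -A FORWARD -i "$LAN_IF" -j DROP
}

apply_egress_policy
```

The "I'll just use 443" objection raised earlier in the thread runs into the REDIRECT rule: a workstation's connection to port 443 never reaches the outside, it lands on the proxy, which only completes it for whitelisted domains.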
