Date:      Fri, 25 Aug 2017 15:59:37 -0500
From:      Tim Daneliuk <tundra@tundraware.com>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: How to block facebook access
Message-ID:  <39cf20a1-a45e-808f-77cd-9a6b7a3364f3@tundraware.com>
In-Reply-To: <4c9d24fc-021b-cde6-babc-a1c34d770c53@nofroth.com>
References:  <59988180.7020301@gmail.com> <4c9d24fc-021b-cde6-babc-a1c34d770c53@nofroth.com>

On 08/25/2017 03:41 PM, Duane Whitty wrote:
> 
> 
> On 17-08-19 03:20 PM, Ernie Luzar wrote:
>> Hello list;
>>
>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>> are using their work PC's to access facebook during work.
>>
>> What method would recommend to block all facebook access?
>>
> 
> Not sure if I missed this but did you say whether the users on your LAN
> are tech savvy?  If they understand networking which of the above
> solutions, other than white-listing, would prevent one of them from
> setting up a web proxy at an address they control?  Maybe they might
> even be really clever/motivated and take turns running a proxy at
> different addresses :-)
A number of my corporate clients have very strict regulatory
requirements.  They have significant concerns about data leakage to
machines outside their control and solve this problem on their own networks by:

- Assigning non-routable IPs to their hosts, whether server or desktop.
  To make these nonrepudiable, the smarter customers use MAC-based
  DHCP to keep the same non-routable associated with a specific host.

- Closing every outbound port at the NATing firewall except 80 and 443
  which they ...

- Running through a proxy server which also acts as a man-in-the-middle SSL
  intruder so they can look at the content of encrypted connections.

- Very tight policies about what part of the web anyone can even go to,
  typically controlled on a per LDAP or AD group basis.  Among things
  routinely blocked are entertainment sites like FaceBook and YouTube
  (but there are many others).

- Deep inspection of all outbound emails for signs of leakage.

- Shutting off and alarming any attempt to use the USB ports to plug
  things in ... even just for charging.

It works remarkably well.  What NO one can stop is:

- A user's own device and wireless bandwidth (unless you run a cell
  jammer) and/or user connectivity to a nearby WiFi hotspot.  But even
  in that case, there is still an airgap between the users' devices
  and the corporate machinery.

- A user taking photographs of a screen with their cell phone thereby
  removing data. This is essentially impossible to catch 100% of the
  time.  The clients that are in Financial Services therefore require
  all employees and consultants to agree to realtime access to their
  retirement and trading accounts to defend against insider trading.


That's all it takes :)

----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
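Tim's second bullet, applied to the original poster's FreeBSD 11.1 ipfilter gateway, as an added example that is not from anyone in this thread: ipf.conf and ipnat.conf fragments that NAT the LAN, allow only outbound 80 and 443 from it, and log every other outbound attempt so that it can be reviewed with ipmon. The interface names em0 (WAN) and em1 (LAN) and the 192.168.1.0/24 LAN range are assumptions.

```conf
# /etc/ipf.conf  (assumed: em0 = WAN, em1 = LAN 192.168.1.0/24)
# ipfilter filters outbound packets BEFORE NAT, so rules on em0
# still see the LAN hosts' private source addresses.

# Loopback and the LAN-side interface are left open.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on em1 all
pass out quick on em1 all

# Only HTTP and HTTPS may leave from the LAN; keep state admits replies.
pass out quick on em0 proto tcp from 192.168.1.0/24 to any port = 80  flags S keep state
pass out quick on em0 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state

# Name resolution is the one extra service needed for the above to be usable.
pass out quick on em0 proto udp from any to any port = 53 keep state

# Everything else leaving via em0 is dropped and logged for ipmon(8).
block out log quick on em0 all

# Nothing unsolicited is accepted on em0; the state table handles return traffic.
block in  log quick on em0 all

# /etc/ipnat.conf  -- NAT the LAN behind em0's address
map em0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map em0 192.168.1.0/24 -> 0/32

# /etc/rc.conf  -- enable forwarding, the filter, NAT and the logger
# gateway_enable="YES"
# ipfilter_enable="YES"
# ipnat_enable="YES"
# ipmon_enable="YES"
# ipmon_flags="-Ds"
```

A proxy that a user stands up on port 443 at an outside address still passes these rules, which is exactly the gap Duane raises and why Tim's next two bullets (interception proxy plus per-group URL policy) sit on top of the port restriction; the `log` keywords at least make attempts on any other port visible in the ipmon output.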