From owner-freebsd-questions@freebsd.org Fri Aug 25 21:06:12 2017
Subject: Re: How to block facebook access
From: Tim Daneliuk <tundra@tundraware.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Date: Fri, 25 Aug 2017 15:59:37 -0500
Message-ID: <39cf20a1-a45e-808f-77cd-9a6b7a3364f3@tundraware.com>
In-Reply-To: <4c9d24fc-021b-cde6-babc-a1c34d770c53@nofroth.com>
References: <59988180.7020301@gmail.com> <4c9d24fc-021b-cde6-babc-a1c34d770c53@nofroth.com>

On 08/25/2017 03:41 PM, Duane Whitty wrote:
>
> On 17-08-19 03:20 PM, Ernie Luzar wrote:
>> Hello list;
>>
>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>> are using their work PC's to access facebook during work.
>>
>> What method would you recommend to block all facebook access?
>
> Not sure if I missed this but did you say whether the users on your LAN
> are tech savvy? If they understand networking which of the above
> solutions, other than white-listing, would prevent one of them from
> setting up a web proxy at an address they control? Maybe they might
> even be really clever/motivated and take turns running a proxy at
> different addresses :-)

A number of my corporate clients have very strict regulatory requirements.
They have significant concerns about data leakage to machines outside their
control and solve this problem on their own networks by:

- Assigning non-routable IPs to their hosts, whether server or desktop.
  To make these nonrepudiable, the smarter customers use MAC-based DHCP
  to keep the same non-routable associated with a specific host.

- Closing every outbound port at the NATing firewall except 80 and 443,
  which they ...

- Run through a proxy server which also acts as a man-in-the-middle SSL
  intruder so they can look at the content of encrypted connections.

- Very tight policies about what part of the web anyone can even go to,
  typically controlled on a per LDAP or AD group basis. Among things
  routinely blocked are entertainment sites like FaceBook and YouTube
  (but there are many others).

- Deep inspection of all outbound emails for signs of leakage.

- Shutting off and alarming any attempt to use the USB ports to plug
  things in ... even just for charging.

It works remarkably well. What NO one can stop is:

- A user's own device and wireless bandwidth (unless you run a cell
  jammer) and/or user connectivity to a nearby WiFi hotspot. But even in
  that case, there is still an airgap between the users' devices and the
  corporate machinery.

- A user taking photographs of a screen with their cell phone thereby
  removing data. This is essentially impossible to catch 100% of the
  time. The clients that are in Financial Services therefore require all
  employees and consultants to agree to realtime access to their
  retirement and trading accounts to defend against insider trading.

That's all it takes :)

----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
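The egress design in the reply above (every outbound port closed at the gateway except 80 and 443, and those only through a proxy) is what actually answers the original ipfilter question: a default-deny outbound ruleset rather than a growing block list of Facebook addresses. The following is an added example, not code from the thread or from any of the posters. It renders that policy as ipfilter rules and includes a first-match simulator so the ruleset can be checked against sample flows before it is loaded. The LAN range 192.168.0.0/24, the DMZ proxy at 10.10.0.5 listening on 3128, and the destination 203.0.113.10 are constructed placeholders.

```python
"""Default-deny egress policy for a FreeBSD ipfilter gateway.

Added example (not from the mailing-list thread). Intent, following the
reply above: LAN hosts may reach only the proxy; only the proxy may go
out on 80/443; everything else leaving the gateway is blocked and logged.
The LAN range, proxy address and proxy port are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Network = ipaddress.IPv4Network
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = "tcp"   # None renders as "all" (any protocol)
    dport: Optional[int] = None    # None means any destination port
    log: bool = False

    def matches(self, src, dst, dport, proto):
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))

    def render(self) -> str:
        """One ipfilter rule line. 'quick' stops at the first match,
        which is the semantics decide() below mirrors."""
        words = [self.action, "out"]
        if self.log:
            words.append("log")
        words.append("quick")
        if self.proto is None:
            words.append("all")
        else:
            words += ["proto", self.proto, "from", _net(self.src),
                      "to", _net(self.dst)]
            if self.dport is not None:
                words += ["port", "=", str(self.dport)]
            if self.action == "pass" and self.proto == "tcp":
                words += ["flags", "S", "keep", "state"]
        return " ".join(words)


def _net(net: IPv4Network) -> str:
    return "any" if net == ANY else str(net)


def build_egress_rules(lan: IPv4Network, proxy: IPv4Network, proxy_port: int,
                       web_ports=(80, 443)) -> List[Rule]:
    """Rules in evaluation order: LAN -> proxy, proxy -> web, block the rest."""
    rules = [Rule("pass", lan, proxy, dport=proxy_port)]
    rules += [Rule("pass", proxy, ANY, dport=p) for p in web_ports]
    rules.append(Rule("block", ANY, ANY, proto=None, log=True))
    return rules


def render_ruleset(rules: List[Rule]) -> str:
    return "\n".join(r.render() for r in rules)


def decide(rules, src, dst, dport, proto="tcp") -> str:
    """Action of the first matching rule (quick semantics). ipfilter passes
    a packet that no rule matches, so a ruleset without a final block
    rule is open, not default-deny."""
    for r in rules:
        if r.matches(src, dst, dport, proto):
            return r.action
    return "pass"


if __name__ == "__main__":
    lan = IPv4Network("192.168.0.0/24")    # constructed LAN range
    proxy = IPv4Network("10.10.0.5/32")    # constructed DMZ proxy host
    rules = build_egress_rules(lan, proxy, 3128)
    print(render_ruleset(rules))
    A = ipaddress.IPv4Address
    for src, dst, port in [(A("192.168.0.23"), A("203.0.113.10"), 443),
                           (A("192.168.0.23"), A("10.10.0.5"), 3128),
                           (A("10.10.0.5"), A("203.0.113.10"), 443)]:
        print(f"{src} -> {dst}:{port}  {decide(rules, src, dst, port)}")
```

The rendered text is what would go into the ipfilter rules file and be loaded with `ipf -Fa -f <file>`; the simulator exists because ipfilter's implicit default is pass, so the single most important check is that a direct LAN-to-Internet connection on 443 reaches the closing `block out log quick all` rule and nothing before it. The proxy's own DNS traffic and the NAT configuration (ipnat) are deliberately outside this ruleset and need their own rules.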