Date: Fri, 25 Aug 2017 18:41:12 -0300
From: Duane Whitty <duane@nofroth.com>
To: freebsd-questions@freebsd.org
Cc: duane@nofroth.com
Subject: Re: How to block facebook access
Message-ID: <b8f0ecc6-7416-d2d8-6030-5df8b9048a7e@nofroth.com>
In-Reply-To: <39cf20a1-a45e-808f-77cd-9a6b7a3364f3@tundraware.com>
References: <59988180.7020301@gmail.com> <4c9d24fc-021b-cde6-babc-a1c34d770c53@nofroth.com> <39cf20a1-a45e-808f-77cd-9a6b7a3364f3@tundraware.com>
On 17-08-25 05:59 PM, Tim Daneliuk wrote:
> On 08/25/2017 03:41 PM, Duane Whitty wrote:
>>
>>
>> On 17-08-19 03:20 PM, Ernie Luzar wrote:
>>> Hello list;
>>>
>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>> are using their work PCs to access facebook during work.
>>>
>>> What method would you recommend to block all facebook access?
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to
>>> "freebsd-questions-unsubscribe@freebsd.org"
>>
>> Not sure if I missed this but did you say whether the users on your LAN
>> are tech savvy? If they understand networking, which of the above
>> solutions, other than white-listing, would prevent one of them from
>> setting up a web proxy at an address they control? Maybe they might
>> even be really clever/motivated and take turns running a proxy at
>> different addresses :-)
>
> A number of my corporate clients have very strict regulatory
> requirements. They have significant concerns about data leakage to
> machines outside their control and solve this problem on their own
> networks by:
>
> - Assigning non-routable IPs to their hosts, whether server or desktop.
>   To make these nonrepudiable, the smarter customers use MAC-based
>   DHCP to keep the same non-routable associated with a specific host.
>
> - Closing every outbound port at the NATing firewall except 80 and 443
>   which they ...
>
> - Run through a proxy server which also acts as a man-in-the-middle SSL
>   intruder so they can look at the content of encrypted connections.
>
> - Very tight policies about what part of the web anyone can even go to,
>   typically controlled on a per LDAP or AD group basis. Among things
>   routinely blocked are entertainment sites like FaceBook and YouTube
>   (but there are many others).
>
> - Deep inspection of all outbound emails for signs of leakage.
>
> - Shutting off and alarming any attempt to use the USB ports to plug
>   things in ... even just for charging.
>
> It works remarkably well. What NO one can stop is:
>
> - A user's own device and wireless bandwidth (unless you run a cell
>   jammer) and/or user connectivity to a nearby WiFi hotspot. But even
>   in that case, there is still an airgap between the users' devices
>   and the corporate machinery.
>
> - A user taking photographs of a screen with their cell phone, thereby
>   removing data. This is essentially impossible to catch 100% of the
>   time. The clients that are in Financial Services therefore require
>   all employees and consultants to agree to real-time access to their
>   retirement and trading accounts to defend against insider trading.
>
>
> That's all it takes :)
>
> ----------------------------------------------------------------------------
> Tim Daneliuk tundra@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>

Yup, that sounds about right. Don't forget audits as well to make sure
there are no "rogue" web/network engineers running their own proxies so
that they can get around these measures.

Best Regards,
Duane

--
Duane Whitty
duane@nofroth.com
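The closed-outbound, forced-proxy design Tim describes, written out as an ipfilter ruleset for a FreeBSD gateway like the one in Ernie's question. This is an added example, not configuration posted by anyone in the thread: the interface names em0 (WAN) and em1 (LAN), the 192.168.1.0/24 LAN, the gateway's LAN address 192.168.1.1, its WAN address 203.0.113.2 and a proxy listening on port 3128 are all assumptions. The point it makes is the one Duane raised: a LAN host is never allowed to reach an arbitrary outside address on any port, so a proxy a user sets up elsewhere is simply unreachable, and Facebook is then decided by the proxy's access lists rather than by a list of IP addresses.

```conf
# /etc/ipf.conf (added example; interfaces, addresses and proxy port are assumed)
# Design: LAN hosts may only talk to the gateway's own resolver and proxy.
# Only the gateway itself (i.e. the proxy process) may open 80/443 outbound.

# Default deny in both directions, logged.  These two rules carry no "quick",
# so they apply only when nothing below matches (ipfilter: the last matching
# rule wins unless an earlier matching rule says "quick").
block in log all
block out log all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# --- LAN side (em1): what workstations may reach ---
# DNS to the gateway's resolver only; no direct DNS to the outside world.
pass in quick on em1 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state
# Forward web proxy on the gateway (port assumed).  All web traffic goes here.
pass in quick on em1 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 3128 flags S keep state
# Everything else from the LAN is dropped and logged: no direct 80/443, no SSH
# or VPN out, and no alternate port on which a user-run proxy might listen.
block in log quick on em1 all

# --- WAN side (em0): what the gateway itself may originate ---
# Only the gateway's own WAN address may leave on 80/443 (the proxy) and 53
# (its resolver).  There is deliberately no ipnat "map" rule for the LAN, so a
# LAN host's packets are never rewritten and forwarded out em0.
pass out quick on em0 proto tcp from 203.0.113.2 to any port = 80 flags S keep state
pass out quick on em0 proto tcp from 203.0.113.2 to any port = 443 flags S keep state
pass out quick on em0 proto udp from 203.0.113.2 to any port = 53 keep state
pass out quick on em0 proto tcp from 203.0.113.2 to any port = 53 flags S keep state
block out log quick on em0 all

# Inbound from the WAN: nothing unsolicited; replies are matched by state.
block in log quick on em0 all
```

Enable it with ipfilter_enable="YES" and ipmon_enable="YES" in /etc/rc.conf and reload with ipf -Fa -f /etc/ipf.conf. The "rogue proxy" audit Duane mentions starts with ipfstat -hio: a LAN host that keeps hitting the block rule on em1 on some odd port, or the ipmon log lines for it, is exactly the signal to follow up. The MAC-based DHCP item in Tim's list is the companion to this ruleset: with ISC dhcpd, a host block per workstation (hardware ethernet plus fixed-address) together with deny unknown-clients keeps the address-to-machine mapping stable, so the source address in those log lines names a specific PC.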