From owner-freebsd-questions@freebsd.org Fri Aug 25 21:41:18 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CC135DE209C for ; Fri, 25 Aug 2017 21:41:18 +0000 (UTC) (envelope-from duane@nofroth.com) Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9AAB771C55 for ; Fri, 25 Aug 2017 21:41:18 +0000 (UTC) (envelope-from duane@nofroth.com) Received: by mail-it0-x234.google.com with SMTP id n5so815782itb.1 for ; Fri, 25 Aug 2017 14:41:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nofroth.com; s=google; h=cc:subject:to:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=uSfWLpkzH5z7GRXq+GCPr9nLAdhtPNEIpkkgjzaNBpo=; b=Uce2PKa2sGczYAHu4UUx8vvAaMq+QPkME2s+KIWOnpW5Q7EQhHdyljcK+zprnL/IXl F4nyWepcrY8v8d+4rEMDkG9q7GGF1Ew4pcdRkZQl4MGGPZlRuczMQOJ+TG9vjYR3+11g ls4Ph7loLgQIPyj08l42BhclrBtrYlwnDZ3Ip7zWBo4hz26EqBD23kcUzrhwj8gWM5Uw M6OTLny0s3jEWxvU0avSlMtP1jX3RSMtzx10AT7kcIFZNwClZJbB0KLt04sBtgPV1t8m 3xejtPMjyCbAsMAVX6ce1EivIfO3ibcrOBeS/jPs2YilAemHYuSiDxB7SQFP2EHnAOxF cGDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:cc:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=uSfWLpkzH5z7GRXq+GCPr9nLAdhtPNEIpkkgjzaNBpo=; b=nzkABFamKMIJw9f+LIonGFEKlBdFK4qMUZqrfHd39XlyP/2G0maGiiXehH12FvLRR7 kys5wrzOod6fbUEEZglJ1SgdlbGZ/wRHZZU1AUBtjtZdEBaXhKkproVbYPJAuRu/LjJd fb8RW61JSbHBzFJ/rAO3t4eOL/jeIc/3QTSj7+4tHRh5vOuM39SyZ5iEa3zU+42lfiOT SCk1QQLso3flk/F8qM27go9SbZ08Xkt5bo6IYza0gjHLm0mp69n54hodkE0k48wz6Z/v CFYSQheOw5320PiFSPnj040AbbxtrfUXK6ONk/jGsZOCseh8pepv4Dhtbmu+HgRRIsd6 hRSg== X-Gm-Message-State: AHYfb5h/cPBMV7XCRdVVB+PpydUkfy03wrebbuQTLQ7hq020WR89xuyI 1qMhh4ZXitvFJL+34WgwOA== X-Received: by 10.36.209.133 with SMTP id w127mr862564itg.124.1503697277762; Fri, 25 Aug 2017 14:41:17 -0700 (PDT) Received: from [10.8.8.76] ([184.75.212.77]) by smtp.gmail.com with ESMTPSA id s26sm3242663ioe.56.2017.08.25.14.41.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 25 Aug 2017 14:41:17 -0700 (PDT) Cc: duane@nofroth.com Subject: Re: How to block facebook access To: freebsd-questions@freebsd.org References: <59988180.7020301@gmail.com> <4c9d24fc-021b-cde6-babc-a1c34d770c53@nofroth.com> <39cf20a1-a45e-808f-77cd-9a6b7a3364f3@tundraware.com> From: Duane Whitty Message-ID: Date: Fri, 25 Aug 2017 18:41:12 -0300 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Thunderbird/52.2.1 MIME-Version: 1.0 In-Reply-To: <39cf20a1-a45e-808f-77cd-9a6b7a3364f3@tundraware.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Aug 2017 21:41:18 -0000 On 17-08-25 05:59 PM, Tim Daneliuk wrote: > On 08/25/2017 03:41 PM, Duane Whitty wrote: >> >> >> On 17-08-19 03:20 PM, Ernie Luzar wrote: >>> Hello list; >>> >>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users >>> are using their work PC's to access facebook during work. >>> >>> What method would recommend to block all facebook access? >>> >>> ` >>> _______________________________________________ >>> freebsd-questions@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions >>> To unsubscribe, send any mail to >>> "freebsd-questions-unsubscribe@freebsd.org" >> >> Not sure if I missed this but did you say whether the users on you LAN >> are tech savvy? If they understand networking which of the above >> solutions, other than white-listing, would prevent one of them from >> setting up a web proxy at an address they control? Maybe they might >> even be really clever/motivated and take turns running a proxy at >> different addresses :-) > A number of my corporate clients have very strict regulatory > requirements. They have significant concerns about data leakage to > machines outside their control solve this problem on their own networks by: > > - Assigning non-routable IPs to their hosts, whether server or desktop. > To make these nonrepudiable, the smarter customers use MAC-based > DHCP to keep the same non-routable associated with a specific host. > > - Closing every outbound port at the NATing firewall except 80 and 443 > which they ... > > - Run through a proxy server which also acts as a man-in-the-middle SSL > intruder so they can look at the content of encrypted connection. > > - Very tight policies about what part of the web anyone can even go to, > typically controlled on a per LDAP or AD group basis. Among things > routinely blocked are entertainment sites like FaceBook and YouTube > (but there are many others). > > - Deep inspection of all outbound emails for signs of leakage. > > - Shutting off and alarming any attempt to use the USB ports to plug > things in ... even just for charging. > > It works remarkably well. What NO one can stop is: > > - A user's own device and wireless bandwidth (unless you run a cell > jammer) and/or user connectivity to a nearby WiFi hotspot. But even > in that case, there is still an airgap between the users' devices > and the corporate machinery. > > - A user taking photographs of a screen with their cell phone thereby > removing data. This is essentially impossible to catch 100% of the > time. The clients that are in Financial Services therefore require > all employees and consultants to agree to realtime access to their > retirement and trading accounts to defend against insider trading. > > > That's all it takes :) > > ---------------------------------------------------------------------------- > Tim Daneliuk tundra@tundraware.com > PGP Key: http://www.tundraware.com/PGP/ > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > Yup, that sounds about right. Don't forget audits as well to make sure there are no "rogue" web/network engineers running their own proxies so that they can get around these measures. Best Regards, Duane -- Duane Whitty duane@nofroth.com