How to block facebook access
Duane Whitty
duane at nofroth.com
Fri Aug 25 21:41:18 UTC 2017
On 17-08-25 05:59 PM, Tim Daneliuk wrote:
> On 08/25/2017 03:41 PM, Duane Whitty wrote:
>>
>>
>> On 17-08-19 03:20 PM, Ernie Luzar wrote:
>>> Hello list;
>>>
>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>> are using their work PC's to access facebook during work.
>>>
>>> What method would recommend to block all facebook access?
>>>
>>> `
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to
>>> "freebsd-questions-unsubscribe at freebsd.org"
>>
>> Not sure if I missed this but did you say whether the users on you LAN
>> are tech savvy? If they understand networking which of the above
>> solutions, other than white-listing, would prevent one of them from
>> setting up a web proxy at an address they control? Maybe they might
>> even be really clever/motivated and take turns running a proxy at
>> different addresses :-)
> A number of my corporate clients have very strict regulatory
> requirements. They have significant concerns about data leakage to
> machines outside their control solve this problem on their own networks by:
>
> - Assigning non-routable IPs to their hosts, whether server or desktop.
> To make these nonrepudiable, the smarter customers use MAC-based
> DHCP to keep the same non-routable associated with a specific host.
>
> - Closing every outbound port at the NATing firewall except 80 and 443
> which they ...
>
> - Run through a proxy server which also acts as a man-in-the-middle SSL
> intruder so they can look at the content of encrypted connection.
>
> - Very tight policies about what part of the web anyone can even go to,
> typically controlled on a per LDAP or AD group basis. Among things
> routinely blocked are entertainment sites like FaceBook and YouTube
> (but there are many others).
>
> - Deep inspection of all outbound emails for signs of leakage.
>
> - Shutting off and alarming any attempt to use the USB ports to plug
> things in ... even just for charging.
>
> It works remarkably well. What NO one can stop is:
>
> - A user's own device and wireless bandwidth (unless you run a cell
> jammer) and/or user connectivity to a nearby WiFi hotspot. But even
> in that case, there is still an airgap between the users' devices
> and the corporate machinery.
>
> - A user taking photographs of a screen with their cell phone thereby
> removing data. This is essentially impossible to catch 100% of the
> time. The clients that are in Financial Services therefore require
> all employees and consultants to agree to realtime access to their
> retirement and trading accounts to defend against insider trading.
>
>
> That's all it takes :)
>
> ----------------------------------------------------------------------------
> Tim Daneliuk tundra at tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
Yup, that sounds about right. Don't forget audits as well to make sure
there are no "rogue" web/network engineers running their own proxies so
that they can get around these measures.
Best Regards,
Duane
--
Duane Whitty
duane at nofroth.com
More information about the freebsd-questions
mailing list