How to block facebook access

Duane Whitty duane at nofroth.com
Fri Aug 25 21:41:18 UTC 2017 


On 17-08-25 05:59 PM, Tim Daneliuk wrote:
> On 08/25/2017 03:41 PM, Duane Whitty wrote:
>>
>>
>> On 17-08-19 03:20 PM, Ernie Luzar wrote:
>>> Hello list;
>>>
>>> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users
>>> are using their work PC's to access facebook during work.
>>>
>>> What method would recommend to block all facebook access?
>>>
>>> `
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to
>>> "freebsd-questions-unsubscribe at freebsd.org"
>>
>> Not sure if I missed this but did you say whether the users on you LAN
>> are tech savvy?  If they understand networking which of the above
>> solutions, other than white-listing, would prevent one of them from
>> setting up a web proxy at an address they control?  Maybe they might
>> even be really clever/motivated and take turns running a proxy at
>> different addresses :-)
> A number of my corporate clients have very strict regulatory
> requirements.  They have significant concerns about data leakage to
> machines outside their control solve this problem on their own networks by:
> 
> - Assigning non-routable IPs to their hosts, whether server or desktop.
>   To make these nonrepudiable, the smarter customers use MAC-based
>   DHCP to keep the same non-routable associated with a specific host.
> 
> - Closing every outbound port at the NATing firewall except 80 and 443
>   which they ...
> 
> - Run through a proxy server which also acts as a man-in-the-middle SSL
>   intruder so they can look at the content of encrypted connection.
> 
> - Very tight policies about what part of the web anyone can even go to,
>   typically controlled on a per LDAP or AD group basis.  Among things
>   routinely blocked are entertainment sites like FaceBook and YouTube
>   (but there are many others).
> 
> - Deep inspection of all outbound emails for signs of leakage.
> 
> - Shutting off and alarming any attempt to use the USB ports to plug
>   things in ... even just for charging.
> 
> It works remarkably well.  What NO one can stop is:
> 
> - A user's own device and wireless bandwidth (unless you run a cell
>   jammer) and/or user connectivity to a nearby WiFi hotspot.  But even
>   in that case, there is still an airgap between the users' devices
>   and the corporate machinery.
> 
> - A user taking photographs of a screen with their cell phone thereby
>   removing data. This is essentially impossible to catch 100% of the
>   time.  The clients that are in Financial Services therefore require
>   all employees and consultants to agree to realtime access to their
>   retirement and trading accounts to defend against insider trading.
> 
> 
> That's all it takes :)
> 
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra at tundraware.com
> PGP Key:         http://www.tundraware.com/PGP/
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> 
Yup, that sounds about right.  Don't forget audits as well to make sure
there are no "rogue" web/network engineers running their own proxies so
that they can get around these measures.

Best Regards,
Duane

-- 
Duane Whitty
duane at nofroth.com

More information about the freebsd-questions mailing list