Date: Fri, 25 Aug 2017 15:59:37 -0500 From: Tim Daneliuk <tundra@tundraware.com> To: FreeBSD Mailing List <freebsd-questions@freebsd.org> Subject: Re: How to block facebook access Message-ID: <39cf20a1-a45e-808f-77cd-9a6b7a3364f3@tundraware.com> In-Reply-To: <4c9d24fc-021b-cde6-babc-a1c34d770c53@nofroth.com> References: <59988180.7020301@gmail.com> <4c9d24fc-021b-cde6-babc-a1c34d770c53@nofroth.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 08/25/2017 03:41 PM, Duane Whitty wrote: > > > On 17-08-19 03:20 PM, Ernie Luzar wrote: >> Hello list; >> >> Running 11.1 & ipfilter with LAN behind the gateway server. LAN users >> are using their work PC's to access facebook during work. >> >> What method would recommend to block all facebook access? >> >> ` >> _______________________________________________ >> freebsd-questions@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-questions >> To unsubscribe, send any mail to >> "freebsd-questions-unsubscribe@freebsd.org" > > Not sure if I missed this but did you say whether the users on you LAN > are tech savvy? If they understand networking which of the above > solutions, other than white-listing, would prevent one of them from > setting up a web proxy at an address they control? Maybe they might > even be really clever/motivated and take turns running a proxy at > different addresses :-) A number of my corporate clients have very strict regulatory requirements. They have significant concerns about data leakage to machines outside their control solve this problem on their own networks by: - Assigning non-routable IPs to their hosts, whether server or desktop. To make these nonrepudiable, the smarter customers use MAC-based DHCP to keep the same non-routable associated with a specific host. - Closing every outbound port at the NATing firewall except 80 and 443 which they ... - Run through a proxy server which also acts as a man-in-the-middle SSL intruder so they can look at the content of encrypted connection. - Very tight policies about what part of the web anyone can even go to, typically controlled on a per LDAP or AD group basis. Among things routinely blocked are entertainment sites like FaceBook and YouTube (but there are many others). - Deep inspection of all outbound emails for signs of leakage. - Shutting off and alarming any attempt to use the USB ports to plug things in ... even just for charging. It works remarkably well. What NO one can stop is: - A user's own device and wireless bandwidth (unless you run a cell jammer) and/or user connectivity to a nearby WiFi hotspot. But even in that case, there is still an airgap between the users' devices and the corporate machinery. - A user taking photographs of a screen with their cell phone thereby removing data. This is essentially impossible to catch 100% of the time. The clients that are in Financial Services therefore require all employees and consultants to agree to realtime access to their retirement and trading accounts to defend against insider trading. That's all it takes :) ---------------------------------------------------------------------------- Tim Daneliuk tundra@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39cf20a1-a45e-808f-77cd-9a6b7a3364f3>