[Dshield] web access list
mtombaugh at alliedcc.com
Tue Jun 29 21:39:51 GMT 2004
On Tuesday 29 June 2004 2:53 pm, Guy Barnum wrote:
> Does anyone on this list currently make an authorized surfing list like
> this? Any problems or suggestions with this kind of plan? What are
> your thoughts?

I think that was Microsoft's plan with the default I.E. settings for Internet
Explorer in Windows Server 2003. Since the castle has very thin walls, they
just built a bigger moat.

Even in a small shop I think your solution would be hard to manage. You might
end up having to block search engines since the links to the results would
almost all be blocked. Your browsers, firewall, proxy might get laggy too
with all the broken connections. Plus, it might give you a false sense of
security: if a content provider that you have approved gets compromised and
starts serving malware, the goose is cooked. Even worse, the humans on your
network could end up hating you, send you hardcover versions of 1984 for your
birthday, attempt to sabotage the system, or petition your employer to send

You might have better results using a firewall, IDS, or IPS, or a gateway
security appliance, roll your own or big vendor, that can block websites,
e-mail, and FTP sites, based on name or string pattern.

If I implemented the system you proposed, I would last about 15 minutes until
I added *.* to the proxy. Then again, if it fits your network, and was
coupled with something to scan the sites that you allow through, it would be
very secure. But before you implement it, can you list the more than 90% of
the sites you will visit in the next thirty days? I can't. Could you live
with a broken Google? Not me.

PS - Firewalls aren't falling behind. Look how far iptables has come with
string pattern matching. Best thing since sliced bread imo. Heck, neither are
browsers, except for one in particular...
Mark Tombaugh <mtombaugh at alliedcc.com>
Allied Computer Corporation <http://www.alliedcc.com>
USiHOST, iNC. <http://www.usihost.com>
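
The question raised in the message (can you list more than 90% of the sites you will visit?) can be measured from existing proxy logs before an allowlist is enforced. The following is an added example, not part of the original post: it reports what share of requests and distinct hosts a candidate allowlist would cover, matching on whole DNS labels. The log layout, host names and allowlist entries are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: "<client> <method> <target>" per line (hypothetical layout).
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/index.html
10.0.0.5 GET http://search.example.org/?q=iptables+string+match
10.0.0.7 GET http://results.example.net/page1
10.0.0.7 CONNECT mail.example.com:443
10.0.0.9 GET http://example.com.evil.test/login
10.0.0.9 GET http://notexample.com/
10.0.0.5 GET http://WWW.Example.COM./news
10.0.0.5 GET not-a-url
"""

ALLOWLIST = {"example.com", "search.example.org"}  # constructed entries


def host_of(method, target):
    """Return the lower-cased host for a request, or None if unparseable."""
    if method == "CONNECT":            # CONNECT carries host:port, not a URL
        target = "//" + target
    host = urlsplit(target).hostname   # hostname is already lower-cased
    return host.rstrip(".") if host else None


def allowed(host, allowlist):
    """Match on whole DNS labels: the entry itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def coverage(log_text, allowlist):
    """Return (request_share, host_share, Counter of hosts that would be blocked)."""
    hits, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        host = host_of(parts[1], parts[2]) if len(parts) == 3 else None
        if host is None:
            continue                   # skip malformed lines
        (hits if allowed(host, allowlist) else blocked)[host] += 1
    total = sum(hits.values()) + sum(blocked.values())
    if total == 0:
        return 0.0, 0.0, blocked
    return sum(hits.values()) / total, len(hits) / (len(hits) + len(blocked)), blocked


if __name__ == "__main__":
    req, hosts, blocked = coverage(SAMPLE_LOG, ALLOWLIST)
    print(f"requests {req:.0%}, hosts {hosts:.0%}, would block {dict(blocked)}")
```

The label-boundary match is what keeps `notexample.com` and `example.com.evil.test` from passing as `example.com`; a plain substring or suffix test would admit both.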