[Dshield] web access list

Mark Tombaugh mtombaugh at alliedcc.com
Tue Jun 29 21:39:51 GMT 2004


On Tuesday 29 June 2004 2:53 pm, Guy Barnum wrote:
> Does anyone on this list currently make an authorized surfing list like
> this?  Any problems or suggestions with this kind of plan?  What are
> your thoughts?

I think that was Microsoft's plan with the default I.E. settings for Internet 
Explorer in Windows Server 2003. Since the castle has very thin walls, they 
just built a bigger moat.

Even in a small shop I think your solution would be hard to manage. You might 
end up having to block search engines since the links to the results would 
almost all be blocked. Your browsers, firewall, proxy might get laggy too 
with all the broken connections. Plus, it might give you a false sense of 
security: if a content provider that you have approved gets compromised and 
starts serving malware, the goose is cooked. Even worse, the humans on your 
network could end up hating you, send you hardcover versions of 1984 for your 
birthday, attempt to sabotage the system, or petition your employer to send 
you packing.

You might have better results using a firewall, IDS, or IPS, or a gateway 
security appliance, roll your own or big vendor, that can block websites, 
e-mail, and FTP sites, based on name or string pattern. 

If I implemented the system you proposed, I would last about 15 minutes until 
I added *.* to the proxy. Then again, if it fits your network, and was 
coupled with something to scan the sites that you allow through, it would be 
very secure. But before you implement it, can you list the more than 90% of 
the sites you will visit in the next thirty days? I can't. Could you live 
with a broken google? Not me.

PS - Firewalls aren't falling behind. Look how far iptables has come with 
string pattern matching. Best thing since sliced bread imo. Heck, neither are 
browsers, except for one in particular...

-- 
Mark Tombaugh <mtombaugh at alliedcc.com>
Allied Computer Corporation <http://www.alliedcc.com>
USiHOST, iNC. <http://www.usihost.com>
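The "authorized surfing list" the thread debates is a destination-host allowlist enforced at the proxy. The Python below is an added example written for this archive page; it is not code from the original post or from anyone on the list. The allowlist entries, the wildcard conventions (`host` exact, `*.domain` for subdomains, bare `*` for the "add *.* to the proxy" escape hatch) and the sample URLs are all constructed here. It shows the two points the reply makes: decisions must be made on the host the request will actually reach (so userinfo, port and trailing-dot tricks do not slip past the list), and links that a search engine returns almost all land on hosts that are not on the list, so they are denied.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical entries, not from the original thread).
# "www.example.com"      matches that host only
# "*.intranet.example"   matches any subdomain, but not the bare domain
# "*"                    matches everything (the "*.* in the proxy" move)
ALLOWLIST = [
    "www.example.com",
    "*.intranet.example",
    "search.example.net",
]


def normalize_host(url: str) -> Optional[str]:
    """Return the host a request would actually be sent to, or None.

    urlsplit(...).hostname already drops userinfo and the port and
    lowercases the name, so "http://www.example.com@evil.example:8080/"
    yields "evil.example".  A trailing dot (FQDN form) is stripped so
    "evil.example." is not treated as a different host.
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    host = parts.hostname
    if not host:                # schemeless or otherwise unparsable
        return None
    return host.rstrip(".")


def host_matches(host: str, entry: str) -> bool:
    """Match one allowlist entry against an already-normalized host."""
    entry = entry.lower().rstrip(".")
    if entry == "*":
        return True
    if entry.startswith("*."):
        suffix = entry[1:]      # "*.intranet.example" -> ".intranet.example"
        # endswith alone would let "intranet.example" itself through only
        # if it were longer than the suffix; the length check also rules
        # out a host equal to the suffix with its leading dot removed.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def is_allowed(url: str, allowlist: List[str] = ALLOWLIST) -> bool:
    """Fail closed: anything we cannot parse to a host is denied."""
    host = normalize_host(url)
    if host is None:
        return False
    return any(host_matches(host, entry) for entry in allowlist)


def evaluate(urls: List[str], allowlist: List[str] = ALLOWLIST) -> List[Tuple[str, bool]]:
    """Decide every URL in a batch, e.g. the links on one search-results page."""
    return [(url, is_allowed(url, allowlist)) for url in urls]


# Constructed sample: the search engine itself is allowed, but the links it
# returns point at hosts nobody thought to list, which is the "broken google"
# the reply describes.
SEARCH_RESULTS = [
    "https://search.example.net/?q=iptables+string+match",
    "http://kb.example.org/iptables-string.html",
    "http://mirror.example.edu/docs/netfilter/",
    "https://wiki.intranet.example/Firewall",
]

if __name__ == "__main__":
    for url, ok in evaluate(SEARCH_RESULTS):
        print("ALLOW" if ok else "DENY ", url)
```

Running it prints one ALLOW for the search page, one for the intranet wiki, and DENY for the two external result links; swapping `ALLOWLIST` for `["*"]` turns every line into ALLOW, which is exactly the point at which the list stops being a control.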
