[Dshield] web access list

Willy, Andrew AWilly at eSMIL.net
Tue Jun 29 22:24:09 GMT 2004


Guy,

"To keep the pc's out of the closet my current idea is to make a list of
authorized web sites that I'll allow users to visit."

We limit our users to specific sites that are necessary for job
functionality. I can't imagine doing it any other way.  

"When they have a new site they need access to they can email the IT Dept.
to have it authorized and added to the list."

This is how we get it done.

"Overhead danger right?"

No.  If your IT dept., no matter the size of the shop, can't spend 5 minutes
adding/modifying an allowed site once a week, or even less, then perhaps
they need a larger staff.  Unless of course you intend to manage a large
list and make whatever change a user requests -- that would indeed be time
consuming.  If you make an effort to identify exactly what sites are
required by your users in order to do their job, I think you will find your
list manageably small.

"IMHO firewalls and AV wares are going to continue falling further behind"

Firewalls, no.  AV Wares, unlikely.  The multitude of AV writers are smarter
and better funded than the legions of script kiddies.  There are just more
of the kiddies and what they're doing is easier.  (If you're a consipiracy
theorist, maybe the AV writers ARE the script kiddies, in which case each
faction will remain one step ahead/behind the other).

"Users might think its draconian, choking off their web usage,"

What difference does that make?  Users aren't entitled to high-speed free
web-browsing just for having a job.  The company comes first, of course, and
malware puts a company at risk. Every user on your network with
(unnecessary) unfettered access to the Internet is a risk you probably
shouldn't take.

We've had no difficulties with this method.  There is of course the
possibility that an allowed site will be compromised, so nothing is perfect.

Andrew


-----Original Message-----
From: Guy Barnum [mailto:GuyBarnum at Armscole.com] 
Sent: Tuesday, June 29, 2004 11:53 AM
To: list at lists.dshield.org
Subject: [Dshield] web access list


I'm reading the latest Computer World security roundup:
http://www.computerworld.com/newsletter/0,4902,94125,00.html?nlid=SEC 

and towards the bottom you'll notice two MS vulnerabilities mentioned, one
without a patch.  With this text in the article "Microsoft hasn't yet
positively identified the flaw being exploited" and another huge web-wide
credit card hack mentioned in the same Computer World mailing I have to
wonder what you guys are doing to protect your surfers.

I know there is no secure computer other than the one boxed up in your
closet.  To keep the pc's out of the closet my current idea is to make a
list of authorized web sites that I'll allow users to visit.  When they have
a new site they need access to they can email the IT Dept. to have it
authorized and added to the list.  Overhead danger right?  Well we're a
small shop and I can get away with it but even with a bigger organization
what's going to cost more, allowing people to surf unfettered trashing their
pc and eventually the network?  Or put man hours into filtering and
authorizing a web access list?

IMHO firewalls and AV wares are going to continue falling further behind
(drastically) in their ability to detect or stop internet born threats.
Users might think its draconian, choking off their web usage, but if your IT
Dept. has the pull to make it happen it seems like the best compromise to
putting the pc's back in the boxes that I can think of.

Does anyone on this list currently make an authorized surfing list like
this?  Any problems or suggestions with this kind of plan?  What are your
thoughts?

Guy
_______________________________________________
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
NOTICE OF CONFIDENTIALITY-The information in this email, including
attachments, may be confidential and/or privileged and may contain
confidential health information. This email is intended to be reviewed only
by the individual or organization named as addressee. If you have received
this email in error please notify Scottsdale Medical Imaging, an affiliate
of Southwest Diagnostic Imaging, LTD immediately - by return message to the
sender or to support at esmil.com - and destroy all copies of this message and
any attachments. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent those
of Scottsdale Medical Imaging. Confidential health information is protected
by state and federal law, including, but not limited to, the Health
Insurance Portability and Accountability Act of 1996 and related
regulations.



More information about the list mailing list