[Dshield] web access list

Bjørn Ruberg bjorn at ruberg.no
Tue Jun 29 23:06:09 GMT 2004


On Tue, 2004-06-29 at 20:53, Guy Barnum wrote:
> I'm reading the latest Computer World security roundup:
>  http://www.computerworld.com/newsletter/0,4902,94125,00.html?nlid=SEC
> 
> and towards the bottom you'll notice two MS vulnerabilities mentioned,
> one without a patch.  With this text in the article "Microsoft hasn't
> yet positively identified the flaw being exploited" and another huge
> web-wide credit card hack mentioned in the same Computer World mailing I
> have to wonder what you guys are doing to protect your surfers.
> 
> I know there is no secure computer other than the one boxed up in your
> closet.  To keep the pc's out of the closet my current idea is to make a
> list of authorized web sites that I'll allow users to visit.  When they
> have a new site they need access to they can email the IT Dept. to have
> it authorized and added to the list.  Overhead danger right?  Well we're
> a small shop and I can get away with it but even with a bigger
> organization what's going to cost more, allowing people to surf
> unfettered trashing their pc and eventually the network?  Or put man
> hours into filtering and authorizing a web access list?

An explicit whitelist of each and every site on the web will take quite
some effort to maintain.

A suggestion would be to implement a virus scanning web proxy, and
effectively block all direct web access from the client computers making
the proxy the only way to reach the web. On the web proxy, establish a
blacklist of sites you do not want your users to visit (e.g.
gotomypc.com and other tunneling/backdooring systems, toolbars that
register and log your surfing patterns, etc).

Additionally, install anti-virus software from a different vendor on the
client computers. Make sure both are updated regularly, preferably in
intervals as short as one hour. Chances are that at least one vendor
will have distributed updated antivirus/malware patterns.

Then, block all HTTPS access (which can't be virus checked) except for a
defined whitelist of approved sites.

Bjørn
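The policy in the reply above splits into two rules: plain HTTP is proxied and scanned, so it is allowed unless the host is on a blacklist; HTTPS cannot be content-scanned by the proxy, so it is denied unless the host is on an explicit whitelist. The following is an added illustration of that decision logic, not code from the message or from any particular proxy product (the reply names none). gotomypc.com is taken from the message; the `.example` names are RFC 2606 placeholders constructed for this example. Host matching is done by domain suffix rather than substring, so `notgotomypc.com` is not caught by a blacklist entry for `gotomypc.com`, while `www.gotomypc.com` is.

```python
"""Constructed illustration of the proxy policy described in the reply:

- http://  : allowed unless the host is blacklisted (proxy can virus-scan it)
- https:// : denied unless the host is whitelisted (proxy can only tunnel it)

This is example code, not a real proxy configuration.
"""

from urllib.parse import urlsplit

# Constructed policy lists. gotomypc.com comes from the original message;
# the .example names are RFC 2606 placeholders, not real sites.
HTTP_BLACKLIST = {"gotomypc.com", "spyware-toolbar.example"}
HTTPS_WHITELIST = {"bank.example", "webmail.example"}


def _host_matches(host: str, domains: set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Suffix matching on a dot boundary avoids the naive substring bug
    where 'notgotomypc.com' would match a blacklist entry 'gotomypc.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(target: str, method: str = "GET") -> tuple[str, str]:
    """Return (verdict, reason) for one proxied request.

    A plain-HTTP request reaches a proxy as 'GET http://host/path'.
    An HTTPS request reaches it as 'CONNECT host:443', which the proxy
    can only tunnel, so it cannot be virus checked.
    """
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0]
        scheme = "https"
    else:
        parts = urlsplit(target)
        scheme, host = parts.scheme.lower(), parts.hostname or ""

    if not host:
        return "deny", "unparseable host"

    if scheme == "https":
        if _host_matches(host, HTTPS_WHITELIST):
            return "allow", "https host whitelisted (uninspected tunnel)"
        return "deny", "https not on whitelist; cannot be virus checked"

    if scheme == "http":
        if _host_matches(host, HTTP_BLACKLIST):
            return "deny", "http host blacklisted"
        return "allow", "http, content will be scanned by the proxy"

    return "deny", f"unsupported scheme {scheme!r}"


if __name__ == "__main__":
    # Constructed sample requests as a proxy would see them.
    samples = [
        ("http://www.gotomypc.com/", "GET"),
        ("http://notgotomypc.com/", "GET"),
        ("http://news.example/index.html", "GET"),
        ("bank.example:443", "CONNECT"),
        ("unknown-shop.example:443", "CONNECT"),
        ("ftp://files.example/", "GET"),
    ]
    for target, method in samples:
        verdict, reason = decide(target, method)
        print(f"{method:7} {target:35} -> {verdict:5} ({reason})")
```

The whitelist for HTTPS is the point worth keeping an eye on operationally: every entry on it is traffic the scanning proxy never sees, so it should stay short and each entry should have a known owner and reason.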



