[Dshield] web access list

Ed Truitt ed.truitt at etee2k.net
Wed Jun 30 12:13:25 GMT 2004



Guy Barnum wrote:

[snip]

> To keep the PCs out of the closet my current idea is to make a
> list of authorized web sites that I'll allow users to visit.  When they
> have a new site they need access to they can email the IT Dept. to have
> it authorized and added to the list.  Overhead danger right?  Well we're
> a small shop and I can get away with it but even with a bigger
> organization what's going to cost more, allowing people to surf
> unfettered trashing their PC and eventually the network?  Or put man
> hours into filtering and authorizing a web access list?
>
> [snip]
>
> Does anyone on this list currently make an authorized surfing list like
> this?  Any problems or suggestions with this kind of plan?  What are
> your thoughts?
>
> Guy
>
Nice idea... but what happens when one of the "authorized" web sites is 
compromised (reportedly, some "major" sites were compromised, and 
altered to deliver the scob trojan)?  Unfortunately, the system you 
propose does nothing to assure the integrity of the target web site -- 
only that someone 'needs' to access it.  As such, I am afraid this looks 
like another "doing something for the sake of appearing to be doing 
something" type of security scheme.  No offense meant -- it's just how I 
see it.

It would probably be easier to give those who need access to external 
Web sites a second PC, which would have NO access to internal IT 
resources, and which would be flattened/rebuilt automatically every 
Friday PM.

In any case, remember that it is ultimately a BUSINESS decision, not a 
TECHNICAL decision.  This is one of the hard lessons I have had to 
learn, when I see something that is a no-brainer and should be done "in 
the name of security", that the business types decide not to do.

-- 
Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
