LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-03-2007, 04:28 PM   #16
rg.viza
Member
 
Registered: Aug 2006
Posts: 74

Rep: Reputation: 15

blocking ports won't work. Only default deny. Install a squid box and deny all outgoing traffic except the squid box. Point browsers at squid. Turn on packet mangling so nothing works but http traffic.

Set up a whitelist of web sites they can see. Allow www.google.com. As people complain add the sites they need to see. At first it will be hell, but all of your talky problems will be gone forever.

Set up an approval process. Supply a form on the intranet. If someone needs to get to a site, they fill out form, their boss signs off on it, and forwards to you. Gradually you'll have a whitelist of nothing but work related sites.

No one will be fired for looking at porno again because they can't any more.

This way you know who is looking at what, why, and if some VP says "Why is this site in there?" You can pull the form and give a copy to the vp so they can go ask the manager themselves. This will solve a lot of problems in one fell swoop.

People will bitch and moan but they'll get over it.

Just tell management that it will be hell for a little while but their network will be under control. IMHO this is how you deal with the "power users" that like to exploit your network.

This will keep them from getting dialers from porno sites, shareware trojans, music pirating, etc etc etc. It will solve a crapload of problems related to unauthorized outgoing connections for you.

It won't make you the most popular person in the office but you and your boss will look great to the people that hand out raises XD and your bandwidth usage will drop by 90%.

Special needs people will have a different form to fill out where they authorize you to open a port for their box. If they abuse it, it's their ass.

default allow just doesn't work, neither does just trying to block "bad stuff". It's an endless race against your users. You need to block everything but the "good stuff" and have a document for every site people are accessing. Draconian but very very effective.

-Viz
 
Old 07-03-2007, 04:53 PM   #17
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
I'd only allow http://www.ask.com to start, as google itself is spyware.
 
Old 08-10-2007, 06:39 AM   #18
nixonmohan
LQ Newbie
 
Registered: Jul 2007
Posts: 16

Rep: Reputation: 0
can u reply to mail please
 
Old 10-08-2007, 05:12 PM   #19
BrianWGray
Member
 
Registered: Oct 2003
Posts: 54

Rep: Reputation: 15
Post

Quote:
Originally Posted by slimm609 View Post
as for skype that is the hardest application to block. The only way that i have seen to block skype is to do a packet matching with CISCO MARS systems. I use sidewinder firewalls at work and we cant even block skype on those.

This method works pretty well for skype. It will work on the sidewinders. you have to make some minor modifications to the regex types in the white paper because of how old squid is on the sidewinders but it will work.
http://www.net-security.org/article.php?id=876

This method kills ICQ too.

Creating Regex rules for instant messenger mime types will also stop several of the clients like msn, yahoo, and aol when combined with blocking the login pages for the messengers. Tons of documentation all over the web for the mime types and uri's to block.
 
Old 10-08-2007, 09:49 PM   #20
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by BrianWGray View Post
This method works pretty well for skype. It will work on the sidewinders. you have to make some minor modifications to the regex types in the white paper because of how old squid is on the sidewinders but it will work.
http://www.net-security.org/article.php?id=876

This method kills ICQ too.

Creating Regex rules for instant messenger mime types will also stop several of the clients like msn, yahoo, and aol when combined with blocking the login pages for the messengers. Tons of documentation all over the web for the mime types and uri's to block.
Most people that i have ever seen dont run squid on the sidewinders. Most companies that have the money to go with sidewinder normally go with a seperate proxy server. It should work though... depending on the proxy server appliance. every time sykpe gets blocked and the developers find out how they will change it to work again. It is an on-going battle and will be for a long time.
 
Old 10-09-2007, 08:08 AM   #21
BrianWGray
Member
 
Registered: Oct 2003
Posts: 54

Rep: Reputation: 15
Squid on the box, squid off the box, it doesn't matter. The methods have proven to be effective at this point.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Block MSN, YM, ICQ.... All..... gabriellai Linux - Networking 2 04-05-2005 06:21 PM
ICQ/MSN/IRC all-in-one for Linux? Cyberian Linux - Software 4 07-03-2004 09:52 PM
Yahoo Messenger or ICQ on FreeBSD? selvyn Linux - Software 11 03-03-2004 11:57 AM
MSN AND ICQ in one with filtransfer support pollymorf Linux - Newbie 1 09-24-2003 09:33 AM
SmoothWall + ICQ & MSN Messenger Albinus Linux - Networking 1 08-24-2001 11:34 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration