Re: [fw-wiz] Firewalling at the domain users level instead of network level

To: debian-firewall@lists.debian.org
Subject: Re: [fw-wiz] Firewalling at the domain users level instead of network level
From: charlie <charlesk@generalpants.com.au>
Date: Wed, 21 Jul 2004 16:34:15 +1000
Message-id: <[🔎] 1090391655.933.16.camel@charlie.generalpants.com.au>
In-reply-to: <[🔎] 87r7r6nfla.fsf@enki.rimspace.net>
References: <40FA1B9E.7070206@netvisao.pt> <A0F682D2-D9AF-11D8-8C40-003065ABFD92@codefab.com> <[🔎] 40FDE4E3.50502@netvisao.pt> <[🔎] 87r7r6nfla.fsf@enki.rimspace.net>

Hi,

Have you looked into using iptables + squid + squidguard for transparent
proxying, content filtering and access control?
This combination is very effective and extremely flexible. You can limit
access by time, source ip, destination url/ip etc.

Check out www.squidguard.org 

Hope this helps..

regards
charlie

On Wed, 2004-07-21 at 14:34, Daniel Pittman wrote:
> On 21 Jul 2004, Santos wrote:
> > Chuck Swiger wrote:
> >> On Jul 18, 2004, at 2:41 AM, Santos wrote:
> 
> [...]
> 
> >> The second concern is a matter of policy: why do you want your
> >> firewall to treat users differently?  If it's a bad idea for person A
> >> to do some type of network connection, why should it be OK for person
> >> B to do so?  If you restrict things so that only the services which
> >> you trust all users to do are permitted, your security is likely to be
> >> much improved compared to a policy based on an ever-growing pile of
> >> per-user rules and exceptions.
> >
> > Because the people that contracted me wanted so :)  
> 
> That was my presumption when I read this thread; it isn't a techies
> idea, generally.
> 
> > Some people should be working on other stuff instead of traveling on
> > the web.
> 
> >From my years of experience, I would advise that you go back to your
> client and suggest to them, gently but firmly, that trying to apply a
> technical solution to a social problem is seldom effective.
> 
> 
> Before I go into detail there, though, do you actually need the
> 'hotseat' functionality that you are looking for, or would it be enough
> to put the "unprivileged" users in a fixed IP range with DHCP, and then
> firewall that more strongly?
> 
> 
> Anyway, back to the reasons why solving the abuse problem through
> firewall restrictions is a poor idea:
> 
> The biggest reason is that drawing this distinction between users is a
> great way to encourage resentment and unhappiness among staff.
> 
> By drawing that line your clients are saying "these people are important
> enough to flout the rules, those people are not" -- because having some
> staff able to surf the web at leisure implies precisely that.
> 
> 
> The other big reason is that the analysis that reaches the conclusion
> that some staff are abusing the Internet access is often flawed[1] in my
> experience.
> 
> When I have been asked to implement this, which has happened at a number
> of places, it usually turns out that access to the Internet is a
> critical part of the day to day operation of that part of the
> organization.
> 
> The most common requirements are data verification and queries about
> addressing, phone numbers and postage data -- and these are not things
> that the management are usually aware are required as part of the job.
> 
> 
> Finally, once you start telling people that they are going to do the
> wrong thing -- which this technical rules does tell them -- they are
> less likely to want to do the right thing in other areas.
> 
> 
> A more concrete and effective way of curbing the abuse of Internet
> access is to announce, *very* publicly, that Internet use will be
> monitored, and randomly sampled for compliance to policy.
> 
> Then, give it two weeks and implement that: pick a half hour chunk of
> Squid logs *outside* of lunch breaks, and find out which of the staff
> are silly enough to still abuse their access.
> 
> That requires minimal technical input, does not lead to any "unfair"
> rules at a technical level[2], and gives people the feeling that
> management and the technical staff expect them to do the right thing,
> not the wrong thing.
> 
> 
> So, in summary: there are probably much better ways of doing this.
> 
>     Daniel
> 
> 
> Footnotes: 
> [1]  Well, actually, uniformly incorrect, and reflective of a poor
>      understanding of what is actually done by staff, but I still
>      hesitate to make it an absolute statement.
> 
> [2]  This is extremely important if you don't want to find that all the
>      staff hate you for implementing (or colluding with) this unfair
>      system.[3]
> 
> [3]  ...and, yes, the "random sample" thing is the same technical
>      effect, but perceived quite differently as a general rule -- not
>      least of which is because it can be checked by a more clever
>      human, not a blind and uncaring machine.
> -- 
> Any attempt to curb user abuse will only result in more expensive abuse.
>         -- Garret Boer
-- 
============================
Charles Kidson
Systems Administrator
General Pants Group
charlesk@generalpants.com.au
ph 02 9290 0813
fx 02 9299 6485
mb 0428 61 7766
============================

Reply to:

Follow-Ups:
- Re: [fw-wiz] Firewalling at the domain users level instead of network level
  - From: charlie <charlesk@generalpants.com.au>
- Re: [fw-wiz] Firewalling at the domain users level instead of network level
  - From: Daniel Pittman <daniel@rimspace.net>

References:
- Re: [fw-wiz] Firewalling at the domain users level instead of network level
  - From: Santos <casd@netvisao.pt>
- Re: [fw-wiz] Firewalling at the domain users level instead of network level
  - From: Daniel Pittman <daniel@rimspace.net>

Prev by Date: Re: [fw-wiz] Firewalling at the domain users level instead of network level
Next by Date: Re: [fw-wiz] Firewalling at the domain users level instead of network level
Previous by thread: Re: [fw-wiz] Firewalling at the domain users level instead of network level
Next by thread: Re: [fw-wiz] Firewalling at the domain users level instead of network level
Index(es):
- Date
- Thread