Re: [fw-wiz] Firewalling at the domain users level instead of network level
Oh yeah, and calamaris for parsing the resulting squid logfiles :)
On Wed, 2004-07-21 at 16:34, charlie wrote:
> Have you looked into using iptables + squid + squidguard for transparent
> proxying, content filtering and access control?
> This combination is very effective and extremely flexible. You can limit
> access by time, source ip, destination url/ip etc.
> Check out www.squidguard.org
> Hope this helps..
> On Wed, 2004-07-21 at 14:34, Daniel Pittman wrote:
> > On 21 Jul 2004, Santos wrote:
> > > Chuck Swiger wrote:
> > >> On Jul 18, 2004, at 2:41 AM, Santos wrote:
> > [...]
> > >> The second concern is a matter of policy: why do you want your
> > >> firewall to treat users differently? If it's a bad idea for person A
> > >> to do some type of network connection, why should it be OK for person
> > >> B to do so? If you restrict things so that only the services which
> > >> you trust all users to do are permitted, your security is likely to be
> > >> much improved compared to a policy based on an ever-growing pile of
> > >> per-user rules and exceptions.
> > >
> > > Because the people that contracted me wanted so :)
> > That was my presumption when I read this thread; it isn't a techies
> > idea, generally.
> > > Some people should be working on other stuff instead of traveling on
> > > the web.
> > >From my years of experience, I would advise that you go back to your
> > client and suggest to them, gently but firmly, that trying to apply a
> > technical solution to a social problem is seldom effective.
> > Before I go into detail there, though, do you actually need the
> > 'hotseat' functionality that you are looking for, or would it be enough
> > to put the "unprivileged" users in a fixed IP range with DHCP, and then
> > firewall that more strongly?
> > Anyway, back to the reasons why solving the abuse problem through
> > firewall restrictions is a poor idea:
> > The biggest reason is that drawing this distinction between users is a
> > great way to encourage resentment and unhappiness among staff.
> > By drawing that line your clients are saying "these people are important
> > enough to flout the rules, those people are not" -- because having some
> > staff able to surf the web at leisure implies precisely that.
> > The other big reason is that the analysis that reaches the conclusion
> > that some staff are abusing the Internet access is often flawed in my
> > experience.
> > When I have been asked to implement this, which has happened at a number
> > of places, it usually turns out that access to the Internet is a
> > critical part of the day to day operation of that part of the
> > organization.
> > The most common requirements are data verification and queries about
> > addressing, phone numbers and postage data -- and these are not things
> > that the management are usually aware are required as part of the job.
> > Finally, once you start telling people that they are going to do the
> > wrong thing -- which this technical rules does tell them -- they are
> > less likely to want to do the right thing in other areas.
> > A more concrete and effective way of curbing the abuse of Internet
> > access is to announce, *very* publicly, that Internet use will be
> > monitored, and randomly sampled for compliance to policy.
> > Then, give it two weeks and implement that: pick a half hour chunk of
> > Squid logs *outside* of lunch breaks, and find out which of the staff
> > are silly enough to still abuse their access.
> > That requires minimal technical input, does not lead to any "unfair"
> > rules at a technical level, and gives people the feeling that
> > management and the technical staff expect them to do the right thing,
> > not the wrong thing.
> > So, in summary: there are probably much better ways of doing this.
> > Daniel
> > Footnotes:
> >  Well, actually, uniformly incorrect, and reflective of a poor
> > understanding of what is actually done by staff, but I still
> > hesitate to make it an absolute statement.
> >  This is extremely important if you don't want to find that all the
> > staff hate you for implementing (or colluding with) this unfair
> > system.
> >  ...and, yes, the "random sample" thing is the same technical
> > effect, but perceived quite differently as a general rule -- not
> > least of which is because it can be checked by a more clever
> > human, not a blind and uncaring machine.
> > --
> > Any attempt to curb user abuse will only result in more expensive abuse.
> > -- Garret Boer
> Charles Kidson
> Systems Administrator
> General Pants Group
> ph 02 9290 0813
> fx 02 9299 6485
> mb 0428 61 7766
General Pants Group
ph 02 9290 0813
fx 02 9299 6485
mb 0428 61 7766