> wants to limit web access to certain "approved" sites. I know this is
> possible with IP Chains, but I fear writing a 100+ rule chain 
> to do this. Is there a better way to accomplish this task?

 Three suggestions

1) Don't do it
2) Don't do it
3) If you really must do it, don't do it on your firewall.

 Censorship, as we all know, is a steep and slippery slope
to start down and for more than the reasons that are immediately
obvious. Be careful, and don't do it.


 That said, you're very right in not wanting to write a 
dirty great big rule list - it will slow down your
firewall for everything. In any case, what is a 100 rule
list today will grow into 200, 300, ... in time. Ugly.


 If you really want to filter on web sites (and I insist
that you do not) then you should do it in a caching proxy
inside your firewall  - they are better at doing this kind
of stuff, and they have more time on their hands than
the firewall.


 You don't say if you have budget to do this stuff. If you
do have $$$ to throw at the problem there are a bunch of 
commercial software products that will automagically import
lists generated by a third party and do all your filtering
for you. In practice, these lists...

1) Are over-zealous - as a result of the sheer size of the
   net, the lists tend to block entire sites, not just
   offending pages. A couple of years ago, one of the 
   better known lists blocked one of Australia's largest
   ISPs. (I never had much respect for OzEmail anyway, so
   I thought it was a good thing - but there is a problem
   in principle).

2) These lists cost money. They cost money in upfront purchase,
   in ongoing maintenance (they usually cost an annual fee
   for ongoing use) and they have larger administration 
   overheads than they should have.

   (User 'x' in the research department complains that she 
   searched for something legitimate to her work, but was
   blocked by the list - please remove it from the list -
   blah blah blah)

3) They eventually get switched off and forgotten - as
   a result of the problems in points (1) and (2). Money
   down the gurgler. 

 A similar but different bunch of commercial products work
on so-called lexical analysis. They don't use lists, but
try to analyse the content of the pages based on the words
(and if you're lucky, sentence structures) used therein.

 Trouble with those is that the user in research will be doing
a paper on 'breast cancer' one day, and will ring up complaining
that the filter blocked her 'sexually explicit' request. 
Enough said on lexical analysis huh... :-)


 If you don't want your money to go down the gurgler, don't
put it in the bathtub in the first place...


 "Well, that should just about cover the fly-bys..."


 Non-commercial: Do this, since you were going to have a 
proxy-cache anyway, and you'll get to show the boss the
error of his ways fairly smartly...

 Run Squid (the cache software) on a FreeBSD box inside your
network. Set all the users' browsers to proxy via the
squid box, and set the firewall to disallow web access but
from the squid box.

 Set up your restrictions in squid - it is well capable of doing 
that type of stuff, with access to regular expressions and all
kinds of nice things. If you really want to prove the error
of all this restriction stuff, go direct for lexical analysis
and block any page with "bottom, tit, f*ck, pig, bum, poo,
breast, or penis" in it.

 When the boss comes by and asks you to set the firewall to 
allow his desktop PC and the squid box direct access to 
HTTP on the net, mumble something about it being difficult,
impossible, etc, etc. Tip: DHCP helps this argument.



 I suspect that the bottom line here for your boss is this:

 He wants people to do their work and not screw around on the
net all day. Right? Of course I'm right. Here's a cheaper,
better, faster way to achieve that.


 Way back when, I was a one man IT Manager, Security Guy, 
PC Support guy, toilet cleaner, etc, etc...

 I built the office firewall, and when I set it up, I had a 
monitor on the shelf opposite my desk. On this monitor, the
real-time logs from the firewall scrolled up the screen
all day and night.

 People would come to visit my office - usual questions about
the 'any' key, the broken cup-holders, you know the ones.

 Invariably, they would ask "Hey, what's that on the screen?"

 So I would take a few minutes, and point out interesting 
stuff scrolling past: "Look, there's Bill looking at the
online newspaper, and there's Mary checking her hotmail"...

 You can see the thoughts running through their mind: "So,
when I visited that porn site the other day for a quick
peek......". They never say it out loud, but they think it.

 They soon got the message. Word got around that I was watching,
and they could all see first hand that I really could see
what they were doing.

 In truth, I wasn't really watching at all, save for maybe a
quick look over the HTTP request logs on a quiet afternoon
once a month or so...

 In two years, I only ever once had a problem with someone
visiting somewhere inappropriate, and as it turned out, that
was accidental - followed a link that wasn't what it said
it was.


 The real key to all of this stuff is that you can never control
the people - you only think you control what they are doing. To
improve security at your site, you need to put in a firewall,
and get rid of all the dial-up modems, right?

 Now, if you put in the firewall and issue an edict from on high
that modems are evil and bad and shall not be used, nothing will
happen _UNLESS_ you make the firewall faster and easier to use 
than 'the old way'. 

 If you start filtering and censoring, people will go back to the
modems, but it will be worse than before. They will go out of
their way to hide the modems from you. 

 They will still have their cake however (and their porn).


 Hope this helps, (and good luck)

Geoff
--
CREDIT | FIRST   Geoff Breach, [EMAIL PROTECTED], +61293944040
SUISSE | BOSTON  Global Network Services - Asia Pacific Engineering
                 Opinions expressed herein are mine, not my employer's  
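An added illustration (not part of Geoff's mail, and not a configuration from any real site) of the proxy-side approach he describes: an "approved sites" allow-list done as Squid ACLs rather than as a long packet-filter chain. The subnet, port, file paths and domains below are made-up placeholders.

```squid
# squid.conf fragment (constructed example): allow web access only to
# an approved list of sites, for clients on the internal LAN.
# The packet filter in front of this box should then permit outbound
# 80/443 from the proxy host only, so browsers cannot bypass the proxy.

http_port 3128

# Internal network allowed to use the proxy (placeholder subnet).
acl localnet src 192.168.1.0/24

# Approved destinations, one domain per line in the file
# (a leading dot, e.g. ".example.com", also matches subdomains).
acl approved dstdomain "/etc/squid/approved_domains.txt"

# Only allow plain HTTP and HTTPS CONNECT tunnels to sane ports.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Keep the request log; a periodic look over it is often more useful
# than the block-list itself.
access_log /var/log/squid/access.log squid

# Rules are evaluated top to bottom; first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet approved     # both conditions must match
http_access deny all                    # everything else is refused
```

Adding a site means appending one line to approved_domains.txt and reloading Squid, instead of inserting another firewall rule; a url_regex ACL can be layered on top if path-level matching is ever needed.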

