I fail to see how NTP could be misused. If you have had experience where someone abused network time-correction data, I would be very interested to hear it, as it would doubtless be a hilarious story!
IMAP and POP are mail protocols, so I just assumed you also included them when you said you permitted mail. But I suppose it is not really necessary in a work environment, since I guess you make whitelist exceptions for any work-specific traffic.

On 23 May 2012 11:39, sanga collins <[email protected]> wrote:

> Juniper SSG or NetScreen firewalls, so no iptables or shell scripting in
> the same way you could with software firewalls. As far as mail and web
> ports ... even you give too much leeway. My list is more like
>
> Web: 80 and 443
> mail: 25 (and only to my mail servers)
> icmp: always useful
>
> Custom state specific services or vendor services if any, but in the last
> year most have switched over to VPN based traffic and the rest make the
> user connect to their service via dial-up modem.
>
> No dns, ntp, imap, pop etc etc etc. unless it's through the VPN.
>
>
> On Wed, May 23, 2012 at 4:25 AM, Benjamin Tayehanpour <
> [email protected]> wrote:
>
>> Depending on what firewall software you are using on your router, you
>> could just write a simple shell script which updates the firewall entries
>> to reflect the contents of said blacklists. What are you using? iptables?
>>
>> I suppose they weren't smart enough, since you know of those times! :)
>>
>> Mail and web. That is, ports 25 (SMTP), 80 (HTTP), 110 (POP3), 143 (IMAP),
>> 443 (HTTPS), 465 (SSMTP), 585 (IMAP4-SSL), 993 (IMAPS), 995 (SSL-POP)? How
>> about ICMP traffic?
>>
>>
>> On 23 May 2012 10:32, sanga collins <[email protected]> wrote:
>>
>>> A log is a record. In this case I am recording traffic and not content.
>>> Regardless of semantics we play on the ethical side of the court.
>>>
>>> Known Proxy: SquidGuard and DansGuardian blacklists are kept up to date
>>> so I don't have to chase them down myself.
>>> Blocking in the firewall is painful. It means I have to maintain a list
>>> of IPs or domains in more than 30 firewalls spread across the country.
>>> When I could just use Squid+DansG in one location
>>>
>>> Yes there are ways of obfuscating traffic to make it appear as something
>>> else. But I can count on 1 hand the number of times an individual has been
>>> smart enough to do that let alone spell the word.
>>>
>>> We block all outbound ports except mail, and web. But these days all you
>>> need is port 80 to connect to a proxy server that then opens playboy.com on
>>> port 80 for you. I never know you are on
>>> playboy.com until the sexual harassment lawsuit comes down the pipe or
>>> a visitor to one of our nursing facilities claims that a resident was busy
>>> watching porn in the dining room ...
>>>
>>> What to do?
>>>
>>>
>>> On Wed, May 23, 2012 at 3:02 AM, Benjamin Tayehanpour <
>>> [email protected]> wrote:
>>>
>>>> In that case, you are logging, not recording as you previously stated.
>>>> There is a difference, so please refrain from mixing those two terms in the
>>>> future. "Monitoring" is an umbrella word which could entail both logging
>>>> and recording or even none of them and instead other approaches.
>>>>
>>>> And, as long as you don't record, you are staying on the ethical side
>>>> of things, I suppose :)
>>>>
>>>> Although, I am a bit curious. What, exactly, entails "known proxy"? Do
>>>> you keep a list of them? In that case, why not block them outright in the
>>>> firewall? Also, there are ways of obfuscating traffic to make it
>>>> indistinguishable from "legitimate" traffic. How do you counter that?
>>>>
>>>> Wouldn't it be easier just to block all outgoing ports except the ones
>>>> you use in your line of work? That way you would blanket-block almost every
>>>> public proxy out there, and there would be less traffic to monitor.
>>>>
>>>>
>>>> On 23 May 2012 09:52, sanga collins <[email protected]> wrote:
>>>>
>>>>> The process of blocking requires monitoring. I believe blocking is
>>>>> acting on monitored traffic, is it not?
>>>>>
>>>>> I think there is a misunderstanding as to what my monitoring entails.
>>>>> I cannot read a user's email or view the website they are viewing live.
>>>>> All I can see is what site was visited, when, and from which computer. Basic
>>>>> information available in all routing equipment. On this basic information
>>>>> rules are set in the organization with penalties for violating the rules.
>>>>> If you access a known proxy or I determine you are circumventing the
>>>>> monitoring, I don't need to know why you did it, or where you went. The
>>>>> fact that you did, on a computer that isn't yours is grounds for termination
>>>>>
>>>>>
>>>>>
>>>>> On Wed, May 23, 2012 at 2:45 AM, Victor van Reijswoud <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> How long are records kept? Who is able to access and examine them?
>>>>>> These are important issues when 'everything' is monitored.
>>>>>>
>>>>>> For medical information (as you refer to) this has been arranged by
>>>>>> law in most countries. Is this also arranged for data/information
>>>>>> related to computer use of individuals in your organisation?
>>>>>>
>>>>>> Unethical is a strong word but I feel it more transparent to block
>>>>>> than to monitor 'everything'.
>>>>>>
>>>>>>
>>>>>> On Wed, May 23, 2012 at 7:27 AM, Sanga Collins <
>>>>>> [email protected]> wrote:
>>>>>> > Why is it unethical? You work in our office using our computers
>>>>>> > handling patient medical information and financial data. The govt
>>>>>> > mandates we keep a 'paper trail' of everything coming and going. We also
>>>>>> > clearly state in the terms of employment that all Internet traffic is
>>>>>> > monitored.
>>>>>> >
>>>>>> > Don't see the unethical part.
>>>>>> >
>>>>>> > Besides most routers and networking equipment log all traffic anyway.
>>>>>> >
>>>>>> > Sent from my mobile device
>>>>>> >
>>>>>> > On May 23, 2012, at 9:19 AM, Victor van Reijswoud <
>>>>>> > [email protected]> wrote:
>>>>>> >
>>>>>> >> +1
>>>>>> >>
>>>>>> >>
>>>>>> >> On Wed, May 23, 2012 at 7:13 AM, Benjamin Tayehanpour
>>>>>> >> <[email protected]> wrote:
>>>>>> >>> Recording traffic is even worse than outright blocking it, from an ethical
>>>>>> >>> point of view. It's quite fun, though :)
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> On 22 May 2012 16:09, Sanga Collins <[email protected]> wrote:
>>>>>> >>>>
>>>>>> >>>> We don't block apps or websites, we just record everything. HR has new
>>>>>> >>>> employees sign terms of use. If they are violated the employee is
>>>>>> >>>> terminated. Use of proxies or circumvention techniques counts as 2
>>>>>> >>>> violations. Leaving 1 violation for termination.
>>>>>> >>>>
>>>>>> >>>> Each year your violations reset to zero and all cases are investigated
>>>>>> >>>> since spam, spyware or viruses can also cause traffic to be recorded that is
>>>>>> >>>> not allowed.
>>>>>> >>>>
>>>>>> >>>> Btw we allow Facebook, Twitter and social networking sites. But if you
>>>>>> >>>> spend majority of your day 'networking' then that counts as a violation :)
>>>>>> >>>>
>>>>>> >>>> Sent from my mobile device
>>>>>> >>>>
>>>>>> >>>> On May 22, 2012, at 4:02 PM, erias swraggy <[email protected]> wrote:
>>>>>> >>>>
>>>>>> >>>>> I think it's a total waste of time especially with the existence and
>>>>>> >>>>> free use of Bennett Haselton's circumventors such as
>>>>>> >>>>> https://jellykey.info/ and many more others.
>>>>>> >>>>>
>>>>>> >>>>> On 5/22/12, Victor van Reijswoud <[email protected]> wrote:
>>>>>> >>>>>> Indeed OT but interesting. From a technical perspective blocking is
>>>>>> >>>>>> easy, but from a human perspective this is more difficult. I created a
>>>>>> >>>>>> very bad situation when I first blocked FB in an organisation (on
>>>>>> >>>>>> request of the management). Blocking working hours was the solution
>>>>>> >>>>>> (interesting to see how many people liked to stay after working
>>>>>> >>>>>> hours).
>>>>>> >>>>>>
>>>>>> >>>>>> What about blocking hotmail, gmail and other freemail when all people
>>>>>> >>>>>> have office mail? I tend to block these as well in office hours.
>>>>>> >>>>>>
>>>>>> >>>>>>
>>>>>> >>>>>>
>>>>>> >>>>>> On Tue, May 22, 2012 at 9:55 AM, Kyle Spencer <[email protected]>
>>>>>> >>>>>> wrote:
>>>>>> >>>>>>> Hi Joseph,
>>>>>> >>>>>>>
>>>>>> >>>>>>> This is slightly OT, but I've always been of the opinion that -- in general
>>>>>> >>>>>>> -- business networks shouldn't blacklist content. There's a few reasons for
>>>>>> >>>>>>> this:
>>>>>> >>>>>>>
>>>>>> >>>>>>> 1) Blacklisting applications and websites quickly (and inevitably) becomes a
>>>>>> >>>>>>> wild goose chase. New sites, services, and workarounds pop up all the time
>>>>>> >>>>>>> and your users will find them (unless you white-list). If bandwidth is your
>>>>>> >>>>>>> concern, just implement per-host throttling.
>>>>>> >>>>>>>
>>>>>> >>>>>>> 2) Office Internet connections are many people's only access to the Internet
>>>>>> >>>>>>> in Uganda. Therefore, I believe we should ensure they have access to the
>>>>>> >>>>>>> full (undiluted) experience.
>>>>>> >>>>>>>
>>>>>> >>>>>>> 3) People need mental down-time in order to be fully productive. If my
>>>>>> >>>>>>> staff are doing their jobs well, why should I care if they browse Facebook
>>>>>> >>>>>>> or watch Youtube videos from time-to-time?
>>>>>> >>>>>>>
>>>>>> >>>>>>> 4) This is ultimately an HR/management issue, not a technical one. If your
>>>>>> >>>>>>> staff spend all of their time on Facebook and Youtube, the problem is the
>>>>>> >>>>>>> behavior and not the sites themselves. If you simply ban Facebook and
>>>>>> >>>>>>> Youtube, your staff will find something else to waste their time on. It's
>>>>>> >>>>>>> better to focus your efforts on finding ways to inspire a strong work-ethic
>>>>>> >>>>>>> in your staff -- ideally through an atmosphere of trust (see items #1, #2,
>>>>>> >>>>>>> and #3).
>>>>>> >>>>>>>
>>>>>> >>>>>>> Regards,
>>>>>> >>>>>>> Kyle Spencer
>>>>>> >>>>>>>
>>>>>> >>>>>>>
>>>>>> >>>>>>>
>>>>>> >>>>>>> On Tue, May 22, 2012 at 11:28 AM, KIYINI JOSEPH <[email protected]>
>>>>>> >>>>>>> wrote:
>>>>>> >>>>>>>>
>>>>>> >>>>>>>> I don't think we all use these but,......................
>>>>>> >>>>>>>>
>>>>>> >>>>>>>> http://www.techrepublic.com/blog/10things/the-top-10-apps-being-blacklisted-in-the-enterprise/3228?tag=mantle_skin;content
>>>>>> >>>>>>>> --
>>>>>> >>>>>>>> KyaiJoe
>>>>>> >>>>>>>> _______________________________________________
>>>>>> >>>>>>>> The Uganda Linux User Group: http://linux.or.ug
>>>>>> >>>>>>>>
>>>>>> >>>>>>>> Send messages to this mailing list by addressing e-mails to:
>>>>>> >>>>>>>> [email protected]
>>>>>> >>>>>>>> Mailing list archives: http://www.mail-archive.com/[email protected]/
>>>>>> >>>>>>>> Mailing list settings: http://kym.net/mailman/listinfo/lug
>>>>>> >>>>>>>> To unsubscribe: http://kym.net/mailman/options/lug
>>>>>> >>>>>>>>
>>>>>> >>>>>>>> The Uganda LUG mailing list is generously hosted by INFOCOM:
>>>>>> >>>>>>>> http://www.infocom.co.ug/
>>>>>> >>>>>>>>
>>>>>> >>>>>>>> The above comments and data are owned by whoever posted them (including
>>>>>> >>>>>>>> attachments if any). The mailing list host is not responsible for them in
>>>>>> >>>>>>>> any way.
>>>>>
>>>>> --
>>>>> Sanga M. Collins
>>>>> Network Engineering
>>>>> ~~~~~~~~~~~~~~~~~~~~~~~
>>>>> Google Voice: (954) 324-1365
>>>>> E-fax: (435) 578 7411
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM: http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.
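
The egress policy discussed in this thread (web on 80 and 443, SMTP only to named mail servers, ICMP, everything else dropped, blacklist entries refused first), written as an added example and not something posted to the list: a shell function that emits `iptables-restore` input. It assumes a Linux gateway using iptables (the firewalls in the thread are Juniper SSG/NetScreen), a blacklist of IPv4 addresses or CIDR ranges on standard input, and the hypothetical chain name EGRESS; all addresses are constructed documentation values.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables-restore input for the
# egress policy discussed above. Assumed: a Linux/iptables gateway, the
# hypothetical chain name EGRESS, and a blacklist of IPv4 addresses or CIDR
# ranges (one per line, '#' comments allowed) on standard input.

# is_ipv4_cidr VALUE: succeed only for a dotted quad with an optional /0-32.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# gen_egress_rules MAILSERVER...: blacklist on stdin, ruleset on stdout.
gen_egress_rules() {
    # Validate every mail server before printing anything, so a typo never
    # yields a half-written ruleset.
    for ms in "$@"; do
        is_ipv4_cidr "$ms" || { echo "invalid mail server: $ms" >&2; return 1; }
    done
    echo '*filter'
    echo ':EGRESS - [0:0]'
    echo '-A EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Blacklist entries come first, so a listed proxy is refused even on
    # the otherwise-allowed web ports. Duplicates are collapsed and
    # anything that is not an address or range is skipped with a warning.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u |
    while read -r entry; do
        if is_ipv4_cidr "$entry"; then
            echo "-A EGRESS -d $entry -j DROP"
        else
            echo "skipping invalid blacklist entry: $entry" >&2
        fi
    done
    echo '-A EGRESS -p tcp -m multiport --dports 80,443 -j ACCEPT'
    for ms in "$@"; do
        echo "-A EGRESS -d $ms -p tcp --dport 25 -j ACCEPT"
    done
    echo '-A EGRESS -p icmp -j ACCEPT'
    # Everything else (DNS, NTP, IMAP, POP, ...) is dropped.
    echo '-A EGRESS -j DROP'
    echo 'COMMIT'
}

# Constructed sample blacklist using documentation address ranges.
sample_blacklist() {
    cat <<'EOF'
# constructed sample entries
198.51.100.7     # listed twice on purpose
203.0.113.0/24
198.51.100.7
proxy.example.net
300.1.1.1
EOF
}

# Print the ruleset for one constructed mail server address.
sample_blacklist | gen_egress_rules 192.0.2.25
```

The output can be loaded with `iptables-restore --noflush`, which leaves the other chains in place; it only takes effect once FORWARD jumps to EGRESS, which is not set up here.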
