I mean "impairing" the network in terms of false positives (blocking legitimate access to secured services), false negatives (not adequately blocking prurient material), and otherwise providing a crappy, inconsistent result, rather than slowing it down.
Especially with the profusion of cloud services, it is extremely hard to tie an IP address or block to the nature of services it provides...

--Steve

On Mon, Feb 13, 2012 at 12:55 AM, Andrew S. Baker <[email protected]> wrote:
> There are plenty of devices that can inspect the traffic without impairing
> performance.
>
> *ASB*
> *http://XeeMe.com/AndrewBaker*
> *Harnessing the Advantages of Technology for the SMB market…*
>
> On Sun, Feb 12, 2012 at 10:58 PM, Steve Kradel <[email protected]> wrote:
>
>> They do have to traverse your network in a manageable way, anyway...
>> up until the point that some wiseacre fires up a VPN or a
>> tunnel/proxy, it's not so hard to grab port 53 traffic on its way out
>> and quietly redirect it.
>>
>> However, the problem itself is extremely difficult to solve
>> thoroughly. How can one possibly stay on top of the IPs that SSL is
>> or isn't "safe" to, given that you cannot do any other meaningful
>> inspection of the data (not even the hostname in the HTTPS request)?
>> I know there are products that attempt to solve it without seriously
>> impairing the network, but I can't imagine they're robust against a
>> clever | determined kiddo.
>>
>> --Steve
>>
>> On Sun, Feb 12, 2012 at 10:22 PM, James Hill <[email protected]> wrote:
>> > This assumes that the students have to use your DNS as well.
>> >
>> > From: Kennedy, Jim [mailto:[email protected]]
>> > Sent: Saturday, 11 February 2012 1:45 AM
>> > To: NT System Admin Issues
>> > Subject: DNS Partial zone CNAMEs?
>> >
>> > Long story made somewhat short: We enforce safe search on google images
>> > with our filter. If a clever student hits https://www.google.com and
>> > searches for Excalibur Films images the safe search enforcement fails and
>> > they are going to get more than they should. And since I now know this, I
>> > will go to jail and my wife will be sad.
>> >
>> > So I need to do the below from Google:
>> >
>> > To utilize this solution, your school’s network administrator would modify
>> > your DNS (Domain Name System) configuration to make Google domains, e.g.
>> > www.google.com to be an alias or CNAME (canonical name) of nossl.google.com.
>> > When we see search requests arriving over the nossl end point we will
>> > redirect these to a non-SSL search session. HTTP traffic and other services
>> > will not be affected.
>> >
>> > I am a bit puzzled on how to do this. If I toss up a zone for google.com and
>> > put up a www.google.com CNAME nossl.google.com What happens when someone
>> > tries to hit mail.google.com? My zone lookup will fail…will my DNS server
>> > then hit my forwarders for mail.google.com
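Added example, not part of the original thread: a toy Python model of the zone question in the quoted original message, showing why a local zone for all of google.com shadows mail.google.com while a zone named only www.google.com does not. The function names, the forwarder table and all addresses are constructed for illustration; the single-name zone holds an A record as an assumption, since a CNAME cannot sit beside the SOA/NS records at a zone apex.

```python
# Toy model, constructed for illustration: how a DNS server that hosts local
# zones and forwards everything else decides where an answer comes from.

def find_zone(qname, zones):
    """Return the most specific locally hosted zone containing qname, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(qname, zones, forwarder):
    """Answer from a covering local zone; only otherwise ask the forwarder."""
    qname = qname.lower().rstrip(".")
    zone = find_zone(qname, zones)
    if zone is None:
        return ("forwarded", forwarder.get(qname, "NXDOMAIN"))
    # Authoritative for this zone: a name missing from it is NXDOMAIN and the
    # forwarders are never consulted.
    return ("local", zones[zone].get(qname, "NXDOMAIN"))

# Constructed stand-in for the forwarders' answers (documentation addresses).
FORWARDER = {
    "www.google.com": "A 192.0.2.10",
    "mail.google.com": "A 192.0.2.20",
    "nossl.google.com": "A 192.0.2.30",
}

# Option 1: a zone for all of google.com that holds only the www CNAME.
# Every other google.com name, including the CNAME target, is shadowed.
WHOLE_DOMAIN = {"google.com": {"www.google.com": "CNAME nossl.google.com"}}

# Option 2: a zone named www.google.com, so only that one name is overridden.
# It carries the (constructed) nossl address as an A record, which has to be
# kept in step with the real address by hand.
SINGLE_NAME = {"www.google.com": {"www.google.com": "A 192.0.2.30"}}

if __name__ == "__main__":
    for label, zones in (("google.com zone", WHOLE_DOMAIN),
                         ("www.google.com zone", SINGLE_NAME)):
        for name in ("www.google.com", "mail.google.com", "nossl.google.com"):
            print(label, name, resolve(name, zones, FORWARDER))
```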
