That's why you don't do it like this. Well, you do this, but only as part
of the solution.

Ideally you want your data security right down to the individual syscall level.
Various products like what Cisco offer let you specify what access to what
data various applications have, but I don't know how useful it is protecting
people from copy/pasting data around. I know at least the "secure" versions
of IRIX and Digital UNIX were doing useful things like tagging individual IPC
data with security ACLs, preventing you from copy/pasting between high->low
security contexts. That was fun to work inside. :)



adrian

On Mon, Feb 11, 2008, Jamie Wilkinson wrote:
> This one time, at band camp, Ricky wrote:
> >- first, you classify data, e.g. engineering.doc is commercially sensitive or
> >customer_creditcard.xls is personal privacy
> >- setup rules in your DLP, likely to be an appliance box sitting behind the
> >firewall
> >- stops data from going out the LAN
> 
> Application-aware firewalls are time consuming to develop, but I am
> concocting in my mind a tool that scans signatures out of all your
> documents, then has a tcpdump running on your firewall comparing traffic
> signatures -- sort of like snort, but in reverse -- and sending TCP RST to
> the sender if a violation was detected.
> 
> I can also think of ways around it (SSL, for example, is a trivial
> workaround, so you'll need to also MITM all your users... a wildcard
> certificate ought to fool the client browsers).
> 
> Do things like this really exist??  Well, I imagine Lotus Scrotes could,
> because the document never really leaves the database, but how would you
> build a system that reliably worked in a heterogeneous environment like a
> small-medium office, that actually worked, and you could sell to people and
> still retain your soul?
> -- 
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
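
Added example, not part of the thread or any poster's code: a sketch of the "scan signatures out of all your documents, then compare traffic" idea from the quoted message, covering only the matching step (no packet capture, no TCP RST). The window size, hit threshold, class and function names and all sample data are assumptions constructed for illustration; the last sample shows the limitation the quoted message raises, that content arriving in an opaque encoding yields no hits.

```python
import base64
import hashlib

SHINGLE = 32  # bytes per fingerprint window (assumed value, tune per corpus)


def fingerprints(data: bytes, size: int = SHINGLE) -> set:
    """Hash every overlapping window of the whitespace/case-normalised content."""
    norm = b" ".join(data.lower().split())  # survives re-wrapping and case changes
    return {hashlib.blake2b(norm[i:i + size], digest_size=8).digest()
            for i in range(len(norm) - size + 1)}


class DocumentIndex:
    """Maps window fingerprints to the label of the classified document."""

    def __init__(self):
        self._by_hash = {}

    def add(self, label: str, content: bytes) -> None:
        for fp in fingerprints(content):
            self._by_hash.setdefault(fp, label)

    def match(self, payload: bytes, min_hits: int = 8) -> dict:
        """Return {label: hits} for documents with >= min_hits windows in payload."""
        hits = {}
        for fp in fingerprints(payload):
            label = self._by_hash.get(fp)
            if label is not None:
                hits[label] = hits.get(label, 0) + 1
        return {label: n for label, n in hits.items() if n >= min_hits}


# Constructed sample data: one classified document and three outbound payloads.
DOC = (b"Q3 pricing model: unit cost 41.20, margin target 38 percent, "
       b"launch held until March.")
INDEX = DocumentIndex()
INDEX.add("engineering.doc", DOC)

LEAK = (b"POST /upload HTTP/1.1\r\nHost: example.org\r\n\r\n"
        b"notes=Unit cost 41.20,\r\n   margin target 38 percent, launch held until March")
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: sample\r\n\r\n"
OPAQUE = base64.b64encode(DOC)  # stand-in for content the sensor cannot read in clear

if __name__ == "__main__":
    for name, payload in (("leak", LEAK), ("benign", BENIGN), ("opaque", OPAQUE)):
        print(name, INDEX.match(payload))
```
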