Domain: dansguardian.org
Stories and comments across the archive that link to dansguardian.org.
Comments · 52
-
Re:Other avenues of attack . . .
While this will stop the 99% of people harmlessly using webmail, it will not touch the 1% who're technically clued and determined to get around it, be it to just read their mail, or to do malicious damage.
I have admin'ed several websense boxes (as well as multiple other proxies.) I am a network/security consultant, and the first point I make to any of my customers who want to use an internet control mechanism (i.e. filtering proxy) is that anyone sufficiently determined will get around it--don't try to solve non-technical problems with technology.
In short, websense makes managers feel good, but it does not work. It doesn't work for SSH port forwarders, it'll work even less once distributed proxy avoidance toys like Triangle Boy gain widespread use, and it'll completely break down once .NET and friends get spinning (read the part where proxy avoidance is explicitly mentioned in .NET docs.)
At this point, I should probably mention that almost all filtering software works very similarly, that is, it draws from combinations of blacklists meticulously compiled by cat-eyed librarian types trolling for smut, keyword lists, file extensions and content signatures (breaks down with encrypted files, unless you just want to block everything you don't recognize) and sometimes some sort of gimcrackery involving content pattern matching (such as the company claiming to be able to detect porn pictures from the amount of flesh.) The latter rarely work correctly.
That said, you're just as well off using something free, like DansGuardian or SquidGuard with one of the myriad of free filter lists they link to--assuming you can give your management the same feelgood effect from something free or cheap that they'd normally get from forking out $30k upwards to a company like WebSense.
By the way, did I mention that there is no IDS product which can consistently and reliably detect HTTPS-tunneled SSH traffic based on packet (or even stream) signatures?
In short, your idea for blocking webmail sites works, as long as your only goal is to prevent the casual user from getting at viruses and other Bad Things (tm) by means other than the corporate sanctioned means, like your local Exchange server. Good Luck!
:-)
-
Save some money schools
If you want Free Open Source web content filtering try this:
http://dansguardian.org