Christopher Barry on 22 May 2017 18:12:07 -0700
Re: [PLUG] iptables question on redirection & circumvention reporting
On Mon, 22 May 2017 15:41:24 -0400
Thomas Delrue <delrue.thomas@gmail.com> wrote:

>Hello,
>
>I have an internal network with a couple tens-to-hundred devices on it.
...snip...
>
>Thanks
>

Are you a concerned corporate citizen or a monetizing d-bag? If the
latter, piss off. If the former, read on...

You're tracking the folks on your network. They don't like that. They
will always find ways around whatever you do. iptables won't solve this
problem, sorry.

For instance, they'll use a USB wireless NIC and simply hotspot their
phone. Are you willing to crawl under their desks and verify no USB
NICs are plugged in while they're at lunch?

They'll use a VPN or simply an ssh tunnel. Are you willing to blanket
block to those ports outbound? If not, are you willing to try to figure
out which are OK and which are not OK?

Are you willing to jam all wireless frequencies?

Do your users connect from home/road using some vpn or tunnel method?
If so, you've already completely lost control.

It's a losing battle. You aren't winning it, and you won't.

Is it /really/ a problem they don't want you to track them? (why are
you anyway?) Are they not doing their jobs? If not, fire them and be
done with it.

My advice: Either just let it go -OR- air-gap the place.

Air gap means no cell phones and no wireless devices of any kind
either, and prepare to jam cellular and wifi just in case, and you'll
probably want to scan for other non-standard frequencies too, and
you'll definitely want to disable USB ports in the password protected
BIOSes, and you'll want to install key-loggers, and of course you'll
need metal detectors and possibly some type of TSA-like full body
scanners at the Faraday vault entrance, and ...

It won't end. ever.

--
Regards,
Christopher
Attachment:
pgpkOVx_3EdNH.pgp
Description: OpenPGP digital signature
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug