Christopher Barry on 22 May 2017 18:12:07 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] iptables question on redirection & circumvention reporting


On Mon, 22 May 2017 15:41:24 -0400
Thomas Delrue <delrue.thomas@gmail.com> wrote:

>Hello,
>
>I have an internal network with a couple tens-to-hundred devices on it.
...snip...
>
>Thanks
>

Are you a concerned corporate citizen or a monetizing d-bag? If the
latter, piss off. If the former, read on...

You're tracking the folks on your network. They don't like that. They
will always find ways around whatever you do. iptables won't solve
this problem, sorry.

For instance, they'll use a USB wireless NIC and simply hotspot their
phone. Are you willing to crawl under their desks and verify no
USB NICs are plugged in while they're at lunch? They'll use a VPN or
simply an ssh tunnel. Are you willing to blanket block to those ports
outbound? If not, are you willing to try to figure out which are OK and
which are not OK? Are you willing to jam all wireless frequencies? Do
your users connect from home/road using some vpn or tunnel method? If
so, you've already completely lost control.

It's a losing battle. You aren't winning it, and you won't.
Is it /really/ a problem they don't want you to track them? (why are
you anyway?) Are they not doing their jobs? If not, fire them and be
done with it.

My advice: Either just let it go -OR- air-gap the place.

Air gap means no cell phones and no wireless devices of any kind
either, and prepare to jam cellular and wifi just in case, and you'll
probably want to scan for other non-standard frequencies too, and you'll
definitely want to disable USB ports in the password protected BIOSes,
and you'll want to install key-loggers, and of course you'll need metal
detectors and possibly some type of TSA-like full body scanners at the
Faraday vault entrance, and ...


It won't end. ever.

-- 
Regards,
Christopher

Attachment: pgpkOVx_3EdNH.pgp
Description: OpenPGP digital signature

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug