Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request fo

Greg Helledy on 2 Aug 2017 12:43:33 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]

From: Greg Helledy <gregsonh@gra-inc.com>
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]
Date: Wed, 2 Aug 2017 15:43:27 -0400
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gra-inc.com ; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:From:References:To:Subject:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=/+7jNEzx/XKf0pOMZWVAmVBMX+J27DLYlX8tzD72PC8=; b=CGRGgZATi9OC9DT38gtorKJeC/ syq26a5kU1ONYq+ZZ3iwSFbMt/MZpHNWBa2CiQklxeMWGxcG8iIWJz4FvN3YcCCmasYzge5oF58Ks 63OCevMVsN44DfsLQhOGD+ZfagFR5Ok0T+TtC0hzuj/lqYcLPSHwsl9N+ojdL3jIuFbvZm69W8Gsj ksZl50F5koil4gKtk4kbXF4mo/dgtEvT5R7Xnp4nvKJ2giJbXd54IfuRfERbozg1YQNHxasMUkang DQZTb4qas5IHiQqgzU1oEhphrCZgmGcTmdRQSt4EfTVQDdDbTZHLnAvD4mtTcfBkI3QuXitId9Z/a 8twZOXAw==;
Organization: GRA, Incorporated
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1

Do you simply not have any desktop web traffic on your network?
Whitelisting every domain you visit in a browser sounds like anything
but "hardly any maintenance."

Sure, I could see doing this on a firewall protecting a server farm
where you have no desktop traffic.  Doing it in general for outbound
desktop traffic seems like it would be an exercise in frustration for
admins and users alike.  I wouldn't want to deal with this and I'm the
only user on this network...

Exactly, I would love to do more to keep my users and their Windows PCssafe, and the one big hole is the traffic they originate with their webbrowsers. But any restriction I put in place is going to producecomplaints and frustration. For a while I had us using some of the"safe DNS" (Norton, Comodo) providers and even something that simple andseemingly foolproof caused problems, because they would either gooffline or slow down momentarily every once in a while, or they'd manageto get a domain on their banned list that the user was used to accessingfrom home or mobile without a problem, and the user would then come tome about "our internet is broken again, fix it."


--
Greg Helledy
GRA, Incorporated
P:  +1 215-884-7500
F:  +1 215-884-1385
www.gra.aero
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Prev by Date: Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]
Next by Date: [PLUG] [plug-announce] Free Fun in Philly: FOSSCON, Saturday August 26th!
Previous by thread: Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]
Next by thread: [PLUG] [plug-announce] Free Fun in Philly: FOSSCON, Saturday August 26th!
Index(es):
- Date
- Thread