Greg Helledy on 2 Aug 2017 12:43:33 -0700



Re: [PLUG] Firewall/security philosophy [was: SSH Hardening : Request for Best Practices]




Do you simply not have any desktop web traffic on your network?
Whitelisting every domain you visit in a browser sounds like anything
but "hardly any maintenance."

Sure, I could see doing this on a firewall protecting a server farm
where you have no desktop traffic.  Doing it in general for outbound
desktop traffic seems like it would be an exercise in frustration for
admins and users alike.  I wouldn't want to deal with this and I'm the
only user on this network...

Exactly, I would love to do more to keep my users and their Windows PCs safe, and the one big hole is the traffic they originate with their web browsers. But any restriction I put in place is going to produce complaints and frustration. For a while I had us using some of the "safe DNS" (Norton, Comodo) providers and even something that simple and seemingly foolproof caused problems, because they would either go offline or slow down momentarily every once in a while, or they'd manage to get a domain on their banned list that the user was used to accessing from home or mobile without a problem, and the user would then come to me about "our internet is broken again, fix it."

--
Greg Helledy
GRA, Incorporated
P:  +1 215-884-7500
F:  +1 215-884-1385
www.gra.aero
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug