[sclug] Personalised web content filtering

Neil Haughton haughtonomous at googlemail.com
Thu Jun 16 10:29:42 UTC 2011


Hi

Tech problem here: My employers' main asset is the IP in their source code,
and consequently they are very concerned about the risk of staff (especially
new recruits, or disaffected staff) being able to walk off with it all and
sell it in other markets where it would be impossible to catch or stop.

Other safeguards aside, they want to be able to stop certain individuals
from being able to get the stuff out via the internet, specifically email,
ftp, etc. At the same time those individuals need access to some websites
such as msdn and so on, in order to do their job.

So far they have been able to lock people down to a personal PC (they can
only log in on their own PC) and remove or block the ability to move data
out except over the ethernet connection (i.e. no DVD writer, blocked USB
sockets, etc), and restrict the size of outgoing emails to limit what can be
sent by attachment, but that still leaves a gap, and of course everyone
needs some internet access to do their job.

The first solution considered was to use the Windows 7 Firewall, set up
appropriately on individual machines, but this doesn't allow web content
filtering AFAIK, and anyway can all too easily be circumvented.

Can anyone suggest an open source solution that would allow the company to
limit outward internet traffic on a person by person (or machine by machine)
basis, such that *certain individuals* can access specific websites only,
and cannot send stuff out by ftp?  I thought maybe IPCOP with the web
content filtering addon, but that's as far as my knowledge goes and that
doesn't appear to permit user-specific filtering. I've also
considered hacking the local etc/HOSTS file to map restricted domains to
127.0.0.1, but even with a very long list of domains it's too open to
unexpected holes and what we really need is a 'deny all allow the following'
approach.

(BTW I am already familiar with the 'this is an HR issue not a technical one
and you shouldn't employ staff you don't trust' argument, but I need to
treat it as a technical issue and find a technical solution, if I can.   The
idea is to be safe rather than sorry, to shut the stable door before the
horse bolts, and quietly open the door when the company is confident that
the horse is not the bolting type. And then keep the horse happy enough not
to want to bolt in future.)

TIA

Neil
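
The contrast drawn above between a hosts-file blocklist and a 'deny all allow the following' policy, as an added Python example that is not part of the original post. It models only the allow/deny decision, assuming it is enforced at a gateway or proxy the user cannot bypass; the addresses, domains and function names are constructed for illustration.

```python
# Added illustration: hosts-file blocklist vs. per-machine default-deny allowlist.
# All addresses and domains below are constructed sample values.

# Names a hosts file would map to 127.0.0.1. A hosts file matches exact
# hostnames only, so subdomains and unlisted sites are not covered.
HOSTS_BLOCKLIST = {"mail.example.com", "ftp.example.org"}

# Restricted machines and the only domains each may reach.
# Assumption for this sketch: machines not listed here are unrestricted.
ALLOWLISTS = {
    "10.0.0.21": {"msdn.microsoft.com"},
}

WEB_SCHEMES = ("http", "https")


def normalise(host):
    """Lower-case and drop a trailing dot so 'MSDN.Microsoft.com.' still matches."""
    return host.strip().lower().rstrip(".")


def domain_matches(host, domain):
    """True if host is the domain or a subdomain of it, on a label boundary."""
    return host == domain or host.endswith("." + domain)


def blocklist_allows(host):
    """Hosts-file behaviour: anything not listed by exact name gets through."""
    return normalise(host) not in HOSTS_BLOCKLIST


def allowlist_allows(client_ip, host, scheme="http"):
    """Default deny for restricted clients: web schemes and listed domains only."""
    allowed = ALLOWLISTS.get(client_ip)
    if allowed is None:
        return True            # unrestricted machine
    if scheme not in WEB_SCHEMES:
        return False           # e.g. ftp is refused outright
    host = normalise(host)
    return any(domain_matches(host, d) for d in allowed)


if __name__ == "__main__":
    for h in ("files.example.net", "www.mail.example.com", "msdn.microsoft.com"):
        print(h, blocklist_allows(h), allowlist_allows("10.0.0.21", h))
```

The label-boundary check in `domain_matches` is what keeps look-alike names such as `notmsdn.microsoft.com` or `msdn.microsoft.com.example.net` from slipping through the allowlist.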


