[sclug] Personalised web content filtering

Alex Butcher lug at assursys.co.uk
Thu Jun 16 10:53:40 UTC 2011


On Thu, 16 Jun 2011, Neil Haughton wrote:

> Tech problem here: My employers' main asset is the IP in their source code,
> and consequently they are very concerned about the risk of staff (especially
> new recruits, or disaffected staff) being able to walk off with it all and
> sell it in other markets where it would be impossible to catch or stop.

At the risk of teaching you to suck eggs, the common term for what you're
describing is "Data Loss Prevention" (DLP). Hopefully that'll help you
quickly identify relevant products and tools.

Network-deployed tools of this nature generally focus on spotting certain
strings which are indicative of confidential data being passed in unexpected
ways.  For source code, this might be things like function, constant and/or
variable names that are proprietary to your employer's code.

Conceivably, you could cobble something together yourself using netfilter's
string matching extension
(<http://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.18>)
or Hogwash (a fork of the Snort Network IDS, repurposed as a packet
scrubber). Such approaches would be host-, rather than user-based.

Of course, even use of weak encryption/obfuscation (e.g. an unpassworded zip
file!) would thwart such approaches as long as it meant that none of the
strings you were looking for appeared in the clear!

> Other safeguards aside, they want to be able to stop certain individuals
> from being able to get the stuff out via the internet, specifically email,
> ftp, etc. At the same time those individuals need access to some websites
> such as msdn and so on, in order to do their job.
>
> So far they have been able to lock people down to a personal PC (they can
> only log in on their own PC) and remove or block the ability to move data
> out except over the ethernet connection (ie no DVD writer, blocked USB
> sockets, etc), and restrict the size of outgoing emails to limit what can be
> sent by attachment, but that still leaves a gap, and of course everyone
> needs some internet access to do their job.
>
> The first solution considered was to use the Windows 7 Firewall, set up
> appropriately on individual machines, but this doesn't allow web content
> filtering AFAIK, and anyway can all too easily be circumvented.

If your users have admin rights on their own machines, then any local
controls can be circumvented. Given they have physical access to their
machines, they can probably be assumed to have admin rights. :-(

> Can anyone suggest an open source solution that would allow the company to
> limit outward internet traffic on a person by person (or machine by machine)
> basis, such that *certain individuals* can access specific websites only,
> and cannot send stuff out by ftp?  I thought maybe IPCOP with the web
> content filtering addon, but that's as far as my knowledge goes and that
> doesn't appear to permit user-specific filtering. I've also
> considered hacking the local etc/HOSTS file to map restricted domains to
> 127.0.0.1, but even with a very long list of domains it's too open to
> unexpected holes and what we really need is a 'deny all allow the following'
> approach.

I suspect that if you want a custom policy for each user (or even host),
you're going to end up looking at commercial offerings like Websense,
MIMEsweeper etc, or building your own from raw components (rather than using
products like IPCop, which are only really intended for relatively
unsophisticated uses).

Disclosure: I used to work for a Websense and MIMEsweeper vendor. There are
other products in the same space available, but these are the ones I know
off the top of my head.

> Neil

HTH,
Alex
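
As an added illustration of the two points in the reply above (a netfilter-style string match on proprietary identifiers, and why an unpassworded zip slips past it), not code from the thread or from any of the products named: a toy scanner run over a constructed sample source file, in the clear and inside a DEFLATE-compressed zip. The identifier names and the sample file are invented for the example.

```python
"""Toy of the netfilter -m string idea from the thread: look for strings
that only occur in the employer's own code, then show the compression
caveat. Added example, not from the original post."""
import io
import zipfile

# Constructed: hypothetical identifiers assumed proprietary to the code base.
PROPRIETARY_STRINGS = [b"AcmeWidgetRenderer", b"ACME_LICENCE_SALT"]

# Constructed sample "source file" (repetitive on purpose so DEFLATE
# actually compresses it rather than emitting a stored block).
SAMPLE_SOURCE = (
    b"# Acme internal - do not distribute\n" * 4
    + b"class AcmeWidgetRenderer:\n"
    + b"    def render(self, widget):\n"
    + b"        return widget.render_with(ACME_LICENCE_SALT)\n"
    + b"    def render_all(self, widgets):\n"
    + b"        return [self.render(w) for w in widgets]\n"
    + b"# Acme internal - do not distribute\n" * 4
)


def scan_payload(payload: bytes, needles=PROPRIETARY_STRINGS) -> list:
    """Return the proprietary strings present in the payload, in order.
    netfilter uses Boyer-Moore or KMP for this; plain substring search here."""
    return [n.decode() for n in needles if n in payload]


def zip_in_memory(name: str, data: bytes) -> bytes:
    """Wrap data in a zip with DEFLATE and no password, as in the caveat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def compare():
    """Hits on the clear-text file versus hits on the zipped copy."""
    plain_hits = scan_payload(SAMPLE_SOURCE)
    zipped = zip_in_memory("renderer.py", SAMPLE_SOURCE)
    zipped_hits = scan_payload(zipped)
    # The zip is smaller than the source, so the bytes really were recoded.
    assert len(zipped) < len(SAMPLE_SOURCE)
    return plain_hits, zipped_hits


if __name__ == "__main__":
    plain, zipped = compare()
    print("clear-text hits:", plain)
    print("zipped hits:    ", zipped)
```

The second list is empty: the strings a network rule would key on never appear in the compressed stream, which is why such a rule is a tripwire for careless leakage rather than a control on its own.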
