[sclug] Personalised web content filtering

Jeremy Hooks jeremyhooks at googlemail.com
Wed Jul 6 14:25:01 UTC 2011


I'm new to this mailing list, although I've been subscribed for a couple of
years and occasionally lurking. I thought I would chime in with my tuppence.

With regard to IPCop, I have some experience (albeit rusty).  It is worth
looking into the add-ons available for it.  It's been a while, but I seem to
recall that there is one add-on, "Block Out-going Traffic" (IIRC), which might
be useful in addition to (say) whitelisting allowed sites.  With just web
filtering, obviously everything else is left open.  Block out-going traffic
will let you block everything else (probably using IPTables).  I seem to recall
that you are right about IPCop not being able to do user-based access control.
However, it may be able to control access based on IP address - and if you
use BOOTP that will also be machine address too (there is a DHCP server in
IPCop, though it may be an add-on).  Another option might be to set up VLANs (if
your network allows) and force untrusted users' PCs to go via IPCop and allow
full access for the others.

Another option (though expensive) might be to give the employees two machines.
One with full access and another with access only to the source code and the
secured internal network.  I imagine this would also require two separate
networks (or virtual networks).

One of the legitimate uses you mentioned was MSDN access, presumably so that
they will be able to download resources to install on the development machine.  You
could run (say) an FTP server which bridges the secure and insecure networks to
allow developers to download files to the insecure machine, upload to the FTP
server, then download to their development machine (perhaps after the file has
been authorised).  Admittedly it is rather convoluted, but it is one option
which you may not have considered.

Obviously you can never be 100% secure and as you mentioned, this is largely
an HR issue (in that you shouldn't be employing people you don't trust).  That
said, you wouldn't give everyone full access to the personnel or finance data,
nor the company's bank account and it is only sensible that when you give
access, you do all you can to prevent abuse.
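
The default-deny outbound policy with per-address exceptions that the message describes, sketched as an added example; it is not part of the original post and not the rules IPCop or its add-on actually generate. The interface names, proxy port and addresses are assumptions, and it presumes trusted machines keep fixed addresses (for example through static DHCP/BOOTP leases). The script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print (dry run) iptables commands for default-deny egress.
# Interface names, port and addresses are constructed placeholders.
LAN_IF="eth0"       # assumed internal interface
WAN_IF="eth1"       # assumed external interface
PROXY_PORT="8080"   # assumed port of the filtering web proxy on the firewall

# Succeeds only for a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: egress_rules TRUSTED_IP...
egress_rules() {
    # Nothing is forwarded to the outside unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Every LAN host may reach the filtering proxy on the firewall itself.
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT"
    # Trusted machines (fixed addresses) get full outbound access.
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $ip -j ACCEPT"
    done
    # Log what is about to hit the DROP policy, for review.
    echo "iptables -A FORWARD -i $LAN_IF -j LOG --log-prefix 'egress-denied: '"
}

# Constructed sample: two trusted workstations.
egress_rules 192.168.1.10 192.168.1.11
```

Machines not listed can still reach the web proxy, where the whitelist applies, but every other outbound connection falls through to the DROP policy and is logged.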


