Re: March 29, 2006 total eclipse - IT admin's WORST NIGHTMARE

From: Charles Newman (charlesnewman1_at_comcast.spamkiller.net)
Date: 10/14/05


Date: Thu, 13 Oct 2005 15:14:22 -0700


"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrndkteos.etb.ibuprofin@compton.phx.az.us...
> In the Usenet newsgroup comp.security.firewalls, in article
> <57udnRhxu6g5nNPenZ2dnUVZ_sydnZ2d@comcast.com>, Charles Newman wrote:
>
> >If you have 92,000 groups available on your news server, then you
> >need to be able to filter out what groups you don't want your
> >people looking at, and NewsProxy is the answer for that. You can
> >configure it where content from entire groups is dropped.
>
> Charles, tell me - you are using a toy browser to read the news from the
> Comcast news server. When you start your toy browser, does it show you
> all 80-100 thousand news groups available from the server every time

   Outlook Express is the number one news browser in the world, because
Windows runs around 90 percent of the computers in the world.

> you start it - or have you figured out how to make it only show you
> the ones you have subscribed to? I know these 'concept' things are hard
> to get your mind around - but honestly setting up a news server is quite
> similar - you make a list of those groups that you want to carry (and
> one presumes that are available from the peers), and how long you want
> articles within those individual groups to remain on your server.
>
> >All you need is a server on your network running Windows 95 or later,
> >and you can run NewsProxy.
>
> Oh, so you think that win95 can handle the spool. You keep forgetting
> that we don't have any windoze boxes here, and see no need for any. On
> our server, we're now using ATA-over-Ethernet to get the drives out of the
> server box. It's a 3U sized unit with only 2 TB of diskspace right now
> (capacity is 4 TB), but for some reason, there are no drivers for any
> microsoft O/S. Yet another example of microsoft being behind the times?
> The protocol allows 16 Petabyte disk farms - ask your sales monkey how
> big that is. We installed a couple of the small 20 TB drives for our
> document servers - they're kinda neat.
>
> >tells NewsProxy to drop every article coming in from the alt.sex
> >hierarchy.
>
> Why did you put the 'alt.sex.*' hierarchy on your server in the first
> place?

Because all the incoming news comes from Comcast's servers. NewsProxy
just intercepts and drops what I don't want on the network, coming in from
Comcast's Usenet servers. It's a Giganews service that comes with Comcast.
My proxy program simply filters out what I don't want on the network.
Comcast handles the Usenet traffic, and NewsProxy filters out what I don't
want on the network. Also, there could be items cross-posted between
alt.sex.*, or any group you don't want, and another group in your server.
With NewsProxy, it can scan for such x-posted articles and intercept them.

 My network gateway machine has:

NewsProxy - Network level killfile and content filter for Usenet.
SpamBam - Network level spam filter
WebWasher - HTTP filtering proxy server
AllegroSurf - DHCP server and Socks Proxy
Tiny Personal Firewall - network firewall security
Avast Anti-virus - An anti-virus software that runs at the network level and
                   scans all incoming traffic for viruses, trojans, etc,
                   in real time.

> Could it be because you don't know anything about how the servers work, and
> are making some rather wild guesses? 'inn-2.4.2' isn't that big - about 2
> megabyte, and more than half of that is documentation - you ought to look
> for it. In the mean time, a little clue for you - and this also pertains
> to firewall configurations. You don't set crap up to block things like
> 'alt.sex' or 200.0.0.0/6. You _ALLOW_ what you want, and by not allowing

You should really consider a Windows box, and putting CyBlock, SurfControl,
WebSense, Bess, or some other network-level Web filter. Just select the
categories you want to block, and you are done. The updated filtering lists
can be downloaded daily, if you wish. These programs only run on
Windows-based systems, however, but they are worth having a Windows box on
your network.

> what you don't want, the rest does not exist. Wow - what a concept.
>
> >They would see the group in their newsreader, but they would never see
> >any articles, because NewsProxy would be dropping them.
>
> But if the server doesn't carry the group - they won't see the group in
> their news reader. Why don't you sit down over a cup of coffee and think
> about _that_ concept. Didn't have to buy all that extra crap that the
> sales monkeys at CompUSA claim you couldn't live without - don't have to
> waste CPU cycles, power, space, air conditioning... Amazing. Think what
> you could do with the money you'd save.
>
> >If you really do have that many newsgroups,
>
> [compton ~]$ wc -l .newsrc
> 104963 .newsrc

That means you must have every group, including alt.sex, and other
pornographic newsgroups, if you have that many groups. Better get NewsProxy
on your network ASAP to start controlling what your users read. With that
many groups, you really may not be aware of what you have, and could be
setting yourselves up for some serious criminal and civil liability. With
NewsProxy, and this setup in the nfilter.dat file:

alt.sex.* drop from:*
soc.sexuality.* drop from:*
alt.binaries.* drop from:*
alt.mp3.* drop from:*
alt.music.mp3.* drop from:*
alt.2600.* drop from:*
alt.2600 drop from:*
alt.fan.tonya* drop from:*
alt.beer* drop from:*
alt.drinks.* drop from:*
alt.mmmmm.* drop from:*
alt.politics.radical.right drop from:*
alt.crackz.* drop from:*
alt.religion.* drop from:*
talk.religion.* drop from:*
alt.fan.britney* drop from:*
alt.fan.prince drop from:*
alt.music.prince* drop from:*
alt.music.eminem drop from:*
alt.rap.* drop from:*
alt.politics.* drop from:*
12hr.sex.* drop from:*
alt.cartoonsex* drop from:*
* drop from:*@nym.alias.net*
* drop from:*@blackhole.riot.eu.org*
* drop from:*@.xg.nu*
* drop from:*@dizum.com*
* drop from:*@mixmaster.it*

You would get rid of potential liability by using NewsProxy, and filtering
material using the options mentioned above.

>
> Just like cable/satellite TV - hundreds of channels, nothing interesting.
>
> >you should really take a lot at what is there
>
> I'm sure you were trying to say something intelligent there. Perhaps if
> you actually learned how the Internet works instead of believing all the
> advertising literature, you could save a bunch of money wasted on your
> toy server setups. Also remember, what works on your four computer one
> user setup isn't likely to work as well with a dozen users - never mind
> several thousand.

    Well, CyBlock and WebWasher are designed to work with a lot of
users. CyBlock advertises having some large companies, some with up
to 100 thousand users on their networks, using their product. WebWasher,
CyBlock, Bess, Sentian, and WebSense can all handle very large networks
like that. The government of Saudi Arabia is using Bess to filter out what
they don't want into their country, and that is probably around several
million users, so what you would call "toys" are used on very large levels
around the world.
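
The block-list versus allow-list disagreement in this thread, as an added example that is not part of either poster's message: a few rules in the shape of the nfilter.dat lines above are run against constructed article headers, next to a server that carries only an explicit list of groups. The shell-style wildcard semantics, the `CARRIED` set, the sample headers and all function names are assumptions for illustration, not NewsProxy's or INN's documented behaviour.

```python
from fnmatch import fnmatchcase

# Deny rules in the "<groups> drop from:<sender>" shape quoted in the post.
# Shell-style wildcard matching is an ASSUMPTION, not NewsProxy's documented behaviour.
DENY_RULES = """\
alt.sex.* drop from:*
alt.binaries.* drop from:*
alt.2600.* drop from:*
alt.2600 drop from:*
* drop from:*@dizum.com*
"""
# Constructed allow-list: the only groups this hypothetical server carries.
CARRIED = {"comp.security.firewalls", "comp.os.linux.security"}

def parse_rules(text):
    """Return (group_pattern, sender_pattern) pairs; skip malformed lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "drop" and parts[2].startswith("from:"):
            rules.append((parts[0], parts[2][len("from:"):]))
    return rules

def groups_of(article):
    return [g.strip() for g in article["Newsgroups"].split(",")]

def denylist_passes(article, rules):
    """Block-list model: drop if ANY cross-posted group and the sender match a rule."""
    return not any(
        fnmatchcase(article["From"], sender) and
        any(fnmatchcase(g, pat) for g in groups_of(article))
        for pat, sender in rules)

def allowlist_files_under(article, carried):
    """Allow-list model: file the article only under carried groups ([] = not stored)."""
    return [g for g in groups_of(article) if g in carried]

# Constructed sample headers.
ARTICLES = [
    {"From": "a@example.org", "Newsgroups": "comp.security.firewalls"},
    {"From": "b@example.org", "Newsgroups": "alt.sex.stories,comp.security.firewalls"},
    {"From": "c@example.org", "Newsgroups": "alt.sex"},                # no rule for the bare group
    {"From": "d@example.org", "Newsgroups": "alt.created.yesterday"},  # never enumerated
]

def compare(articles=ARTICLES):
    rules = parse_rules(DENY_RULES)
    return [(a["Newsgroups"], denylist_passes(a, rules), allowlist_files_under(a, CARRIED))
            for a in articles]
```

Under these assumptions the bare `alt.sex` group and the group nobody enumerated both pass the block-list, while the allow-list stores neither; the cross-posted article is dropped by the block-list and filed only under the carried group by the allow-list.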


