Re: And yet another one from the mind of Lohkee!
From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 01/18/03
- In reply to: Lohkee: "And yet another one from the mind of Lohkee!"
- Next in thread: Lohkee: "Re: And yet another one from the mind of Lohkee!"
- Reply: Lohkee: "Re: And yet another one from the mind of Lohkee!"
- Reply: DaveK: "Re: And yet another one from the mind of Lohkee!"
From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com> Date: Sat, 18 Jan 2003 17:01:32 -0500
That's an interesting idea, and it might be very effective for some...
though I would think it would take a LOT of work to set it up, whether
you're a large corporation, government entity or a home user. Plus it would
be very frustrating, because when you do say a www.google.com search to find
information that you need to do your job, you can bet the sites that come up
won't be pre-approved, and you might have to go through 10 or 20 before you
find the answer.
Web browsing is permitted at companies because it has become an essential
tool for many people's jobs. Removing that tool would be about as effective
as trying to remove everyone's email software, e.g. not very.
The fact that web sites on the internet are constantly changing and
appearing is one reason why the current negative databases don't work, but
it's also a reason why a positive database like you propose would often
require a fair bit of work to maintain.
One big benefit of paying for third party content filtering is that they've
already done the work of setting up the database. Of course, if customers
wanted the option of choosing a positive database, those third party
products could easily be rewritten to do this.
"Lohkee" <Lohkee@worldnet.att.net> wrote in message
news:nohW9.1662$zF6.138164@bgtnsc04-news.ops.worldnet.att.net...
> Here is another one of my ramblings for your amusement. I am, as always,
> very interested in (and appreciative of) feedback. The rules are the same
> as before, i.e., I will only respond to serious comment on the paper:
> questions/clarification regarding a particular point, technical
> inaccuracies, things that should be added, things that should be deleted,
> etc. (just don't have the time to indulge the trolls these days - sorry
> losers).
>
>
> Internet Content Blocking Software (DRAFT FOR COMMENT)
> Copyright (C) by Lohkee
> All Rights Reserved
>
>
> Just fifteen minutes of recreational surfing per day can cost a company
> with five hundred employees ($25.00/hour/employee) over $800,000 per year
> in lost productivity. Some organizations that allow employees to surf the
> net have learned the hard way that doing so greatly increases the risk of
> unfavorable litigation (hostile work environment, various types of
> discrimination, sexual harassment, etc.). Others have discovered how much
> bandwidth can be diverted from critical business needs by just a few
> employees downloading their favorite MP3 files. Some have even seen their
> networks crash as a result of an employee downloading hostile code and
> running it on their workstation. And the list goes on. Personal use of
> the Internet creates numerous very serious problems for an organization.
> One of the more popular solutions within the professional security
> community is the use of content filtering software.
>
> Content filtering software attempts to block access to inappropriate
> websites by matching the address of the website requested by a user
> against a database of websites that have been categorized by type of the
> content they offer. Some add a dynamic component that attempts to
> categorize requests "on the fly" in an effort to compensate for the
> dynamic nature of the Internet, i.e., the requested website has not yet
> been categorized and put into the database. Like many other so-called
> "state of the art" solutions offered by the professional security
> community that do not really solve a problem, this is another idea that
> sounds fairly reasonable (the absolutely ridiculous price of these
> products notwithstanding) until you start taking it apart.
>
> Content filtering software is generally based on a negative database
> model; if the web site requested by a user is not in the product's
> database of prohibited destinations the filtering software has no choice
> but to pass it through. Obviously then, the accuracy of the monitoring
> database is paramount to the quality of the product. There is nothing
> wrong with negative databases, per se, however they do not work at all
> well in dynamic environments, particularly in those that are as fluid as
> the Internet. It is virtually impossible to maintain any semblance of an
> accurate database when the data involved is subject to rapid and constant
> change. There are three reasons for this. The first involves the sheer
> volume of data and is self-explanatory. The second is that you have to
> first know about the existence of a web site before you can categorize
> it. The third is that, once categorized, a given web site must continue
> to exist and remain constant in terms of content to be relevant, i.e., a
> database of web sites that no longer exist is pretty much worthless.
>
> One of the more expensive products on the market claims to have
> categorized more than 900 million web pages. This sounds pretty
> impressive until you compare the size of the filter's monitoring database
> to the size of the Internet which has been estimated by researchers to
> contain over 550 billion pages with 7.5 million new ones being added each
> day (no one really knows how many web sites change their names or are
> taken down each day). Essentially, this product has categorized less
> than two tenths of one percent of the content freely available to anyone
> on the Internet and there is no guarantee that all of the web sites in
> their monitoring database even still exist. With 99.8% of Internet
> content still available to the employee it is a pretty safe bet that you
> have not solved, or even addressed in any meaningful way, any of the
> problems enumerated in the first paragraph. Not bad for a product that
> can easily cost the organization over $25,000! And this is a good deal?
>
> In addition to not working well in dynamic environments, negative models
> are more difficult to defend in terms of adverse actions for
> inappropriate conduct. The organization blocks access to inappropriate
> sites, therefore, if a given site is not blocked it is reasonable to
> conclude that access is permitted. Any other line of reasoning burdens
> the employee with the impossible task of being able to read management's
> mind at any given point in time with regard to a particular web site.
> This problem is further compounded by a rather interesting conundrum
> inherent to the use of a negative database; how can you hold someone
> accountable for attempting to access a prohibited web site when they have
> no way of knowing that it is prohibited until after the fact? The
> typical response to this question (albeit simple minded and
> technologically ignorant) is that the employee should know a given site
> is inappropriate by its very name. Unfortunately, in many cases the
> content of a website is not readily apparent by its URL (name), for
> example: www.whitehouse.com is a very well known porn site, whereas,
> www.whitehouse.gov is the home page for the United States government.
> Another closely related issue is that web sites often mix content, for
> example: The Register (www.theregister.co.uk) is an excellent source of
> industry related information that often also contains material many would
> consider to be inappropriate. Let us not forget that pornographers are
> famous for hijacking links to popular mainstream web sites. The user
> clicks on what he thinks is a "legitimate" website and then, without
> warning, twenty windows appear on his screen displaying porn!
> Unfortunately, the system's audit trail will show that the user attempted
> to access each of these sites. Perhaps the pertinent question is not
> whether you can make an adverse action stick, but how much it will have
> cost by the time your attorney advises you to settle out of court because
> you have inadvertently accused an innocent person. While we are on the
> subject of being sued, how much will it cost you to settle a
> discrimination suit if you allow employees to access Christian web pages
> but prohibit access to Wiccan web pages? Both are, after all, legitimate
> established religions in the United States.
>
> Connecting mission critical production systems to the Internet is a very
> bad idea. Allowing employees to surf the net at work is even worse. The
> risks are great with no tangible return on investment. That being said,
> the above issues can be easily addressed without spending a fortune, by
> simply reversing the paradigm and using a positive database. This
> approach works by allowing only those requests that have been
> pre-authorized and is therefore extremely effective in highly fluid
> environments such as the Internet. Best of all, it is essentially FREE!
> Most firewalls, and many operating systems, have the ability to block
> outbound traffic based on predefined rules. Non-business (work-related)
> sites, such as banks, etc., could be added to the "approved" list by
> request after they have been reviewed for content thus enabling employees
> to conduct personal business such as banking, filling prescriptions,
> etc., while at work. This process is not as labor intensive as it might
> first appear, even for very large organizations. Suppose, for example,
> that you want employees to have access to the daily news. You do not
> have to make a rule for every news site on the web. Simply make a rule
> for a few of the major networks such as ABC, NBC, CBS, CNN, etc. People
> will squawk and some will try to argue that they might be missing
> "critical" information when searching the net. As a general rule this is
> simply not true. One does not need access to every site dealing with a
> particular subject when access to one or two of the major subject matter
> sites will suffice. There will also be the few who need access to some
> obscure web site. No problem, have them submit the site's address to the
> administrator through their manager. The point here is not to deny
> access to information, rather to ensure that the information is
> appropriate and does not put the organization at risk. True, employees
> will no longer be able to "surf at will" but so what? Contrary to
> popular opinion, Internet access at work is a privilege, not a right.
> Protecting your business, on the other hand, is! One method of making
> the transition relatively painless is to analyze your audit trails and
> build a list of approved sites. Do not automatically add every site you
> find. Categorize them by content and then add only the major providers.
> When the rules go into effect many, particularly those who do not abuse
> the Internet, will never notice the difference. The initial setup will
> take about two weeks, however, that cost pales in comparison to spending
> several thousand dollars for products that will never work well (and take
> about a week to install). You will be surprised how small your database
> of approved sites is. Even in very large organizations it is unlikely to
> exceed fifteen hundred items and can easily be less than one hundred.
>
>
> Comparing the two methods side by side is a real eye-opener:
>
> Negative: Very expensive.
> Positive: Essentially FREE
>
> Negative: Mandatory long term relationship with the vendor.
> Positive: No external relationship required.
>
> Negative: Frequent updates to very large database.
> Positive: Infrequent updates to a very small database.
>
> Negative: Low coverage, inherently inaccurate.
> Positive: Complete coverage, extremely accurate.
>
> Negative: Does not save bandwidth.
> Positive: Does save bandwidth.
>
> Negative: Inherently discriminatory.
> Positive: Not discriminatory.
>
> Negative: Not effective in reducing lost productivity.
> Positive: Enhances productivity.
>
> Negative: Creates enforcement problems.
> Positive: Eliminates enforcement problems.
>
> Negative: Threat is not appreciably reduced.
> Positive: Threat is greatly reduced.
>
> Negative: Method inconsistent with principle of "least privilege".
> Positive: Method consistent with principle of "least privilege".
>
> Negative: Often requires additional hardware.
> Positive: Does not require additional hardware.
>
> Negative: Does not promote security.
> Positive: Promotes security.
>
> You can pay thousands of dollars for a so-called "solution" that does not
> really solve a problem, or you can save your money and implement one that
> does. The choice is yours.
>
> Lohkee!
>
>
>
--- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003
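
The transition step in the quoted draft (mine the audit trail for candidate sites, review them, then permit only approved hosts) can be sketched as follows. This is an added example, not code from either poster; the "<user> <url>" log format, the host names and the function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed audit-trail lines in an assumed "<user> <url>" format.
SAMPLE_LOG = """\
alice http://www.cnn.com/world/
bob http://www.cnn.com/
carol http://news.cnn.com/tech
alice http://www.example-bank.test/login
bob http://mp3-trader.test/download?id=7
alice http://www.cnn.com/weather
dave http://www.example-bank.test/
"""


def host_of(url):
    """Return the lower-cased host (no port, userinfo or trailing dot), or None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def candidates(log_text, min_users=2):
    """Hosts requested by at least min_users distinct users.

    The result is a shortlist for human review, not an automatic allowlist.
    """
    users = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than guess
        host = host_of(parts[1])
        if host:
            users[host].add(parts[0])
    return sorted(h for h, seen in users.items() if len(seen) >= min_users)


def is_allowed(url, approved):
    """Default deny: pass only an approved host or one of its subdomains."""
    host = host_of(url)
    if host is None:
        return False
    return any(host == a or host.endswith("." + a) for a in approved)


if __name__ == "__main__":
    print(candidates(SAMPLE_LOG))
    print(is_allowed("http://cnn.com.evil.test/", {"cnn.com"}))
```

Matching on the parsed host with a leading-dot suffix test is what keeps look-alike names such as `cnn.com.evil.test` or `notcnn.com` from passing an entry for `cnn.com`.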