Re: And yet another one from the mind of Lohkee!

From: Lohkee (Lohkee@worldnet.att.net)
Date: 01/21/03


From: "Lohkee" <Lohkee@worldnet.att.net>
Date: Tue, 21 Jan 2003 00:11:06 GMT


"Martin Ireland" <martin.ireland@gov.ab.ca> wrote in message
news:3E2C87BF.6040306@gov.ab.ca...
>
>
> Lohkee wrote:
> > Here is another one of my ramblings for your amusement. I am, as always,
> > very interested in (and appreciative of) feedback. The rules are the same
> > as before, i.e., I will only respond to serious comment on the paper:
> > questions/clarification regarding a particular point, technical
> > inaccuracies, things that should be added, things that should be deleted,
> > etc. (just don't have the time to indulge the trolls these days - sorry
> > losers).
> >
> >
> > Internet Content Blocking Software (DRAFT FOR COMMENT)
> > Copyright (C) by Lohkee
> > All Rights Reserved
> >
> >
> > Just fifteen minutes of recreational surfing per day can cost a company
> > with five hundred employees ($25.00/hour/employee) over $800,000 per year
> > in lost productivity. Some organizations that allow employees to surf the
> > net have learned the hard way that doing so greatly increases the risk of
> > unfavorable litigation (hostile work environment, various types of
> > discrimination, sexual harassment, etc.). Others have discovered how much
> > bandwidth can be diverted from critical business needs by just a few
> > employees downloading their favorite MP3 files. Some have even seen their
> > networks crash as a result of an employee downloading hostile code and
> > running it on their workstation. And the list goes on. Personal use of
> > the Internet creates numerous very serious problems for an organization.
> > One of the more popular solutions within the professional security
> > community is the use of content filtering software.
> >
> > Content filtering software attempts to block access to inappropriate
> > websites by matching the address of the website requested by a user
> > against a database of websites that have been categorized by type of the
> > content they offer. Some add a dynamic component that attempts to
> > categorize requests "on the fly" in an effort to compensate for the
> > dynamic nature of the Internet, i.e., the requested website has not yet
> > been categorized and put into the database. Like many other so-called
> > "state of the art" solutions offered by the professional security
> > community that do not really solve a problem, this is another idea that
> > sounds fairly reasonable (the absolutely ridiculous price of these
> > products notwithstanding) until you start taking it apart.
> >
> > Content filtering software is generally based on a negative database
> > model; if the web site requested by a user is not in the product's
> > database of prohibited destinations the filtering software has no choice
> > but to pass it through. Obviously then, the accuracy of the monitoring
> > database is paramount to the quality of the product. There is nothing
> > wrong with negative databases, per se, however they do not work at all
> > well in dynamic environments, particularly in those that are as fluid as
> > the Internet. It is virtually impossible to maintain any semblance of an
> > accurate database when the data involved is subject to rapid and constant
> > change. There are three reasons for this. The first involves the sheer
> > volume of data and is self-explanatory. The second is that you have to
> > first know about the existence of a web site before you can categorize
> > it. The third is that, once categorized, a given web site must continue
> > to exist and remain constant in terms of content to be relevant, i.e., a
> > database of web sites that no longer exist is pretty much worthless.
> >
> > One of the more expensive products on the market claims to have
> > categorized more than 900 million web pages. This sounds pretty
> > impressive until you compare the size of the filter's monitoring database
> > to the size of the Internet which has been estimated by researchers to
> > contain over 550 billion pages with 7.5 million new ones being added each
> > day (no one really knows how many web sites change their names or are
> > taken down each day).
>
> Most *negative* databases only provide domain name filtering (ie IP
> address approval) and as such do not need to categorise 550 billion
> individual pages. A brief visit to the home page will determine the
> class of website, in most cases.
>

At least one product categorizes **each** page. Google "surfcontrol". I
agree that this is, for the most part, unnecessary. Regardless, we are
still stuck with the fact that negative databases just do not work in highly
fluid environments.

>
> > Essentially, this product has categorized less than two tenths of one
> > percent of the content freely available to anyone on the Internet and
> > there is no guarantee that all of the web sites in their monitoring
> > database even still exist. With 99.8% of Internet content still available
> > to the employee it is a pretty safe bet that you have not solved, or even
> > addressed in any meaningful way, any of the problems enumerated in the
> > first paragraph. Not bad for a product that can easily cost the
> > organization over $25,000! And this is a good deal?
>
> I think your costing is very low if you consider large corporations, and
> vendor licensing by seat ($5-$10 per seat per year typical)
>

I agree completely. I was trying to give these products every possible
advantage to "make" a case for their existence.

> >
> > In addition to not working well in dynamic environments, negative models
> > are more difficult to defend in terms of adverse actions for inappropriate
> > conduct. The organization blocks access to inappropriate sites, therefore,
> > if a given site is not blocked it is reasonable to conclude that access is
> > permitted. Any other line of reasoning burdens the employee with the
> > impossible task of being able to read management's mind at any given point
> > in time with regard to a particular web site. This problem is further
> > compounded by a rather interesting conundrum inherent to the use of a
> > negative database; how can you hold someone accountable for attempting to
> > access a prohibited web site when they have no way of knowing that it is
> > prohibited until after the fact? The typical response to this question
> > (albeit simple minded and technologically ignorant) is that the employee
> > should know a given site is inappropriate by its very name. Unfortunately,
> > in many cases the content of a website is not readily apparent by its URL
> > (name), for example: www.whitehouse.com is a very well known porn site,
> > whereas, www.whitehouse.gov is the home page for the United States
> > government. Another closely related issue is that web sites often mix
> > content, for example: The Register (www.theregister.co.uk) is an excellent
> > source of industry related information that often also contains material
> > many would consider to be inappropriate. Let us not forget that
> > pornographers are famous for hijacking links to popular mainstream web
> > sites. The user clicks on what he thinks is a "legitimate" website and
> > then, without warning, twenty windows appear on his screen displaying porn!
> > Unfortunately, the system's audit trail will show that the user attempted
> > to access each of these sites. Perhaps the pertinent question is not
> > whether you can make an adverse action stick, but how much it will have
> > cost by the time your attorney advises you to settle out of court because
> > you have inadvertently accused an innocent person. While we are on the
> > subject of being sued, how much will it cost you to settle a
> > discrimination suit if you allow employees to access Christian web pages
> > but prohibit access to Wiccan web pages? Both are, after all, legitimate
> > established religions in the United States.
> >
> > Connecting mission critical production systems to the Internet is a very
> > bad idea. Allowing employees to surf the net at work is even worse. The
> > risks are great with no tangible return on investment. That being said,
> > the above issues can be easily addressed without spending a fortune, by
> > simply reversing the paradigm and using a positive database. This
> > approach works by allowing only those requests that have been
> > pre-authorized and is therefore extremely effective in highly fluid
> > environments such as the Internet. Best of all, it is essentially FREE!
>
> I agree with this approach, but it becomes difficult to administer when
> different divisions within a corporation have differing business needs
> for accessing the 'Net. Maybe also there are differing personal usage
> policies within the business.
> So a centralised Web Proxy, or firewall set of rules, will be complex
> for the organisation to administer. Whereas the organisation can *buy* a
> solution using negative databases.
>

If a site has a legitimate business purpose it can be added to the list. I
have found that when a specific site requires management approval the **dire
need** tends to evaporate rather quickly. Even at that, maintaining a
database of a few hundred rules is a lot cheaper than paying tens of
thousands for a product that doesn't solve the problem. If the product is not
going to solve your problem why mess with it in the first place? Why not
just keep your money and call it a day?

>
> > operating systems, have the ability to block outbound traffic based on
> > predefined rules. Non-business (work-related) sites, such as banks, etc.,
> > could be added to the "approved" list by request after they have been
> > reviewed for content thus enabling employees to conduct personal business
> > such as banking, filling prescriptions, etc., while at work. This process
> > is not as labor intensive as it might first appear, even for very large
> > organizations. Suppose, for example, that you want employees to have
> > access to the daily news. You do not have to make a rule for every news
> > site on the web. Simply make a rule for a few of the major networks such
> > as ABC, NBC, CBS, CNN, etc. People will squawk and some will try to argue
> > that they might be missing "critical" information when searching the net.
> > As a general rule this is simply not true. One does not need access to
> > every site dealing with a particular subject when access to one or two of
> > the major subject matter sites will suffice. There will also be the few
> > who need access to some obscure web site. No problem, have them submit the
> > site's address to the administrator through their manager. The point here
> > is not to deny access to information, rather to ensure that the
> > information is appropriate and does not put the organization at risk.
> > True, employees will no longer be able to "surf at will" but so what?
> > Contrary to popular opinion, Internet access at work is a privilege, not a
> > right. Protecting your business, on the other hand, is! One method of
> > making the transition relatively painless is to analyze your audit trails
> > and build a list of approved sites. Do not automatically add every site
> > you find. Categorize them by content and then add only the major
> > providers. When the rules go into effect many, particularly those who do
> > not abuse the Internet, will never notice the difference. The initial
> > setup will take about two weeks, however, that cost pales in comparison to
> > spending several thousand dollars for products that will never work well
> > (and take about a week to install). You will be surprised how small your
> > database of approved sites is. Even in very large organizations it is
> > unlikely to exceed fifteen hundred items and can easily be less than one
> > hundred.
> >
> >
> > Comparing the two methods side by side is a real eye-opener:
> >
> > Negative: Very expensive.
> > Positive: Essentially FREE
> >
> > Negative: Mandatory long term relationship with the vendor.
> > Positive: No external relationship required.
> >
> > Negative: Frequent updates to very large database.
> > Positive: Infrequent updates to a very small database.
> >
> > Negative: Low coverage, inherently inaccurate.
> > Positive: Complete coverage, extremely accurate.
> >
> > Negative: Does not save bandwidth.
> > Positive: Does save bandwidth.
> >
> > Negative: Inherently discriminatory.
> > Positive: Not discriminatory.
> >
> > Negative: Not effective in reducing lost productivity.
> > Positive: Enhances productivity.
> >
> > Negative: Creates enforcement problems.
> > Positive: Eliminates enforcement problems.
> >
> > Negative: Threat is not appreciably reduced.
> > Positive: Threat is greatly reduced.
> >
> > Negative: Method inconsistent with principle of "least privilege".
> > Positive: Method consistent with principle of "least privilege".
> >
> > Negative: Often requires additional hardware.
> > Positive: Does not require additional hardware.
> >
> > Negative: Does not promote security.
> > Positive: Promotes security.
> >
> > You can pay thousands of dollars for a so-called "solution" that does
not
> > really solve a problem, or you can save your money and implement one
that
> > does. The choice is yours.
> >
> > Lohkee!
> >
> >
> >
>
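The quoted paper contrasts a negative (blocklist) database, which passes any
destination it has never categorized, with a positive (allowlist) database,
which permits only pre-authorized destinations and is seeded by mining the
proxy audit trail for candidate sites. The following is an added example
that is not part of the original thread or any product discussed in it: it
models both decision rules over the same constructed set of requests and
builds the review queue the paper describes. The approved and prohibited
lists, the log format ("client method url status") and every hostname in
the sample log are constructed for illustration; matching is done on whole
DNS labels so that a parent-domain entry covers its subdomains without an
unrelated name such as "evil-cnn.com" sneaking past a suffix check.

```python
"""Positive (allowlist) vs negative (blocklist) outbound web filtering.

Added example for the thread above; not the original author's code.
All list entries, hostnames and log lines are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed positive database: a small set of pre-authorized sites. An entry
# matches the exact host or any subdomain of it (cnn.com covers www.cnn.com).
APPROVED = {"cnn.com", "abcnews.go.com", "whitehouse.gov", "theregister.co.uk"}

# Constructed negative database, deliberately tiny: a blocklist only knows
# about the sites somebody has already categorized.
PROHIBITED = {"whitehouse.com"}


def host_of(url: str) -> str:
    """Normalize a request URL to its lowercase hostname (no port, no dot)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def matches(host: str, db: set) -> bool:
    """True if host, or any parent domain of it, is an entry in db.

    Comparison is label-wise: "www.cnn.com" -> tries "www.cnn.com", "cnn.com",
    "com". A plain string suffix test would wrongly accept "evil-cnn.com".
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in db for i in range(len(labels)))


def negative_decision(url: str) -> str:
    """Blocklist model: anything not in PROHIBITED fails open (allowed)."""
    return "deny" if matches(host_of(url), PROHIBITED) else "allow"


def positive_decision(url: str) -> str:
    """Allowlist model: anything not in APPROVED fails closed (denied)."""
    return "allow" if matches(host_of(url), APPROVED) else "deny"


# Constructed proxy audit trail: one request per line, "client method url status".
SAMPLE_LOG = """\
10.0.0.12 GET http://www.cnn.com/ 200
10.0.0.12 GET http://www.cnn.com/world/ 200
10.0.0.31 GET http://www.whitehouse.gov/ 200
10.0.0.31 GET http://www.whitehouse.com/ 200
10.0.0.44 GET http://mp3.example-share.net/top40.mp3 200
10.0.0.44 GET http://mp3.example-share.net/more.mp3 200
10.0.0.44 GET http://mp3.example-share.net/another.mp3 200
10.0.0.57 GET http://www.theregister.co.uk/ 200
10.0.0.57 GET http://obscure-vendor-docs.example.org/manual.pdf 200
"""


def urls_in(log_text: str):
    """Yield the URL field of each non-empty log line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield fields[2]


def compare_models(log_text: str) -> dict:
    """Count how each model decides the logged requests.

    The gap between negative_allow and positive_allow is the traffic a
    blocklist waves through simply because it has never seen the site.
    """
    counts = {"negative_allow": 0, "negative_deny": 0,
              "positive_allow": 0, "positive_deny": 0}
    for url in urls_in(log_text):
        counts["negative_" + negative_decision(url)] += 1
        counts["positive_" + positive_decision(url)] += 1
    return counts


def candidate_sites(log_text: str, min_hits: int = 2) -> list:
    """Rank hosts seen in the audit trail as candidates for manual review.

    This is the review queue, not the approved list: a human still
    categorizes each host and adds only the major providers.
    """
    hits = Counter(host_of(u) for u in urls_in(log_text))
    return [(h, n) for h, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    for url in urls_in(SAMPLE_LOG):
        print(f"{url:55} negative={negative_decision(url):5} "
              f"positive={positive_decision(url)}")
    print(compare_models(SAMPLE_LOG))
    print(candidate_sites(SAMPLE_LOG))
```

Run as a script it prints, per request, what each model would do, then the
totals and the review queue. The MP3 mirror and the uncategorized vendor
site are allowed by the blocklist because nobody has listed them, while the
allowlist denies them until a manager requests and an administrator reviews
them, which is the behaviour the paper argues for. The review queue ranks
the MP3 host first precisely because it generates the most traffic; what to
do with it is a content decision, not something the script makes.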


