In a complex organization (complex not meaning size or number of
departments, but in the way people need to work) one might consider
third-party applications such as Websense.

A couple of comments below:

--
TANSTAAFL
"there ain't no such thing as a free lunch"


"Roberts, Larry" wrote in message news:[EMAIL PROTECTED]...
> Try my approach..
>
> Tell people no and put it in your security policy. They violate the policy
> they get fired..

CL: that assumes that 1) the policy will be acceptable to management, 2) the
policy will be enforced by management, and 3) you have the luxury of being
able to fire people for whatever reason you deem fit, trivial or otherwise.
Even in today's bad economy, companies may not have this luxury.

>
> Oh wait a minute, I think that goes along with cut-off desktop internet
> access I guess.

CL: like it or not, internet access at the desktop has become one of those
intangible fringe benefits, right up there with using the photocopier for
personal business, using the telephone for personal business, using the fax
machine for personal business. When was the last time someone got fired for
making personal phone calls at work? Or photocopying their tax returns at
work?

>
> It is a VERY effective deterrent though don't you think ....

CL: sure - IF management enforces it, or even agrees to it

>
> Or I guess you could also just route your home subnet (not just your single
> home IP) to Null0.
> I have found that effective at blocking sites when I don't have the ability
> to walk around and see what people are doing...
>
> Trust me, for every way you can find out, I can find a way to block it. We
> may play cat and mouse for a while, but I never tire of it...


CL: works really well until the person you block is some Senior Vice
President, or one of the top sales people (read: revenue producers) in
the company, and makes the claim that the service is absolutely necessary
for success on the job. That's why this stuff has to work at a policy level,
and cannot and should not be considered a matter for firewall administrators
to deal with.

CL: You gots to know your organization.


>
>
> Thanks
>
> Larry
>
>
> -----Original Message-----
> From: mike greenberg [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 30, 2002 2:18 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ICQ and blocking the thing-PIX [7:52285]
>
>
> If port 80 is open for outbound, I can change the ssh port on my linux
> firewall to listen on port 80 as well.... As I've said before, the only way
> to stop me from IM is to cut off Internet access to my desktop completely.
> Isn't Unix a wonderful thing?
>
> Creighton Bill-BCREIGH1 wrote:
> >There is no way for you to stop me because unless you cut off Internet
> >access on my desktop completely.
>
> Or until SSH port 22 is closed on the firewall
>
> Bill Creighton CCNP
> Senior System Engineer
> Motorola
> iDEN CNRC Packet Data
>
>
> -----Original Message-----
> From: mike greenberg [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 29, 2002 7:50 PM
> To: [EMAIL PROTECTED]
> Subject: Re: ICQ and blocking the thing-PIX [7:52285]
>
> Here is how I get around ICQ, AOL, MSN and Yahoo IM blocking:
> From work, I Secure Shell (SSH) back to my Linux Firewall. On my work
> desktop, I am running X-server (X-Win32 or Xceed) and just tunnel the SSH
> encryption from my Linux firewall back to the corporate desktop. I can fire
> up any X application to my heart's desire (Netscape, AIM, Yahoo) that is
> supported on the Linux platform. I can pretty much do whatever I want
> without being spied on by anyone at work because the SSH tunnel is
> encrypted. I can go online shopping, chat with my friends without having to
> worry about having my conversation being recorded. There is no way for you
> to stop me because unless you cut off Internet access on my desktop
> completely.
>
> "Mears, Rob" wrote:
>
> Hi Cisco gods,
>
> I have successfully blocked all chat services at the PIX firewall, I think.
> As I walk around and find people using MSN or Messenger I find that public
> proxy they are using and kill it too. BUT, I am having a hell of a time with
> ICQ. I do have all the ports UDP and TCP blocked so it does not work UNLESS
> they use port 80. This is where I am stuck, I can't block port 80 as you
> know so how do I kill this monster? Has anyone had luck with this and has
> anyone found a way to stop the public proxy usage? I really feel as if I am
> fighting a losing battle, 'cause for every block I am countered with a way
> around it.
>
> My inside ACL in the pix is quite impressive and all just for blocking this
> crap, if anyone would like it for theirs I will provide as it is proven and
> works, with exception to ICQ.
>
>
> HELP WANTED
>
> Thanks
> Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+ Technical
> Mercenary
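
Added example, not part of the original thread: the SSH-on-port-80 case discussed above defeats a port-based ACL, but it is visible to a defender who checks what the first client bytes of a session actually are instead of trusting the port number. The session records, addresses and field names below are constructed for illustration.

```python
import re

# HTTP/1.x request line: METHOD SP target SP HTTP/1.x
HTTP_REQUEST = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n")
# SSH identification string (RFC 4253, section 4.2): SSH-protoversion-softwareversion
SSH_IDENT = re.compile(rb"^SSH-(1\.\d+|2\.0)-[\x21-\x7e]+")


def classify(first_bytes: bytes) -> str:
    """Label the first client payload of a TCP session by its content."""
    if HTTP_REQUEST.match(first_bytes):
        return "http"
    if SSH_IDENT.match(first_bytes):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 3
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"


# Protocol a permitted outbound port is supposed to carry (assumed policy).
EXPECTED = {80: {"http"}, 443: {"tls"}, 22: {"ssh"}}


def mismatches(sessions):
    """Return (src, dst, port, seen) for sessions whose payload does not fit the port."""
    flagged = []
    for s in sessions:
        seen = classify(s["first_bytes"])
        allowed = EXPECTED.get(s["dst_port"])
        if allowed is not None and seen not in allowed:
            flagged.append((s["src"], s["dst"], s["dst_port"], seen))
    return flagged


# Constructed sample sessions (documentation address ranges).
SESSIONS = [
    {"src": "10.0.0.21", "dst": "192.0.2.10", "dst_port": 80,
     "first_bytes": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.37", "dst": "198.51.100.7", "dst_port": 80,
     "first_bytes": b"SSH-2.0-OpenSSH_3.4p1\r\n"},
    {"src": "10.0.0.21", "dst": "192.0.2.10", "dst_port": 443,
     "first_bytes": b"\x16\x03\x01\x00\x2e\x01"},
    {"src": "10.0.0.44", "dst": "203.0.113.5", "dst_port": 80,
     "first_bytes": b"\x00\x01\x02binary"},
]

if __name__ == "__main__":
    for hit in mismatches(SESSIONS):
        print("port/protocol mismatch:", hit)
```

A check like this only catches traffic that is not dressed up as the expected protocol, which is consistent with the thread's point that the question ultimately has to be settled at the policy level.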




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52401&t=52285
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
