I recommend a two-part approach.
First off, there's a security problem you need to address.
Force everyone through an http proxy --- e.g. http-gw from fwtk
--- that can do content filtering on the http stream. Configure it
to disable Active-X, Java, and Javascript. If people claim that
there are sites they have to get to that can only be accessed using
those botches, insist on finding out what they are. If you can't
find any way to navigate them without the active content, then
try mirroring the site into an in-house replica; I've done that
successfully on some sites. If that fails, then make a (short)
whitelist of exceptions, including only those that really aren't
otherwise navigable and that really are necessary for business.
Since this will only be sites created by total morons, there won't
be many of them that really are business critical.

Next, for the user behavior problem of visiting places they
shouldn't, write a little script to do daily digesting of the web
logs, and make them all visible by a CGI accessible to anybody in
the company. Make it easy to see every site that a given employee
has visited, to do a keyword search on the list of all sites anybody
visited and pull up a list of matches, each of which takes you to a
list of everybody who visited that site, etc. Advertise this widely.
If someone accidentally chases a link embedded in a porno spam
and hits a porno site once, that's no problem. But if people are
racking up the hits, they need to be talked to, fired if they don't
straighten out.

Any protocol people can use to get at arbitrary resources needs
whatever level of logging or filtering proxy is necessary to enforce
whatever security policy you want to try and implement.

But I wouldn't try and get in the business of enumerating all legal
sites, or of enumerating all illegal ones.

One other issue is filtering on content-type and matches for goo in
the bodies of MIME components; this is a valuable tool to have in
the kit for both http and smtp. You can make it ever so slightly
harder to download executables, you can attempt to stop worms once
you've identified them, you can try to add rules to block exploits
for browser bugs, etc. I've not yet looked into this bit; anybody
have any good open source recommendations for such screening?

-Bennett
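The daily web-log digest sketched in the post, written out as an added example (not Bennett's script, nor any proxy's own tooling). It assumes a constructed, one-request-per-line log format, `<timestamp> <user> <method> <url> <status>`, which is not what http-gw or any particular proxy actually writes; only parse_line() would need adapting for a real log. It builds the two views the post asks for (every site a given employee visited, and a keyword search over all sites that maps each match back to its visitors) and separates a single accidental hit from repeated visits.

```python
"""Daily web-log digest, as sketched in the post above.

Added example, not Bennett's script or any proxy's own tool. It assumes a
constructed, simplified log format, one request per line:
    <timestamp> <user> <method> <url> <status>
Real proxies (http-gw, squid, ...) log differently; only parse_line() needs
changing to suit one of them.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (not real traffic); one bad line is included on purpose.
SAMPLE_LOG = """\
2000-03-01T09:12:01 alice GET http://www.example.com/index.html 200
2000-03-01T09:12:05 alice GET http://www.example.com/images/logo.gif 200
2000-03-01T09:15:44 bob GET http://news.example.org/today 200
2000-03-01T10:02:10 carol GET http://casino.example.net/play?bonus=1 200
2000-03-01T10:02:12 bob GET http://casino.example.net/lobby 200
2000-03-01T11:30:00 bob GET http://CASINO.example.net/lobby 200
this line is garbage and must be skipped, not crash the digest
2000-03-01T12:00:00 alice GET http://intranet.example.com:8080/wiki 200
"""


def parse_line(line):
    """Return (user, site) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, user, _method, url, _status = parts
    host = urlsplit(url).hostname          # drops scheme, port, path and query
    if not host:
        return None
    return user, host.lower()              # one spelling per site


def digest(log_text):
    """Build the two indexes the post wants: per-user sites and per-site users.

    Returns (sites_by_user, users_by_site); each maps name -> {name: hit count}.
    """
    sites_by_user = defaultdict(lambda: defaultdict(int))
    users_by_site = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # malformed lines are dropped
        user, site = rec
        sites_by_user[user][site] += 1
        users_by_site[site][user] += 1
    return sites_by_user, users_by_site


def sites_for_user(sites_by_user, user):
    """Every site one employee visited, heaviest first (the per-employee page)."""
    return sorted(sites_by_user.get(user, {}).items(),
                  key=lambda kv: (-kv[1], kv[0]))


def search_sites(users_by_site, keyword):
    """Keyword search over all sites anybody visited; each match lists its visitors."""
    keyword = keyword.lower()
    return {site: dict(users)
            for site, users in users_by_site.items() if keyword in site}


def repeat_visitors(users_by_site, site, threshold):
    """Users whose hits on a site reach the threshold: one accidental hit is
    ignored, racking them up is what the post says gets someone talked to."""
    return sorted(u for u, n in users_by_site.get(site, {}).items()
                  if n >= threshold)


def render_report(sites_by_user):
    """Plain-text report of every user's sites, the kind of thing a CGI would serve."""
    lines = []
    for user in sorted(sites_by_user):
        lines.append(f"{user}:")
        for site, hits in sites_for_user(sites_by_user, user):
            lines.append(f"  {hits:4d}  {site}")
    return "\n".join(lines)


if __name__ == "__main__":
    by_user, by_site = digest(SAMPLE_LOG)
    print(render_report(by_user))
    print("casino matches:", search_sites(by_site, "casino"))
    print("repeat visitors:", repeat_visitors(by_site, "casino.example.net", 2))
```

A cron job feeding yesterday's log into digest() and a CGI that calls sites_for_user() and search_sites() on the stored result is all the "advertise it widely" part needs; the threshold in repeat_visitors() is the policy knob.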
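And the content-type and body screening the last paragraph asks about, as an added example that is not code from the post, from http-gw or from fwtk. It models the proxy's decision on one HTTP response: block executables by declared Content-Type or, since the server controls that header, by the body's leading bytes, and strip active content (script/applet/object/embed tags and inline on*= handlers) from HTML so that Java, JavaScript and ActiveX never reach the browser. The blocked-type list, the magic-byte list and the regex-based tag stripping are assumptions made for the demonstration; a production filter would use a real HTML parser.

```python
"""Content-type and body filtering for HTTP responses, as discussed above.

Added example, not http-gw's or Bennett's code. The type list, magic bytes and
regex tag stripping are assumptions for the demonstration.
"""
import re

# Declared types treated as executables (constructed list, not exhaustive).
BLOCKED_TYPES = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/octet-stream", "application/java-archive",
    "application/x-java-applet", "application/x-shockwave-flash",
}
# Leading bytes of executable formats: PE ("MZ"), ELF, Java class file.
# Checked regardless of what the server claims in Content-Type.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xca\xfe\xba\xbe")

# Paired <script>...</script> (also applet/object/embed), or a lone/self-closing tag.
ACTIVE_TAG_RE = re.compile(
    r"<(script|applet|object|embed)\b.*?</\1\s*>"
    r"|<(?:script|applet|object|embed)\b[^>]*>",
    re.IGNORECASE | re.DOTALL)
# Inline event handlers such as onload="..." / onclick='...' / onmouseover=foo()
ON_ATTR_RE = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""",
                        re.IGNORECASE)


def declared_type(headers):
    """Media type from Content-Type, parameters removed, lower-cased."""
    ct = headers.get("content-type", "")
    return ct.split(";", 1)[0].strip().lower()


def looks_executable(body):
    """True if the body starts with a known executable signature."""
    return body.startswith(EXEC_MAGIC)


def strip_active_content(html):
    """Remove active-content tags and inline event handlers from HTML text."""
    html = ACTIVE_TAG_RE.sub("", html)
    return ON_ATTR_RE.sub("", html)


def filter_response(headers, body):
    """Decide what the proxy does with one response.

    Returns (action, reason, body): action is "block" (body emptied),
    "rewrite" (HTML with active content removed) or "pass" (unchanged).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    ctype = declared_type(hdrs)
    if ctype in BLOCKED_TYPES:
        return "block", f"content-type {ctype}", b""
    if looks_executable(body):
        return "block", "executable signature in body", b""
    if ctype == "text/html":
        cleaned = strip_active_content(body.decode("latin-1"))
        return "rewrite", "active content stripped", cleaned.encode("latin-1")
    return "pass", "", body


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    page = (b'<html><head><script>alert(1)</script></head>'
            b'<body onload="x()"><p>Hello</p><applet code=Foo.class></applet></body></html>')
    print(filter_response({"Content-Type": "text/html; charset=iso-8859-1"}, page))
    print(filter_response({"Content-Type": "text/plain"}, b"MZ\x90\x00 not really text"))
    print(filter_response({"Content-Type": "application/octet-stream"}, b"whatever"))
```

The magic-byte check is what makes this "ever so slightly harder" rather than trivial to bypass by relabelling a download as text/plain; it still only catches formats you have listed, which is the same limitation the post notes for worm and exploit rules.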