
Fighting social networks in a single society

Probably many system administrators have, at least once in their life, been handed a task by their exuberant management: "make sure nobody gets onto Odnoklassniki!"
For my part, I fully adhere to the idea that “a ban cannot be ONLY technical”, since for any tricky ban a tricky workaround is found sooner or later. A 100% technical solution would, perhaps, be only the complete shutdown of Internet access.
Nevertheless, it was interesting to tinker with, which I did at my leisure, and I wrote this post based on the results.


A reservation up front: my environment is Windows workstations, Windows server OS and the corresponding software. In a *nix environment, everything can probably be done the same way / differently, better / worse, more gracefully / more clumsily (underline as appropriate).

In addition, by default we accept that we have
After a brief unequal, senseless and merciless struggle with social networks, I developed several fundamental approaches to this.
Method One (clumsy).

We create a ban list on the gateway and add the domains of Odnoklassniki, Moi Mir (My World), VKontakte (not forgetting vk.com), Moi Krug (My Circle) and others like them, depending on what your users spend their time on. If you want to be especially thorough, also add the IP addresses, or even subnets, that correspond to these sites. We apply the ban list and enjoy life, but not for long, because even the lowliest secretary only needs to type the phrase "VKontakte anonymizer" into Yandex to get dozens or even hundreds of open web proxies, which are also updated almost several times a week. Clearly, fighting them with ban lists is pointless: it takes a lot of time, and the result is not achieved anyway. To the fair objection that such a secretary is far from technical, I will answer that she may have a knowledgeable friend who will teach her this magic phrase.
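The ban-list check described above, as an added example that is not part of the original post. It assumes the gateway sees the request URL and the destination address it resolved; the domain set and the networks (documentation ranges) are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample ban list. A domain entry covers the domain and all of its
# subdomains; the networks are documentation ranges, not real site addresses.
BANNED_DOMAINS = {"vk.com", "vkontakte.ru"}
BANNED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]


def host_of(url: str) -> str:
    """Lower-cased host of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def domain_banned(host: str) -> bool:
    """Suffix match on label boundaries: 'm.vk.com' matches, 'notvk.com' does not."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BANNED_DOMAINS for i in range(len(labels)))


def ip_banned(addr: str) -> bool:
    """True if addr is an IP literal inside one of the banned networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal (a host name or an empty string)
    return any(ip in net for net in BANNED_NETWORKS)


def is_blocked(url: str, resolved_ip: str = "") -> bool:
    """Gateway decision for one request: by domain, by IP-literal host, by resolved IP."""
    host = host_of(url)
    return domain_banned(host) or ip_banned(host) or ip_banned(resolved_ip)
```

The last case in the post is visible here: a request to an unlisted web proxy host is not blocked, because the list only ever sees the proxy's own name and address.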

Method Two (administrative-mental).

Having agreed it with management (which is not difficult in this situation), we issue an order / law / ruling stating that employees face punishment / public censure for visiting social networks. This immediately cuts off the morally weak, insecure offenders, but the inveterate fans will still remain. To them you can apply a psychological effect: set up a simple response modifier, i.e. a filter that analyzes what comes to us from the Internet and replaces in the response, for example, the word "VKontakte" with the phrase "Are you sure no one will find out about this?" As a result, even through a new, unknown anonymizer, a person will see just such a picture.

This should cool down a certain number of users. And by varying the substituted templates, you can achieve all sorts of effects.
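A sketch of such a response modifier, added here as an example and not taken from the original post. It assumes the gateway hands the filter the response headers as a dict and the complete body as bytes; the function name and the rule list are hypothetical.

```python
import re

# Assumed rule: the word to look for and the text shown instead of it.
REPLACEMENT = "Are you sure no one will find out about this?"
RULES = [(re.compile(r"vkontakte", re.IGNORECASE), REPLACEMENT)]
CHARSET_RE = re.compile(r'charset="?([\w-]+)', re.IGNORECASE)


def rewrite_response(headers: dict, body: bytes):
    """Return (headers, body) with RULES applied to uncompressed HTML only."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "")
    # Images, downloads and compressed bodies pass through untouched:
    # replacing bytes inside them would corrupt the response.
    if not ctype.lower().startswith("text/html") or "content-encoding" in hdrs:
        return headers, body
    match = CHARSET_RE.search(ctype)
    charset = match.group(1) if match else "utf-8"
    try:
        text = body.decode(charset)
    except (LookupError, UnicodeDecodeError):
        return headers, body  # unknown or mislabelled charset: leave as is
    for pattern, replacement in RULES:
        # A function as replacement keeps backslashes in the text literal.
        text = pattern.sub(lambda _m, r=replacement: r, text)
    new_body = text.encode(charset, errors="xmlcharrefreplace")
    out = dict(headers)
    # The body length changed, so a stale Content-Length would cut the page off.
    for key in list(out):
        if key.lower() == "content-length":
            out[key] = str(len(new_body))
    return out, new_body
```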

Method three (very hard and dishonest)

This method is the most effective, but also the most controversial in terms of applicability. The essence is simple: we make a simple copy of the social network's login page, and on the gateway we create a rule that redirects a specific user request (for example, a request to a fresh anonymizer, or to a specially unbanned anonymizer) to this page. Then the user enters his login and password and either gets into the social network or does not (it depends on how you made the fake page). What matters is that you now have the login and password of a specific user.
In fact, this is pure phishing, which of course is wrong, illegal, ungentlemanly, etc. However, the effectiveness of this method exceeds all expectations. When a person loses his precious account (even if not forever but only for a while, and even if you return it in exchange for a promise not to visit social networks at work), this has a stunning effect even on hardened Odnoklassniki fans, because by using anonymizers of unknown origin they are in fact putting their accounts at risk themselves, perhaps without thinking about it.

Method Four (simple and effective)

Requires working with management, and the ability to persuade.
The main and most important thing here is to understand WHY you need to restrict people's access to the Internet at all.
Offhand, there are two main options:
The first option cannot be solved in principle, since it is better to motivate workers than to prohibit them, and if a worker has fun while doing the work well and on time, then more power to him.
The second option is very easy to solve by introducing traffic quotas and later increasing them if necessary (as shown by the printout of visit statistics).
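One way to do the quota accounting, as an added example that is not from the original post. The log format (date, user, destination host, bytes), the quota values and the user names are constructed assumptions; a real gateway's statistics export would need its own parser.

```python
from collections import defaultdict

# Constructed access-log sample: date, user, destination host, bytes transferred.
SAMPLE_LOG = """\
2011-06-06 ivanov vk.com 48200000
2011-06-06 ivanov mail.example 1200000
2011-06-06 petrova docs.example 5300000
2011-06-06 ivanov webproxy.example 61000000
2011-06-07 petrova vk.com 900000
malformed line
"""

DAILY_QUOTA = 100 * 1000 * 1000  # assumed default: 100 MB per user per day
QUOTA_OVERRIDES = {"petrova": 5 * 1000 * 1000}  # per-user values, raised on request


def usage(log_text: str) -> dict:
    """Bytes per (date, user), broken down by destination host."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not fit the assumed format
        date, user, host, size = parts
        totals[(date, user)][host] += int(size)
    return totals


def over_quota(log_text: str) -> list:
    """Sorted (date, user, used, quota, top_host) rows for users over their quota."""
    rows = []
    for (date, user), hosts in usage(log_text).items():
        used = sum(hosts.values())
        quota = QUOTA_OVERRIDES.get(user, DAILY_QUOTA)
        if used > quota:
            # The biggest destination is what goes on the statistics printout.
            rows.append((date, user, used, quota, max(hosts, key=hosts.get)))
    return sorted(rows)
```

The count is by bytes, not by destination, so traffic through an unlisted web proxy is charged to the user exactly like a direct visit.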

That exhausts my methods of senseless struggle. Based on the results, I remain an ardent supporter of the “do not deny access, quota the traffic” method, and, not without difficulty, I was able to convince my management of it.
If you have any other interesting ways that are not described above, I’ll be happy to read about them in the comments.

PS This was, of course, not about information security, because when it comes to protecting any confidential data, the methods described above are laughable and absurd.

PPS You can also arrange interesting games for yourself with catching and modifying / removing HTTP traffic headers, and searching for signatures. This makes it possible to cut off the various programs that create tunnels over HTTP / HTTPS, but that is a topic for a separate post.

PPPS The third method is very, very controversial, including in terms of legislation. At the request of commenters, let me remind you once again: for your own sake and your children's, think three times before doing this.

Source: https://habr.com/ru/post/120991/

