[PLUG] NetAngel versus WebSafety...

Tom tgrom.automail at nuegia.net
Tue Aug 18 22:43:27 UTC 2020


> Any thoughts on how NetAngel does or doesn't work are appreciated
> from anyone who has used it. Thoughts on how to improve WebSafety and
> make it work better are also appreciated.
> 
>  -- Michael C. Robinson
Hello Michael

One thing that strikes me right away is that the method where you're
using a local certificate authority introduces a very bad central point
of failure. In order for that method to work, you'd have to install
your own trusted certificate authority into all your machines, and then
sign a certificate that is valid for every site ever.

As you can imagine this 'god-certificate' is very dangerous. If it gets
into the wrong hands pretty much ALL TLS network encryption security
can be completely bypassed. One Ring To Rule Them All. If that one
private key is stolen, every single system is fully compromised.

The filtering should really be done on the endpoints themselves to
avoid this godkey scenario. As you may already have seen, more and more
governments around the world have launched attacks and censorship
attempts against the internet. In response to this, the technologies our
internet is based on have been getting more and more resilient to
censorship and attacks. There is a famous quote: "The internet treats
censorship as damage to the net and routes around it".

If this is an office environment I'd suggest looking for an endpoint
solution, not attempting to filter on the network layer, unless you're
going for a full whitelist-style network egress firewall.

While this solution is not completely un-bypassable, it is one of the
simplest. You could run a local Unbound recursive DNS server on your
office LAN. Set your machines to use it and filter egress traffic to
the internet from the LAN port 53. Then, configure unbound to return
SERV-REFUSED for domains unrelated to work, like facebook or something.

While this method is bypassable if an employee is to use some kind of
DNS tunneling mechanism, perhaps you could explore a people-centric
solution rather than a technical one.

The other method would be to completely firewall off all network
connections except to specific IP ranges related to work, but not
everybody can do this if you don't know all the IP ranges required for
doing a job beforehand.

-- 
 ________________________________________ 
/ Don't worry over what other people are \
| thinking about you. They're too busy   |
| worrying over what you are thinking    |
\ about them.                            /
 ---------------------------------------- 
\
 \
   /\   /\   
  //\\_//\\     ____
  \_     _/    /   /
   / * * \    /^^^]
   \_\O/_/    [   ]
    /   \_    [   /
    \     \_  /  /
     [ [ /  \/ _/
    _[ [ \  /_/
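An added example of the Unbound setup Tom describes above, not code from his post or from the WebSafety project: an unbound.conf fragment that answers lookups for non-work domains with REFUSED and logs queries so refused lookups are visible in the resolver log. The addresses (192.0.2.x), the log path, the blocklist file and the domain list are placeholders to be replaced with your own.

```conf
# unbound.conf fragment for a LAN-only filtering resolver.
# 192.0.2.x are documentation placeholder addresses; use your LAN's.
server:
    # Listen only on the LAN-facing address, never on a public one.
    interface: 192.0.2.1
    port: 53
    do-udp: yes
    do-tcp: yes

    # Only the office LAN may query; anyone else gets REFUSED.
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Log queries and replies so refused lookups (and unusual bursts of
    # long random subdomains, the typical shape of DNS tunneling) can be
    # reviewed. use-syslog must be off for logfile to take effect.
    verbosity: 1
    use-syslog: no
    logfile: "/var/log/unbound/unbound.log"
    log-queries: yes
    log-replies: yes

    # Refuse non-work domains: clients get rcode REFUSED. The trailing dot
    # names the zone apex, and "refuse" applies to every name under it.
    local-zone: "facebook.com." refuse
    local-zone: "fbcdn.net." refuse
    local-zone: "instagram.com." refuse
    local-zone: "tiktok.com." refuse

    # Keep the rest of the list in its own file (create it, even if empty)
    # so it can be updated without touching the main config.
    include: "/etc/unbound/blocklist.conf"

# Pair this with the egress rule from the post: only this resolver host
# may reach port 53 (and 853, DNS over TLS) upstream; the LAN may not.
```

Run `unbound-checkconf` after editing and confirm with `dig @192.0.2.1 facebook.com` that the status line reads REFUSED while a work domain still resolves.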