Re: Surf and Spyware Protection on OpenBSD

From: +Alan Hicks+ (alan_at_lizella.netWORK)
Date: 09/23/05


Date: Fri, 23 Sep 2005 14:06:12 -0500


In comp.unix.bsd.openbsd.misc, Lars Bonnesen dared to utter,
> I want to set up a firewall box running some sort of *NIX. Clients on the
> local net are mostly Windows. It is these boxes I would like to protect with
> the OpenBSD thing.
>
> Astaro claims to have what I want:
> http://www.astaro.com/
>
> But I find OpenBSD to be more secure (?) than Astaro, and... Astaro is not
> free of charge.
>
> Can anyone tell me if there are any OpenBSD solutions with the above
> possibilities?

No solution is going to be 100% effective, but I think with careful
planning you can achieve something much more secure than your current
setup. The key things to do here I think are:

1) Default deny. You've got to limit what your Windows PCs can do. If
they can simply connect out to any and all hosts on the internet on
any ports, you've already lost.
2) Identify what websites, mail servers, etc your clients need to
connect to, and allow your clients access only to those.

This will eliminate quite a lot of problems with spyware, but might
introduce quite a lot of complaints. Workers like to check up on the
weather or news at work and if company policy doesn't prevent that,
they'll probably scream.

The easiest answer to that problem is a local proxy server that can
filter out extensions from websites. You could prevent users from
downloading archive files, executable files, etc through the use of
squid and dansguardian for example. If your ruleset is sufficiently
tight, allowing only your filtering proxy server to access "hostile"
websites, then you'll achieve a much more secure LAN (though of course,
not completely secure) than what you currently have.

Additionally, you would need to implement virus scanning on your mail
server, or perhaps as a POP3 proxy for your clients. Remember,
security is proactive. You'll need to be constantly looking at new
avenues that malware can take to enter your LAN.

- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
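The default-deny layout described in the reply above, sketched as a pf.conf ruleset. This is an added example, not part of the original post: the interface names, all addresses, the proxy listening on port 8080 on the firewall itself, and a local resolver on the firewall are assumptions, and the syntax is that of current OpenBSD pf rather than the 2005 release.

```pf
# Constructed example: every name and address below is an assumption.
ext_if = "em0"               # assumed Internet-facing interface
int_if = "em1"               # assumed LAN-facing interface
lan    = "192.168.1.0/24"    # assumed range of the Windows clients
mail   = "192.0.2.25"        # assumed mail server (documentation range)
dns    = "192.0.2.53"        # assumed upstream resolver

set skip on lo

# 1) Default deny: anything not explicitly passed below is dropped and
#    logged to pflog0, including arbitrary outbound connections from clients.
block log all

# Clients may talk to the filtering proxy (dansguardian in front of squid,
# assumed to listen on 8080) and to the resolver running on the firewall.
pass in on $int_if inet proto tcp from $lan to ($int_if) port 8080
pass in on $int_if inet proto { tcp udp } from $lan to ($int_if) port 53

# 2) Only the firewall host, where the proxy runs, fetches from the web.
#    Clients never get a direct route to "hostile" sites.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80 443 }
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to $dns port 53

# Clients reach exactly one mail server on SMTP and POP3, nothing else.
pass in  on $int_if inet proto tcp from $lan to $mail port { 25 110 }
pass out on $ext_if inet proto tcp from $lan to $mail port { 25 110 } \
    nat-to ($ext_if)
```

The file can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`. Connections rejected by the `block log all` rule show up on the pflog0 interface (`tcpdump -n -e -i pflog0`), which is a useful place to spot a client trying to reach hosts it has no business contacting.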


