JayMulkey

Is MY SPACE safe?

Several users here at work have asked me if it is safe to use the popular new site called MY SPACE.  Our concern is if it has any of the P2P vulnerabilities.  What do you think?
ASKER CERTIFIED SOLUTION
dmcoop
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
JayMulkey

ASKER

I agree.  May I know how you blocked it at the firewall?  Is it an IP address or what?
What kind of firewall do you have?

We use WatchGuard firewalls and they have a product called WebBlocker.  I just put myspace.com in the blocked list.

There are other ways though depending on your firewall or proxy server.
The other thing to consider is data leakage - any of these types of applications make it that much more likely that corporate/customer data will end up in the wrong hands, either by intentional employee action or due to a vulnerability in the application being exploited.

Another application to watch out for is Google Desktop and its search anywhere facility.

There are various options for blocking web sites depending on your set-up at work -

Via the firewall - either if you have a way of filtering by URL as above, or by blocking all IPs associated with the site - a router can likely perform the IP blocking function as well.

Block the URL(s) on a proxy server if you use one.

If none of these options are available you can point all the site's IPs to 127.0.0.1 in the machines' hosts files, although this is hardly an enterprise level solution!

The answer for that question is: it is as safe as any other site like it. I do not get why you need to block users from accessing it when they can access websites that are much more harmful. Why disconnect one when you are going to leave the other one available to everyone? As for your P2P question, it cannot have those vulnerabilities as it works on another type of protocol. But having said that, I don't see why employees have to go to My Space from their office PC. You should monitor the connection for this kind of behavior.
I work in a networked environment where we have 300+ PCs and own only about 100 of them.  The majority are independent contractors who pay us for Internet access.  Lots of them have laptops that go home with them and - as you know - stuff happens at home.

As the Administrator for the network I have only so much authority in dictating what the users can do while they are here in the building.  Most are very respectful of the fact that their behavior (good or bad) affects all of us.

My desire is to prevent users from accessing ANY site that would be dangerous to our network.  I've spoken to them about P2P sites and let them know that I monitor what shows up at the firewall and can talk with them directly if they choose to do this stuff.

Today a user asked if it was okay to visit MY SPACE while on her breaks.  I said I did not know (thus, my question to all of you).

Thank you ... those who have said I can block this site at the firewall.  I think I will.
You are better off to block by URL than IP if your firewall allows it.  That is why I ask what kind of firewall you have.

If you block by IP range or specific IPs that can create some problems.

We use a FortiGate 200 (by Fortinet).  It has tons of controls on what is allowed and what is not.  It also alerts me (by email) when suspicious activity takes place.  Recently it noticed one user using Skype and let me know it is potentially dangerous since the packets are encrypted and might allow a virus to get past the firewall.
If you are paranoid about sites people are looking at, you may want to consider Websense or a similar product.  They monitor thousands of websites and maintain a database that an ISA firewall server can update.  It's kind of pricey and I wouldn't consider it unless you have at least 50 nodes (minimum).

Cheaper solution would be to limit web sites people can view to only a few safe sites.  But, that takes all of the fun out of the office's Internet connection ;)
SOLUTION
Rich Rumble
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I don't think encrypted packets justify a security concern necessarily.  A virus scanner on all of your computers will handle the "might allow a virus to get past the firewall."  The firewall's job is to control traffic, not to monitor viruses.  Get a virus scanner for that.

Generally speaking, my policy on security is to deny access to everything except for what I think people should have access to.  I think Richrumble is working with the same basis that I was above with the proxy.  You need to channel all traffic through your servers, if you don't already.  Don't allow anyone to access the Internet without going through you first as mentioned above on my post, block port 53 and configure an internal dns server.  As mentioned by Richrumble, block the other ports he mentioned.  Configure the firewall so that your proxy is the only computer that can make these outgoing connections and configure all other computers to use your server as the proxy.  

One side note: the ports that have been mentioned by Richrumble were mentioned because those are the types of traffic that most proxies are developed to handle: http, shttp, smtp, ftp.  Other types of traffic may not be handled by your proxy properly.  That will just require a little bit of research into your proxy.

Websense is a great product, but you don't have to have it.  If it is a relatively small company and you can have a reasonable level of trust with your users, don't spend the money.  If you have a medium to large company and you can't trust the users, definitely get something like Websense.

Has any of this helped?
I don't see myspace as a security risk, just somewhere that staff can easily waste an entire day.  Also, some of the photos that people upload to their myspace pages can be a little risque.
There are risks.  It's personal postings with various types of mixed content (some of which may be dangerous to a computer if downloaded).  
Hi

Following on from other users' posts: if you don't already have one in place, a proxy server of some sort behind a firewall that only allows the proxy server web access, thus forcing your users to connect via the proxy server, sounds like the way you need to go.

There are many proxy products on the market - some appliances you buy (e.g. Bluecoat, Websense etc) some free software - e.g. Squid.

This would allow you to have some measure of control over the browsing habits of users on your network.  Another advantage of the proxy is that it will provide you with a nice audit trail - e.g. if there is a complaint about a user accessing inappropriate sites you have a nice centralized record of this access.

In addition there are bolt-on products such as 'smartfilter' that provide a database of sites split into categories, making it easy to block all known p2p sites or all dating sites etc.  These lists, while obviously not infallible, are not bad, cover most sites in any category and are usually updated daily with new sites.

The other thing not to overlook is policy - it sounds like a web use policy may be required; this should cover obvious stuff like no porn etc, but can also specify no VOIP, no p2p, no remote storage etc.  Get the buy-in from a CIO or similar and distribute the policy to all users.  Then even if they are able to circumvent any technical solutions you put in place to manage access, you have the policy to fall back on if users are caught accessing sites they shouldn't.

A specific site such as MySpace shouldn't really be your primary focus, more categories of sites you think pose an unacceptable risk.

cheers

K
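
The proxy audit trail and the block-by-name-rather-than-IP advice discussed in this thread, as an added example that is not part of any participant's post. It assumes Squid's native access.log layout; the log lines, client addresses and block list below are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumed block list of domain suffixes; myspace.com is the site from the thread.
BLOCKED_SUFFIXES = ("myspace.com",)

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1143800000.101    120 192.168.1.23 TCP_MISS/200 5120 GET http://www.myspace.com/index.cfm - DIRECT/203.0.113.10 text/html
1143800004.220     80 192.168.1.23 TCP_DENIED/403 1400 GET http://profile.myspace.com/user - NONE/- text/html
1143800010.500     95 192.168.1.40 TCP_MISS/200 2048 GET http://example.org/news - DIRECT/198.51.100.7 text/html
1143800015.900     10 192.168.1.40 TCP_DENIED/403 0 CONNECT login.myspace.com:443 - NONE/- -
1143800020.000     60 192.168.1.51 TCP_MISS/200 900 GET http://notmyspace.com.example.net/ - DIRECT/198.51.100.9 text/html
"""

def host_of(method, url):
    """Return the lower-cased host from a logged URL (CONNECT logs host:port)."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_blocked(host, suffixes=BLOCKED_SUFFIXES):
    """Match the domain itself or any subdomain, never a mere substring."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit(log_text):
    """Count requests to blocked domains per (client, allowed/denied)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed or truncated lines
        client, action, method, url = fields[2], fields[3], fields[5], fields[6]
        if is_blocked(host_of(method, url)):
            status = "denied" if action.startswith("TCP_DENIED") else "allowed"
            hits[(client, status)] += 1
    return hits

if __name__ == "__main__":
    for (client, status), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{client} {status} {n}")
```

An "allowed" hit for a blocked domain shows a request that got through before the rule was in place or around it, which is the kind of record the web use policy can then be applied to.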
Lately also the "no-such-agencies" think myspace is a great place to stay, well they rather collect all data, relationships and connections these users are absolutely freely offering to them...

Tolomir
Thanks.