
MISSION: Block sites with OpenDNS

MISSION: Block troublesome websites with minimal effort
EXECUTION TIME: 90 seconds
TOOLS: Requires use of OpenDNS.com name servers


This is Jason, the new guy at Special Ops Security, and I'll be posting blog items that are more of the "basic training" type than the other guys'. In light of the DoD recently blocking prominent websites, I wanted to post a very quick and easy way to block sites on your corporate network. Now, this is definitely not a 100% solution; for that, you need to blacklist the URL in your firewall, router, WebSense device, or other content-filtering technology.

Even then, your users can use a proxy server to get around the blocking. Think of this as an 80% solution that takes seconds, versus opening up your firewall and needing more skilled engineers to change rulesets.

OpenDNS provides really fast DNS resolvers with really large caches. These guys are great, and you should definitely use them as your corporate network's DNS resolver instead of your ISP's. I guarantee they are faster. More on that in another posting.

If you're a current OpenDNS user, the graphic above should confirm that by saying "Sweet!" If the graphic above says "Get Started," then your network does not use OpenDNS yet, and that is a prerequisite for this great feature to work.

Once you've signed up with OpenDNS (it's free and takes just a couple of minutes), you can log in to your account and add sites to the "blocked" list. If you block craigslist.org, you'll also be blocking la.craigslist.org (Craigslist Los Angeles), sfbay.craigslist.org (Craigslist San Francisco), etc. If, instead, you just blocked newyork.craigslist.org, the rest of the Craigslist properties would load just fine.

When you try to visit a blocked domain, you'll see a page that looks like the one to the left. The nice part is that it lets the user know the site is blocked and gives them feedback that they shouldn't be accessing it. You can even replace the OpenDNS logo with your company's own. This feedback page is much better than the browser error ("web server not responding") that would result from firewall or router blocking.

This feature can be used to steer employees away from social networking sites at work or to preemptively block malware sites. Hopefully I haven't alienated all of the really technical subscribers to our blog; we just want to have content for the experts as well as the beginners.
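To make the domain-matching rule above concrete, here is a small added example (my own illustration, not OpenDNS code) that models how a DNS-level blocklist decides whether a queried name falls under a blocked entry. The blocklist entries, queries, and function names are all constructed for the demo. The point it adds beyond the prose: matching must be done on whole labels, so that blocking craigslist.org covers la.craigslist.org but does not accidentally cover an unrelated name such as notcraigslist.org.

```python
"""Label-wise domain blocklist matching, modelling DNS-based site blocking.

Added illustration, not OpenDNS's implementation. It captures the rule from the
post: blocking a domain blocks every name beneath it, while blocking a deeper
name such as newyork.craigslist.org leaves its sibling subdomains reachable.
"""
from typing import Iterable, Optional


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip a trailing dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def blocking_entry(query: str, blocklist: Iterable[str]) -> Optional[str]:
    """Return the blocklist entry that covers `query`, or None if it is allowed.

    Matching compares label sequences, not raw string suffixes: 'craigslist.org'
    covers 'la.craigslist.org' but not 'notcraigslist.org'. When several entries
    cover the query, the most specific (longest) one is reported.
    """
    q_labels = normalize(query).split(".")
    best: Optional[str] = None
    best_len = 0
    for entry in blocklist:
        e_labels = normalize(entry).split(".")
        if len(e_labels) > len(q_labels):
            continue  # entry is deeper than the query; it cannot cover it
        if q_labels[-len(e_labels):] == e_labels and len(e_labels) > best_len:
            best, best_len = entry, len(e_labels)
    return best


def is_blocked(query: str, blocklist: Iterable[str]) -> bool:
    """True if the queried name is covered by any blocklist entry."""
    return blocking_entry(query, blocklist) is not None


def evaluate(queries: Iterable[str], blocklist: Iterable[str]) -> dict:
    """Map each query to the entry that blocks it, or None if it resolves normally."""
    entries = list(blocklist)
    return {q: blocking_entry(q, entries) for q in queries}


if __name__ == "__main__":
    # Constructed sample: one broad entry and one narrow entry.
    sample_blocklist = ["craigslist.org", "photos.example.net"]
    sample_queries = [
        "la.craigslist.org",
        "sfbay.craigslist.org",
        "notcraigslist.org",
        "example.net",
        "photos.example.net",
    ]
    for name, entry in evaluate(sample_queries, sample_blocklist).items():
        print(f"{name:28s} -> {'blocked by ' + entry if entry else 'allowed'}")
```

Run it as a script to see the verdict for each constructed query; the label comparison is what keeps a blocklist entry for craigslist.org from spilling over onto names that merely end with the same characters.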

Need to lower morale? Block MySpace!

Just yesterday, U.S. Army General Bell announced that eleven popular websites were being blocked across the entire DoD NIPRNET by May 14th:

No sooner had the announcement come out than there was reaction in the press that this was an attempt to squelch unfavorable portrayals of the current war from the soldier's point of view. Given that the U.S. Army has itself produced promotional videos and posted them on YouTube to encourage recruitment, this seems rather odd.

Now, our intention is not to turn this into a political ideology blog; there are plenty available if that is what you desire. Instead, we want to tackle General Bell's assertion that these sites are taking away valuable bandwidth from military networks for recreational use. We see this argument used a lot in large corporations that install website-blocking systems. We believe this is wholeheartedly a knee-jerk reaction, and an extremely poorly executed one.

If the intentions are genuine and merely meant to conserve bandwidth, the correct way to address this from an IT perspective is to apply QoS to the network and put these "recreational websites" in a priority class that cannot take up more than, say, 25% or 10% of the available pipe.

By blocking the sites, morale suffers. As the Associated Press article points out, many soldiers use these social network services and photo sharing sites to keep in touch with their families and friends stateside. Cutting off that important link is a poorly executed plan to reduce bandwidth consumption.

Deliberately blocking the sites is a bit like using a chain saw to perform a root canal. The result is achieved, but with high levels of discomfort to the patient (or the soldier, or the corporate network employee). When the performance of these recreational sites becomes less than stellar, employees (or soldiers) will naturally make their own decision: have more patience while the site loads, learn how to use an anonymous proxy server, or simply find another form of recreation. The important part is that the decision is left up to the soldier or the employee, which empowers the workforce.

Some of our blog subscribers have .mil email addresses -- we'd love to hear your thoughts on this issue. If you are unable or uncomfortable posting to the blog from that address (and do not have a personal email account), please contact us and we will post your response anonymously.

MISSION: Gather Intel


MISSION: Gather global security intelligence
EXECUTION TIME: 15 minutes
TOOLS: RSS feed aggregator of choice or customizable home page

Situational awareness is a key element of deploying and maintaining effective security measures. Part of that recurring effort should be intelligence gathering. Putting together a comprehensive list of security-related RSS feeds can be a great alternative to hitting numerous sites each day or trying to sift through busy "dashboard" pages. There are many great security-related sites out there that support RSS; the key is not to add as many as you can, but rather to identify dependable sources of information that focus on issues pertinent to your mission. Here are some of our favorites:

Special Ops, of course! (Security how-to’s and news items)
URL: http://feeds.feedburner.com/SpecialOpsSecurity

SecuriTeam (Various security advisories and vulnerabilities)
URL: http://www.securiteam.com/securiteam.rss

TaoSecurity (Network Security Monitoring-centric postings by Richard Bejtlich)
URL: http://taosecurity.blogspot.com/feeds/posts/default

SANS Internet Storm Center (ISC Handlers diary, security items of note)
URL: http://isc.sans.org/rssfeed.xml

GeeKool (Another NSM-centric blog with an emphasis on technical information and how-to’s)
URL: http://geek00l.blogspot.com/feeds/posts/default

Zone-H (Emerging threats, defacements, items of note - Global)
URL: http://www.zone-h.org/index2.php?option=com_rss&no_html=1

Security Fix (Security news)
URL: http://blog.washingtonpost.com/securityfix/index.xml

Of course, there are many, many more, including several vendor blogs that actually have some pretty good info. Please add a comment with your favorites!
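If you would rather not depend on a particular aggregator, the feeds listed above can be pulled into a few lines of your own code. The following is an added example (mine, not from the blog or any of the feed publishers) that parses both feed formats in the list, RSS 2.0 (the .rss and .xml URLs) and Atom (the blogspot URLs), and keeps only the items whose titles mention keywords relevant to your mission. The two feed documents are constructed inline so the script runs offline; the URLs, titles, and keywords in them are made up for the demo.

```python
"""Minimal RSS 2.0 / Atom intelligence filter.

Added example, not code from the blog or the feed publishers. Both sample feeds
below are constructed for the demo; in practice you would fetch the real feed
text over HTTP and pass it to gather().
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Feed content is untrusted input. For production use, parse it with
# defusedxml instead of the stock parser to resist entity-expansion attacks.

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed RSS 2.0 feed (the format used by the .rss / .xml URLs above).
SAMPLE_RSS = """<rss version="2.0"><channel>
<title>Constructed advisory feed</title>
<item><title>Advisory: buffer overflow in example-ftpd</title>
<link>https://feed.example/a1</link>
<pubDate>Mon, 07 May 2007 10:00:00 GMT</pubDate></item>
<item><title>Weekly newsletter</title><link>https://feed.example/a2</link></item>
</channel></rss>"""

# Constructed Atom feed (the format served by the blogspot URLs above).
SAMPLE_ATOM = """<feed xmlns="http://www.w3.org/2005/Atom">
<title>Constructed NSM blog</title>
<entry><title>Detecting DNS tunneling with NSM</title>
<link rel="alternate" href="https://blog.example/p1"/>
<updated>2007-05-07T12:00:00Z</updated></entry>
<entry><title>Conference travel notes</title>
<link href="https://blog.example/p2"/></entry>
</feed>"""


def parse_feed(xml_text: str, source: str) -> List[Dict[str, str]]:
    """Return a list of {source, title, link, date} dicts for an RSS 2.0 or Atom feed."""
    root = ET.fromstring(xml_text)
    entries: List[Dict[str, str]] = []
    if root.tag == "rss":
        for item in root.iter("item"):
            entries.append({
                "source": source,
                "title": (item.findtext("title") or "").strip(),
                "link": (item.findtext("link") or "").strip(),
                "date": (item.findtext("pubDate") or "").strip(),
            })
    elif root.tag == ATOM_NS + "feed":
        for entry in root.findall(ATOM_NS + "entry"):
            link_el = entry.find(ATOM_NS + "link")  # Atom links carry the URL in href
            entries.append({
                "source": source,
                "title": (entry.findtext(ATOM_NS + "title") or "").strip(),
                "link": link_el.get("href", "") if link_el is not None else "",
                "date": (entry.findtext(ATOM_NS + "updated") or "").strip(),
            })
    else:
        raise ValueError(f"unrecognized feed format: {root.tag}")
    return entries


def filter_entries(entries: Iterable[Dict[str, str]], keywords: Iterable[str]) -> List[Dict[str, str]]:
    """Keep entries whose title contains any keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    return [e for e in entries if any(k in e["title"].lower() for k in wanted)]


def gather(feeds: Dict[str, str], keywords: Iterable[str]) -> List[Dict[str, str]]:
    """Parse every feed in {source: xml_text} and return the mission-relevant items."""
    collected: List[Dict[str, str]] = []
    for source, text in feeds.items():
        collected.extend(parse_feed(text, source))
    return filter_entries(collected, keywords)


if __name__ == "__main__":
    feeds = {"advisories": SAMPLE_RSS, "nsm-blog": SAMPLE_ATOM}
    for hit in gather(feeds, ["overflow", "dns"]):
        print(f"[{hit['source']}] {hit['title']} <{hit['link']}> {hit['date']}")
```

The keyword list is the part worth tuning: as the post says, the goal is dependable sources filtered to your mission, not volume, so start with a short list of terms tied to the software and protocols you actually run.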

Copyright 2002-2007 • Special Ops Security, Inc. • All Rights Reserved.