> On Wed, 09 Nov 2011 08:00:01 CST, Joe Greco said:
> > On Wed, Nov 09, 2011 at 03:32:45PM +0300, Alex Nderitu wrote:
> > > An important feature lacking for now as far as I know is content/web filtering, especially for corporates wishing to block inappropriate/time-wasting content like Facebook.
> > >
> > > 1. That's not a firewall function. That's a censorship function.
> >
> > Is it "censorship" not to want unwanted connection attempts to our gear, and block unsolicited TCP connections inbound?
> >
> > Is it "censorship" not to want unwanted exploit attempts to our gear, and run everything through ClamAV, and use blocklists to prevent users inadvertently pulling content from known malware sites?
>
> I do believe that Alex was saying "blocking outbound access to time wasters like Facebook" is a censorship function, not a firewall function.
Of course he was. My point is that that's irrelevant.

There are plenty of good policy reasons for wanting to block application layer stuff. The statement Alex made appeared to characterize blocking Facebook as a "bad policy". As a result, one might infer that Alex's conclusion is that "firewalls shouldn't do this type of blocking." The merits of policies such as "blocking Facebook" are largely beyond the scope of NANOG; I don't propose to debate that point. There are other forums to debate such censorship.

However, the point I made should be easily understood: a firewall that offers tools to prevent users from visiting a certain website (via URL, let's say) is really not any different than a firewall that offers tools to prevent users from visiting a certain website (via packet firewall rules, let's say). Do you really want your users connecting to websites known to be operated by RBN, or virus-infected stuff, or spyware? The difference between "we want to protect our gear against known harmful sites" and "we want to block our employees from visiting dating sites" is probably indistinguishable at a technical implementation level.

So, in clearer response to Alex: who cares? That's not a NANOG issue.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.