On Mon, 2021-08-23 at 09:32 +0100, tim@pelican.org wrote:
> That's my reading of it - the web admin team are not trusted, and Pirawat / the network team are being asked to police them and make sure they're not running some kind of side business off the company equipment.
>
> Which is going to need some kind of WAF, reverse proxy, load-balancer, or similar in front of the web stuff, operated by the network team. Tech fix for an org problem.
Maybe I missed something (the subject line makes me suspect I did) but I shall press on regardless, in the best traditions of the Internet :-)

There is no technical difference between a web server being misused as described and a web server being used correctly. WAF, reverse proxies, load balancers and so on are really for protecting a web server against clients, not for preventing a web server from serving whatever content it has. Trying to use the tools mentioned to control outbound content would be a very frustrating game of whack-a-mole. You could block inappropriate inbound requests, but not knowing what is on the web servers makes that an infinite set of possibilities. So you would really have to permit only appropriate inbound requests. On anything but a trivial server the set of appropriate inbound requests could be very, very large. Not to mention that rewrite rules and suchlike could be blurring the difference between appropriate and inappropriate on a web server where the configuration is possibly in the hands of the bad guys.

If the web admin team is not trusted to properly control what content is *on the web servers*, then no amount of tech can help you. You need a trusted team inserted between them and the web servers, and that team needs to inspect the content, curate it, and vet anything new. That team will VERY quickly detect malfeasance.

Bear in mind also that there are quite a few attacks that end up leaving cuckoos in the nest; warez or worse being quietly served up alongside legitimate info. What I'm saying is that misuse as described can sometimes be more about incompetence and underfunding than about malfeasance.

Hope I didn't completely miss the point :-)

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
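As an added illustration that is not part of the thread: the "inspect the content, curate it, and vet anything new" control that Karl describes can be backed by a content manifest rather than a WAF. A trusted team records the SHA-256 of every file in the approved document root, and any later run that reports added, removed or modified entries is a change that has not been vetted (the "cuckoos in the nest" case included, since a quietly dropped file shows up as an addition regardless of what requests clients send). The directory layout and file contents below are constructed for the demo; function names are my own.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a regular file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every entry under root (POSIX-style relative path) to a fingerprint.

    Regular files are hashed. Symlinks are recorded by their target string
    instead of being followed, so a new or retargeted link (which could alias
    content from outside the vetted tree) is reported as a change too.
    """
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            manifest[rel] = "symlink:" + os.readlink(p)
        elif p.is_file():
            manifest[rel] = hash_file(p)
    return manifest


def diff_manifests(approved: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Everything in the diff is, by definition, content nobody has vetted."""
    added = sorted(set(current) - set(approved))
    removed = sorted(set(approved) - set(current))
    modified = sorted(k for k in approved.keys() & current.keys() if approved[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a curated docroot, then two unvetted changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "docs").mkdir()
        (root / "docs" / "faq.html").write_text("Frequently asked questions")

        # The trusted team records the approved state at this point.
        approved = build_manifest(root)

        # Later, without review: a new binary appears and the front page changes.
        (root / "docs" / "setup.exe").write_bytes(b"\x00\x01\x02")
        (root / "index.html").write_text("<h1>Welcome</h1><!-- edited -->")

        return diff_manifests(approved, build_manifest(root))


if __name__ == "__main__":
    print(demo())  # {'added': ['docs/setup.exe'], 'removed': [], 'modified': ['index.html']}
```

In practice the approved manifest lives with the curating team (signed, or at least outside the web admins' reach) and the comparison runs from a host they do not control; a manifest that the untrusted team can rewrite tells you nothing.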