[squid-users] Need advice on some crazy access control requirements
Eliezer Croitoru
eliezer at ngtech.co.il
Fri Mar 11 05:33:43 UTC 2016
Hey Victor,

I do not think it's too crazy.
It is a very common statement in the Law of Pharmacy to not operate
"heavy" tools when taking a specific medicine. In most cases it is there
since the operation of such tools (light\heavy) requires from the
worker\operator a specific amount of concentration and attention and
since the desire of the usage is a change this is the right phrase.

I think that it also depends on the target of the ACL\policy in many cases.
For example there are many places that do allow Apple (which includes
music, videos, books and many more) but do not allow YouTube or in some
places even Google or Bing. If for example in a medical operating room
there would be Internet available it can be potentially hacked and in
many places the common policy is that VOIP (over the Internet) in these
cases is in use. It's one of the tools for the room. The staff in the
room tends to be very trusted but you cannot rely on specific tools to
replace the soul which decides on the right thing to do "mid-flight"
when there are tiny saws and scalpels on the stand (and vice versa, the
mind cannot replace specific tools).

The first thing that you can do in such a scenario is to analyze the
network traffic using squid.
It can give lots of output and feedback even if used only as a simple
logging tool.
When you do have a clear view of what you are handling you can see
what the realistic options are for this specific group of Internet
users. For example if they are trying to use a proxy service that is on
ports other than 443 and 80 your goal would be to use a strict policy
rather than simply monitoring the HTTP and HTTPS connections.

I do not have experience with psychology but I do think that if most of
the undesired sites will be blocked it would fit most ACL\policy ideas.
I think it's a really good idea to somehow find the right tactic so that
the request for such a crazy ACL requirement would be understood by the
requester.

I do not remember if squid can "stop" a download after a specific amount
of KB\MB for one file but again eventually it is possible to download
them in chunks...

So it's not really impossible but indeed it's not an easy task to
implement. Also I know that there are a couple of products that do in a
way what you just described. The issue with them in most cases is that
they do cost more than a dime and sometimes the request for such a
requirement is dropped after hearing only part of the costs.

Eliezer

On 11/03/2016 05:31, Victor Sudakov wrote:
> Dear Colleagues,
>
> New Internet access rules are being introduced in our company, among
> them there is a requirement to have special groups of Internet users
> who are permitted to:
>
> 1. Download files from the Internet.
>
> 2. Use Web forums.
>
> 3. Use streaming audio/video.
>
> By default users should have no access to the above facilities.
>
> These requirements may sound stupid and vague to some, but is there a
> way to accommodate them at least partially, without keeping long lists
> of prohibited file extensions and domains, which is very
> counterproductive?
>
> I am perfectly aware that an advanced Internet user will be able to
> circumvent those prohibitions, but still, any recipes? I have looked
> in http://wiki.squid-cache.org/SquidFaq/SquidAcl but found nothing
> very useful.
>
>
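
The logging-first step suggested in the reply above, as an added example that is not part of the original thread: Python that reads Squid's native access.log format and counts, per client, requests that look like downloads, streaming, or traffic to ports other than 80 and 443. The sample log lines, the MIME patterns and the 5 MB size threshold are constructed assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer mime
SAMPLE_LOG = """\
1457674423.101    210 10.0.0.21 TCP_MISS/200 48211 GET http://forum.example.org/thread/42 - HIER_DIRECT/192.0.2.10 text/html
1457674425.882   9120 10.0.0.21 TCP_MISS/200 7340032 GET http://dl.example.net/tool.zip - HIER_DIRECT/192.0.2.20 application/zip
1457674430.004  30511 10.0.0.35 TCP_MISS/200 1830211 GET http://media.example.com/live/seg17.ts - HIER_DIRECT/192.0.2.30 video/mp2t
1457674431.559  60233 10.0.0.35 TCP_TUNNEL/200 90412 CONNECT relay.example.io:8443 - HIER_DIRECT/192.0.2.40 -
1457674433.120    455 10.0.0.21 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.50 -
"""

STREAM_MIME = re.compile(r"^(audio|video)/|mpegurl|dash\+xml", re.I)
DOWNLOAD_MIME = re.compile(r"^application/(zip|octet-stream|x-msdownload|x-tar|gzip|x-7z-compressed)", re.I)
BIG_BODY = 5 * 1024 * 1024   # assumed threshold for "a download", tune per site

def port_of(method, url):
    """Destination port: CONNECT logs host:port, other methods log a full URL."""
    if method == "CONNECT":
        return int(url.rsplit(":", 1)[1])
    parts = urlsplit(url)
    return parts.port or {"http": 80, "https": 443}.get(parts.scheme, 0)

def classify(line):
    """Return (client, set of category labels) for one access.log line."""
    f = line.split()
    client, size, method, url, mime = f[2], int(f[4]), f[5], f[6], f[9]
    labels = set()
    if STREAM_MIME.search(mime):
        labels.add("streaming")
    elif DOWNLOAD_MIME.search(mime) or size >= BIG_BODY:
        labels.add("download")
    if port_of(method, url) not in (80, 443):
        labels.add("nonstandard-port")
    return client, labels

def summarize(log_text):
    """Count labelled requests per client across the whole log."""
    report = defaultdict(lambda: defaultdict(int))
    for line in filter(None, map(str.strip, log_text.splitlines())):
        client, labels = classify(line)
        for label in labels:
            report[client][label] += 1
    return {c: dict(v) for c, v in report.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

HTTPS that Squid only tunnels is logged as `CONNECT host:port` with `-` as the MIME type, so for those requests only the port and byte count are available to a report like this.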