Free VPN software is all it takes to destroy my firewall rules?

It hardly needs to be a sleazy one. But yeah. You can easily set fire to IPSEC operations, as they’re predictable. Most OpenVPN / SSLVPN solutions focus on sitting at 443, so you can’t easily block; it’s indistinguishable from general secure web browsing.

If you want serious control, you need to do it at the endpoint. Or embrace the whack-a-mole as a learning exercise for your tots.

So you can create a VPN server on pfSense. When outside your network, your device will connect to your firewall even when you’re away from home. Then you can control the internet on the devices even outside of your network.

Sounds right… I got a cell phone when I was in high school… as a punishment.

This guy could be trolling.

Sigh. You were doing so well. Then you had to dive in with all the others and make assumptions about what I have and have not done in the past and what I am and am not currently doing. I realize that I’m not going to convince you or anyone else in a simple Reddit comment that I’m not an idiot parent. So I’m not going to try. I was asking a technical question and tried to provide a little context. Oh well.

You’re encouraging communication and gamifying it. OP comes across as trying to delegate their parental duties to technology while trying to rule with an iron fist.

It’s very simple.

I either do my work or I don’t. And the IT guys leave me alone because they understand this point.

The rest: I don’t care. It goes back to I either do the work or I don’t. Accept it or train your staff up to understand and provision for the needs of the company - but that costs them too much money on resources and actual competent staff.

I take my IT security very seriously - and actually have tighter systems at home and on my own machine than they do there. They’ve only recently implemented MFA - which is a joke.

And my situation is very unlikely to be what you think it is. Treason. lol. It’s not high stakes (a quick comment history check will show you what I do). And the world’s bigger than the US. And quite frankly, if it were, I wouldn’t give a fuck. You assume too much.

The point is though, porn I do not.

On the rare occasions I contract out, they accept that or get someone else. And I’m a busy man.

Downvote away! I don’t need your explaining - I’m not a fucking retard and well aware of all this.

Cool kids be using Kali Linux soon

Actually they more or less have. It’s just whether they want to enforce.

That is in no way relevant to OP’s question/problem.

Does this include proxy servers? Also, can we provide the GitHub link to pfBlockerNG and it updates the list automatically?

Sigh. You were doing so well.

And I’m afraid you just don’t seem to get it.

If we pull out to a business context, you are trying to deal with a personnel/HR problem with technology. You can’t really separate the tech question from the context with this, so you are going to get answers that cover everything. Fundamentally you are pushing this towards being an X-Y problem.

Then you had to dive in with all the others and make assumptions about what I have and have not done in the past and what I am and am not currently doing

I am not making any assumptions about what you have and have not done, only that your current approach is inappropriate and unsustainable.

This is not an attack on your parenting skills or a suggestion that you are an idiot parent, merely an observation that your approach is fundamentally flawed because of your naive technical understanding.

I’d suggest you take a step back and lose the slight victim complex as you have had a lot of advice from other parents about better approaches to achieve your goals. Very few people in this thread have been rude in any way.

I didn’t downvote you. I was just saying I see both sides of the argument, but depending on what you do there are liabilities or serious laws that apply. If in the EU, putting customer data on a personal device probably violates GDPR. Lawyers are another good example, where depending on their focus, there are real (and potentially criminal) liabilities tied up in going outside the system. Not that I can’t name law firms and courthouses that decided meeting legally mandated data controls was too expensive.

Edit: If I’m pulled in to investigate a data breach and I find a pile of unofficial tunneled traffic, I’m going to flag it. Because I can’t prove you weren’t uploading company data. Just saying, there are liabilities to “you can’t track me while I’m working”.

No. They have tried for a long time, it’s a constant arms race. Last time I went I had 2 commercial and one private VPN option. During my stay I had to flip back and forth a couple times between the commercial options as one would work and then not, etc.

Please read that last line in my last post again.

Stop explaining rather basic stuff - this is the equivalent of mansplaining. I know it already. I’m the GDPR go to person at work. You assume too much.

Not every occupation using a computer requires the handling of personal information or trade secrets.

What I do though does require constant switching of compilers, updates to firmware, and consistently changing settings in otherwise locked down software, in order to interface with a wide variety of industrial machines running different versions of firmware - where it’s not possible to update them for wider compatibility reasons. I also need the mobility, and if my main employer was to be serious on workable security, they’d invest. The current IT department are happy with the compromise.

It is literally that employer you cite with the locked down nanny-PC mentality. I’d imagine over 90% of staff have no problem. For most staff, their use doesn’t go much further than PowerPoint and Word. But I’m an engineer, and the finer needs and problems that occur are beyond the resource budget of the IT department - so that’s that. Ironically, and dangerously, all our customer data (ALL of it, every nitty gritty bit), is available via a web based portal that is simply a user name and password login - no MFA here. And the number of times staff have fallen for social engineered emails is ridiculous.

Quite frankly when I remember back, I wanted separation to ensure I wouldn’t be a problem. It’s that bad.

But going back to your original assertion: not all VPN traffic is porn.

Like I said, it’s whether they want to enforce and to what extent. Try using VPN during any politically sensitive periods like politburo meetings.

I understand some of it may not apply to you, and approved BYOD tends to be a bit of a “throw our hands in the air, securing the endpoints is pointless” move. However, your comments read like a recommendation to bypass company security on your own judgement. That is why I’m arguing with you, and probably why others downvoted you.

If you are the “GDPR go to person”, you should be championing something like I’m talking about: light-touch controls and focusing on reducing people bypassing the security perimeter.

Good example? I believe both one of the major Ubiquiti hacks and one of the LastPass compromises were traced back to a dev that established an unofficial tunnel to their home environment for whatever reason. I know a lot more small businesses where shit got fucked after somebody purposely overrode the draconian security. And yes, I have a habit of pissing off both the “security team” and the “security is in our way” crowd. Though in the small shops, it’s usually one guy that both set up all the draconian shit, then bypassed it all on the domain controller he’s using as a Visual Studio workstation. But I’ve been the “bad guy” just for showing that a goddamn VPN client on a DC is at the core of their network issues. A simpler issue? Dev’s MacBook dies, and it’s a fucking emergency, because it held the codebase and wasn’t in the backup plan.

Personally, I’m the mad squid-lord of the tunnels. But that’s for consultancy work. For the extreme clients, all work interfacing with their systems is done on dedicated hardware. And yes, flying with 4 laptops is a pain in the ass.

Edit: you also missed that my original post was just an excuse for a philosophy joke/recommendation.