My office has blocked access to all external websites. Only internal, self-hosted sites under our domain work.

P E A K. S E C U R I T Y.

Comments
  • 7
    Cheapest way to secure your network. Just don't take any ISP connection.
  • 10
    Why even have an ISP
  • 4
    By outbound port, or blocked the DNS lookup? I knew of a place that just blocked the DNS, so we had a cross reference of IPs to use. Can you ping 8.8.8.8 or 8.8.4.4?
  • 4
    @bkwilliams They have a proxy that they route all traffic through, and apparently it's either down or misconfigured.

    Pinging IPs doesn't work
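    The exchange above asks whether egress is cut at the DNS layer or at the outbound port. The following is an added example, not code from the thread or its participants: a small Python check an administrator can run from inside such a network to verify that a "no external egress" policy is enforced at both layers and to flag a gap where only one of them is blocked. The probe hostname `example.com` and port 443 are constructed assumptions; 8.8.8.8 is the resolver address mentioned in the thread.

```python
import socket
from typing import Callable

# Constructed probe targets (assumptions, not from the thread except 8.8.8.8).
PROBE_HOST = "example.com"
PROBE_IP = "8.8.8.8"
PROBE_PORT = 443
TIMEOUT_SECONDS = 2.0


def dns_resolves(host: str, resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if the host name resolves; False if the lookup fails (blocked or NXDOMAIN)."""
    try:
        resolver(host)
        return True
    except OSError:
        return False


def tcp_connects(ip: str, port: int, timeout: float = TIMEOUT_SECONDS) -> bool:
    """True if a TCP handshake to ip:port completes; False on refusal, timeout or no route."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_egress(dns_ok: bool, ip_ok: bool) -> str:
    """Map the two probe results onto a policy verdict.

    A policy of 'internal sites only' is enforced only when BOTH probes fail.
    Either single failure is a gap worth a ticket to the network team.
    """
    if not dns_ok and not ip_ok:
        return "blocked"      # both layers deny: policy enforced as intended
    if not dns_ok and ip_ok:
        return "gap-dns-only"  # names do not resolve, but raw IP egress works
    if dns_ok and not ip_ok:
        return "gap-ip-only"   # names resolve, but connections to external IPs are dropped
    return "open"              # external egress is allowed outright


def check_egress(host: str = PROBE_HOST, ip: str = PROBE_IP, port: int = PROBE_PORT) -> dict:
    """Run both probes and return the raw results plus the verdict."""
    dns_ok = dns_resolves(host)
    ip_ok = tcp_connects(ip, port)
    return {"dns": dns_ok, "direct_ip": ip_ok, "verdict": classify_egress(dns_ok, ip_ok)}


if __name__ == "__main__":
    print(check_egress())
```

Run it from a workstation inside the restricted network; a verdict other than `blocked` means the proxy or firewall policy is not doing what the thread's author believes it does. ICMP ping is deliberately not used, since many sites drop ICMP while still permitting TCP.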
  • 3
    Can you ssh out? If you can connect to an external host, you can tunnel a socks proxy through it with a single command. If you're using windows you can do it with putty.
  • 5
    @bahua Pretty sure I'd get seriously in trouble for doing that. Can't subvert their proxies or firewalls. Policy here is law.
  • 5
    @obsecurity At least you won’t be interrupted by client emails
  • 14
    @bkwilliams Oh no, that's the best part. All our clients have internal email addresses, so emails work perfectly fine

    (ノ°益°)ノ
  • 6
    @obsecurity

    Maybe, but using a well documented feature of approved software that the company provides is hard to describe as being in violation of policy. If you leave a window open, you can only be angry at yourself when a bird flies through it.
  • 8
    OK... I'll be a tad mean here, but:

    - Blocking sites outside of the network seems like a good way to prevent attacks from the wild, buuuuuut...

    - One of the biggest threats today for companies and the military/government alike is the insider/disgruntled employee factor.

    - Self-hosted websites? So, say, if a person self-hosts a vulnerable website? What could go wrong? Increasing the attack vector for an insider attack here.

    - As for subverting... encapsulation is your friend. Unless they pulled the cord from the router, some info will go out one way or another. Might make a nice pet project, building a tool for it.

    If clients from the OUTSIDE can send to you and receive from you, that might be the path.

    So, the estimated path of attack (as I estimate it from that little I've read) is You --> Coworker (through vuln site) --> email encapsulation --> custom email server --> internet

    Might not be fast, and certainly not for streaming, but it can get the job done.
  • 5
    Also, the above is for educational purposes only; don't get fired over browsing Facebook.
  • 3
    Sounds easy to get the coding job done. Especially since you can't search the web for stuff...
    VPN?
  • 2
    The police here do the same. Only internal websites and systems are allowed. Email is only available through Outlook, which gets configured automatically through the domain controller.

    If you need to visit external websites, you can open a browser through a Citrix app (so a web browser on a server).

    It's pretty secure. If an employee accidentally clicks a spam link, you won't introduce a virus anywhere, as your normal browser can't access anything. The browser in Citrix can't download anything.
  • 3
    @bkwilliams

    @devdns to the rescue 😂
  • 2
    Wait, no Stack Overflow?