I have a network of about 10 computers and I want to prevent sensitive data and source code leaks. To achieve that, I would like to block all file uploading / attaching.

  • What are the options available to me?
  • Are there hardware firewalls that allow me to do this?
Joyce Babu

6 Answers

I have been asked about your problem several times, on several occasions. What makes it really difficult to answer is that this in fact isn't really a tech problem. It's much more a social/human problem.

There are many great firewall systems like SonicWall/FortiGate/etc. (also VM-based solutions) which will cost you maybe only $500. They are all able to block protocols / ports / sites / etc. for you, but... in my opinion you would need to block every site and every connection between your source control network and the internet, because there is always a way to use an established connection to get the source code out of your business place. Even if one uses something simple like PuTTY to establish an SSH connection over port 80 and tunnel ports through it for all kinds of protocols like FTP/SMTP/whatever.

My advice to you is, don't try to get to an expensive technical solution when this really is a human, social problem. There will always be a way to get your source code out of your place. (USB, CDs, photo via mobile phone? If someone wants to do so they will succeed...)

Riscie

  • This isn't actually true. There are very effective Data Loss Prevention tools on the market now, and the big-name vendors all have products in this space. – Rory Alsop Sep 18 '12 at 15:07
  • a) Arguable. b) Arguable. c) Certain. Travelling any further down this path risks theological debates... – adric Sep 18 '12 at 18:00
  • @RoryAlsop Could you please name a few? (EDIT: Just saw your answer below.) – Joyce Babu Sep 19 '12 at 04:35
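As an added example (not part of Riscie's answer and not any firewall vendor's code), here is the kind of check that goes one step beyond port-based rules: a small Python classifier that looks at the first bytes each outbound connection sends and flags traffic on an allowed port that does not speak the protocol that port is for, such as an SSH banner on port 80. The allowed-port table, the connection records and the client addresses are all constructed assumptions.

```python
"""Flag outbound connections whose first bytes do not match the protocol
expected on the destination port.

Added example, not code from the original answer. A port-only firewall rule
passes anything sent to 80/443; a protocol check catches the simple case of
a non-HTTP protocol (e.g. an SSH banner) pushed through port 80.
"""

# Assumption: only these two ports are allowed outbound, and each must carry
# the application protocol listed here.
EXPECTED = {80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify_payload(first_bytes: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def flag_mismatches(connections):
    """Return (src, dst_port, seen, expected) for every connection whose
    payload does not match the protocol expected on that destination port."""
    findings = []
    for src, dst_port, first_bytes in connections:
        seen = classify_payload(first_bytes)
        expected = EXPECTED.get(dst_port)
        if expected is not None and seen != expected:
            findings.append((src, dst_port, seen, expected))
    return findings


# Constructed sample: the first bytes sent on four outbound connections.
SAMPLE_CONNECTIONS = [
    ("10.0.0.11", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("10.0.0.12", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    ("10.0.0.13", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),          # SSH on an HTTP port
    ("10.0.0.14", 80, b"\x00\x00\x00\x1c\x0a\x00\x00\x00"),  # unrecognised binary
]

if __name__ == "__main__":
    for src, port, seen, expected in flag_mismatches(SAMPLE_CONNECTIONS):
        print(f"{src} -> port {port}: saw {seen}, expected {expected}")
```

This catches exactly the case the answer describes (an SSH session on port 80) and anything else that is not HTTP on that port. Anything wrapped in genuine TLS looks like TLS to a check like this, which is why the answer's conclusion still holds: egress inspection raises the bar but does not close the door.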

A lot of organisations have this challenge, not just for source code, but for personal data, intellectual property etc., so a lot of work has been done developing solutions.

McAfee, Symantec and various others have very effective products on the market which can be tailored from very simple (looking for signatures in a similar way to how an antivirus scanner works and blocking on hits) all the way up to full data management by classification and access controls at every network egress point, including printers, USB devices, email, web connectivity etc.

Depending on the value of the data, and its type, you will need to look at your approach. For data which is structured, like social security numbers, credit card numbers etc., a signature approach may well work just fine; however, source code isn't usually this simple.

A full solution allows you to classify every file, document, application or in fact anything on your systems, and then place controls at database, OS, network and storage levels which will allow/disallow/alert when an attempt is made to move them.

As has been pointed out, you would also want to restrict mobile phones with cameras (but this would be a really cumbersome way to steal large quantities of source code) and have your USB devices locked down, but those are already standard in many organisations.

Rory Alsop

Once you give someone access to the data, it is insecure.

You can do many things to make it more secure, such as multiple networks, locking down the internet, etc. But there will always be a way to get the data out. Since the source code is text, there are an immeasurable number of ways to get the code out. Email, cutting and pasting it into websites, etc...

Even if you were to cut off the internet itself, the data can still be photographed on a phone and sent out.

Keltari

To add to some of the answers so far, I'd suggest that how easy it would be to achieve this largely depends on the level of access that you provide to your users.

If you provide web browsing without restrictions, then you're in real trouble, as there's a huge number of sites that provide information transfer, both obvious ones (e-mail) and less obvious ones (anything which allows user input, like forums or pastebin-style sites).

Beyond that each and every outbound connection you allow your users to make (including unobvious ones like DNS and ICMP) can be used to exfiltrate data. Of course it depends on how motivated and knowledgeable your "attackers" (in this case staff members) are.

So from a technical standpoint I'd be inclined to agree with @Riscie: technical solutions are unlikely to be cast-iron. They can help prevent accidental leaks and unsophisticated attackers, but beyond that I wouldn't depend on them.

All that said, if you want an idea to think about, what about only providing Internet access via a remote desktop session and blocking all information transfer beyond actual keyboard input (e.g. no copy-paste, no mapped drives etc.)? Then you could put key-logging software on the RDP'd machine and review the logs regularly. You'd also need to lock down their PCs completely (logically and physically) to ensure that no other egress was possible.

It's a draconian solution and would seriously impact the productivity of the workers but it might address your problem :)

Rory McCune

The only way to go is legal. If someone wants to leak some of your code, preventing attachment won't do. It will still be possible to copy-paste it, copy the files to some removable media, open a remote connection through port 80 to some private server, or whatever the people coding will find. And if they are programmers, they WILL find a way.

m4573r

If that is really a concern, try data leak prevention products; there are open source alternatives like OpenDLP, though I have not tried them. Firewalls are not the place to do such things.

sashank