Back in October, Walled Culture wrote about the grandly-named “Piracy Shield”. This is Italy’s new Internet blocking system, which assumes people are guilty until innocent, and gives the copyright industry a disproportionate power to control what is available online, no court orders required. Piracy Shield went live in December, and has just issued its first …
The systems im used to are used in hospitals and banks as well, they are rather a setup of closed off Mashines that can only communicate internally and a second system that gets necessary data outside, the inner circles don’t get internet at all in these setups and they aren’t connected to the outside circle, they are closed off completely. The outside communication builds on a VPN (or sometimes a physical fiber cable) to get to the necessary network (outside databases, or servers that stand in another building/facility for example) where they do their business, the computers in that circle aren’t standalone Mashines, they just start a Virtual Mashine on a server. Incoming traffic goes through a filter that is strictly white-list for all traffic, but you can’t do that as a isp (you cant do your method as a isp either) outgoing traffic is also white-list only. (yes we are assholes and block people from using Facebook at work)
Its just impossible to even start a VPN from these systems unless you have administrator privileges, so im not used to your way of doing it. Maybe some day i need to learn about that more, as things get more and more connected the systems im used too aren’t up to standard anymore it seems. I still like the airgap for safety.
That’s also the policy for the majority of the machines/users but there are a few that do have admin privileges like IT teams and whatnot and even if they manage to install a VPN solution (the app would most likely get blocked by endpoint security either way) they couldn’t communicate to the outside because the firewalls, as I described, are all set to block VPN traffic. Except for those situations I specified above.
The bottom line is: distrust everything, everyone and anything. Even if you can ensure nobody can install a VPN application on their computers, assume someone might get around that and add proper firewall checks and blocks as well.