Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?

An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?

  • Correct (Score:5, Insightful)

    by Spazmania ( 174582 ) on Sunday July 12, 2015 @01:28PM (#50093905) Homepage

    The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!

    • Re:Correct (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday July 12, 2015 @01:38PM (#50093969)

      You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls.

      Well the question would then be why-is-the-firewall-there-in-the-first-place.

      Is it because it was seen as the cost effective solution to workstations being infected by malicious sites/ads/whatever?

      Was there a different reason?

      Web blockers usually require a subscription fee. Why pay the fee and then let users bypass it?

      Wouldn't you want to be notified if a work-related site suddenly got blocked?

      • by gl4ss ( 559668 )

        it's there because it's the job for the asker of the question. if the override system goes through his job is meaningless.

        and if he fears his network for this reason, his network is already fuxored, so there's that. most likely it's just a whitelist anyways (if he thinks that a disconnected network for connected workers is more beneficial than workers working) or a kickback commercial "bad sites" list (which is as useless as an inhouse developed blacklist - it's going to be out of date every day anyways).

    • Re:Correct (Score:5, Interesting)

      by Lesrahpem ( 687242 ) <jason,thistlethwaite&gmail,com> on Sunday July 12, 2015 @01:39PM (#50093977)

      The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!

      This plan is a good one. To curb your concerns you could follow this plan:

      1) Allow users to login to unblock sites on an as-needed basis. Keep the process simple so workflow isn't encumbered.
      2) Keep a log of every time a user logs in to request access. Possibly keep a log of what sites users are visiting with this access, but do not log the traffic. Just the sites.
      3) Pair this log with your issue tracking system and possibly employee performance reviews.

      If an employee's support tickets seem to be linked to the sites they are requesting, the employee can be approached and possible restrictions can be put in place if the problem isn't solved with a conversation. The same goes for browsing habits that might be linked to downturns in performance.

      This way, you are allowing your employees/users their freedom to browse/work, and only restricting the people who keep presenting problems.
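A worked version of steps 2 and 3 above, added here as an illustration and not part of the comment: it parses an override log (hosts only, no traffic) and a ticket export, then lists, for every ticket that reads like a malware clean-up, which override hosts the same user visited in the preceding 24 hours. The two log formats, the regexes, the keyword list and the sample lines are all constructed for the example; swap the regexes for whatever the firewall and ticketing system actually emit.

```python
"""Correlate web-filter override visits with later support tickets.

Added example, not from the original post. Log formats, keyword list
and sample data are invented for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample data (not real logs).
OVERRIDE_LOG = """\
2015-07-13T09:02:11 user=bob event=override-visit host=free-screensavers.example
2015-07-13T09:05:40 user=bob event=override-visit host=codec-pack.example
2015-07-13T10:15:02 user=alice event=override-visit host=vendor-forum.example
2015-07-14T08:30:00 user=bob event=override-visit host=free-screensavers.example
"""

TICKET_LOG = """\
2015-07-13T11:20:00 ticket=1041 user=bob summary="popups and fake AV warning"
2015-07-13T16:00:00 ticket=1042 user=alice summary="password reset"
2015-07-14T09:10:00 ticket=1043 user=bob summary="browser hijacked again"
"""

# Assumed line formats; adapt to the real exports.
OVERRIDE_RE = re.compile(r"^(\S+) user=(\S+) event=override-visit host=(\S+)$")
TICKET_RE = re.compile(r'^(\S+) ticket=(\d+) user=(\S+) summary="([^"]*)"$')
# Ticket wording that suggests a clean-up rather than a routine request.
MALWARE_WORDS = ("popup", "fake av", "hijack", "virus", "malware", "ransom")


def parse_overrides(text: str) -> List[Tuple[datetime, str, str]]:
    """(timestamp, user, host) for each override-visit line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = OVERRIDE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return out


def parse_tickets(text: str) -> List[Tuple[datetime, str, str, str]]:
    """(timestamp, ticket id, user, summary) for each ticket line."""
    out = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def looks_like_malware(summary: str) -> bool:
    s = summary.lower()
    return any(word in s for word in MALWARE_WORDS)


def correlate(overrides, tickets, lookback: timedelta = timedelta(hours=24)) -> Dict[str, list]:
    """For each malware-looking ticket, the override hosts the same user visited
    within `lookback` before it. Returns {user: [(ticket_id, [hosts]), ...]}."""
    by_user = defaultdict(list)
    for ts, user, host in overrides:
        by_user[user].append((ts, host))
    findings = defaultdict(list)
    for ts, ticket, user, summary in tickets:
        if not looks_like_malware(summary):
            continue
        hosts = sorted({h for (t, h) in by_user.get(user, []) if ts - lookback <= t <= ts})
        if hosts:
            findings[user].append((ticket, hosts))
    return dict(findings)


def repeat_offenders(findings: Dict[str, list], threshold: int = 2) -> List[str]:
    """Users with at least `threshold` clean-up tickets preceded by override visits;
    these are the ones worth the conversation the comment describes."""
    return sorted(u for u, f in findings.items() if len(f) >= threshold)


if __name__ == "__main__":
    report = correlate(parse_overrides(OVERRIDE_LOG), parse_tickets(TICKET_LOG))
    for user, items in report.items():
        for ticket, hosts in items:
            print(f"{user}: ticket {ticket} preceded by override visits to {', '.join(hosts)}")
    print("repeat offenders:", repeat_offenders(report))
```

The keyword match is deliberately crude; the point is the join on user and time window, which is what turns a list of visited hosts into something a manager can act on without anyone reading full browsing histories.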

    • Re:Correct (Score:4, Interesting)

      by Anonymous Coward on Sunday July 12, 2015 @03:25PM (#50094425)

      I'm with you on the issue that IT is a function of a business to enable business. I think however there are some real issues with what's going on here.

      1) There is a firewall in place which appears to be impeding business from operating
      2) The IT guy is trying to get justification from outside to continue impeding business instead of taking the opportunity to identify why the firewall is blocking sites which facilitate their business.
      3) He is concerned about malware and other traditional security breaches
      4) The sites being blocked are probably black-listed based on the type of site they are as opposed to blocking malicious content from the site.
      5) The boss seems to believe the users need to access these sites.
      6) He wants to handle this on a case by case basis which seems to impede business enough that this has become an issue.
      7) It sounds like he is using some sort of web filtering system which categorizes site types.

      I can go on for a while... I may be way off base, but it strikes me that this guy lacks the skills or business knowledge to properly secure the business while also facilitating its operation. I completely disagree with the boss's assessment to allow a timed override. This apparently is a solution which doesn't do anything other than impede the workflow of the users. It sounds like the correct solution is for the boss and IT guy to simply decide:
        Do we permit users to access these categories of websites or don't we?

      As for viruses and malware, the entire current generation of firewalls and IPSes on the market are designed to perform deep inspection and most of the good ones implement Snort, ClamAV and more at the edge. They also can retroactively identify that a machine has finished downloading a malicious object before the firewall could identify what it was and then require the machine is remediated until it has been cleared to be on the network again.

      I think the boss also has to choose whether to send this guy to proper training and spend money on real firewalls or whether he should just use a service instead.

      • Re:Correct (Score:5, Insightful)

        by gbjbaanb ( 229885 ) on Sunday July 12, 2015 @04:47PM (#50094749)

        amen. The number of times I've been searching for answers to technical problems, found a site that seems to have the answer from the Google summary, only to click it and be told "denied, reason: personal blog", then I get home and find that someone had the same problem I had, blogged about it to help others solve it.

        So,... I waste loads of company time re-solving that problem because the IT guys think they know best. Sorry - when IT stops being a service to enable the users and starts being their own fiefdom, it's failed.

    • by epyT-R ( 613989 )

      Yeah, then when one of those users infects the network, the know it all is blamed for allowing it.

      • If the user can infect the network, you designed the network wrong.

        • by epyT-R ( 613989 )

          Do you not see the loop here? "Give us at-will unfettered access so we can 'get work done'" --> infection --> "WTF if you did your job we wouldn't have this mess" --> locked down access (repeat until admin is fired for the incompetence of those above him)

          If I am held accountable for security, it's my rules. If I'm not accountable, then I ask for it in writing and assume they'll still try when someone/thing finally does get in. Otherwise, I'll quit before the in-charge idiot's insane expectations c

  • Reasonable Access (Score:5, Interesting)

    by FrozenGeek ( 1219968 ) on Sunday July 12, 2015 @01:29PM (#50093911)
    What do you consider "reasonable" access? I tend to be very conservative about it. If I can do my job, I consider that reasonable access. Anything not strictly required to do my job is simply a bonus. Under those definitions, I've never had a job that did not afford me reasonable access to the internet. I know that many people will consider "reasonable" access to include things like access to Facebook and Twitter and their bank accounts, etc. I disagree. When I'm at work, I'm working. When I'm not at work, I'm not at work. I try very hard to keep the boundary distinct. The more I blur the line, the easier it is for my employer to want me to be always available.
    • by beelsebob ( 529313 ) on Sunday July 12, 2015 @01:33PM (#50093941)

      It's entirely reasonable to expect employees to take short brain breaks during the working day. It's entirely reasonable for those brain breaks to be spent on random web pages.

      All this comes down to is simply trusting your employees. If you can trust them to get on and do their job, and only take reasonable breaks, then you don't need a filter. If you can't trust them, then 1) your culture is fucked up, fix that, and 2) why the hell are you employing someone so untrustworthy that they don't do their job.

      • Re:Reasonable Access (Score:5, Interesting)

        by Bert64 ( 520050 ) <bertNO@SPAMslashdot.firenzee.com> on Sunday July 12, 2015 @01:43PM (#50094011) Homepage

        People these days have portable devices, you can allow them to take breaks using an isolated wifi network and their own portable devices...

        The average corporate desktop is extremely vulnerable to attacks from websites (against the browser, the plugins, other applications etc), and trying to defend against such attacks is a huge pain and/or huge cost.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      There are exceptions, but as a rule, I don't use web filters and firewalls to "restrict" users from using non-threatening websites. Productivity standards and issues should be handled between users and their managers. The web filter exists to protect the network from viruses/malware, and from objectionable content that could reflect poorly on the company (gambling, porn, etc.). Otherwise, I have pretty steadfastly refused to block sites because "Joe shouldn't be on that during work hours.". If Joe isn't get

    • The last 2 places I worked facebook and YouTube have been required for my job. One was working on firmware for a networking appliance, the other was an Internet security application. When a user calls in with a problem I need to be able to reproduce without jumping through some idiotic IT hoops, otherwise I'm wasting my time and the user's. Oh, and 1 of those companies was a company with over 100k employees, I very much doubt IT knew about every product the company created. Are you certain no one in your co
  • by drasfr ( 219085 ) <revedemoi AT gmail DOT com> on Sunday July 12, 2015 @01:30PM (#50093917)

    Outside of spam, dangerous websites with known trojans, and maybe obvious porn, why would you want to block your employees? I've worked once for a big company like this. I left. A lot of websites were blocked. Even craigslist. Led to workarounds and other hacks. It was also quite counter-productive in many ways.

    Honestly if you don't trust your employees don't hire them. If you have employees that aren't productive because they are doing things they shouldn't be doing then let them go.

    I wouldn't work for you.

    • Yep, I don't understand how companies don't get this. If you observe that your employees are spending all day dicking around, and they don't get their assigned work done, you fire them. If you don't observe that, then you have no reason to block their access to anything.

      • by ShanghaiBill ( 739463 ) on Sunday July 12, 2015 @02:29PM (#50094223)

        If you observe that your employees are spending all day dicking around, and they don't get their assigned work done, you fire them.

        Then you go out of business. Responsible self-directed employees who get the job done without close supervision are WAY more expensive than less responsible workers that need some managing. If you hire only the former, you will be crushed by competitors with a much lower cost structure and a much wider hiring pool.

        • by guruevi ( 827432 )

          1 good employee is cheaper than 3 bad ones. Bad employees cause your company to go under due to bad service and reputation. Even McDonalds doesn't let you slack off that bad and they have probably the worst hiring pool imaginable to a company.

      • by steak ( 145650 )

        a firewall appliance costs a few thousand dollars a year; while a labor lawyer to defend a justifiable firing of an incompetent worker in a protected class is many tens of thousands of dollars.

    • Because you never had to clean up after other people's shit? The larger the company, the larger the number of know-it-alls who think they know everything. These are the people who are the leading causes of a virus infection.

      This has nothing to do with trust. This has everything to do with stopping stupid things from happening.

  • People get granted access to a specific machine only for that work and it is kept isolated off all network connections.

    • by khasim ( 1285 )

      Why hasn't this been mod'ed up?

      This is my preferred solution. A machine that sits outside the main firewall that just runs browsers for remote connections.

      The internal machines stay clean and the external machine(s) get wiped/reloaded on a regular schedule.

      Also, everyone logged in gets a daily/weekly report of what sites they've been visiting and when. And a list of people who can request a copy of that list (their boss, their boss' boss, HR, etc). Judge for yourself whether you'd be able to explain your ha

  • by beelsebob ( 529313 ) on Sunday July 12, 2015 @01:31PM (#50093925)

    Stop blocking access at all.

    Just fucking trust your employees. An environment in which people are overtly not trusted to do their jobs just breeds resentment and in fact employees that can't be trusted. People who feel like they're being treated unreasonably tend to act unreasonably in return.

    • by Bert64 ( 520050 )

      Exactly, if you block things then employees will find ways round it...
      I went to a company that blocked "software download sites", so the users couldn't download things like firefox from mozilla.com etc, so they found alternative sites where they could download firefox - and these sites contained malware infested versions instead of legitimate firefox.

      • And when the employer figures it out, you get fired.
        Even in Germany with employee friendly laws that is a reason to get fired without any grace period or warning.
        It is plain stupid to circumvent blocks like that ... I would get rid of employees that dumb immediately.

    • by gweihir ( 88907 )

      I second that. And if you really have highly sensitive systems, isolate them completely from the Internet and give the people working with them additional computers with unrestricted Internet access. Anything else causes far, far more problems than it solves.

    • You can not trust your employee not to infect a machine by surfing a random website like facebook.

      After all every image can have a trojan/virus embedded exploiting the jpg library of your browser/OS.

      It has nothing to do with the employees, its the sites that are the problem, so you block everything except a white list.

  • by gweihir ( 88907 ) on Sunday July 12, 2015 @01:42PM (#50094007)

    The thing is, if the users need/want access to those sites, they will find a way. You are kidding yourself if you believe otherwise. The only thing you can do is channel it to ensure some level of security and for that you _must_ prevent it from being exceedingly inconvenient, like your 45 minutes idea. Everything else leads to insecurity caused by security measures, which is a well-known problem caused by paranoid (and hence incompetent) system isolation. In the worst case, you have to provide additional computers to your users that have less Internet access restrictions.

  • by bool2 ( 1782642 ) on Sunday July 12, 2015 @01:42PM (#50094009) Homepage
    On face value...

    It sounds like you're trying to achieve two separate goals here :

    1. To limit time spent on websites that are potentially not work-related / time wasting / etc
    2. To block websites that are potentially dangerous to your network (infected)

    To implement the boss's suggestion you need a different system to handle each and a way to categorise the blocked sites - or a system that allows more fine grained control.

    Stepping back a bit...

    More importantly though, your boss should want to demonstrate that he trusts his employees to use their work time sensibly. By blocking websites for reasons other than network security and creating little bureaucratic procedures to unblock them you send a clear signal to the employee that they are not to be trusted with a basic resource like web browsing. Expect them to respond in kind.
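The submitter's 45-minute login window and the two-goals point made in the comment above come down to the same design question: which blocked categories a user's login may open, and which stay shut regardless. The following is an added example of that gate, written for this page and not code from the original post or from SonicWall; the category names, the event names and the 45-minute default are assumptions. A security-tier category (malware, phishing) is checked before the override window is even consulted, so a logged-in user can reach personal blogs but still cannot reach a known-bad host, and the audit log records hosts only, never full URLs. The window length is a parameter, so the same class covers the 24-hour grant a later comment describes.

```python
"""Time-boxed web-filter override with a non-overridable security tier.

Added example, not code from the original post or from SonicWall.
The category names, the 45-minute default and the event names are
assumptions made for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Productivity categories: a logged-in user may override these for one window.
OVERRIDABLE = {"social", "personal-blog", "streaming"}
# Security categories: never overridable, whatever the login state.
ALWAYS_BLOCKED = {"malware", "phishing"}


@dataclass
class OverrideGate:
    window: timedelta = timedelta(minutes=45)
    # user -> expiry of that user's current override window
    active: Dict[str, datetime] = field(default_factory=dict)
    # audit trail: (timestamp, user, event, detail); hosts only, never full URLs
    log: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def grant(self, user: str, now: datetime) -> datetime:
        """Called after the user authenticates to the filter; (re)starts the window."""
        expiry = now + self.window
        self.active[user] = expiry
        self.log.append((now, user, "override-granted", expiry.isoformat()))
        return expiry

    def decide(self, user: str, host: str, category: Optional[str], now: datetime) -> str:
        """Decision for one request: 'allow', 'deny' or 'login-required'."""
        # Security tier is evaluated first, so a valid override never opens it.
        if category in ALWAYS_BLOCKED:
            self.log.append((now, user, "deny-security", host))
            return "deny"
        # Anything not in a productivity category is ordinary traffic.
        if category not in OVERRIDABLE:
            return "allow"
        expiry = self.active.get(user)
        if expiry is None or now >= expiry:
            # Window missing or expired: drop it and send the user to the login page.
            self.active.pop(user, None)
            self.log.append((now, user, "login-required", host))
            return "login-required"
        self.log.append((now, user, "override-visit", host))
        return "allow"

    def visits(self, user: str) -> List[str]:
        """Hosts a user reached under an override, for the daily/weekly report."""
        return [detail for (_, u, event, detail) in self.log
                if u == user and event == "override-visit"]


if __name__ == "__main__":
    gate = OverrideGate()
    t0 = datetime(2015, 7, 12, 13, 0)
    print(gate.decide("alice", "blog.example", "personal-blog", t0))  # login-required
    gate.grant("alice", t0)
    print(gate.decide("alice", "blog.example", "personal-blog", t0 + timedelta(minutes=10)))  # allow
    print(gate.decide("alice", "evil.example", "malware", t0 + timedelta(minutes=10)))  # deny
    print(gate.decide("alice", "blog.example", "personal-blog", t0 + timedelta(minutes=45)))  # login-required
```

The order of the checks is the whole point: if the window were consulted first, the override would silently become a bypass of the security list, which is exactly the outcome the submitter is worried about. Expiry is checked on every request rather than by a background timer, so a user who keeps browsing past the window is redirected on the next productivity-category request, and a grant during an active window simply restarts it.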

  • Reasonable Access (Score:5, Insightful)

    by GeekBoy ( 10877 ) on Sunday July 12, 2015 @01:46PM (#50094033)

    I've been an IT manager and an IT director so I'll make a few points from that perspective.
    1) IT is there to serve the needs of the business and one of the needs of the business is to create / facilitate a productive and encouraging work environment. Now, this doesn't need to mean that you give people everything they ask for, but it does mean that you need to trust people. If there are legitimate reasons for concern then get a firewall product that can measure the amount of time someone is spending surfing the net; however, this is really a business concern and this capability is not for IT to worry about, it's for the different LOB managers to worry about. If they have that as a general concern then pursue it, otherwise it's not IT's concern.

    2) What is IT's concern is the security, availability, and integrity of the computing environment and business data and that does mean taking reasonable measures to protect the assets under your control. That means that perhaps you need AV / Anti-Malware / etc. protections. Perhaps also a webfilter that blocks sites that are known for producing malware with the intent to exploit the visitors to that site. Those sites should come from security vendor watchlists and not some arbitrary list put together by the sysadmins.

    3) Doing this is about finding an appropriate balance. That balance can only be maintained through constant communication and feedback with the business leaders (i.e. you need a governance process.) The business leadership / executive will need to decide what that balance is. IT's job is to appropriately communicate the risks, consequences and options and let the executive make the decision on how much risk they are willing to take on. This is why communication is crucial, especially in IT, and why often managers who are non-technical or barely technical, get those positions instead of the very technical people who "know better."

  • by ruir ( 2709173 ) on Sunday July 12, 2015 @01:46PM (#50094039)
    Whilst most of the firewall products nowadays do provide proxies or web interfaces for users (for instance WebVPN in Cisco products), I do find it is a terrible idea to open up services and use up resources from the firewall. Just look at the long list of the security advices from WebVPN in Cisco for instance. I do follow the policy of minimum services that i have as a baggage as a Unix admin, and webvpn/proxy/VPN services are all provided by external servers. For instance, pfSense is quite nifty for that, or squid+dansguardian. Why not provide access or provide unrestrictive access in a wifi network for BYOD? They can as well pierce your firewall with personal VPN services, they are very cheap nowadays. As for the corporate network, many people do not understand how a culture of unrestricted access to social networks and allowing adverts is a covert channel to infect personal computers. Also if you want to invest in security and money is not a problem, have a look at the Capsule concept from Checkpoint.
    • While I agree on your view about access policy one thing struck me:

      > They can as well pierce your firewall with personal VPN services, they are very cheap nowadays.

      In a network structured properly (routers, then IPS/security appliances, then filtering proxy) how could users pierce that with VPN services? If users can pierce your "firewall" (meaning just outbound Internet access) with cheap VPNs, then you mean malware could just as easily transfer data out of your network? Something is wrong with what you are s

  • by drolli ( 522659 )

    I think the reasonable way to handle such things is: don't allow the user to go to additional websites, but give them pixels-and-mouse only access to VMs in some cloud, the state of which is thrown away after the session (and important data explicitly saved to a temporary drive, where you can run all the checks which you like.)

  • by pegdhcp ( 1158827 ) on Sunday July 12, 2015 @01:50PM (#50094063)
    If the block is really worth the CPU time, then you should be in a position that requires it, so do not punch holes in it.

    If the block is not that much necessary, remove it and make life easier for yourself, and the users if you care about them...

    If there are really two kind of users, one that should have access to the outside and another, that should not, then split your user network, especially assuming that a network that has blocks for outbound connections, probably should have a (preferably two) DMZs that houses servers already in place...

  • by o_ferguson ( 836655 ) on Sunday July 12, 2015 @01:54PM (#50094085)
    You just need one b0xen on an ethernet cable to the one unblocked port on a hardware firewall, and ideally onto a separate line from your ISP. Put glue in all the usb ports and legacy ports, or just remove them. Remove the wifi chip from the board, lock the case and set it up with a basic install of your primary OS that re-flashes to a known state at midnight every night. Put this box in a visible, public area where users who have to leave your cordon are forced to do it in front of everyone else and through a secure separate pipe. Scale up with more dumb terminals as needed - old tech that's folding out of regular use in production is a good, cheap source for these boxes.
  • I work as an IT consultant / implementer.
    I tend to work in Big Corporations doing infrastructural software projects. This includes introducing new procedures of how IT staff is going to administer their servers in the future (e.g.: how to use SSH in the future) both by technical as well as organisational means.
    This also means that the IT staff and I are not often on good terms which in turn again means I don't get cut any slack wrt. accessing the internet or getting software installed on my assigned corpora

    • I work as an IT consultant / implementer.

      I also work as a consultant (though programming, not IT).

      You've hit the nail on the head as to how to deal with overly restrictive IT people - work hourly. Now it's not so annoying when you have to go through some lame workaround to do something, it's a direct financial benefit to yourself for the extra hours needed to get work done...

  • I have a similar policy at work: there are a number of intranet and whitelisted internet sites and for the rest you use credentials. Intranet also contains a socialisation portal for mostly professional purposes. Also, every time you enter the credentials you see a notification that traffic is monitored. They have also blacklisted known malware sites and some potentially dangerous sites (such as the infamous sourceforge.com). In principle this is a reasonable policy, as a lot of attacks/infections come from
  • by ledow ( 319597 ) on Sunday July 12, 2015 @02:14PM (#50094155) Homepage

    "This website is blocked.

    Category: Whatever.

    If you wish to unblock, please contact Administrator."

    Anything else is just open to abuse and you may as well not have a web filter at all (P.S. This has NOTHING to do with your firewall).

  • Wrong solution (Score:5, Insightful)

    by dskoll ( 99328 ) on Sunday July 12, 2015 @02:18PM (#50094167) Homepage

    Trying to solve HR problems with technology is doomed to futility.

    At my company, I don't block web sites. If I walked by someone's desk and saw him[1] looking at porn, I'd say "don't do that." If it got out of hand, I'd discipline the person.

    Sometimes I walk past the desks of the tech support guys and I see them on Facebook or playing solitaire. Well, what else are they supposed to be doing if there are no support tickets open or support calls coming in? I don't care if they take breaks every now and then as long as they get their work done.

    ____________________________________________________________

    [1] I suspect it's almost all guys who look at online porn.

  • So far it seems everyone is trying to bring "open internet" to the users computer... why?

    It sounds as if this is intended to be on an "infrequent" and "exception" basis.

    Deploy a terminal server in a DMZ, users can then remote in and browse from there. If you want to allow open downloading, provide a restricted AV protected share to retrieve downloaded files, if you do not want to allow open downloading, provide one anyways but require an IT person to review it manually.
    Reimage nightly if paranoid.

    • > If you want to allow open downloading, provide a restricted AV protected share
      > to retrieve downloaded files, if you do not want to allow open downloading,

      You DO realise that AV usually fails?

      > provide one anyways but require an IT person to review it manually.

      OK so from now on, except for your usual duties as an IT administrator (I like them), now you also need to review files downloaded by 1000 users. Expect calls urging you to review downloaded files. Expect angry people. And how you will

  • My perspective is from working as a contractor to banks and other companies in the banking sector in the UK and Europe, and occasionally to companies working in Defence contracting, where there is no issue with foreign nationals providing such services. The ultimate goal is, where possible, to prevent data breaches. However, when budgets are limited and business requirements mandate access to external services, IT security becomes about (0.9) Establishing ownership of the IT security policy and firewall man

  • If you require access to a restricted site, you ask IT to give you access. we also pass that request to their boss.

    Access is good for 24 hours only unless they have a real need to have access permanently.

    This is trivial to do with any commercial firewall.

  • We have always used VMs/jumpboxes that are segregated from the rest of the network to allow for accessing potentially dangerous or unapproved external sites.

    Downloads are enabled, but to get the files from system requires submitting a ticket to have the files downloaded, scanned, and burned to a DVD or placed on an file server.

    While nothing is 100% safe, this sure beats the hell out of compromising your firewall rules and allowing semi-retarded users to fuck shit up.

  • I'm not sure about your specific legal jurisdiction, but as I understand it, some places have rules that are basically, "If you have a policy and do not technically enforce that policy, then the policy does not exist, and you liable for anything done over that connection." So, if you are making it easy for employees to go to any sites they want and then you get busted for someone accessing kiddie porn, you had better hope you have good logs - although that might not be enough. The sad thing is that the be
  • Claiming security issues is a cop out and excuse to be controlling. If you are running insecure systems, and you are if you are running Windows, then set up a separate wifi network for personal / misc. Internet access. Users can then use their personal devices, phones, tablets, etc., or you could provide Chromebooks which are cheap, secure, easily wipeable, etc. Set up web printing for tickets or similar. If you need to solve attention problems, it needs to be done at the personal level, perhaps suggesting an easy way to insert frequent short breaks. For most types of work, frequent breaks improves productivity. In the past, people took many smoke breaks and similar, so it's not necessarily the case that a Facebook break is a huge new problem. Losing track of time, keeping things in proportion, those can be an issue. A little structure or hinting of some kind is probably all that is needed there.

  • isn't this a bit redundant? There're LAWS which cover this shit. Personally identifiable data is subject to legal protections, violations of which in a privately owned company can and do result in jail time for directors. Data pertaining to infrastructure or financial transactions are subject to varying degrees of protection under national security legislation up to and including the Official Secrets Act. Violation of THAT can lead to charges of treason.

    As a data administrator in a legal practice, personall

  • Some users can be trusted with access. They've got NOD32 installed because your corporate AV is crap, run malware and rootkit scanners regularly, are running with UBlock and Noscript on, no Flash or Java (not even installed). It's probably good to still have a warning for known bad sites for them, but in general they're probably more paranoid than IT is.

    Other people will click on anything. If they get two emails in a row saying 'DO NOT CLICK ON ANY EMAIL LINKS' then the next email has 'CLICK HERE FOR MALWA

  • Why are you blocking access to anything? As an IT administrator it is _not_your_job_ to block anything for users and otherwise disturb them while using your network. Your job as an IT administrator is to allow your users to do their job without any unnecessary obstacles. Also keep in mind that usually (if you are not an IT service company) the users do their jobs so the company earns for your salary - business wise - you don't earn shit, they do.

    So with that in mind the structure of Internet access policy

  • First, what are you protecting? Is your corporate data that precious and attractive that you fear being compromised and the whole of it being taken and sold? Do you store PII? If data such as credentials for banking and financials being stored on your internal network? If so, then you have a substantial liability, and some data loss prevention and malware detection and disablement is necessary.

    Second, do you have any regulatory, legal, or contractual requirements to prevent data loss? If so, prevention

    • > Don't listen to the amateurs. Block by default, require business justification

      So your boss emails you and asks you to implement a policy (read the post) - in my opinion it is business justified enough, at least his (boss) responsibility. Just doing your job is not amateur in my opinion. If it is extremely stupid you should go on and warn him but nevertheless don't object and do your job.

      > and offer a risk assessment for all exception requests,

      This is fair - given boss request you reply - OK I'll do

      • The amateurs I was referring to were the many previous posters railing against block by default, as if they need Facebook, Twitter, and Slashdot to do any work.

        The standard 'my idiot boss told me to...' Is a convenient rhetorical device to dilute meaningful discussion. Bleagh.

        "Don't trust your internal users" means exactly what it says. Your users are a potential threat. Anti-malware tactics need to face both outwards and inwards.

  • by iamacat ( 583406 ) on Sunday July 12, 2015 @04:18PM (#50094631)

    If it's security, a 45 minute window is no improvement over unrestricted access. In fact, firewall login page is an extra chance for password snooping. Ideally, users would be able to open a remote desktop session to an unrestricted VM and the latter can be rolled back to initial state once the session is over.

    If you just don't want them to slack off, consider the battle lost. Everyone has smartphones perfectly suited to watch movies or chat with friends for the whole day. Find ways to measure and reward actual productivity rather than hoping to make people work out of boredom.

  • It is the Company's network connection, block whatever you like.

    But, and this is important, have an easy mechanism where a user can submit an url, an admin can verify it is a legitimate business related site, and have the site whitelisted immediately. That way you can block "Big Butt Russian Teens" or whatever, but when the SmartFilter(tm) randomly decides that Fairchildsemi.com contains "adult content, sports, gambling and lotteries" (happened to me) the legit business use is not impeded.

    • > It is the Company's network connection, block whatever you like.

      If you are the owner of course.

      > But, and this is important, have an easy mechanism where a user
      > can submit an url,

      Browser's address bar easy enough?

      > an admin can verify it is a legitimate business related site, and have the
      > site whitelisted immediately. That way you can block "Big Butt Russian
      > Teens" or whatever, but when the SmartFilter(tm) randomly decides
      > that Fairchildsemi.com contains "adult content, sports, gamb

  • If you have important data it absolutely should not be stored on the same machines used to watch porn and browse Facebook. I know we are supposed to be entering the Internet Of Things revolution where even your fridge has direct access to the internet, but there is no reason to use the same machine to both access random web pages and store sensitive client financial data. Just install an open wifi router, completely disconnected from your business network, and allow the employees to research/goof-off at th
  • If we are rightly scared of browser-borne infections and intrusions, then why are we still running browsers on our machines? Why not designate a machine, outside the firewall / in the DMZ, that runs ALL the browsers. The user logs into that machine, and the browser display events are sent back to the client machine. The safe client machine never runs a single snippet of plugin, or gobbles a single byte of untrusted network traffic. The client machine does not even -know- how to get to the internet
