Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?
An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?
Correct (Score:5, Insightful)
The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!
Re:Correct (Score:5, Insightful)
Well the question would then be why-is-the-firewall-there-in-the-first-place.
Is it because it was seen as the cost effective solution to workstations being infected by malicious sites/ads/whatever?
Was there a different reason?
Web blockers usually require a subscription fee. Why pay the fee and then let users bypass it?
Wouldn't you want to be notified if a work-related site suddenly got blocked?
Re: (Score:3)
It's there because it's the job for the asker of the question. If the override system goes through, his job is meaningless.
And if he fears his network for this reason, his network is already fuxored, so there's that. Most likely it's just a whitelist anyways (if he thinks that a disconnected network for connected workers is more beneficial than workers working) or a kickback commercial "bad sites" list (which is as useless as an in-house developed blacklist; it's going to be out of date every day anyways).
Re: Accidental Upmod (Score:5, Insightful)
Meanwhile, your post is not insightful at all.
Re:Correct (Score:5, Interesting)
> The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!
This plan is a good one. To curb your concerns you could follow this plan:
If an employee's support tickets seem to be linked to the sites they are requesting, the employee can be approached and possible restrictions can be put in place if the problem isn't solved with a conversation. The same goes for browsing habits that might be linked to downturns in performance.
This way, you are allowing your employees/users their freedom to browse/work, and only restricting the people who keep presenting problems.
Re:Correct (Score:4, Interesting)
I'm with you on the issue that IT is a function of a business to enable business. I think however there are some real issues with what's going on here.
1) There is a firewall in place which appears to be impeding business from operating
2) The IT guy is trying to get justification from outside to continue impeding business instead of taking the opportunity to identify why the firewall is blocking sites which facilitate their business.
3) He is concerned about malware and other traditional security breaches
4) The sites being blocked are probably black-listed based on the type of site they are as opposed to blocking malicious content from the site.
5) The boss seems to believe the users need to access these sites.
6) He wants to handle this on a case by case basis which seems to impede business enough that this has become an issue.
7) It sounds like he is using some sort of web filtering system which categorizes site types.
I can go on for a while... I may be way off base, but it strikes me that this guy lacks the skills or business knowledge to properly secure the business while also facilitating its operation. I completely disagree with the boss's assessment to allow a timed override. This apparently is a solution which doesn't do anything other than impede the workflow of the users. It sounds like the correct solution is for the boss and IT guy to simply decide:
Do we permit users to access these categories of websites or don't we?
As for viruses and malware, the entire current generation of firewalls and IPSes on the market are designed to perform deep inspection and most of the good ones implement Snort, ClamAV and more at the edge. They also can retroactively identify that a machine has finished downloading a malicious object before the firewall could identify what it was and then require the machine is remediated until it has been cleared to be on the network again.
I think the boss also has to choose whether to send this guy to proper training and spend money on real firewalls or whether he should just use a service instead.
Re:Correct (Score:5, Insightful)
Amen. The number of times I've been searching for answers to technical problems, found a site that seems to have the answer from the Google summary, only to click it and be told "denied, reason: personal blog", then got home and found that someone had had the same problem I had and blogged about it to help others solve it.
So... I waste loads of company time re-solving that problem because the IT guys think they know best. Sorry, when IT stops being a service to enable the users and starts being their own fiefdom, it's failed.
Re: (Score:2)
Yeah, then when one of those users infects the network, the know it all is blamed for allowing it.
Re: (Score:2)
If the user can infect the network, you designed the network wrong.
Re: (Score:2)
Do you not see the loop here? "Give us at-will unfettered access so we can 'get work done'" --> infection --> "WTF, if you did your job we wouldn't have this mess" --> locked down access (repeat until admin is fired for the incompetence of those above him)
If I am held accountable for security, it's my rules. If I'm not accountable, then I ask for it in writing and assume they'll still try when someone/thing finally does get in. Otherwise, I'll quit before the in-charge idiot's insane expectations c
Re: (Score:3)
The point is, you can't really stop an informed employee/network user from getting around your firewalls. Worst case scenario they just chain off the phone. The downside to this is you still need a firewall to block malware sites. Informed users can still end up on those so that is a potential vulnerability but non informed users have a much higher chance without some type of web blocker. So I'd say just keep a blackli
Reasonable Access (Score:5, Interesting)
Re:Reasonable Access (Score:5, Insightful)
It's entirely reasonable to expect employees to take short brain breaks during the working day. It's entirely reasonable for those brain breaks to be spent on random web pages.
All this comes down to is simply trusting your employees. If you can trust them to get on and do their job, and only take reasonable breaks, then you don't need a filter. If you can't trust them, then 1) your culture is fucked up, fix that, and 2) why the hell are you employing someone so untrustworthy that they don't do their job.
Re:Reasonable Access (Score:5, Interesting)
People these days have portable devices, you can allow them to take breaks using an isolated wifi network and their own portable devices...
The average corporate desktop is extremely vulnerable to attacks from websites (against the browser, the plugins, other applications etc), and trying to defend against such attacks is a huge pain and/or huge cost.
Re: (Score:2)
I've been using Linux since 1995, and even I see this as a worthless suggestion. To start, there have been a number of 0-days against Linux
Re: (Score:2)
> It's entirely reasonable for them to use the wired and wireless networks not connected to the servers.
I agree. The problem comes when an employer refuses to provide "wired and wireless networks not connected to the servers." Instead, the employer requires each employee to subscribe to cellular Internet access to use while on break. Is it worth giving each employee a $600 per year raise to pay for this subscription?
Re:Reasonable Access (Score:5, Informative)
> What kind of person doesn't already have internet on their phone plan?
Me. I carry a flip phone for urgent calls and use my roommate's land line for longer calls.
Re: (Score:2)
Was free unfettered Internet use one of the benefits in your compensation package? If not, why do you think you should have the company pay for it?
Balance of benefits (Score:2)
> Was free unfettered Internet use one of the benefits in your compensation package?
Are you asking about my own personal employment situation or about what compensation package provides the best balance of benefits to the employer and employee? I was intending to discuss the latter. I imagine it's cheaper for an employer to offer segregated Wi-Fi in the break room than to increase all employees' salaries by the amount needed to subscribe to comparable individual cellular data service.
Re: (Score:2)
You must be the 4 or 5 percent, or over 65...
Re: (Score:2)
Me also.
Daytime: I sit in front of a desktop with relatively unencumbered internet access.
Evenings: If I choose to use the internet (and I usually do), my desktop has full internet access.
Commute: I cycle to and from work, no chance to use the internet
My Nokia brick is on a pre-paid plan, mostly just texting my wife, costs about $5 per month. There is zero requirement for me to check work emails out of office hours, and anything other than a full keyboard drives me crazy. For my use case a smart phone and
Re: (Score:2, Interesting)
There are exceptions, but as a rule, I don't use web filters and firewalls to "restrict" users from using non-threatening websites. Productivity standards and issues should be handled between users and their managers. The web filter exists to protect the network from viruses/malware, and from objectionable content that could reflect poorly on the company (gambling, porn, etc.). Otherwise, I have pretty steadfastly refused to block sites because "Joe shouldn't be on that during work hours.". If Joe isn't get
Re: (Score:2)
http://dilbert.com/strip/1996-... [dilbert.com]
Re: (Score:2)
Not my type of company (Score:4, Informative)
Outside of spam, dangerous websites with known trojans, and maybe obvious porn, why would you want to block your employees? I've worked once for a big company like this. I left. A lot of websites were blocked. Even craigslist. Led to workarounds and other hacks. It was also quite counter-productive in many ways.
Honestly if you don't trust your employees don't hire them. If you have employees that aren't productive because they are doing things they shouldn't be doing then let them go.
I wouldn't work for you.
Re: (Score:3)
Yep, I don't understand how companies don't get this. If you observe that your employees are spending all day dicking around, and they don't get their assigned work done, you fire them. If you don't observe that, then you have no reason to block their access to anything.
Re:Not my type of company (Score:5, Insightful)
> If you observe that your employees are spending all day dicking around, and they don't get their assigned work done, you fire them.
Then you go out of business. Responsible self-directed employees who get the job done without close supervision are WAY more expensive than less responsible workers that need some managing. If you hire only the former, you will be crushed by competitors with a much lower cost structure and a much wider hiring pool.
Re: (Score:2)
1 good employee is cheaper than 3 bad ones. Bad employees cause your company to go under due to bad service and reputation. Even McDonalds doesn't let you slack off that bad and they have probably the worst hiring pool imaginable to a company.
Re: (Score:3)
a firewall appliance costs a few thousand dollars a year; while a labor lawyer to defend a justifiable firing of an incompetent worker in a protected class is many tens of thousands of dollars.
Re: (Score:2)
Because you never had to clean up after other people's shit? The larger the company, the larger the number of know-it-alls who think they know everything. These are the people who are the leading causes of a virus infection.
This has nothing to do with trust. This has everything to do with stopping stupid things from happening.
Not all cell phones support data (Score:2)
> Finally, everyone has a cell phone nowadays.
An Audiovox 8610 flip phone cannot connect to the Internet.
> Cellular data - use that.
I'd be glad to do so in exchange for a reasonable cellular data stipend. Consider these choices:
I imagine that of the three, option A
Re: (Score:2)
Re: (Score:2)
Why can't both states coexist?
Re: (Score:3)
I'd imagine that:
D. No internet access at work outside of sites deemed acceptable by IT.
Would be the most affordable. Nobody gives a shit about your flip phone and your request for a stipend so that you can browse your websites on work time.
Re: (Score:2)
> Nobody gives a shit about your flip phone and your request for a stipend so that you can browse your websites on work time.
It appears either you or I have a misunderstanding of what "break time" and "retention of talent" are supposed to mean.
Re: (Score:2)
If you are such a damned diva, I don't want you working for me.
Separate Internet line off the company network! (Score:3)
People get granted access to a specific machine only for that work and it is kept isolated off all network connections.
Re: (Score:2)
Why hasn't this been mod'ed up?
This is my preferred solution. A machine that sits outside the main firewall that just runs browsers for remote connections.
The internal machines stay clean and the external machine(s) get wiped/reloaded on a regular schedule.
Also, everyone logged in gets a daily/weekly report of what sites they've been visiting and when. And a list of people who can request a copy of that list (their boss, their boss' boss, HR, etc). Judge for yourself whether you'd be able to explain your ha
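A per-user browsing report of the kind this reply describes, as an added example that is not code from any post in the thread: it parses squid-style native access.log lines (constructed here; the username sits in the auth/ident field, as squid writes it when proxy authentication is on) and summarises, per user, the allowed requests per host and the attempts the filter refused (TCP_DENIED). Hostnames, users, addresses and timestamps are invented for the example.

```python
"""Per-user browsing report from proxy access-log lines.

Added example (not from the thread or from squid itself). Summarises
squid native-format access.log lines per user: allowed requests per host
with byte counts and first/last seen, plus a separate tally of blocked
(TCP_DENIED) attempts. The log lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample in squid native format (10 whitespace-separated fields):
# time elapsed client action/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1426251000.123    120 10.0.0.12 TCP_MISS/200 5123 GET http://kb.example.com/fix-printer alice HIER_DIRECT/203.0.113.5 text/html
1426251030.456     80 10.0.0.12 TCP_HIT/200 2048 GET http://kb.example.com/fix-printer/img.png alice NONE/- image/png
1426251100.789      0 10.0.0.12 TCP_DENIED/403 3200 GET http://personal-blog.example.net/post/42 alice NONE/- text/html
1426252000.001    300 10.0.0.45 TCP_MISS/200 9000 GET https://social.example.org/feed bob HIER_DIRECT/203.0.113.9 text/html
1426252500.002      0 10.0.0.45 TCP_DENIED/403 3200 GET https://social.example.org/feed bob NONE/- text/html
1426253000.003     50 10.0.0.45 TCP_MISS/200 1200 CONNECT mail.example.com:443 bob HIER_DIRECT/203.0.113.7 -
"""


@dataclass
class Entry:
    ts: float
    user: str
    action: str    # TCP_MISS, TCP_HIT, TCP_DENIED, ...
    status: int
    size: int
    method: str
    host: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything malformed."""
    f = line.split()
    if len(f) != 10:
        return None
    try:
        ts = float(f[0])
        size = int(f[4])
        action, status = f[3].split("/", 1)
        status = int(status)
    except ValueError:
        return None
    method, url, user = f[5], f[6], f[7]
    if method == "CONNECT":                      # CONNECT logs host:port, no scheme
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    if not host:
        return None
    return Entry(ts, user, action, status, size, method, host)


def build_report(lines):
    """Aggregate per user: allowed traffic per host, and blocked attempts per host."""
    report = defaultdict(lambda: {"hosts": {}, "blocked": defaultdict(int)})
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        u = report[e.user]
        if e.action == "TCP_DENIED":              # policy hit, not a visit
            u["blocked"][e.host] += 1
            continue
        h = u["hosts"].setdefault(e.host, {"requests": 0, "bytes": 0,
                                           "first": e.ts, "last": e.ts})
        h["requests"] += 1
        h["bytes"] += e.size
        h["first"] = min(h["first"], e.ts)
        h["last"] = max(h["last"], e.ts)
    return {u: {"hosts": d["hosts"], "blocked": dict(d["blocked"])}
            for u, d in report.items()}


def _fmt(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def render_report(report, user: str) -> str:
    """Plain-text report for one user, busiest hosts first."""
    d = report.get(user)
    if d is None:
        return f"No proxy activity recorded for {user}"
    out = [f"Browsing report for {user}"]
    for host, h in sorted(d["hosts"].items(), key=lambda kv: -kv[1]["requests"]):
        out.append(f"  {host:40} {h['requests']:5d} req {h['bytes']:9d} B  "
                   f"{_fmt(h['first'])} .. {_fmt(h['last'])}")
    if d["blocked"]:
        out.append("  Blocked attempts (filter hits, not infections):")
        for host, n in sorted(d["blocked"].items()):
            out.append(f"    {host:38} {n:5d}")
    return "\n".join(out)


if __name__ == "__main__":
    rep = build_report(SAMPLE_LOG.splitlines())
    for u in sorted(rep):
        print(render_report(rep, u), end="\n\n")
```

Blocked attempts are kept apart from visits on purpose: a TCP_DENIED line proves only that the filter fired, and a report that lumps it in with real traffic invites exactly the "you were on that site" argument the reply warns about.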
This is really simple... (Score:3)
Stop blocking access at all.
Just fucking trust your employees. An environment in which people are overtly not trusted to do their jobs just breeds resentment and in fact employees that can't be trusted. People who feel like they're being treated unreasonably tend to act unreasonably in return.
Re: (Score:2)
Exactly, if you block things then employees will find ways round it...
I went to a company that blocked "software download sites", so the users couldn't download things like firefox from mozilla.com etc, so they found alternative sites where they could download firefox - and these sites contained malware infested versions instead of legitimate firefox.
Re: (Score:2)
And when the employer figures it out, you get fired. ... I would get rid of employees that dumb immediately.
Even in Germany with employee-friendly laws that is a reason to get fired without any grace period or warning.
It is plain stupid to circumvent blocks like that
Re: (Score:2)
I second that. And if you really have highly sensitive systems, isolate them completely from the Internet and give the people working with them additional computers with unrestricted Internet access. Anything else causes far, far more problems than it solves.
Re:This is really simple... (Score:5, Interesting)
You cannot trust your employee not to infect a machine by surfing a random website like facebook.
After all every image can have a trojan/virus embedded exploiting the jpg library of your browser/OS.
It has nothing to do with the employees, its the sites that are the problem, so you block everything except a white list.
Re: (Score:2)
Why on earth would not blocking internet access lead to sexual harassment charges?
Re: (Score:3)
says the moron who has never been at a company where an employee sued for tens of thousands of dollars because one employee decided to look at porn and another employee was "offended".
That's trivial to deal with - you explicitly write it in the company hand book that looking at porn is banned. When the other person is offended, you quickly nip it in the bud by disciplining the person looking at porn.
As I said - if you don't trust the employees, don't employ them.
For reference, there are some enormous companies out there that don't filter the internet (I work for one). They survive just fine simply by saying "don't be idiots and look at porn at work".
Re: (Score:2)
It is straightforward if you are defending against an obvious breach such as watching porn on work systems. What becomes more challenging is if you have to manage people doing menial or crap jobs. People in those jobs tend to be less motivated and hence it is more of a case of forcing people rather than allowing them to just get on with it.
The type of thing I am talking about is a call centre or something like that. You are looking at low paid, high turnover jobs. No one ever said "when I grow up I wa
Re: (Score:2)
Re: (Score:2)
Summarily fire the twit who, rather than doing his job, was peering at what someone else was doing, trolling to see something "offensive" to his mama's little angel's eyes. At least then that piece of shit will have to find some other place to be offended by what other people are doing that is zero concern of theirs.
Re: (Score:2)
Great. Another wrongful termination lawsuit.
Not a good idea to nanny users (Score:3)
The thing is, if the users need/want access to those sites, they will find a way. You are kidding yourself if you believe otherwise. The only thing you can do is channel it to ensure some level of security and for that you _must_ prevent it from being exceedingly inconvenient, like your 45 minutes idea. Everything else leads to insecurity caused by security measures, which is a well-known problem caused by paranoid (and hence incompetent) system isolation. In the worst case, you have to provide additional computers to your users that have less Internet access restrictions.
Break down the problem (Score:3)
It sounds like you're trying to achieve two separate goals here :
To implement the boss's suggestion you need a different system to handle each and a way to categorise the blocked sites, or a system that allows more fine-grained control.
Stepping back a bit...
More importantly though, your boss should want to demonstrate that he trusts his employees to use their work time sensibly. By blocking websites for reasons other than network security and creating little bureaucratic procedures to unblock them you send a clear signal to the employee that they are not to be trusted with a basic resource like web browsing. Expect them to respond in kind.
Reasonable Access (Score:5, Insightful)
I've been an IT manager and an IT director so I'll make a few points from that perspective.
1) IT is there to serve the needs of the business and one of the needs of the business is to create / facilitate a productive and encouraging work environment. Now, this doesn't need to mean that you give people everything they ask for, but it does mean that you need to trust people. If there are legitimate reasons for concern then get a firewall product that can measure the amount of time someone is spending surfing the net; however, this is really a business concern and this capability is not for IT to worry about, it's for the different LOB managers to worry about. If they have that as a general concern then pursue it, otherwise it's not IT's concern.
2) What is IT's concern is the security, availability, and integrity of the computing environment and business data and that does mean taking reasonable measures to protect the assets under your control. That means that perhaps you need AV / Anti-Malware / etc. protections. Perhaps also a webfilter that blocks sites that are known for producing malware with the intent to exploit the visitors to that site. Those sites should come from security vendor watchlists and not some arbitrary list put together by the sysadmins.
3) Doing this is about finding an appropriate balance. That balance can only be maintained through constant communication and feedback with the business leaders (i.e. you need a governance process.) The business leadership / executive will need to decide what that balance is. IT's job is to appropriately communicate the risks, consequences and options and let the executive make the decision on how much risk they are willing to take on. This is why communication is crucial, especially in IT, and why often managers who are non-technical or barely technical, get those positions instead of the very technical people who "know better."
Why firewall? (Score:3)
Re: (Score:2)
While I agree on your view about access policy one thing struck me:
> They can as well pierce your firewall with personal VPN services, they are very cheap nowadays.
In a properly structured network (routers, then IPS/security appliances, then a filtering proxy) how could users pierce that with VPN services? If users can pierce your "firewall" (meaning just outbound Internet access) with cheap VPNs, then that means malware could just as easily transfer data out of your network? Something is wrong with what you are s
VMs? (Score:2)
I think the reasonable way to handle such things is: don't allow the user to go to additional websites, but give them pixels-and-mouse only access to VMs in some cloud, the state of which is thrown away after the session (and important data explicitly saved to a temporary drive, where you can run all the checks which you like.)
Why is there a block in place? (Score:3)
If the block is not that much necessary, remove it and make life easier for yourself, and the users if you care about them...
If there are really two kinds of users, one that should have access to the outside and another that should not, then split your user network, especially assuming that a network that has blocks for outbound connections probably should have a (preferably two) DMZs that house servers already in place...
That's not where your solution lies. (Score:3)
Re: That's not where your solution lies. (Score:4, Insightful)
B0xen? Seriously?
Re: (Score:3)
Re: That's not where your solution lies. (Score:5, Informative)
Not only that, but only one b0xen.
Need to get around IT (Score:2)
I work as an IT consultant / implementer.
I tend to work in Big Corporations doing infrastructural software projects. This includes introducing new procedures of how IT staff is going to administer their servers in the future (e.g.: how to use SSH in the future) both by technical as well as organisational means.
This also means that the IT staff and I are not often on good terms which in turn again means I don't get cut any slack wrt. accessing the internet or getting software installed on my assigned corpora
Turning Problems to Benefits (Score:2)
> I work as an IT consultant / implementer.
I also work as a consultant (though programming, not IT).
You've hit the nail on the head as to how to deal with overly restrictive IT people - work hourly. Now it's not so annoying when you have to go through some lame workaround to do something, it's a direct financial benefit to yourself for the extra hours needed to get work done...
Blacklisting and whitelisting (Score:2)
What the hell is wrong with... (Score:5, Insightful)
"This website is blocked.
Category: Whatever.
If you wish to unblock, please contact Administrator."
Anything else is just open to abuse and you may as well not have a web filter at all (P.S. This has NOTHING to do with your firewall).
Wrong solution (Score:5, Insightful)
Trying to solve HR problems with technology is doomed to futility.
At my company, I don't block web sites. If I walked by someone's desk and saw him[1] looking at porn, I'd say "don't do that." If it got out of hand, I'd discipline the person.
Sometimes I walk past the desks of the tech support guys and I see them on Facebook or playing solitaire. Well, what else are they supposed to be doing if there are no support tickets open or support calls coming in? I don't care if they take breaks every now and then as long as they get their work done.
____________________________________________________________
[1] I suspect it's almost all guys who look at online porn.
Re: (Score:2)
I didn't say only. I said "almost all".
One overlooked option... (Score:2)
So far it seems everyone is trying to bring "open internet" to the users computer... why?
It sounds as if this is intended to be on an "infrequent" and "exception" basis.
Deploy a terminal server in a DMZ, users can then remote in and browse from there. If you want to allow open downloading, provide a restricted AV protected share to retrieve downloaded files, if you do not want to allow open downloading, provide one anyways but require an IT person to review it manually.
Reimage nightly if paranoid.
Re: (Score:2)
> If you want to allow open downloading, provide a restricted AV protected share
> to retrieve downloaded files, if you do not want to allow open downloading,
You DO realise that AV usually fails?
> provide one anyways but require an IT person to review it manually.
OK, so from now on, except for your usual duties as an IT administrator (I like them), you also need to review files downloaded by 1000 users. Expect calls urging you to review downloaded files. Expect angry people. And how you will
BOFH says "none" (Score:2)
My perspective is from working as a contractor to banks and other companies in the banking sector in the UK and Europe, and occasionally to companies working in Defence contracting, where there is no issue with foreign nationals providing such services. The ultimate goal is, where possible, to prevent data breaches. However, when budgets are limited and business requirements mandate access to external services, IT security becomes about (0.9) Establishing ownership of the IT security policy and firewall man
Re: (Score:2)
Perhaps you should read up what a DMZ actually is (in firewall speaking).
Easy as pie (Score:2)
If you require access to a restricted site, you ask IT to give you access. We also pass that request to their boss.
Access is good for 24 hours only unless they have a real need to have access permanently.
This is trivial to do with any commercial firewall.
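One way to implement the time-boxed exception scheme this post and the original question describe (24 hours here, 45 minutes in the question), with the "This website is blocked / Category / contact Administrator" page wording from the "What the hell is wrong with..." post above, as an added example that is not code from any post, from SonicWall, or from any commercial firewall: a default-deny category filter, per-user exceptions that lapse on their own, a refusal to grant exceptions for malware categories at all, and an audit trail of who approved what. The category table, hostnames, users, the fixed demo clock T0 and the durations are all invented for the example.

```python
"""Default-deny web filter with time-boxed, per-user exceptions.

Added example, not code from the thread or from any firewall vendor.
Models the scheme under discussion: sites in certain categories are blocked
by default, a user can be granted access for a bounded time (recorded with
who approved it and why), and the grant lapses on its own. Category table,
hostnames, users and timings below are invented for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed category table; a real deployment pulls this from a vendor feed.
CATEGORIES = {
    "kb.example.com": "business",
    "personal-blog.example.net": "personal-blog",
    "social.example.org": "social",
    "malware-c2.example.net": "malware",
}
BLOCKED_BY_DEFAULT = {"personal-blog", "social", "gambling", "adult"}
NEVER_OVERRIDABLE = {"malware", "phishing"}        # no exception possible, ever

T0 = datetime(2015, 3, 13, 9, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def at(minutes: float) -> datetime:
    """Demo clock: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Grant:
    user: str
    host: str
    approved_by: str
    reason: str
    expires: datetime


@dataclass
class Decision:
    allowed: bool
    category: str
    message: str


class WebPolicy:
    def __init__(self, categories: Dict[str, str], max_grant=timedelta(hours=24)):
        self.categories = {h.lower(): c for h, c in categories.items()}
        self.max_grant = max_grant                   # hard cap on any exception
        self.grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[str] = []

    def category_of(self, host: str) -> str:
        """Look up the host, then each parent domain, in the category table."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            cat = self.categories.get(".".join(labels[i:]))
            if cat:
                return cat
        return "uncategorised"

    def request_exception(self, user, host, approved_by, reason, minutes, now) -> Grant:
        """Record a time-boxed exception; refused outright for malware categories."""
        cat = self.category_of(host)
        if cat in NEVER_OVERRIDABLE:
            self.audit.append(f"{now.isoformat()} REFUSED {user} {host} ({cat}) by {approved_by}")
            raise PermissionError(f"{host} is categorised as {cat}; no override possible")
        ttl = min(timedelta(minutes=minutes), self.max_grant)
        grant = Grant(user, host.lower(), approved_by, reason, now + ttl)
        self.grants[(user, grant.host)] = grant
        self.audit.append(f"{now.isoformat()} GRANT {user} {host} ({cat}) "
                          f"until {grant.expires.isoformat()} by {approved_by}: {reason}")
        return grant

    def check(self, user: str, host: str, now: datetime) -> Decision:
        """Decide one request; this is what the proxy would call per URL."""
        cat = self.category_of(host)
        if cat in NEVER_OVERRIDABLE:
            return Decision(False, cat, f"Blocked: {host} is listed as {cat}.")
        if cat not in BLOCKED_BY_DEFAULT:
            return Decision(True, cat, "")
        grant = self.grants.get((user, host.lower()))
        if grant and grant.expires > now:
            return Decision(True, cat, f"Allowed under exception until {grant.expires:%H:%M} UTC.")
        if grant:                                    # lapsed: drop it, require a fresh request
            del self.grants[(user, host.lower())]
            self.audit.append(f"{now.isoformat()} EXPIRED {user} {host}")
        return Decision(False, cat, "This website is blocked.\n"
                                    f"Category: {cat}.\n"
                                    "If you wish to unblock, please contact Administrator.")


if __name__ == "__main__":
    policy = WebPolicy(CATEGORIES)
    policy.request_exception("alice", "personal-blog.example.net", "bob.manager",
                             "vendor workaround posted there", 45, at(0))
    for t in (10, 50):
        d = policy.check("alice", "personal-blog.example.net", at(t))
        print(f"t+{t}m allowed={d.allowed}: {d.message}")
    print("\n".join(policy.audit))
```

The two properties worth carrying over to a real appliance are that the malware list is checked before any exception is consulted, so a timed override never opens a known-bad site, and that every grant names an approver, which is what turns "the user logged into the firewall" into something a manager can actually be asked about.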
Re: (Score:2)
VM/jumpbox (Score:2)
We have always used VMs/jumpboxes that are segregated from the rest of the network to allow for accessing potentially dangerous or unapproved external sites.
Downloads are enabled, but to get the files from system requires submitting a ticket to have the files downloaded, scanned, and burned to a DVD or placed on an file server.
While nothing is 100% safe, this sure beats the hell out of compromising your firewall rules and allowing semi-retarded users to fuck shit up.
Legal issues might be a problem... (Score:2)
It's déjà vu all over again .. (Score:3)
Trust employees, Solve Security, Easy Efficiency (Score:3)
Claiming security issues is a cop out and excuse to be controlling. If you are running insecure systems, and you are if you are running Windows, then set up a separate wifi network for personal / misc. Internet access. Users can then use their personal devices, phones, tablets, etc., or you could provide Chromebooks which are cheap, secure, easily wipeable, etc. Set up web printing for tickets or similar. If you need to solve attention problems, it needs to be done at the personal level, perhaps suggesting an easy way to insert frequent short breaks. For most types of work, frequent breaks improves productivity. In the past, people took many smoke breaks and similar, so it's not necessarily the case that a Facebook break is a huge new problem. Losing track of time, keeping things in proportion, those can be an issue. A little structure or hinting of some kind is probably all that is needed there.
Data security in a company that relies on data (Score:2)
isn't this a bit redundant? There're LAWS which cover this shit. Personally identifiable data is subject to legal protections, violations of which in a privately owned company can and do result in jail time for directors. Data pertaining to infrastructure or financial transactions are subject to varying degrees of protection under national security legislation up to and including the Official Secrets Act. Violation of THAT can lead to charges of treason.
As a data administrator in a legal practice, personall
Do it by the person (Score:2)
Some users can be trusted with access. They've got NOD32 installed because your corporate AV is crap, run malware and rootkit scanners regularly, are running with UBlock and Noscript on, no Flash or Java (not even installed). It's probably good to still have a warning for known bad sites for them, but in general they're probably more paranoid than IT is.
Other people will click on anything. If they get two emails in a row saying 'DO NOT CLICK ON ANY EMAIL LINKS' then the next email has 'CLICK HERE FOR MALWA
Why? (Score:2)
Why are you blocking access to anything? As an IT administrator it is _not_your_job_ to block anything for users and otherwise disturb them while using your network. Your job as an IT administrator is to allow your users to do their job without any unnecessary obstacles. Also keep in mind that usually (if you are not an IT service company) the users do their jobs so the company earns your salary; business-wise, you don't earn shit, they do.
So with that in mind the structure of Internet access policy
So what is your goal? (Score:2)
First, what are you protecting? Is your corporate data so precious and attractive that you fear being compromised and the whole of it being taken and sold? Do you store PII? Is data such as credentials for banking and financials being stored on your internal network? If so, then you have a substantial liability, and some data loss prevention and malware detection and disablement is necessary.
Second, do you have any regulatory, legal, or contractual requirements to prevent data loss? If so, prevention
Re: (Score:2)
> Don't listen to the amateurs. Block by default, require business justification
So your boss emails you and asks you to implement a policy (read the post); in my opinion it is business-justified enough, at least it is his (the boss's) responsibility. Just doing your job is not amateur in my opinion. If it is extremely stupid you should go on and warn him, but nevertheless don't object and do your job.
> and offer a risk assessment for all exception requests,
This is fair - given boss request you reply - OK I'll do
Re: So what is your goal? (Score:2)
The amateurs I was referring to were the many previous posters railing against block by default, as if they need Facebook, Twitter, and Slashdot to do any work.
The standard 'my idiot boss told me to...' Is a convenient rhetorical device to dilute meaningful discussion. Bleagh.
"Don't trust your internal users" means exactly what it says. Your users are a potential threat. Anti-malware tactics need to face both outwards and inwards.
What is the motivation to block access? (Score:3)
If it's security, a 45-minute window is no improvement over unrestricted access. In fact, a firewall login page is an extra chance for password snooping. Ideally, users would be able to open a remote desktop session to an unrestricted VM and the latter can be rolled back to its initial state once the session is over.
If you just don't want them to slack off, consider the battle lost. Everyone has smartphones perfectly suited to watch movies or chat with friends for the whole day. Find ways to measure and reward actual productivity rather than hoping to make people work out of boredom.
User Perspective. (Score:2)
It is the Company's network connection, block whatever you like.
But, and this is important, have an easy mechanism where a user can submit a URL, an admin can verify it is a legitimate business related site, and have the site whitelisted immediately. That way you can block "Big Butt Russian Teens" or whatever, but when the SmartFilter(tm) randomly decides that Fairchildsemi.com contains "adult content, sports, gambling and lotteries" (happened to me) the legit business use is not impeded.
Re: (Score:2)
> It is the Company's network connection, block whatever you like.
If you are the owner of course.
> But, and this is important, have an easy mechanism where a user
> can submit an url,
Browser's address bar easy enough?
> an admin can verify it is a legitimate business related site, and have the
> site whitelisted immediately. That way you can block "Big Butt Russian
> Teens" or whatever, but when the SmartFilter(tm) randomly decides
> that Fairchildsemi.com contains "adult content, sports, gamb
Separate your Networks. (Score:2)
Why run the browser behind the firewall at all? (Score:2)
If we are rightly scared of browser-borne infections and intrusions, then why are we still running browsers on our machines? Why not designate a machine, outside the firewall / in the DMZ, that runs ALL the browsers. The user logs into that machine, and the browser display events are sent back to the client machine. The safe client machine never runs a single snippet of plugin, or gobbles a single byte of untrusted network traffic. The client machine does not even -know- how to get to the internet
Re: (Score:2)
That would also prompt the question of whether you are just on a personal power trip here?
It's simple (Score:4, Interesting)
1) Pornography (leave that stuff at home, and also to prevent hostile work environment claims)
2) Known spyware/malware/command & control sites (should be pretty self-explanatory)
3) Ads (optional, but could save significantly on bandwidth and potential spyware/malware infection sources; may break certain crappy sites, however)
That's it. Don't block anything else. Treat your employees like responsible adults. If they act irresponsibly, then that's a management issue that needs to be addressed between the employee and the employee's manager. I'm so fucking sick of companies treating employees like little kids and instituting draconian policies blanketly across the entire workforce because they can't/won't address personnel issues at the employee/manager level. The more sites/categories that get blocked, the harder it is for employees to research and do their jobs, and the more likely it makes them to circumvent controls.
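The "It's simple" post above (block only adult, malware/C2 and ad domains) and the earlier "User Perspective" post (a user submits a blocked URL, an admin verifies it and whitelists it immediately) describe one policy engine between them. The following is an added example, not code from the thread or from any product mentioned in it; every domain, category label and user name in it is constructed. It matches on registrable domain and its subdomains rather than on substrings, so a look-alike name such as notadnet.example is not caught by the adnet.example entry, and an admin-approved allowlist always wins over the category feed, which is what rescues a mislabelled vendor site.

```python
"""Category blocklist with an admin-approved allowlist override.

Added example (not from the thread). Category lists, domain names and
users below are constructed; a real deployment would load them from a
subscription feed and a ticketing system.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed category feed: registrable domain -> category. Subdomains
# inherit the category (cdn.adnet.example is still "ads").
CATEGORIES = {
    "bigbutt-teens.example": "adult",
    "c2-beacon.example": "malware",
    "drive-by.example": "malware",
    "adnet.example": "ads",
    "trackpix.example": "ads",
    # Constructed false positive: a parts vendor the feed has mislabelled.
    "vendor-semis.example": "adult",
}

# Only the three categories from the post are blocked; everything else passes.
BLOCKED_CATEGORIES = {"adult", "malware", "ads"}


@dataclass
class Policy:
    allow: set = field(default_factory=set)      # admin-approved domains
    pending: dict = field(default_factory=dict)  # hostname -> requesting user


def hostname(url: str) -> str:
    """Extract a lower-cased hostname; tolerate a bare 'host/path' string."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def domain_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match only; 'notadnet.example' must not match 'adnet.example'."""
    return host == domain or host.endswith("." + domain)


def category_of(host: str):
    for domain, category in CATEGORIES.items():
        if domain_matches(host, domain):
            return category
    return None


def decide(policy: Policy, url: str) -> tuple:
    """Return (action, reason). The allowlist wins over the category feed."""
    host = hostname(url)
    for domain in policy.allow:
        if domain_matches(host, domain):
            return ("allow", f"allowlisted by admin: {domain}")
    category = category_of(host)
    if category in BLOCKED_CATEGORIES:
        return ("block", f"category: {category}")
    return ("allow", "not in a blocked category")


def request_exception(policy: Policy, url: str, user: str) -> str:
    """User submits a blocked URL; its hostname is queued for admin review."""
    host = hostname(url)
    policy.pending[host] = user
    return host


def approve(policy: Policy, domain: str) -> bool:
    """Admin verifies the site is business-related and allowlists it immediately."""
    if domain not in policy.pending:
        return False
    policy.pending.pop(domain)
    policy.allow.add(domain)
    return True


if __name__ == "__main__":
    policy = Policy()
    for u in ("https://www.c2-beacon.example/update", "http://cdn.adnet.example/pixel.gif",
              "http://notadnet.example/", "https://vendor-semis.example/datasheet.pdf"):
        print(u, decide(policy, u))
    requested = request_exception(policy, "https://vendor-semis.example/datasheet.pdf", "alice")
    approve(policy, requested)
    print("after approval:", decide(policy, "https://vendor-semis.example/datasheet.pdf"))
```

The approval step is deliberately a separate call from the request: the user can raise the ticket from the block page, but only the admin's action changes policy, and it changes it for the whole hostname rather than for one 45-minute session.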
Re:If you gotta ask... (Score:5, Insightful)
The question is "Why block at all?" not "Should we block at all?" In other words, "What is the specific goal of blocking?" If it's to prevent malware, it requires a different approach than if it's to prevent watching porn. If it's to protect sensitive information, it requires a very different approach, and may well involve blocking in both directions.
So, no, it isn't that idiots ask "why block at all" so much as only idiots don't distinguish between "why" and "should we".
Re: (Score:3)
The more accurate question is 'What if anything should we block, and why?'
Re:If you gotta ask... (Score:5, Interesting)
The answer to "What, if anything, should we block" versus "What, if anything, should we allow" is "it varies":
Scenario 1: Receiving. Give the guy a Citrix or App-V console into a machine that can browse the Internet unfettered, but doesn't allow files to be transferred to the internal machine. Now the user has access to websites, and there is something substantial keeping the actual machine from being compromised.
Scenario 2: Finance. Again, these machines are touching sensitive data, so they, by themselves, don't see the outside world, but the user can always use a VDI implementation to browse the web, making the isolation a non-issue.
Scenario 3: General company (dev, QA, sales) use. The above in reverse. Allow traffic out, have a good IDS/IPS in place (this should be in place everywhere, but especially with this), and stick the real sensitive stuff behind a RDP firewall, or a "hop box". The user can manipulate the data, but malware on their machine will have a hard time (though it is not impossible) grabbing the entire database for upload to a blackhat's site.
Scenario 4: Point of sale registers. These have no reason to be connected to the outside Internet, other than through a server for credit card validation.
Of course, these are generic, off-the-top-of-my-head scenarios, but there is no one size fits all solution, other than that it helps to have some type of VDI for separation of data.
Re: (Score:2)
Re: (Score:3)
I had two sites I used to administer that were constantly getting infected with something. They hired kids to work the night shift and they would get bored and surf anywhere you could imagine.
At one site, instituting a computer use policy, proxy, and a blacklist like DansGuardian along with fetching the mail to an internal server and scanning before delivery was enough to curb it to 1 minor infection in 5 years. At the other site, this didn't even come close. We had to completely lock down the internet
Re: (Score:2, Funny)
Is your attention span really th-SQUIRREL!
Re: (Score:2)
HTTPS interception? Pretty bog-standard nowadays, you shouldn't need to explain what it is on here.
Why it should break non-web stuff? Fuck knows. You need to sack your IT team or get them to make exclusions for the sites you need.
Joining your computer to a tethered phone and then later reconnecting to the corporate network? Sackable offence in my workplace.
You're both being dickheads. But the question is really do you *need* access to external git/svn/etc.? If so, then working around it in such a way
Work-related use of YouTube (Score:2)
Say a company will be using a product from a particular supplier, and an employee wants to view an instructional video about this product uploaded to YouTube by this supplier. Should that count against the employee's YouTube time?
Re: (Score:2)
Re: (Score:2)
It will most likely be done on the % of images that have flesh tone. For a computer it would be hard to tell the difference between a couple of lingerie models and a porn scene.
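To make the flesh-tone heuristic in the comment above concrete, here is an added example that is not from the thread or from any filtering product. It uses the well-known RGB skin rule (R>95, G>40, B>20, max-min>15, |R-G|>15, R>G, R>B) over constructed images built in code, with the pixel colours and the 30% threshold chosen here as assumptions. Beyond the lingerie-versus-porn case the comment makes, it also shows the two classic failure modes of this kind of filter: a pine-wood desk that passes the rule and gets flagged, and a darker skin tone that fails the rule and is missed.

```python
"""Flesh-tone fraction heuristic for image filtering.

Added example, not from the thread. Images are constructed in code as
lists of rows of (R, G, B) tuples; no image library is needed.
"""

# Constructed colours (assumptions for the demonstration).
SKIN = (224, 172, 105)       # light skin tone under daylight
WOOD = (205, 160, 110)       # pine-wood desk: passes the same RGB rule
DARK_SKIN = (90, 60, 40)     # darker skin tone: fails the rule on R > 95
BACKGROUND = (30, 60, 120)   # blue backdrop: never counted as skin


def is_skin(rgb):
    """Classic RGB skin rule; tuned for light skin, hence the failure modes below."""
    r, g, b = rgb
    return (r > 95 and g > 40 and b > 20
            and max(rgb) - min(rgb) > 15
            and abs(r - g) > 15 and r > g and r > b)


def skin_fraction(image):
    """Fraction of pixels the rule classifies as skin, in [0.0, 1.0]."""
    pixels = [px for row in image for px in row]
    if not pixels:
        return 0.0
    return sum(1 for px in pixels if is_skin(px)) / len(pixels)


def classify(image, threshold=0.30):
    """Flag the image when the skin fraction reaches the (assumed) threshold."""
    return "flagged" if skin_fraction(image) >= threshold else "clean"


def synthetic_image(width, height, foreground, fg_pixels, background=BACKGROUND):
    """Width x height image whose first fg_pixels pixels (row-major) are foreground."""
    image = []
    for y in range(height):
        row = []
        for x in range(width):
            row.append(foreground if y * width + x < fg_pixels else background)
        image.append(row)
    return image


if __name__ == "__main__":
    samples = {
        "lingerie ad":   synthetic_image(10, 10, SKIN, 45),
        "porn scene":    synthetic_image(10, 10, SKIN, 45),   # same fraction, same verdict
        "wooden desk":   synthetic_image(10, 10, WOOD, 60),   # false positive
        "dark-skinned":  synthetic_image(10, 10, DARK_SKIN, 80),  # false negative
    }
    for name, img in samples.items():
        print(f"{name:13s} skin={skin_fraction(img):.2f} -> {classify(img)}")
```

The two "skin" images are identical to the filter because the rule sees only colour, which is the comment's point; the desk and the darker tone show why a colour-only filter misfires in both directions.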
Re: (Score:2)
And the remote box is compromised, and the attacker rides on your -X back to your box. Wheee.