Slashdot Mirror


Worms/Viruses - Is Blocking Internet Access an Overreaction?

jjustice asks: "I am a Software Engineer at a company that makes financial software for the healthcare industry. We got hit hard by Nimda last week and lost a few days of productivity. Some parts of management are now convinced that the Internet is too dangerous to allow us access from our LAN. They've completely the fact that most viruses/trojans/etc come in via email (which they don't plan to block). I don't know how I would do my job without at least Google Groups and Oracle's Technet/Metalink. They're considering an isolated subnetwork or a special 'lab' for Internet access only. I would hate to have to leave my desk to look something up on the Internet. It would totally disrupt my habitual workflow. Am I just being spoiled? Do other companies have similar Internet access policies? How can I convince them that this is excessive paranoia?" Wouldn't better security and virus checking be the more prudent solution in this case? For those of you suffering from a similar problem, this submission from cpufreak might be the cure-all you are looking for: "A large number of people work in an environment where their internet access is restricted, and they have to go through a proxy of some kind. This can be frustrating and inconvenient for you - but the employer aims to restrict your internet access in order to keep your focus on the work in hand. But can they actually do this? Chris Mason has written a little bouncer which supports most common Intel-based platforms, which lets you get out and quite simply do what you want, at the same time making it very difficult for them to know exactly what you're doing. More details can be found here."

3 of 15 comments

  1. Talk to them in person by XoXus · · Score: 3, Insightful

    This may sound obvious, but try talking to them in person, and explain that the biggest threat is email-propagated trojans. If you put it to them simply, without jargon or condescension, they'll probably understand.

    Oh, and speak to them individually. Management tends to be rather stupid when put together.

    Dave.

  2. No Net == Productivity Disaster? by MrBlack · · Score: 4, Insightful

    Sometimes I wonder how programmers worked before widespread use of the internet. Currently if I have a problem with something that I cannot solve myself, a couple of minutes searching Google + newsgroups will usually reveal the answer, or a viable alternative. The wealth of information is staggering (even if the signal to noise is sometimes a bit low - you have to learn to be selective). On the flip side, I've noticed I can sometimes lose chunks of time posting stuff to Slashdot, surfing the web etc. that is not really work related. It seems obvious to me that the answer is better security and configuration of firewalls etc., but then I'm not a manager.

    Other than outlining the common sense arguments against blocking the net in your question, I cannot think of any arguments except to try it for a week/fortnight/however long you need to get sensible data. Then measure your current productivity against your productivity when you had net access.

  3. Re:A logical reply by Ziwdam · · Score: 2, Insightful

    If they're going to block internet access, they must have a firewall anyway... either that or they are just going to change the router/gateway setting on every workstation. Not having a firewall is just kind of stupid, though.

    It doesn't matter so much if you use NAT to protect the internal network, simply denying access to internal machines from the outside world would protect machines inside from getting hit by Nimda-type worms.

    I'm not saying that NAT isn't a good idea (don't need all those IP addresses!), I'm just saying it's not necessary for security.

    I think the root issue here is that many IT people, especially ones trained to run Microsoft servers, have no clue about security. (Well, Microsoft has no clue about security, but that's a whole 'nother rant...) This is especially bad since keeping a server somewhat secure is not that hard -- read Bugtraq, apply all security patches, and don't do anything stupid like give out the root password to people claiming to be from the ISP. Oh, and always try and keep access as low as possible. If someone needs a mail account, don't give them shell access too! Or, firewall the internal network so that the outside world can't get to it. Really, it's not all that hard.

    --
    It is a miracle that curiosity survives formal education. - Albert Einstein