Slashdot Mirror

← Back to Stories (view on slashdot.org)

Worms/Viruses - Is Blocking Internet Access an Overreaction?

Posted by Cliff on from the chopping-off-your-arm-to-spite-your-finger dept.

jjustice asks: "I am a Software Engineer at a company that makes financial software for the healthcare industry. We got hit hard by Nimda last week and lost a few days of productivity. Some parts of management are now convinced that the Internet is too dangerous to allow us access from our LAN. They've completely the fact that most viruses/trojans/etc come in via email (which they don't plan to block). I don't know how I would do my job without at least Google Groups and Oracle's Technet/Metalink. They're considering an isolated subnetwork or a special 'lab' for Internet access only. I would hate to have to leave my desk to look something up on the Internet. It would totally disrupt my habitual workflow. Am I just being spoiled? Do other companies have similar Internet access policies? How can I convince them that this is excessive paranoia?" Wouldn't better security and virus checking be the more prudent solution in this case? For those of you suffering from a similar problem, this submission from cpufreak might be the cure-all you are looking for: "A large number of people work in an environment where they're internet access is restricted, and they have to go through a proxy of some kind.This can be frustrating and inconvenient for you - but the employer aims to restrict your internet access in order to keep your focus on the work in hand.But can they actually do this? Chris Mason has written a little bouncer which supports most common intel based platforms, which lets you get out and quite simply do what you want, at the same time making it very difficult for them to know exactly what your doing. more details can be found here."

7 of 15 comments (clear)

  1. Talk to them in person by XoXus · · Score: 3, Insightful

    This may sound obvious, but try talking to them in person, and explain that the biggest threat is email propogated trojans. If you put it to them simply, without jargon or condescension, they'll probably understand.

    Oh, and speak to them individually. Management tends to be rather stupid when put together.

    Dave.

  2. A logical reply by _typo · · Score: 2, Interesting

    Tell them that lack of management got them the problem in the first place and that they should be looking to cure the problem instead of patching around it. I have a LAN, a NAT LAN that didn't get hit by worms or viruses. Why? Because the firewall was designed to be secure in the first place and make the rest of the network invisible to the outside world. As for email, dump outlook and use netscape/mozilla, that should keep you alot safer. Make *THAT* an enforced policy and not restricted net access.

    --

    Pedro Côrte-Real.

    1. Re:A logical reply by Ziwdam · · Score: 2, Insightful

      If they're going to block internet access, they must have a firewall anyway... either that or they are just going to change the router/gateway setting on every workstation. Not having a firewall is just kind of stupid, though.

      It doesn't matter so much if you use NAT to protect the internal network, simply denying access to internal machines from the outside world would protect machines inside from getting hit by Nimda-type worms.

      I'm not saying that NAT isn't a good idea (don't need all those IP addresses!), I'm just saying it's not necessary for security.

      I think the root issue here is that many IT people, especially ones trained to run Microsoft servers, have no clue about security. (Well, Microsoft has no clue about security, but that's a whole 'nother rant...) This is especially bad since keeping a server somewhat secure is not that hard -- read Bugtraq, apply all security patches, and don't do anything stupid like give out the root password to people claiming to be from the ISP. Oh, and always try and keep access as low as possible. If someone needs a mail account, don't give them shell access too! Or, firewall the internal network so that the outside world can't get to it. Really, it's not all that hard.

      --
      It is a miracle that curiosity survives formal education.-Albert Einstein
    2. Re:A logical reply by sphealey · · Score: 2

      "If they're going to block internet access, they must have a firewall anyway... either that or they are just going to change the router/gateway setting on every workstation"

      I have talked to quite a few managers and company owners in the last few weeks who are getting ready to just unplug the Internet connection - totally and forever. From a return on investment perspective it is becoming less clear that the Internet is a net gain for the typical business.

      sPh

  3. No Net == Productivity Disaster? by MrBlack · · Score: 4, Insightful
    Sometimes I wonder how programmers worked before widespread use of the internet. Currently if I have a problem with something that I cannot solve myself a couple of minutes searching google + newsgroups will usually reveal the answer, or a viable alternative. The wealth of information is staggering (even if the signal to noise is a sometimes a bit low - you have to learn to be selective). On the flip-side I've noticed I can sometimes loose chunks of time posting stuff to slashdot, surfing the web etc that is not really work related. It seems obvious to me that the answer is better security and configuration of firewalls etc, but then I'm not a manager.

    Other than outlining the common sense arguments against blocking the net in your question, I cannot think of any arguments except to try it for a week/fortnight/however long you need to get sensible data. Then measure your current productivity against your productivity when you had net access.

    1. Re:No Net == Productivity Disaster? by WasterDave · · Score: 2

      Sometimes I wonder how programmers worked before widespread use of the internet.

      Books. MSDN (believe it or not).

      I can sometimes loose chunks of time posting stuff to slashdot, surfing the web etc that is not really work related.

      Don't worry, before the Internet there was staring out the window, drinking too much coffee... hundreds of ways of wasting time. On the flip side, if you feel your productivity is suffering because you're posting to slashdot, don't. Basically. All the firewalling, content filters and Nazi'ism from sysadmin's will not stop bored people from wasting time.

      Speaking of which, I have stuff to do.

      Dave

      --
      I write a blog now, you should be afraid.
  4. E-mail attachments........and stuff.... by Chanc_Gorkon · · Score: 2

    I think that just excluding web access isn't going to achieve their objective. Moving to a platform with less security faults and better security over all is something that needs to be done. Microsoft built some cool stuff, but the failed to realize that while you could actually use it for useful things, that it could actually be used for malicious intent and did not make it easy enough to fix. Linux and open sources OS's are good because there are thousands of eyes looking at the code every day. I know I am preaching to the choir here, but this is an idea who's time has come.

    Another thing is that companies SCRIMP on training. Period. We used to have a perwson which offered volunteer training on various products. What noone EVER looked at or suggested was both policy and software training as a REQUIRMENT! Thus people are not only idiots about e-mail virii and stuff, they now can't use what they are paid to use. So they decided we needed a new one (more "pretty" and "PC LIKE" then the mainframe). A project got started by these exact folks. After our folks and some folks in other departments helped (usually the ones who help are not the ones who use the system), and we got a project approved and we can actually start to spend money, there's zero interest and they keep wanting to change our existing system. Now when the real work starts (RSN), noone cares and the higher ups don't want to lay a no changes mandate down and we are chasing a moving target. Why did I type all this? It displays the complete LACK of understanding of computers. Some people think, oh we need to change the way we do this and then don't think on how it affects the computer folks maintaining the current system who are trying to devlop a new system and maintaine the existing stuff. A simple policy change can wreak havoc on our lives. We have no way of billing them and they think that these kind of changes cost no money (to them) but it doesn't matter that we have to work overtime for weeks to implement their change. Ok I am rambling again, but it's this behavior is why users don't think when they click on executables. They think, oh well if I mess it up, IT will fix it. They take no responsibility for their actions.

    I feel if most IT departments would just get the approval to bill other departments for things they do, then one: we'd have budget for the infrastructure upgrades and two: we'd have the budget and time to have enough admins to take control of the security problems and bottlenecks on the network. People have to realize that these are NOT their PC's and NOT their server's, they just happen to use them.

    --

    Gorkman