Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?
An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?
If you are the BOFH you only cut slack for your own amusement.
Assuming you're the local goody-two-shoes Administrator ("NT can be, and usually is, administered by an idiot") the first real question is, why block at all? Perhaps then you can answer why you feel the need to make a big show of allowing exceptions.
But my attention span is already expired. Next story pls
The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
What do you consider "reasonable" access? I tend to be very conservative about it. If I can do my job, I consider that reasonable access. Anything not strictly required to do my job is simply a bonus. Under those definitions, I've never had a job that did not afford me reasonable access to the internet. I know that many people will consider "reasonable" access to include things like access to Facebook and Twitter and their bank accounts, etc. I disagree. When I'm at work, I'm working. When I'm not at work, I'm not at work. I try very hard to keep the boundary distinct. The more I blur the line, the easier it is for my employer to want me to be always available.
linquendum tondere
Outside of spam, dangerous websites with known trojans, and maybe obvious porn, why would you want to block your employees? I've worked once for a big company like this. I left. A lot of websites were blocked. Even Craigslist. Led to workarounds and other hacks. It was also quite counter-productive in many ways.
Honestly, if you don't trust your employees, don't hire them. If you have employees that aren't productive because they are doing things they shouldn't be doing, then let them go.
I wouldn't work for you.
People get granted access to a specific machine only for that work and it is kept isolated off all network connections.
Stop blocking access at all.
Just fucking trust your employees. An environment in which people are overtly not trusted to do their jobs just breeds resentment and in fact employees that can't be trusted. People who feel like they're being treated unreasonably tend to act unreasonably in return.
It's all about risk mitigation. It's your job to identify and help mitigate risks. It's not necessarily your job to decide which risks to take.
I puncture my company's firewall all the time, without any risk to my work computer, without any logging on my work computer, etc.
You can set policies to restricted, limited access, unrestricted (plus more, but I do not admin it):
restricted is always blocked.
limited access (say, like Facebook or YouTube); examples we use:
. you are limited to 30 minutes/day
. one-time metered use (for the next 10 minutes)
. only during lunch hour
unrestricted -- normal.
You also class users, so IT may be more open than HR or Shop Floor. Execs have full access.
Works with AD, so your users do not have to log in to it.
We (unfortunately) use WatchGuard. However, it supports clientless SSO with Windows systems connected to a monitored domain; this includes systems with multi-user setups ("Switch User" and even RDS). You can set proxy filtering rules per AD user group and it'll apply to any user currently in any session on a domain system. The latest version of the firmware doesn't seem to have any major issues with clientless SSO any more, as long as it's set up correctly. You set up an event log monitor on each DC and set up an "authentication gateway" which speaks to these monitors, and this "Gateway" is what the WatchGuard units connect to in order to query which users are logged in and where.
I read somewhere that a corporation created a wireless network for employees' personal devices.
I do the research at home, and then take an extra-long lunch break to make up for the 'personal time' burned to work around the idiotic IT team's rules.
I work for a public library system as one of two IT employees. Our state disallows display of offensive material in public, so we have pornographic content and extreme violence (gore websites) blocked. All of our staff and the public-use computers share the same internet filters, so all of our employees have access to social media and everything else under the sun. So far that's not been as much of a problem as some people make it out to be.
On occasion somebody on the public-use computers will encounter a website that's been blocked either in error, or what I would call a "fringe" website like Victoria's Secret. At that point either myself or the other IT employee will create an exception for it. We don't have any sort of public facing log-in on the firewall blocking page. We figure it's best to keep that out-of-reach of members of the public and slow-typing staff.
Seriously? Trolling of the most obtuse brute force method possible?! Playing race cards is just lazy. Come up with a more clever troll. Negative points for you. Trolling is an art. This is bullshit laziness.
Then block everything. Provide a separate network for employees to connect their own personal devices.
“He’s not deformed, he’s just drunk!”
The thing is, if the users need/want access to those sites, they will find a way. You are kidding yourself if you believe otherwise. The only thing you can do is channel it to ensure some level of security, and for that you _must_ prevent it from being exceedingly inconvenient, like your 45-minute idea. Everything else leads to insecurity caused by security measures, which is a well-known problem caused by paranoid (and hence incompetent) system isolation. In the worst case, you have to provide additional computers to your users that have fewer Internet access restrictions.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It sounds like you're trying to achieve two separate goals here:
To implement the boss's suggestion you need a different system to handle each and a way to categorise the blocked sites - or a system that allows more fine-grained control.
Stepping back a bit...
More importantly though, your boss should want to demonstrate that he trusts his employees to use their work time sensibly. By blocking websites for reasons other than network security and creating little bureaucratic procedures to unblock them you send a clear signal to the employee that they are not to be trusted with a basic resource like web browsing. Expect them to respond in kind.
I've been an IT manager and an IT director so I'll make a few points from that perspective.
1) IT is there to serve the needs of the business, and one of the needs of the business is to create / facilitate a productive and encouraging work environment. Now, this doesn't need to mean that you give people everything they ask for, but it does mean that you need to trust people. If there are legitimate reasons for concern then get a firewall product that can measure the amount of time someone is spending surfing the net; however, this is really a business concern and this capability is not for IT to worry about; it's for the different LOB managers to worry about. If they have that as a general concern then pursue it; otherwise it's not IT's concern.
2) What is IT's concern is the security, availability, and integrity of the computing environment and business data, and that does mean taking reasonable measures to protect the assets under your control. That means that perhaps you need AV / Anti-Malware / etc. protections. Perhaps also a web filter that blocks sites that are known for producing malware with the intent to exploit the visitors to that site. Those sites should come from security vendor watchlists and not some arbitrary list put together by the sysadmins.
3) Doing this is about finding an appropriate balance. That balance can only be maintained through constant communication and feedback with the business leaders (i.e. you need a governance process). The business leadership / executive will need to decide what that balance is. IT's job is to appropriately communicate the risks, consequences and options and let the executive make the decision on how much risk they are willing to take on. This is why communication is crucial, especially in IT, and why often managers who are non-technical or barely technical get those positions instead of the very technical people who "know better."
Whilst most of the firewall products nowadays do provide proxies or web interfaces for users (for instance WebVPN in Cisco products), I do find it is a terrible idea to open up services and use up resources on the firewall. Just look at the long list of security advisories for WebVPN in Cisco, for instance. I do follow the policy of minimum services that I have as baggage as a Unix admin, and webvpn/proxy/VPN services are all provided by external servers. For instance, pfSense is quite nifty for that, or squid+dansguardian. Why not provide access, or provide unrestricted access, on a wifi network for BYOD? They can as well pierce your firewall with personal VPN services; they are very cheap nowadays. As for the corporate network, many people do not understand how a culture of unrestricted access to social networks and allowing adverts is a covert channel to infect personal computers. Also, if you want to invest in security and money is not a problem, have a look at the Capsule concept from Checkpoint.
I think the reasonable way to handle such things is: don't allow the user to go to additional websites, but give them pixels-and-mouse-only access to VMs in some cloud, the state of which is thrown away after the session (and important data explicitly saved to a temporary drive, where you can run all the checks which you like).
or what I would call a "fringe" website like Victoria's Secret.
A multibillion dollar retailer selling something almost every single person on the planet wears in some form is a "fringe" site? Sigh. I think people in the US just need to get over their ridiculous hangups about the human body...
If the block is not that much necessary, remove it and make life easier for yourself, and the users if you care about them...
If there are really two kinds of users, one that should have access to the outside and another that should not, then split your user network, especially considering that a network that has blocks for outbound connections probably should already have a DMZ (preferably two) housing the servers...
Do you actually want internal security or not? That's the question that you have to ask yourself, very seriously indeed. If the answer is "Yes", then it has consequences.
If you do want security on your corporate LAN, then there is no valid reason whatsoever for punching a hole in the firewall for the personal convenience of some employee. Every such hole bypasses the protection of your security perimeter, and makes a mockery of your security aims.
And that is why you have to ask yourself the question first, consider your answer carefully, and live by your decision.
You just need one b0xen on an ethernet cable to the one unblocked port on a hardware firewall, and ideally onto a separate line from your ISP. Put glue in all the USB ports and legacy ports, or just remove them. Remove the wifi chip from the board, lock the case and set it up with a basic install of your primary OS that is re-flashed to a known state at midnight every night. Put this box in a visible, public area where users who have to leave your cordon are forced to do it in front of everyone else and through a secure separate pipe. Scale up with more dumb terminals as needed - old tech that's folding out of regular use in production is a good, cheap source for these boxes.
- In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
I work as an IT consultant / implementer.
I tend to work in Big Corporations doing infrastructural software projects. This includes introducing new procedures for how IT staff is going to administer their servers in the future (e.g.: how to use SSH in the future) by both technical as well as organisational means.
This also means that the IT staff and I are not often on good terms, which in turn means I don't get cut any slack wrt. accessing the internet or getting software installed on my assigned corporate workstation. I can't download any files bigger than a certain threshold, can't download files ending in .exe, .msi, .zip, .7z, .rar, .ps1, .tar, .gz, .bz2, the list goes on.
USB is disabled on the workstations and they don't have an optical drive or a floppy drive.
Yes, IT is on lockdown.
When I have to use unapproved software (for example: Wireshark for network debugging, vim for efficient file editing) I usually upload the data I need to a private or corporate cloud instance, download it back onto my laptop via the mobile phone network, do my work and transfer it back the same way.
See my blog for my free opinions.
I have a similar policy at work: there are a number of intranet and whitelisted internet sites and for the rest you use credentials. Intranet also contains a socialisation portal for mostly professional purposes. Also, every time you enter the credentials you see a notification that traffic is monitored. They have also blacklisted known malware sites and some potentially dangerous sites (such as the infamous sourceforge.com). In principle this is a reasonable policy, as a lot of attacks/infections come from willful disregard of good practices and rules.
All this policy is coupled with the inability to install software (except from an approved list in a software catalog) and the inability to use USB pen drives except for a couple of approved models.
Now, my local IT dept. has bent some of these rules for me and a few others that need special conditions, specified and justified: the ability to install software on the work laptop, special/separate internet access at the price of additional screening at a flexible rate. Correctly describing the policies, rules and exceptions, and good management/collaboration for the purpose of ensuring reasonable productivity (my company does not produce IT services or software), is what keeps us both secure and in business.
uhm...
Well the question would then be why-is-the-firewall-there-in-the-first-place.
Your post is insightful, but not for the reason you think it is.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It is not the IT department's place to tell the users what sites are appropriate---let alone how long they should be able to access them.
Sure, blocking access to sites may reduce the IT department's workload. However, the money-making part of the company has their job to do.
I'm a software developer. My workplace uses a BlueCoat proxy that does MITM for all HTTP and HTTPS. The HTTPS is done by terminating the TLS at the proxy, then establishing a new TLS to the external server. All external access requires authentication with a 5-minute timeout. Some sites are prohibited. We are provided certificates that we are to install in our browsers so they don't complain about the certs not being valid on the proxy. Which doesn't work very well. Any TLS site is a crapshoot. This also completely breaks any non-web usage of TLS. Git, Subversion, Eclipse plugin updates, forget it. Those don't work at all. I've complained, which didn't do any good. So I've taken to disconnecting from the corporate network and tethering to my phone to get that type of work done. I have unlimited data on my phone, so that doesn't bother me. But it's annoying to have to use a slow crappy cell phone data connection instead of the 1 gigabit ethernet cable that's sitting right there.
"This website is blocked.
Category: Whatever.
If you wish to unblock, please contact Administrator."
Anything else is just open to abuse and you may as well not have a web filter at all (P.S. This has NOTHING to do with your firewall).
Trying to solve HR problems with technology is doomed to futility.
At my company, I don't block web sites. If I walked by someone's desk and saw him[1] looking at porn, I'd say "don't do that." If it got out of hand, I'd discipline the person.
Sometimes I walk past the desks of the tech support guys and I see them on Facebook or playing solitaire. Well, what else are they supposed to be doing if there are no support tickets open or support calls coming in? I don't care if they take breaks every now and then as long as they get their work done.
____________________________________________________________
[1] I suspect it's almost all guys who look at online porn.
Isn't this where you use a DMZ and put a machine, A MACHINE! that basically bypasses the firewall in the DMZ. Of course there is no removable media drive in it and its USB ports are turned off, and it has something like Deep Freeze on it, sure, go ahead. It's also not on the internal network or the IP is just sequestered. Or, just have the boss pay for a secondary internet connection for a similar machine (or set of machines) and be good that way.
Either way, hell no is that stuff getting onto my network or any non-throwaway machine, or they define "external websites that they are normally blocked from accessing" completely, because they're blocked for a damn good reason (there'd better be an exceptional one)!
So far it seems everyone is trying to bring "open internet" to the users computer... why?
It sounds as if this is intended to be on an "infrequent" and "exception" basis.
Deploy a terminal server in a DMZ; users can then remote in and browse from there. If you want to allow open downloading, provide a restricted, AV-protected share to retrieve downloaded files; if you do not want to allow open downloading, provide one anyway but require an IT person to review it manually.
Reimage nightly if paranoid.
Finally, everyone has a cell phone nowadays.
An Audiovox 8610 flip phone cannot connect to the Internet.
Cellular data - use that.
I'd be glad to do so in exchange for a reasonable cellular data stipend. Consider these choices:
I imagine that of the three, option A would be most affordable in most cases.
Depends on "why" you're trying to block access:
Surfing Facebook is a productivity hit? A time bound exception (30 mins at a time) might be a viable approach.
Porn? Probably no valid reason to surf porn at most jobs.
As a previous poster said, if you're really concerned about malware / C&C servers etc., blacklist everything, whitelist a handful of websites required for the job.
If they are trying to attract valuable skills and good judgement, no filter. You are trusting these folks explicitly with your business and trusting their judgement. This works to show them that you *don't* trust their judgement and will demoralize them.
If they are managing unskilled folks to do generic work, a filter may be appropriate. Low-wage unskilled positions aren't given much motivation to stay on task given an alternative; they don't have a real stake in the success of the company, and should be replaceable (if not replaceable, they should be compensated better). It is still demoralizing, but folks in those positions don't generally have any morale no matter what (we've all been in this situation at one point in our career).
Say a company will be using a product from a particular supplier, and an employee wants to view an instructional video about this product uploaded to YouTube by this supplier. Should that count against the employee's YouTube time?
My perspective is from working as a contractor to banks and other companies in the banking sector in the UK and Europe, and occasionally to companies working in Defence contracting, where there is no issue with foreign nationals providing such services. The ultimate goal is, where possible, to prevent data breaches. However, when budgets are limited and business requirements mandate access to external services, IT security becomes about (0.9) establishing ownership of the IT security policy and firewall management; (1) making it as hard as possible for the breach to occur; (2) minimizing the data that can be lost during a breach; (3) establishing clear auditing procedures to help recognize and quantify the nature of the breach and the data exposed; and (4) establishing reporting and information-sharing policies to advise internal and external stakeholders of the breach.
There should probably be a (1.1) in there as well, which is to identify the most likely sources of a breach and manage the risks in each case, although as an IT security issue the biggest single source of hacks, electronic break-ins, lost data, and any kind of shenanigans that lead to your company's data being splurged all over the internet, is the stupid fuck-wit sitting at the desk (you and I included, but especially the users outside the IT department). Everyone from the company chairman down to the lowest employee is a softer target than the firewall itself.
If there is a breach (and chances are that there will be one if there has not been one already, so the statement should probably be "if/when you DISCOVER the breach"), the IT team are the ones who will get it in the neck for allowing the breach, even if users are given the ability to control their own firewall settings.
If users need access to a website or service that is not currently allowed, they should submit a business case/request to their line manager who then approves it. IT then co-approve and make the relevant changes (and if IT say "no", they need to have a damn good reason). There is a paper trail, and all open ports and firewall rules are there because of business decisions. IT will still get it in the neck, but there will be an audit trail.
Allowing users to open their own ports (whether it is temporary or permanent is totally irrelevant) means that those clients cannot be trusted by the server farms/network resources on the network, so they should be moved into a DMZ with a firewall between them and the rest of the network.
SwitchProxy to an SSH tunnel to my own box
If you require access to a restricted site, you ask IT to give you access. We also pass that request to their boss.
Access is good for 24 hours only unless they have a real need to have access permanently.
This is trivial to do with any commercial firewall.
Do not look at laser with remaining good eye.
At the firewall I've configured open access to the web, with a caching proxy only for videos and static content. I don't have an extra layer of DansGuardian or BlueCoat policing users. Known attack pages are generally blocked by Google Safe Browsing. I enforce a very strict policy on security awareness, so my users are generally careful around the web. Periodically, content logs are scanned from the firewall and I generate reports for management and HR to review. They're the only ones who care what you do on breaks anyhow.
Lately I've had my log script checking for data exfiltration... CC patterns and phone numbers mostly. Blacklisting is done through null-routing subnets and only if a request comes from a C-level or HR.
Good people go to bed earlier.
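Scanning content logs for card-number and phone-number patterns, as the commenter above describes, comes down to decoding the request fields, skipping internal destinations, and rejecting digit runs that fail the Luhn check so that ticket ids and article ids do not raise alerts. The block below is an added example written for this page, not the commenter's own log script; the log line format, hostnames, user names and values are constructed for illustration.

```python
"""Scan proxy content logs for card and phone numbers (added example; not the
commenter's script). Log format, hostnames, users and values are constructed."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Constructed content-log lines: timestamp client user method url body ("-" if none)
SAMPLE_LOG = """\
2015-06-01T10:01:12 10.0.5.23 bob POST http://example-form.test/submit cardno=4111111111111111&exp=1219
2015-06-01T10:02:40 10.0.5.31 carol GET http://news.example.test/article?id=1234567890123456 -
2015-06-01T10:03:05 10.0.5.23 bob POST http://paste.example.test/new text=call+me+at+%28555%29+867-5309
2015-06-01T10:04:17 10.0.5.40 dave GET http://intranet.example.test/ticket/5551234567 -
"""

# Destinations inside the organisation (constructed); data going there is not exfiltration.
INTERNAL_SUFFIXES = ("intranet.example.test",)

# 13-19 digits, optionally separated by spaces or hyphens (the shape of a card number).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# North American style phone numbers; a separator is required so that plain
# 10-digit identifiers (ticket numbers, article ids) are not reported.
PHONE_RE = re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_internal(url: str) -> bool:
    host = urlsplit(url).hostname or ""
    return host.endswith(INTERNAL_SUFFIXES)


def mask(digits: str) -> str:
    """Keep only the last four digits in the report; the log must not become the leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cards(text: str) -> List[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def find_phones(text: str) -> List[str]:
    return [m.group() for m in PHONE_RE.finditer(text)]


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per card/phone pattern seen in an outbound request."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 5)
        if len(parts) != 6:
            continue  # malformed line; a production script would count these
        ts, client, user, method, url, body = parts
        if is_internal(url):
            continue
        # Decode URL encoding first so "%28555%29+867-5309" becomes "(555) 867-5309".
        payload = unquote_plus(url) + " " + unquote_plus(body)
        for card in find_cards(payload):
            findings.append({"time": ts, "client": client, "user": user, "kind": "card", "value": card})
        for phone in find_phones(payload):
            findings.append({"time": ts, "client": client, "user": user, "kind": "phone", "value": phone})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample above the article id on line two is a 16-digit run that fails Luhn and is dropped, the ticket number on line four is never scanned because the destination is internal, and only the card number and the phone number posted by the same user are reported, with the card masked.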
I do both, thank you very much. Because that's what this world needs
We have always used VMs/jumpboxes that are segregated from the rest of the network to allow for accessing potentially dangerous or unapproved external sites.
Downloads are enabled, but getting the files from the system requires submitting a ticket to have the files downloaded, scanned, and burned to a DVD or placed on a file server.
While nothing is 100% safe, this sure beats the hell out of compromising your firewall rules and allowing semi-retarded users to fuck shit up.
I work as an IT consultant / implementer.
I also work as a consultant (though programming, not IT).
You've hit the nail on the head as to how to deal with overly restrictive IT people - work hourly. Now it's not so annoying when you have to go through some lame workaround to do something, it's a direct financial benefit to yourself for the extra hours needed to get work done...
It is trivial to set up a WiFi access point on your own cell phone to temporarily bypass any and all annoying filters.
"My boss .. wants the users to be able to log in to the firewall .. I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well."
If you think your firewall is protecting your Windows desktops from infected websites, then it is you who are deluded.
1. Get this in writing!!
2. Document your protest of this.
3. Wait.
4. Boss gets fired for implementing this (from the soon-to-be malware/virus infestation).
5. Get promotion and raise.
6. Profit!
Blocking websites won't make you safe; it'll just piss off the end users. And if your end users can be compromised merely by visiting a URL, then maybe you need to replace the client OS...
This problem is largely solved.
We use an ASA and Websense. There are other products that accomplish this as well, and both the ASA and Websense will integrate with a variety of these.
Inside Websense, policies can be set, as examples:
* Apply policies to restrict or not restrict based on user, IP, IP range, AD group, etc...
- Not all or nothing - you can, for instance, ALWAYS restrict certain categories or sites, like ones with trojans or whatever.
* On *any* combination of the above, you can then
* Restrict or not restrict based on time frames so at lunch hour it's less restrictive.
* Categories or individual sites can be set to "continue", which gives the user a notice that they have to click a button to actually go to that site
- Very useful as a reminder "Are you sure using this site is reasonable at this time?"
* And most important to the question, you could also set a time limit per day for any site or category.
- 30 minutes of facebook a day, 1 hour of "Social Media" sites each day, etc...
- Applied per user based on, again, any of those criteria.
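The rule types described in the two policy posts above (the restricted / limited / unrestricted classes with per-day quotas, one-time metered windows and lunch-hour-only access, and the Websense-style per-group, per-time-frame, "continue" and daily-limit policies) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Websense, SonicWall, WatchGuard or any commenter; the group names, categories, quotas and clock times are constructed assumptions, and the `session_active` helper models the expiring login window from the original question.

```python
"""Web-filter policy evaluator (added example; not Websense, SonicWall or WatchGuard code).

Models the rule types discussed in the thread: categories blocked for everyone,
per-group rules, time-of-day windows, a "continue" acknowledgement page, daily
time quotas, and the expiring login window. All groups, categories, quotas and
times below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    CONTINUE = "continue"  # show an "are you sure?" page; allowed once acknowledged


# Security categories: blocked for every group, regardless of time or quota.
ALWAYS_BLOCKED = {"malware", "phishing"}


@dataclass
class Rule:
    category: str
    verdict: Verdict
    window: Optional[Tuple[time, time]] = None  # allowed only inside this time window
    quota_minutes: Optional[int] = None         # per-user daily cap for the category


# Constructed policy table keyed by directory group (what the AD integration supplies).
POLICIES: Dict[str, List[Rule]] = {
    "shop_floor": [Rule("social", Verdict.ALLOW, window=(time(12, 0), time(13, 0))),
                   Rule("video", Verdict.BLOCK)],
    "hr":         [Rule("social", Verdict.CONTINUE, quota_minutes=30),
                   Rule("video", Verdict.CONTINUE, quota_minutes=60)],
    "it":         [Rule("social", Verdict.ALLOW, quota_minutes=30),
                   Rule("video", Verdict.ALLOW)],
    "execs":      [],  # full access apart from ALWAYS_BLOCKED
}
DEFAULT_VERDICT = Verdict.ALLOW  # categories with no rule (work sites, uncategorised)


@dataclass
class Usage:
    """Minutes already spent today per (user, category); in practice fed from proxy logs."""
    minutes: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def spent(self, user: str, category: str) -> int:
        return self.minutes.get((user, category), 0)

    def add(self, user: str, category: str, mins: int) -> None:
        self.minutes[(user, category)] = self.spent(user, category) + mins


def evaluate(user: str, group: str, category: str, now: datetime,
             usage: Usage, acknowledged: bool = False) -> Verdict:
    """Decide one request. Checks run from least to most negotiable: security
    block, group rule, time window, daily quota, then the continue page."""
    if category in ALWAYS_BLOCKED:
        return Verdict.BLOCK
    rule = next((r for r in POLICIES.get(group, []) if r.category == category), None)
    if rule is None:
        return DEFAULT_VERDICT
    if rule.verdict is Verdict.BLOCK:
        return Verdict.BLOCK
    if rule.window is not None:
        start, end = rule.window
        if not (start <= now.time() < end):
            return Verdict.BLOCK
    if rule.quota_minutes is not None and usage.spent(user, category) >= rule.quota_minutes:
        return Verdict.BLOCK
    if rule.verdict is Verdict.CONTINUE and not acknowledged:
        return Verdict.CONTINUE
    return Verdict.ALLOW


def session_active(login_at: datetime, now: datetime, window_minutes: int = 45) -> bool:
    """The expiring login window from the question: access lasts window_minutes
    after authentication, after which the user must log in again."""
    return timedelta(0) <= now - login_at < timedelta(minutes=window_minutes)


if __name__ == "__main__":
    usage = Usage()
    morning = datetime(2015, 6, 1, 10, 0)
    print(evaluate("bob", "shop_floor", "social", morning, usage))              # Verdict.BLOCK
    print(evaluate("carol", "hr", "social", morning, usage, acknowledged=True))  # Verdict.ALLOW
```

The ordering inside `evaluate` is the point worth keeping when adapting this: the security categories are checked before any group, time or quota rule, so no amount of login windows or lunch-hour exceptions can reopen a malware or phishing destination, which is the distinction the thread keeps returning to between security blocking and HR-style blocking.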
I'm not sure about your specific legal jurisdiction, but as I understand it, some places have rules that are basically, "If you have a policy and do not technically enforce that policy, then the policy does not exist, and you are liable for anything done over that connection." So, if you are making it easy for employees to go to any sites they want and then you get busted for someone accessing kiddie porn, you had better hope you have good logs - although that might not be enough. The sad thing is that the better option is (as many have suggested) to trust your employees and let them self-manage; however, you do potentially leave yourself open to some nasty outcomes if you are not covering yourself enough. Now, if you are tracking, by employee, which sites are being visited and when, then I'm not sure where this puts you (and I would expect it varies depending on jurisdiction) - however, employees are much less likely to go somewhere nasty if they know the boss can review their logs at any time. At the very least, you should be able to see who went where and when - and you should actually check this regularly. As someone who has been on both sides (admin and user), it would be nice for those times that I need a site that has been (in my opinion) incorrectly blocked, but the extra step of "I have to specifically do something to get around this" would probably discourage time-wasting and less-than-savoury behaviour. But, a lawyer might not see things the same way - if you allowed access, you might still be responsible for what someone did with that.
The Six Dumbest Ideas in Computer Security
Might you simply use a separate computer that is not as prone to infection as the work PCs?
> He wants the users to be able to log in to the firewall to be able to
> access external websites that they are normally blocked from accessing.
Why are they blocked? Is it a security policy? If it is not strictly security policy (malware sites, hacking sites, phishing etc.) and not obvious non-work-related and unwanted stuff (gambling, pornography, hate, etc.), who decided to block access to all sites by default? Sometimes users do need to have access to the Internet to actually do their work. You haven't said anything about the character of your workplace.
> They would get a 45-minute window to do this, and then if they need more time,
> they need to re-login.
Seems reasonable. Why not? Also, I would have supplied the managers of these employees with simple statistics about each user: how long daily he uses the Internet, what his general interests are (social media, news, etc.), and let everybody know that these stats are available to managers.
> I told him that this type of procedure scares the crap out of me, as some users
> will just keep logging in and doing what we are trying to block them from doing,
And what exactly are you as an IT staff trying to block? Who asked you to block anything?
> and they will also be able to access infected websites as well.
Your boss told you to make infected websites accessible? Are you stupid or something? It is obvious that you should block malware-ridden sites nevertheless. Any decent proxy/filtering solution allows you to do that and also provides other access policies (like time windows and so on).
> I think it is in our (the IT staff's) best interest if we continue to allow access to users
> on a case-by-case basis -- and then turn it off when they have completed their task.
I think you don't get who actually does work for your salary in your company (your users) - your best interest as IT staff is to allow your users to do their job without any unnecessary obstacles (like incompetent BOFHs).
Claiming security issues is a cop out and an excuse to be controlling. If you are running insecure systems, and you are if you are running Windows, then set up a separate wifi network for personal / misc. Internet access. Users can then use their personal devices, phones, tablets, etc., or you could provide Chromebooks, which are cheap, secure, easily wipeable, etc. Set up web printing for tickets or similar. If you need to solve attention problems, it needs to be done at the personal level, perhaps suggesting an easy way to insert frequent short breaks. For most types of work, frequent breaks improve productivity. In the past, people took many smoke breaks and similar, so it's not necessarily the case that a Facebook break is a huge new problem. Losing track of time, keeping things in proportion, those can be an issue. A little structure or hinting of some kind is probably all that is needed there.
Stephen D. Williams
Isn't this a bit redundant? There're LAWS which cover this shit. Personally identifiable data is subject to legal protections, violations of which in a privately owned company can and do result in jail time for directors. Data pertaining to infrastructure or financial transactions are subject to varying degrees of protection under national security legislation up to and including the Official Secrets Act. Violation of THAT can lead to charges of treason.
As a data administrator in a legal practice, personally identifiable information security was priority number one. That information was strictly airgapped and transfer of data to and from the client was done face to face. Hard drives containing redundant information were not erased, they were shredded. Possibility of recovery of anything whatsoever: 0.0. Possibility of any third party getting access to that data: 0.0. How many times did I have to issue a refusal? Oh, many. Same reason every single time: it is not our data policy to divulge or release any information. Period. Here's a fuck-off biscuit, bon appetit. Even the High Court didn't get a client list with a writ of mandamus. I don't care who the fuck you are. If you're not authorised to have that data (and I am the sole arbiter of that), you are NOT getting it.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Simple as this. If I need to beg for access to web sites, when I need to access them, I won't. So if that information is needed, well, that task is done without that information, if it's done at all. Fuck that, fuck that fucking Gestapo bullshit you have going on there.
Some users can be trusted with access. They've got NOD32 installed because your corporate AV is crap, run malware and rootkit scanners regularly, are running with UBlock and Noscript on, no Flash or Java (not even installed). It's probably good to still have a warning for known bad sites for them, but in general they're probably more paranoid than IT is.
Other people will click on anything. If they get two emails in a row saying 'DO NOT CLICK ON ANY EMAIL LINKS' then the next email has 'CLICK HERE FOR MALWARE' they will click on the malware. Those people need to be locked down and no exceptions made, because they can't be trusted anywhere, any time.
Most people are somewhere in between.
And yes, I bypass the IT stuff. I run all my web browsing through an SSH tunnel, not really to bypass any blocks but because I don't want anyone spying on it and I don't trust any commercial MitM SSL solutions (Hello Komodia/Superfish). I gave myself admin access since I have to install new things all the time for various projects. BUT I did clear this with IT, at least on the personal level - ours are good people and have better things to do.
Why are you blocking access to anything? As an IT administrator it is _not_your_job_ to block anything for users and otherwise disturb them while using your network. Your job as an IT administrator is to allow your users to do their job without any unnecessary obstacles. Also keep in mind that usually (if you are not an IT service company) the users do their jobs so the company earns your salary - business wise - you don't earn shit, they do.
So with that in mind the structure of Internet access policy should be as follows.
- access to harmful websites is blocked by default (like malware, phishing, hacking) - this is a no brainer and you shouldn't give anybody access to such sites - block it by default as you are protecting your company's assets (which IS your job)
- access to potentially harmful websites is blocked by default (like sites that pose no technical threat but otherwise are not legal - child pornography, hate speech, drugs and so on) users interfacing with such sites could pose image damage for your company - which is also an asset - which you need to protect (as it IS your job)
- access to certainly non work related websites (pornography, gambling) - I would probably block it by default, I don't see any reason to allow it and also I don't see anybody going to argue with you that he needs access to pornography (unless he is doing research on that)
- other websites like time wasting social media, gaming, news, etc. - basically everything else - it is NOT YOUR JOB to put such policies in place without a request from your management (probably coming from HR)
- other policies like time/role based - also NOT YOUR JOB - this is HR
- it IS YOUR JOB to keep your users' actions accountable - so it is to log all their internet access so if needed (e.g. an incident) you can present it to management - also, when you are logging Internet access, in most jurisdictions it is safest to inform your users about it (on paper, and let them sign that they accept the policy)
So given these rules you certainly need some kind of policy enforcing technology at your Internet access gateway. Probably a proxy with filtering and a security appliance.
Of course you should assist your HR staff with suggestions on what can and can't be done with your systems/budget restraints and so on. You should implement the policies as HR or your boss tell you. You just don't want to decide on that matter - it is NOT YOUR JOB.
First, what are you protecting? Is your corporate data that precious and attractive that you fear being compromised and the whole of it being taken and sold? Do you store PII? Is data such as credentials for banking and financials being stored on your internal network? If so, then you have a substantial liability, and some data loss prevention and malware detection and disablement is necessary.
Second, do you have any regulatory, legal, or contractual requirements to prevent data loss? If so, prevention is necessary.
Last, do you want to avoid being held hostage to an attack of an encrypting malware? More dittos then.
All this complaining that you shouldn't be impeding business, that you're a megalomaniac desiring only power and control, and accusing you of being an idiot ignores potentially valid and compelling business reasons to prevent intrusions and losses. I'm well aware of these threats, but I work for a Fortune 100 financial services company, and the regulatory requirements alone demand we block by default and monitor data incoming and outgoing.
Oh, and intrusion detection needs to be in your plans.
Don't listen to the amateurs. Block by default, require business justification and offer a risk assessment for all exception requests, monitor and report suspicious activity. Don't trust your internal users. Segment wherever possible. Plan for failure. Exercise recovery plans. Due diligence.
Deleting the extra space after periods so I can stay relevant, yeah.
If it's security, a 45 minute window is no improvement over unrestricted access. In fact, a firewall login page is an extra chance for password snooping. Ideally, users would be able to open a remote desktop session to an unrestricted VM and the latter can be rolled back to its initial state once the session is over.
If you just don't want them to slack off, consider the battle lost. Everyone has smartphones perfectly suited to watch movies or chat with friends for the whole day. Find ways to measure and reward actual productivity rather than hoping to make people work out of boredom.
If you're an employee with unreasonable restrictions, do you bother to get around them?
I did not bother much about corporate web filters, though they often blocked technical blogs and such. However, then our company started to use MITM attacks in the HTTPS connections. Since then all my web browsing traffic bypasses the corporate firewall via a tunnel. If the company/IT does not trust me, there is no reason I should trust them.
PS. Of course I am using adblock/noscript/click-to-run-flash etc and have not had a single virus infection in 15 years, in case some IT droid should feel like complaining about my irresponsibility.
Next Gen Firewalls typically have three interesting features that change this game. The first is Single-Sign-On tech that allows the network admin to use User ID (either on Active Directory, LDAP, or pulling it off 802.1x\RADIUS, or SYSLOG). That gives them an extra special group that they can then give extra perms to or bypass capabilities (maybe even with a coaching TOS screenie). There are lawyers, executives, and HRIS people that may need bypass to do investigations for the company or maybe the company just wants to treat people like adults, but in the case there is a HR issue or violation they need the logging. The second and third are the ability to handle application controls, URL Filtering, and GEO-IP reputation in the same security policy as the user Identity. This single-policy execution makes these firewalls a no-brainer to push whatever policies you need.
Now, I am of a mindset that technology should fix business problems and content filtering is a business problem. Depending on the business you are in and job description, the responsibilities change. I think the discussion is fairly moot due to lack of information on industry.
My opinions:
In the tech world leave it open but log everything
In the financial industry, GEO-IP, In-line antivirus, and application control (with SSL inspection) are key, but you have to be fairly open with the content filter (coaching pages).
In education, block everything (I keed, but not really)
etc etc etc
It is the Company's network connection, block whatever you like.
But, and this is important, have an easy mechanism where a user can submit a URL, an admin can verify it is a legitimate business related site, and have the site whitelisted immediately. That way you can block "Big Butt Russian Teens" or whatever, but when the SmartFilter(tm) randomly decides that Fairchildsemi.com contains "adult content, sports, gambling and lotteries" (happened to me) the legit business use is not impeded.
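Both the layered policy laid out a few posts up (security and legal categories blocked for everyone, non-work categories blocked by default, everything else left to HR, every access logged) and the whitelist workflow in this post fit in one decision routine. The Python below is an added illustration for this thread, not code from any poster or from any firewall product; the category labels, hostnames, groups and the HR block list are constructed sample data, and a real gateway would take categories from a categorization feed and groups from the directory.

```python
"""Layered web-access policy evaluator (added illustration, not product code).

Check order, as the thread describes it:
  1. security categories are blocked for everyone and cannot be allowlisted;
  2. legal/reputational categories are blocked for everyone;
  3. a business allowlist lifts productivity blocks on misclassified sites;
  4. non-work categories are blocked by default;
  5. anything else is allowed unless HR supplied a per-group block list;
  6. every decision is logged with the user, for accountability.
All category names, hostnames and groups below are constructed sample data.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SECURITY_BLOCK = {"malware", "phishing", "hacking", "anonymizer"}
LEGAL_BLOCK = {"illegal", "hate_speech", "drugs"}
NON_WORK_BLOCK = {"pornography", "gambling"}


@dataclass
class Policy:
    # hostname -> categories (stand-in for a categorization feed)
    categories: dict[str, set[str]]
    # hosts an admin verified as legitimate business sites; overrides
    # productivity blocks only, never security or legal blocks
    business_allowlist: set[str] = field(default_factory=set)
    # group -> categories HR asked IT to block for that group
    hr_group_blocks: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def decide(self, user: str, group: str, url: str) -> tuple[bool, str]:
        host = urlsplit(url).hostname or ""
        cats = self.categories.get(host, {"uncategorized"})
        allowed, reason = self._evaluate(host, cats, group)
        # accountability: record who asked for what and why it was decided so
        self.audit_log.append({"user": user, "group": group, "url": url,
                               "categories": sorted(cats), "allowed": allowed,
                               "reason": reason})
        return allowed, reason

    def _evaluate(self, host: str, cats: set[str], group: str) -> tuple[bool, str]:
        if cats & SECURITY_BLOCK:
            return False, "security"            # no exceptions, ever
        if cats & LEGAL_BLOCK:
            return False, "legal"
        if host in self.business_allowlist:
            return True, "business_allowlist"   # fixes a miscategorised vendor
        if cats & NON_WORK_BLOCK:
            return False, "non_work_default"
        if cats & self.hr_group_blocks.get(group, set()):
            return False, "hr_policy"
        return True, "default_allow"


def sample_policy() -> Policy:
    """Constructed sample data: a malware host that someone also allowlisted,
    a vendor site the filter misfiled as adult/gambling, and a social site
    that HR wants blocked for the call centre only."""
    return Policy(
        categories={
            "downloads.example-bad.test": {"malware"},
            "vendor.example.test": {"pornography", "gambling"},
            "social.example.test": {"social_media"},
        },
        business_allowlist={"vendor.example.test", "downloads.example-bad.test"},
        hr_group_blocks={"callcenter": {"social_media", "gaming"}},
    )
```

The order of the checks is the point: the business allowlist sits below the security and legal checks, so an admin fast-tracking a miscategorised vendor site cannot accidentally open a malware host, and the audit log carries the reason for each decision so management can be shown who reached what and why.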
Tell your boss to stop browsing porn in the office
Do they offer any products for blocking forum spam?
It will most likely be done on the % of images that have flesh tone. For a computer it would be hard to tell the difference between a couple of lingerie models and a porn scene.
The only way I would do something like this is as follows:
- Give everyone who wants "unfettered" external web access a "Pervert Prison" made up of a non-normal architecture box running Android or Ubuntu: Like the Embedsky E9 i.MX6Q or similar.
- Set up all the "Pervert Prison" machines on either a VLAN or their own physical network, with each Department of "Prisons" on its own subnet.
- Disable all external storage.
- NAT the network.
- Throttle the "prison" network to 57.6Kbaud.
If you have important data it absolutely should not be stored on the same machines used to watch porn and browse Facebook. I know we are supposed to be entering the Internet Of Things revolution where even your fridge has direct access to the internet, but there is no reason to use the same machine to both access random web pages and store sensitive client financial data. Just install an open wifi router, completely disconnected from your business network, and allow the employees to research/goof-off at their leisure on their iphones.
Troll is not a replacement for I disagree.
If we are rightly scared of browser-borne infections and intrusions, then why are we still running browsers on our machines? Why not designate a machine, outside the firewall / in the DMZ, that runs ALL the browsers. The user logs into that machine, and the browser display events are sent back to the client machine. The safe client machine never runs a single snippet of plugin, or gobbles a single byte of untrusted network traffic. The client machine does not even -know- how to get to the internet.
Sending/receiving files can be locked down and logged. Or prevented.
The sound device would be a pain, and might require a new protocol, but this would solve many problems. I think it might make SSL better too (no proxy bs).
Perhaps a specialized (corporate) browser nexus product could be offered...with sound and optimized for the browser.
The client machine never talks to the internet. It just sees pictures of it.
It's dangerous out there.
Treat your workers like they're fucking responsible adults. Block 2, maybe 3 categories at the proxy, and nothing more:
1) Pornography (leave that stuff at home, and also to prevent hostile work environment claims)
2) Known spyware/malware/command & control sites (should be pretty self-explanatory)
3) Ads (optional, but could save significantly on bandwidth and potential spyware/malware infection sources; may break certain crappy sites, however)
That's it. Don't block anything else. Treat your employees like responsible adults. If they act irresponsibly, then that's a management issue that needs to be addressed between the employee and the employee's manager. I'm so fucking sick of companies treating employees like little kids and instituting draconian policies blanketly across the entire workforce because they can't/won't address personnel issues at the employee/manager level. The more sites/categories that get blocked, the harder it is for employees to research and do their jobs, and the more likely it makes them to circumvent controls.
We make it simple in my organization, unless it is a malicious site or other security related category (e.g. anonymizers), HR owns who can surf what, as it is more of a time management issue than an IT issue.
Use a content categorization service. Set up what is (1) allowed / (2) what is not allowed for productivity reasons / (3) strictly forbidden for security reasons. Set up a captive portal with an authorization (user / pw) to access level (2) content.
This way security concerns are protected while still allowing users to slack off or access a miscategorized site. All of these elevated accesses are logged for admin review.
This is the way I have Astaro (Sophos) UTM set up in my environment. The only things in category (2) are porn and blatantly illegal video streaming.
Was free unfettered Internet use one of the benefits in your compensation package?
Are you asking about my own personal employment situation or about what compensation package provides the best balance of benefits to the employer and employee? I was intending to discuss the latter. I imagine it's cheaper for an employer to offer segregated Wi-Fi in the break room than to increase all employees' salaries by the amount needed to subscribe to comparable individual cellular data service.
You expect IT to not lock shit down? I don't get the comments here. Corporate culture might suck, but it isn't IT's fault. When my asshole boss says don't let anybody have fun on the internet, lock them all down,... and then if and when someone is found out to not be completely locked down, my ass gets chewed out. So no, my stable job is not worth someone else's facebook, sorry.
Setting workplace rules is your boss's job. If he/she wants to cut your coworkers some slack, it's not your call. Keeping your work computers free of malware *is* your job, but if you're depending on a firewall for that, you're doing it wrong.
Besides blocking pornography there is no need for web blocking any longer. Your users all have mobile phones they can use to do ANYTHING. You might as well allow most of it, ensure your security software is doing its job, and monitor for reporting purposes only.
Ok then.
Because faggots?
The question comes down to, is access to this site legitimately work-related or not? If it isn't, no access. If it's dangerous, no access. If it's reasonably safe and needed for work, then the user needs access, period. No time window, no login, if they need access to that site for work then they should have access to it. Either that site needs to be removed from the block list entirely, or an exception to the block needs to be made for whatever group needs access (developers may need access to sites that the call center people don't, for example).
Fucking christ, get over yourself and your superiority complex. Is your security so fragile that you have to block sites like that? The only things you should be blocking are viruses.
Anyone with another computer on the outside of your firewall who has any computer knowledge (or a friend with any) will tunnel straight through your stupid firewall. I rent a cheap ass server to do just that. Firewalls are there for morons, so block what you want to stop the morons from seeing, everyone else does not give a shit.
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
At my work, they are blocking a lot (using bluecoat filter). Results: I have squid running in the cloud, I am connected via a ssh tunnel and chrome shortcut has the option --proxy-server=127.0.0.1:xxxx to bypass entirely the enterprise block. Many people have similar workarounds.
At a previous job, there was almost no block, but the intranet was giving a link to a page where we could monitor the time spent on all the websites during the month. I think this kind of monitoring (added to the usual signature of a policy chart) is a good deterrent for all abuses.
Filtering software is getting smarter and smarter. It is expensive, people complain. And it is an invitation to find workarounds. I think it's best to get rid of it.
Of course I don't mean wanking to it. Now that I entirely understand. But just watching it? It certainly isn't for the acting!
People watch it at your work? (Hopefully they aren't rubbing one out under their desks) And I had another friend who watched it in the car (thankfully passenger seat, but hearing the moans must have been extremely distracting to the driver!)
Is there any reason to watch porn without jerking it that I'm missing? Or are you touching yourself subtly in a way that I can't see. Please explain?
If they can't handle that responsibility then they might not be the best fit for your company.
>Well the question would then be why-is-the-firewall-there-in-the-first-place.
Most of the comments here act as if it's the users not being trusted. Managing the users is a separate issue. That might better be handled with an app that gathers stats, then throws them up on the screensavers of the whole section summarizing who did what. If some get embarrassed they'll likely stop.
The real purpose of firewalls should be to guard against harmful content. Anything not white-listed should be heavily filtered through proxy servers, with no scripting support, cookies or plugins supported (certainly no FLASH!!). Block off-site iFrames and other rich content. PDFs and video can be a problem that has to be blocked too.
Users can't be trusted to know when Ebay is infected, or know that it is allowing all sorts of invasive stalking scripting (even running some).
Are you blocking because the website carries malware, or are you blocking it because your boss doesn't approve of the content? Those are separate issues. If you are blocked because of content, then your boss needs to decide which employees should be trusted with internet access and unblock them (but audit). If the site contains malware it needs to stay blocked, until you have an IT guy on staff who can access the site in a sandbox VM. If the problem is loss prevention, they need to airgap the network with the stuff they don't want to get out.
Implemented a similar thing using Fortinet firewalls a few years back. You can still have AV protection on the firewall and provide access to a wider range of sites. You still want to be blocking *some* sites, like porn or racist sites to protect your company though, but you're relying on the site tagging which (in my instance) the Fortinet Web Filtering service provided.
Users just logged in with their Domain password to authenticate their level of access (as you may not want everyone having this.. i.e. finance or other more secure teams) and off it went, logging every site that was visited, mind, in case there were issues that needed evidence to back up some wrong-doing.
It's worth also providing a report to the Management team to review monthly, as if you have data showing that 80% of the time users are on Facebook, it becomes a productivity issue, rather than access.
Richard
It's entirely reasonable to expect employees to take short brain breaks during the working day. It's entirely reasonable for those brain breaks to be spent on random web pages.
Then they can do it on their own devices separate from the corporate network. This is not a reasonable argument in favor of reducing security. If they want to play on facebook during their break time they can do it on their own iPad. Corporate networks are for corporate business ONLY.
All this comes down to is simply trusting your employees.
Has nothing to do with trusting employees or not. Even trustworthy employees can be fooled into infecting a network. If they want to do something not permitted by the company policy (presuming company policy is sane) then they can do it on a network outside of the company.
The submitter has asked for input on a solution, but not defined the problem yet. So we can't truly help.
We have this issue at my company, and have resolved it through the use of "bypass codes" with OpenDNS as a web site filter. We have a basic access which has blocks by category, which OpenDNS does pretty well. We have some special company-wide exceptions for some customer sites which would fall under specific categories (a few gun catalogs or swimsuit catalogs that we print for customers fall in their weapons or lingerie categories). For those that may need access to some sites outside this, we have bypass codes that can be entered which allow access to a wider set of categories, but still block the porn and hate sites, etc. Finally we have a master code which is kept in IT which we can enter to allow access to any site, but it is valid only until they close the browser, at which point they are allowed only the standard level of access again. There is one issue with OpenDNS and SSL sites, as you are essentially using them as a proxy and the SSL certificate match fails, so it is not a perfect solution, but potentially a good fit for the OP's needs.
I have a lot of experience with Watchguard firewalls which have a similar content filter technology and within that the option to allow users to override a block for a period of time. However, at least a year or two ago, this didn't work in practice. We set a time limit of 15 minutes and 30 minutes later people were still browsing the Internet. I think the issue was the web browser would keep connections open and either the firewall wouldn't close that active connection or it in some other way prevented the timer from starting. I'm not sure if Sonicwall firewalls have the same technical issue. You should test that prior to a larger rollout.
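To see why the per-connection behaviour described above lets an override outlive its window, here is an added example, written for this thread and not code from Watchguard, SonicWall or any poster, of a time-boxed elevation gate that is evaluated on every request next to one that caches its decision when a connection is opened. The window length is the 45 minutes from the question; the user name, hostname and justification text are constructed, and the clock is injected so the expiry can be exercised without waiting. In line with the rest of the thread, an elevation only lifts productivity blocks, never security blocks.

```python
"""Time-boxed elevated web access, checked per request rather than per connection.

Added example for this thread (not product code). A user who logs in to the
gateway gets WINDOW_SECONDS during which productivity blocks are lifted;
security blocks are never lifted. Two gates are shown: one that re-checks the
window on every request, and one that decides once when a connection is opened,
which is the behaviour that lets a keep-alive connection outlive the window.
"""
from dataclasses import dataclass
from typing import Callable

WINDOW_SECONDS = 45 * 60          # the 45-minute window from the question


@dataclass
class Elevation:
    user: str
    granted_at: float
    justification: str            # business reason captured at the login page


class ElevationGate:
    """Per-request gate: the window is checked every time a request arrives."""

    def __init__(self, now: Callable[[], float], window: float = WINDOW_SECONDS):
        self._now = now
        self._window = window
        self._active: dict[str, Elevation] = {}
        self.events: list[tuple] = []     # feed for the monthly management report

    def elevate(self, user: str, justification: str) -> Elevation:
        e = Elevation(user, self._now(), justification)
        self._active[user] = e
        self.events.append(("elevated", user, e.granted_at, justification))
        return e

    def seconds_left(self, user: str) -> float:
        e = self._active.get(user)
        if e is None:
            return 0.0
        return max(0.0, e.granted_at + self._window - self._now())

    def check_request(self, user: str, url: str, verdict: str) -> bool:
        """verdict is the base policy result: 'allow', 'productivity_block'
        or 'security_block'. Only a productivity block can be lifted."""
        if verdict == "allow":
            return True
        if verdict == "security_block":
            return False                   # malware/phishing: no override, ever
        if self.seconds_left(user) > 0:
            self.events.append(("elevated_request", user, url))
            return True
        if user in self._active:           # window over: a fresh login is required
            self.events.append(("expired", user))
            del self._active[user]
        return False


class ConnectionCachedGate:
    """Per-connection gate: decides once at connect time and reuses the answer,
    mirroring the failure mode in the post above."""

    def __init__(self, gate: ElevationGate):
        self._gate = gate
        self._cache: dict[int, bool] = {}

    def on_connect(self, conn_id: int, user: str, url: str, verdict: str) -> bool:
        self._cache[conn_id] = self._gate.check_request(user, url, verdict)
        return self._cache[conn_id]

    def check_request(self, conn_id: int, user: str, url: str, verdict: str) -> bool:
        return self._cache[conn_id]        # never re-evaluated while the socket lives


class FakeClock:
    """Injected clock so the expiry can be driven deterministically."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate(window: float = WINDOW_SECONDS) -> tuple[bool, bool]:
    """Returns (per_request_allowed, per_connection_allowed) for a request made
    one second after the window ended. User, URL and reason are constructed."""
    clock = FakeClock()
    gate = ElevationGate(clock.now, window)
    cached = ConnectionCachedGate(gate)
    gate.elevate("alice", "vendor datasheet lookup")
    url = "https://blocked-for-productivity.example.test/"
    cached.on_connect(1, "alice", url, "productivity_block")   # allowed at t=0
    clock.advance(window + 1)                                   # window has ended
    per_request = gate.check_request("alice", url, "productivity_block")
    per_connection = cached.check_request(1, "alice", url, "productivity_block")
    return per_request, per_connection


if __name__ == "__main__":
    print(simulate())   # (False, True): only the per-request gate enforced the window
```

The `events` list is the raw material for the monthly report another poster suggests: every elevation carries the justification the user typed, every request made under it is recorded, and expiries show how often people re-login, which is the submitter's worry, expressed as data management can act on.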
Give users a sandboxed system that they can use to request access to specific firewalled web sites (a remote desktop connection to a virtual machine should do the trick).
If they need to save data to those web sites or upload files to them, give them some storage space that can be used for this purpose, but scan the bejesus out of anything that is saved to that location before it's allowed to be copied to your "normal" data-storage locations.
Once they log off, destroy the sandbox (or archive it for IT post-analysis).
One of the earlier commentators was right about one thing: Management has a business to run. If tech gets in the way of getting work done, that's a bad thing. If the bosses perceive that tech is getting in the way when it's really saving them from a disaster later, they will still perceive it as a bad thing and act accordingly.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
With the huge number of VPN services out there running on common https ports these days, your employees are going to go anywhere they want anyway unless you're strictly controlling their actual desktop machines and the software that they can install and run (and even then they have local access, so if they're smart they'll figure it out). So while I definitely think it's ridiculous to allow the users to access the firewall directly, it's also important to remember that your rules are quaint and outmoded in real life.
Back in 2001, well probably 1998, we had numerous highly effective web filtering proxies. Apparently they're now called firewalls. Among numerous other features, these systems classified websites and allowed administrators/managers to specify which were allowed for different groups of people. One group could have extremely limited access while another had more open access. These systems also had the capability to schedule different access levels, so a restricted worker would be less restricted at lunch, or after hours. Amaze balls!
These systems also had a feature that allowed "bonus access" where a user could choose to use more open access for a limited amount of time each day. Just like OP is fearful of.
The thing is that you never provided fully open access. The malicious site list was always blocked no matter what. Why would you permit the malicious list to be accessible to anyone, ever?
You need to do what you are told, but you also need to do your job. As per management's instructions, allow enhanced access. But limit it to the management specified number of hours. Never allow the malicious list. Never allow the child porn list. Don't be the stereotypical Network Nazi.
For fuck's sake man! All of these technical and political issues were addressed over a decade ago!
The Internet's a big place. A "black" list won't do much to help.