Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?
An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?
The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
It's entirely reasonable to expect employees to take short brain breaks during the working day. It's entirely reasonable for those brain breaks to be spent on random web pages.
All this comes down to is simply trusting your employees. If you can trust them to get on and do their job, and only take reasonable breaks, then you don't need a filter. If you can't trust them, then 1) your culture is fucked up, fix that, and 2) why the hell are you employing someone so untrustworthy that they don't do their job?
I've been an IT manager and an IT director so I'll make a few points from that perspective.
1) IT is there to serve the needs of the business and one of the needs of the business is to create / facilitate a productive and encouraging work environment. Now, this doesn't need to mean that you give people everything they ask for, but it does mean that you need to trust people. If there are legitimate reasons for concern then get a firewall product that can measure the amount of time someone is spending surfing the net; however, this is really a business concern and this capability is not for IT to worry about; it's for the different LOB managers to worry about. If they have that as a general concern then pursue it, otherwise it's not IT's concern.
2) What is IT's concern is the security, availability, and integrity of the computing environment and business data and that does mean taking reasonable measures to protect the assets under your control. That means that perhaps you need AV / Anti-Malware / etc. protections. Perhaps also a webfilter that blocks sites that are known for producing malware with the intent to exploit the visitors to that site. Those sites should come from security vendor watchlists and not some arbitrary list put together by the sysadmins.
3) Doing this is about finding an appropriate balance. That balance can only be maintained through constant communication and feedback with the business leaders (i.e. you need a governance process.) The business leadership / executive will need to decide what that balance is. IT's job is to appropriately communicate the risks, consequences and options and let the executive make the decision on how much risk they are willing to take on. This is why communication is crucial, especially in IT, and why often managers who are non-technical or barely technical, get those positions instead of the very technical people who "know better."
The question is "Why block at all?" not "Should we block at all?" In other words, "What is the specific goal of blocking?" If it's to prevent malware, it requires a different approach than if it's to prevent watching porn. If it's to protect sensitive information, it requires a very different approach, and may well involve blocking in both directions.
So, no, it isn't that idiots ask "why block at all" so much as only idiots don't distinguish between "why" and "should we".
Why have checks and balances on anything? Why count cash registers at the end of a shift? Why not just trust them? Why have a dress code? In the Real World, there sometimes need to be rules and limits.
The problem is not everyone is you. Not everyone will be reasonable with the Internet. Additionally there are other concerns - someone visiting the wrong site (not porn, more like the wrong part of craigslist) in view of others and a sexual harassment lawsuit is filed for a hostile workplace (true story). Or everyone leaving Facebook open on their desktop with videos, etc. sucking up all the bandwidth (90% of all bandwidth was used solely on personal activity) making actual work-related use slow. Bandwidth is cheap? Who wants to justify or approve another $1500 a month for the next bandwidth tier for more personal use?
Finally, everyone has a cell phone nowadays. Cellular data - use that.
"This website is blocked.
Category: Whatever.
If you wish to unblock, please contact Administrator."
Anything else is just open to abuse and you may as well not have a web filter at all (P.S. This has NOTHING to do with your firewall).
Trying to solve HR problems with technology is doomed to futility.
At my company, I don't block web sites. If I walked by someone's desk and saw him[1] looking at porn, I'd say "don't do that." If it got out of hand, I'd discipline the person.
Sometimes I walk past the desks of the tech support guys and I see them on Facebook or playing solitaire. Well, what else are they supposed to be doing if there are no support tickets open or support calls coming in? I don't care if they take breaks every now and then as long as they get their work done.
____________________________________________________________
[1] I suspect it's almost all guys who look at online porn.
B0xen? Seriously?
If you observe that your employees are spending all day dicking around, and they don't get their assigned work done, you fire them.
Then you go out of business. Responsible self-directed employees who get the job done without close supervision are WAY more expensive than less responsible workers that need some managing. If you hire only the former, you will be crushed by competitors with a much lower cost structure and a much wider hiring pool.
Meanwhile, your post is not insightful at all.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.