Slashdot Mirror
Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?
An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?
The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I've been an IT manager and an IT director so I'll make a few points from that perspective.
1) IT is there to serve the needs of the business and one of the needs of the business is to create / facilitate a productive and encouraging work environment. Now, this doesn't need to mean that you give people everything they ask for, but it does mean that you need to trust people. If there are legitimate reasons for concern then get a firewall product that can measure the amount of time someone is spending surfing the net; however, this is really a business concern and this capability is not for IT to worry about its for the different LOB managers to worry about. If they have that as a general concern then pursue it, otherwise it's not IT's concern.
2) What is IT's concern is the security, availability, and integrity of the computing environment and business data and that does mean taking reasonable measures to protect the assets under your control. That means that perhaps you need AV / Anti-Malware / etc. protections. Perhaps also a webfilter that blocks sites that are known for producing malware with the intent to exploit the visitors to that site. Those sites should come from security vendor watchlists and not some arbitrary list put together by the sysadmins.
3) Doing this is about finding an appropriate balance. That balance can only be maintained through constant communication and feedback with the business leaders (i.e. you need a governance process.) The business leadership / executive will need to decide what that balance is. IT's job is to appropriately communicate the risks, consequences and options and let the executive make the decision on how much risk they are willing to take on. This is why communication is crucial, especially in IT, and why often managers who are non-technical or barely technical, get those positions instead of the very technical people who "know better."
The question is "Why block at all?" not "Should we block at all?" In other words, "What is the specific goal of blocking?" If it's to prevent malware, it requires a different approach than if it's to prevent watching porn. If it's to protect sensitive information, it requires a very different approach, and may well involve blocking in both directions.
So, no, it isn't that idiots as "why block at all" so much as only idiots don't distinguish between "why" and "should we".