Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?

An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?

If you gotta ask...

If you are the BOFH you only cut slack for your own amusement.

Assuming you're the local goody-two-shoes Administrator ("NT can be, and usually is, administered by an idiot") the first real question is, why block at all? Perhaps then you can answer why you feel the need to make a big show of allowing exceptions.

Re:If you gotta ask...

[mlts]

The answer to "What, if anything, should we block" versus "What, if anything, should we allow" is "it varies":

Scenario 1: Receiving. Give the guy a Citrix or App-V console into a machine that can browse the Internet unfettered, but doesn't allow files to be transferred to the internal machine. Now the user has access to websites, there is something substantial keeping the actual machine from being compromised.

Scenario 2: Finance. Again, these machines are touching sensitive data, so they, by themselves, don't see the outside world, but the user can always use a VDI implement to browse the web, making the isolation a non-issue.

Scenario 3: General company (dev, QA, sales) use. The above in reverse. Allow traffic out, have a good IDS/IPS in place (this should be in place everywhere, but especially with this), and stick the real sensitive stuff behind a RDP firewall, or a "hop box". The user can manipulate the data, but malware on their machine will have a hard time (though not impossible) to grab the entire database for upload to a blackhat's site.

Scenario 4: Point of sale registers. These have no reason to be connected to the outside Internet, other than through a server for credit card validation.

Of course, these are generic, off-the-top-of-my-head scenarios, but there is no one size fits all solution, other than that it helps to have some type of VDI for separation of data.

Reasonable Access

[FrozenGeek]

What do you consider "reasonable" access? I tend to be very conservative about it. If I can do my job, I consider that reasonable access. Anything not strictly required to do my job is simply a bonus. Under those definitions, I've never had a job that did not afford me reasonable access to the internet. I know that many people will consider "reasonable" access to include things like access to Facebook and twitter and their bank accounts, etc. I disagree. When I'm at work, I'm working. When I'm not at work, I'm not at work. I try very hard to keep the boundary distinct. the more I blur the line, the easier it is for my employer to want me to be always available.

Re:Reasonable Access

[Bert64]

People these days have portable devices, you can allow them to take breaks using an isolated wifi network and their own portable devices...

The average corporate desktop is extremely vulnerable to attacks from websites (against the browser, the plugins, other applications etc), and trying to defend against such attacks is a huge pain and/or huge cost.

Re:Reasonable Access

There are exceptions, but as a rule, I don't use web filters and firewalls to "restrict" users from using non-threatening websites. Productivity standards and issues should be handled between users and their managers. The web filter exists to protect the network from viruses/malware, and from objectionable content that could reflect poorly on the company (gambling, porn, etc.). Otherwise, I have pretty steadfastly refused to block sites because "Joe shouldn't be on that during work hours.". If Joe isn't getting his work done, discipline him for it. If he is, you have either set the standard too low, or Joe is doing a good job and why do you care if he takes a brain break.
 
With that in mind, if you are blocking websites for security purposes, then getting around those restrictions should be done in a secure manner using a sandboxed VM in a DMZ, or something similar. If it's to get around the company restriction on Youtube, this is a perfect solution.

Re:Correct

[Lesrahpem]

The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!

This plan is a good one. To curb your concerns you could follow this plan:

1. 1) Allow users to login to unblock sites on an as-needed basis. Keep the process simple so workflow isn't encumbered.
2. 2) Keep a log of every time a user logs in to request access. Possibly keep a log of what sites users are visiting with this access, but do not log the traffic. Just the sites.
3. 3) Pair this log with your issue tracking system and possibly employee performance reviews.

If an employee's support tickets seem to be linked to the sites they are requesting, the employee can be approached and possible restrictions can be put in place if the problem isn't solved with a conversation. The same goes for browsing habits that might be linked to downturns in performance.

This way, you are allowing your employees/users their freedom to browse/work, and only restricting the people who keep presenting problems.

Re:This is really simple...

[angel'o'sphere]

You can not trust your employee not to infect a machine by surfing a random website like facebook.

After all every image can have a troyan/virus embedded exploiting the jpg library of your browser/OS.

It has nothing to do with the employees, its the sites that are the problem, so you block everything except a white list.

Re:Correct

I'm with you on the issue that IT is a function of a business to enable business. I think however there are some real issues with what's going on here.

1) There is a firewall in place which appears to be impeding business from operating
2) The IT guy is trying to get justification from outside to continue impeding business instead of taking the opportunity to identify why the firewall is blocking sites which facilitate their business.
3) He is concerned about malware and other traditional security breeches
4) The sites being blocked are probably black-listed based on the type of site they are as opposed to blocking malicious content from the site.
5) The boss seems to believe the users need to access these sites.
6) He wants to handle this on a case by case basis which seems to impede business enough that this has become an issue.
7) It sounds like he is using some sort of web filtering system which categorizes site types.

I can go on for a while... I may be way off base, but it strikes me that this guy lacks the skills or business knowledge to properly secure the business while also facilitating its operation. I completely disagree with the boss's assessment to allow a timed override. This apparently is a solution which doesn't do anything other than impede the workflow of the users. It sounds like the correct solution is for the boss and IT guy to simply decide :
  Do we permit users to access these categories of websites or don't we?

As for viruses and malware, the entire current generation of firewalls and IPSes on the market are designed to perform deep inspection and most of the good ones implement Snort, ClamAV and more at the edge. They also can retroactively identify that a machine has finished downloading a malicious object before the firewall could identify what it was and then require the machine is remediated until it has been cleared to be on the network again.

I think the boss also has to choose whether to send this guy to proper training and spend money on real firewalls or whether he should just use a service instead.

It's simple

Treat your workers like they're fucking responsible adults. Block 2, maybe 3 categories at the proxy, and nothing more:
1) Pornography (leave that stuff at home, and also to prevent hostile work environment claims)
2) Known spyware/malware/command & control sites (should be pretty self-explanatory)
3) Ads (optional, but could save significantly on bandwidth and potential spyware/malware infection sources; may break certain crappy sites, however)

That's it. Don't block anything else. Treat your employees like responsible adults. If they act irresponsibly, then that's a management issue that needs to be addressed between the employee and the employee's manager. I'm so fucking sick of companies treating employees like little kids and instituting draconian policies blanketly across the entire workforce because they can't/won't address personnel issues at the employee/manager level. The more sites/categories that get blocked, the harder it is for employees to research and do their jobs, and the more likely it makes them to circumvent controls.