Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?
An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?
What do you consider "reasonable" access? I tend to be very conservative about it. If I can do my job, I consider that reasonable access. Anything not strictly required to do my job is simply a bonus. Under those definitions, I've never had a job that did not afford me reasonable access to the internet. I know that many people will consider "reasonable" access to include things like access to Facebook and Twitter and their bank accounts, etc. I disagree. When I'm at work, I'm working. When I'm not at work, I'm not at work. I try very hard to keep the boundary distinct. The more I blur the line, the easier it is for my employer to want me to be always available.
linquendum tondere
The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!
This plan is a good one. To curb your concerns you could follow this plan:
If an employee's support tickets seem to be linked to the sites they are requesting, the employee can be approached and possible restrictions can be put in place if the problem isn't solved with a conversation. The same goes for browsing habits that might be linked to downturns in performance.
This way, you are allowing your employees/users their freedom to browse/work, and only restricting the people who keep presenting problems.
The answer to "What, if anything, should we block" versus "What, if anything, should we allow" is "it varies":
Scenario 1: Receiving. Give the guy a Citrix or App-V console into a machine that can browse the Internet unfettered, but doesn't allow files to be transferred to the internal machine. Now the user has access to websites, and there is something substantial keeping the actual machine from being compromised.
Scenario 2: Finance. Again, these machines are touching sensitive data, so they, by themselves, don't see the outside world, but the user can always use a VDI implement to browse the web, making the isolation a non-issue.
Scenario 3: General company (dev, QA, sales) use. The above in reverse. Allow traffic out, have a good IDS/IPS in place (this should be in place everywhere, but especially with this), and stick the real sensitive stuff behind an RDP firewall, or a "hop box". The user can manipulate the data, but malware on their machine will have a hard time (though not an impossible one) grabbing the entire database for upload to a blackhat's site.
Scenario 4: Point of sale registers. These have no reason to be connected to the outside Internet, other than through a server for credit card validation.
Of course, these are generic, off-the-top-of-my-head scenarios, but there is no one-size-fits-all solution, other than that it helps to have some type of VDI for separation of data.