Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?
An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?
The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
What do you consider "reasonable" access? I tend to be very conservative about it. If I can do my job, I consider that reasonable access. Anything not strictly required to do my job is simply a bonus. Under those definitions, I've never had a job that did not afford me reasonable access to the internet. I know that many people will consider "reasonable" access to include things like access to Facebook and Twitter and their bank accounts, etc. I disagree. When I'm at work, I'm working. When I'm not at work, I'm not at work. I try very hard to keep the boundary distinct. The more I blur the line, the easier it is for my employer to want me to be always available.
Outside of spam, dangerous websites with known trojans, and maybe obvious porn, why would you want to block your employees? I've worked once for a big company like this. I left. A lot of websites were blocked. Even craigslist. It led to workarounds and other hacks. It was also quite counter-productive in many ways.
Honestly if you don't trust your employees don't hire them. If you have employees that aren't productive because they are doing things they shouldn't be doing then let them go.
I wouldn't work for you.
People get granted access to a specific machine only for that work and it is kept isolated off all network connections.
Stop blocking access at all.
Just fucking trust your employees. An environment in which people are overtly not trusted to do their jobs just breeds resentment and in fact employees that can't be trusted. People who feel like they're being treated unreasonably tend to act unreasonably in return.
I puncture my company's firewall all the time, without any risk to my work computer, without any logging on my work computer, etc.
You can set policies to restricted, limited access, or unrestricted (plus more, but I do not admin it).
Restricted is always blocked.
Limited access (say, like Facebook or YouTube); examples we use:
. you are limited to 30 minutes/day
. one-time metered use (for the next 10 minutes)
. only during lunch hour
Unrestricted -- normal.
You also class users, so IT may be more open, then HR, or Shop Floor. Execs have full access.
Works with AD, so your users do not have to log in to it.
We (unfortunately) use WatchGuard. However, it supports clientless SSO with Windows systems connected to a monitored domain; this includes systems with multi-user setups ("Switch User" and even RDS). You can set proxy filtering rules per AD user group and it'll apply to any user currently in any session on a domain system. The latest version of the firmware doesn't seem to have any major issues with clientless SSO any more, as long as it's set up correctly. You set up an event log monitor on each DC and set up an "authentication gateway" which speaks to these monitors, and this "Gateway" is what the WatchGuard units connect to in order to query which users are logged in and where.
I work for a public library system as one of two IT employees. Our state disallows display of offensive material in public, so we have pornographic content and extreme violence (gore websites) blocked. All of our staff and the public-use computers share the same internet filters, so all of our employees have access to social media and everything else under the sun. So far that's not been as much of a problem as some people make it out to be.
On occasion somebody on the public-use computers will encounter a website that's been blocked either in error, or what I would call a "fringe" website like Victoria's Secret. At that point either myself or the other IT employee will create an exception for it. We don't have any sort of public facing log-in on the firewall blocking page. We figure it's best to keep that out-of-reach of members of the public and slow-typing staff.
Then block everything. Provide a separate network for employees to connect their own personal devices.
The thing is, if the users need/want access to those sites, they will find a way. You are kidding yourself if you believe otherwise. The only thing you can do is channel it to ensure some level of security, and for that you _must_ prevent it from being exceedingly inconvenient, like your 45-minute idea. Everything else leads to insecurity caused by security measures, which is a well-known problem caused by paranoid (and hence incompetent) system isolation. In the worst case, you have to provide additional computers to your users that have less Internet access restrictions.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It sounds like you're trying to achieve two separate goals here:
To implement the boss's suggestion you need a different system to handle each and a way to categorise the blocked sites - or a system that allows more fine-grained control.
Stepping back a bit...
More importantly though, your boss should want to demonstrate that he trusts his employees to use their work time sensibly. By blocking websites for reasons other than network security and creating little bureaucratic procedures to unblock them you send a clear signal to the employee that they are not to be trusted with a basic resource like web browsing. Expect them to respond in kind.
I've been an IT manager and an IT director so I'll make a few points from that perspective.
1) IT is there to serve the needs of the business, and one of the needs of the business is to create / facilitate a productive and encouraging work environment. Now, this doesn't need to mean that you give people everything they ask for, but it does mean that you need to trust people. If there are legitimate reasons for concern then get a firewall product that can measure the amount of time someone is spending surfing the net; however, this is really a business concern and this capability is not for IT to worry about, it's for the different LOB managers to worry about. If they have that as a general concern then pursue it, otherwise it's not IT's concern.
2) What is IT's concern is the security, availability, and integrity of the computing environment and business data and that does mean taking reasonable measures to protect the assets under your control. That means that perhaps you need AV / Anti-Malware / etc. protections. Perhaps also a webfilter that blocks sites that are known for producing malware with the intent to exploit the visitors to that site. Those sites should come from security vendor watchlists and not some arbitrary list put together by the sysadmins.
3) Doing this is about finding an appropriate balance. That balance can only be maintained through constant communication and feedback with the business leaders (i.e. you need a governance process.) The business leadership / executive will need to decide what that balance is. IT's job is to appropriately communicate the risks, consequences and options and let the executive make the decision on how much risk they are willing to take on. This is why communication is crucial, especially in IT, and why often managers who are non-technical or barely technical, get those positions instead of the very technical people who "know better."
The question is "Why block at all?" not "Should we block at all?" In other words, "What is the specific goal of blocking?" If it's to prevent malware, it requires a different approach than if it's to prevent watching porn. If it's to protect sensitive information, it requires a very different approach, and may well involve blocking in both directions.
So, no, it isn't that idiots ask "why block at all" so much as only idiots don't distinguish between "why" and "should we".
Whilst most of the firewall products nowadays do provide proxies or web interfaces for users (for instance WebVPN in Cisco products), I do find it is a terrible idea to open up services and use up resources from the firewall. Just look at the long list of security advisories for WebVPN in Cisco, for instance. I do follow the policy of minimum services that I have as baggage as a Unix admin, and webvpn/proxy/VPN services are all provided by external servers. For instance, pfSense is quite nifty for that, or squid+dansguardian. Why not provide access, or provide unrestricted access, in a wifi network for BYOD? They can as well pierce your firewall with personal VPN services; they are very cheap nowadays. As for the corporate network, many people do not understand how a culture of unrestricted access to social networks and allowing adverts is a covert channel to infect personal computers. Also, if you want to invest in security and money is not a problem, have a look at the Capsule concept from Checkpoint.
I think the reasonable way to handle such things is: don't allow the user to go to additional websites, but give them pixels-and-mouse-only access to VMs in some cloud, the state of which is thrown away after the session (and important data explicitly saved to a temporary drive, where you can run all the checks which you like).
That would also prompt the question of whether you are just on a personal power trip here?
If the block is not that much necessary, remove it and make life easier for yourself, and the users if you care about them...
If there are really two kind of users, one that should have access to the outside and another, that should not, then split your user network, especially assuming that a network that has blocks for outbound connections, probably should have a (preferably two) DMZs that houses servers already in place...
You just need one b0xen on an ethernet cable to the one unblocked port on a hardware firewall, and ideally onto a separate line from your ISP. Put glue in all the USB ports and legacy ports, or just remove them. Remove the wifi chip from the board, lock the case and set it up with a basic install of your primary OS that re-flashes to a known state at midnight every night. Put this box in a visible, public area where users who have to leave your cordon are forced to do it in front of everyone else and through a secure separate pipe. Scale up with more dumb terminals as needed - old tech that's folding out of regular use in production is a good, cheap source for these boxes.
I work as an IT consultant / implementer.
I tend to work in Big Corporations doing infrastructural software projects. This includes introducing new procedures of how IT staff is going to administer their servers in the future (e.g.: how to use SSH in the future) both by technical as well as organisational means.
This also means that the IT staff and I are not often on good terms, which in turn again means I don't get cut any slack wrt. accessing the internet or getting software installed on my assigned corporate workstation. I can't download any files bigger than a certain threshold, can't download files ending in .exe, .msi, .zip, .7z, .rar, .ps1, .tar, .gz, .bz2, the list goes on.
USB is disabled on the workstations and they don't have an optical drive or a floppy drive.
Yes, IT is on lockdown.
When I have to use un-approved software (for example: wireshark for network debugging, vim for efficient file-editing) I usually upload the data I need to a private or corporate cloud instance, download it back onto my laptop via mobile phone network, do my work and transfer it back the same way.
I have a similar policy at work: there are a number of intranet and whitelisted internet sites and for the rest you use credentials. Intranet also contains a socialisation portal for mostly professional purposes. Also, every time you enter the credentials you see a notification that traffic is monitored. They have also blacklisted known malware sites and some potentially dangerous sites (such as the infamous sourceforge.com). In principle this is a reasonable policy, as a lot of attacks/infections come from willful disregard of good practices and rules.
All this policy is coupled with the inability to install software (except from an approved list in a software catalog) and the inability to use USB pen drives except for a couple of approved models.
Now, my local IT dept. has bent some of these rules for me and a few others that need special conditions, specified and justified: ability to install software on the work laptop, special/separate internet access at the price of additional screening at a flexible rate. Correctly describing the policies, rules and exceptions, and good management/collaboration for the purpose of ensuring reasonable productivity (my company does not produce IT - services or software), is what keeps us both secure and in business.
uhm...
"This website is blocked.
Category: Whatever.
If you wish to unblock, please contact Administrator."
Anything else is just open to abuse and you may as well not have a web filter at all (P.S. This has NOTHING to do with your firewall).
Trying to solve HR problems with technology is doomed to futility.
At my company, I don't block web sites. If I walked by someone's desk and saw him[1] looking at porn, I'd say "don't do that." If it got out of hand, I'd discipline the person.
Sometimes I walk past the desks of the tech support guys and I see them on Facebook or playing solitaire. Well, what else are they supposed to be doing if there are no support tickets open or support calls coming in? I don't care if they take breaks every now and then as long as they get their work done.
____________________________________________________________
[1] I suspect it's almost all guys who look at online porn.
HTTPS interception? Pretty bog-standard nowadays, you shouldn't need to explain what it is on here.
Why should it break non-web stuff? Fuck knows. You need to sack your IT team or get them to make exclusions for the sites you need.
Joining your computer to a tethered phone and then later reconnecting to the corporate network? Sackable offence in my workplace.
You're both being dickheads. But the question is really do you *need* access to external git/svn/etc.? If so, then working around it in such a way is not the way to do it.
So far it seems everyone is trying to bring "open internet" to the users computer... why?
It sounds as if this is intended to be on an "infrequent" and "exception" basis.
Deploy a terminal server in a DMZ; users can then remote in and browse from there. If you want to allow open downloading, provide a restricted AV-protected share to retrieve downloaded files; if you do not want to allow open downloading, provide one anyway but require an IT person to review it manually.
Reimage nightly if paranoid.
Finally, everyone has a cell phone nowadays.
An Audiovox 8610 flip phone cannot connect to the Internet.
Cellular data - use that.
I'd be glad to do so in exchange for a reasonable cellular data stipend. Consider these choices:
I imagine that of the three, option A would be most affordable in most cases.
Depends on "why" you're trying to block access:
Surfing Facebook is a productivity hit? A time bound exception (30 mins at a time) might be a viable approach.
Porn? Probably no valid reason to surf porn at most jobs.
As a previous poster said, if you're really concerned about malware / C&C servers etc., blacklist everything, whitelist a handful of websites required for the job.
Say a company will be using a product from a particular supplier, and an employee wants to view an instructional video about this product uploaded to YouTube by this supplier. Should that count against the employee's YouTube time?
My perspective is from working as a contractor to banks and other companies in the banking sector in the UK and Europe, and occasionally to companies working in Defence contracting, where there is no issue with foreign nationals providing such services. The ultimate goal is, where possible, to prevent data breaches. However, when budgets are limited and business requirements mandate access to external services, IT security becomes about (0.9) establishing ownership of the IT security policy and firewall management; (1) making it as hard as possible for the breach to occur; (2) minimizing the data that can be lost during a breach; (3) establishing clear auditing procedures to help recognize and quantify the nature of the breach and the data exposed; and (4) establishing reporting and information sharing policies to advise internal and external stakeholders of the breach.
There should probably be a (1.1) in there as well, which is to identify the most likely sources of a breach and manage the risks in each case, although as an IT security issue the biggest single source of hacks, electronic break-ins, lost data, and any kind of shenanigans that lead to your company's data being splurged all over the internet, is the stupid fuck-wit sitting at the desk (you and I included, but especially the users outside the IT department). Everyone from the company chairman down to the lowest employee is a softer target than the firewall itself.
If there is a breach (and chances are that there will be one if there has not been one already, so the statement should probably be "if/when you DISCOVER the breach"), the IT team are the ones who will get it in the neck for allowing the breach, even if users are given the ability to control their own firewall settings.
If users need access to a website or service that is not currently allowed, they should submit a business case/request to their line manager who then approves it. IT then co-approve and make the relevant changes (and if IT say "no", they need to have a damn good reason). There is a paper trail, and all open ports and firewall rules are there because of business decisions. IT will still get it in the neck, but there will be an audit trail.
Allowing users to open their own ports (whether it is temporary or permanent is totally irrelevant) means that those clients cannot be trusted by the server farms/network resources on the network, so they should be moved into a DMZ with a firewall between them and the rest of the network.
Meanwhile, your post is not insightful at all.
If you require access to a restricted site, you ask IT to give you access. We also pass that request to their boss.
Access is good for 24 hours only unless they have a real need to have access permanently.
This is trivial to do with any commercial firewall.
At the firewall I've configured open access to the web, with a caching proxy only for videos and static content. I don't have an extra layer of DansGuardian or BlueCoat policing users. Known attack pages are generally blocked by Google Safe Browsing. I enforce a very strict policy on security awareness, so my users are generally careful around the web. Periodically, content logs are scanned from the firewall and I generate reports for management and HR to review. They're the only ones who care what you do on breaks anyhow.
Lately I've had my log script checking for data exfiltration... CC patterns and phone numbers mostly. Blacklisting is done through null-routing subnets and only if a request comes from a C level or HR.
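As an added illustration of the kind of exfiltration check the comment above describes (scanning proxy logs for card-number and phone-number patterns), here is example code written for this page; it is not the commenter's script. The log format, the field order and the four sample lines are constructed, and the patterns are deliberately simple so that the Luhn check, not the regex, does the work of separating a real card number from a random digit run.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log lines (format made up for this example):
#   timestamp user client_ip method url-and-body-excerpt
SAMPLE_LOG = """\
1700000000.123 alice 10.0.0.5 POST https://paste.example/upload card=4111111111111111
1700000001.456 bob 10.0.0.6 GET https://news.example/article?id=12345
1700000002.789 carol 10.0.0.7 POST https://forms.example/submit phone=%2B44%207911%20123456
1700000003.012 dave 10.0.0.8 POST https://share.example/x card=4111111111111112
"""

# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Illustrative international phone shape: +CC, 3-4 digit prefix, 5-7 digit number.
PHONE_CANDIDATE = re.compile(r"\+\d{1,3}[ -]?\d{3,4}[ -]?\d{5,7}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(line: str) -> list:
    """Return a list of findings for one log line (empty if nothing matched)."""
    fields = line.split(" ", 4)
    if len(fields) < 5:
        return []
    _ts, user, client, _method, rest = fields
    text = unquote(rest)        # decode %2B, %20 etc. before pattern matching
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # a digit run that fails Luhn is not reported as a card
            findings.append({"user": user, "client": client,
                             "kind": "card", "value": mask(digits)})
    # Remove card candidates first so a card is not double-counted as a phone number.
    remainder = CARD_CANDIDATE.sub(" ", text)
    for m in PHONE_CANDIDATE.finditer(remainder):
        digits = re.sub(r"\D", "", m.group())
        findings.append({"user": user, "client": client,
                         "kind": "phone", "value": mask(digits)})
    return findings


def scan_log(text: str) -> list:
    """Scan every line of a log and return all findings, in log order."""
    results = []
    for line in text.splitlines():
        results.extend(scan_line(line))
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['user']}@{f['client']}: {f['kind']} {f['value']}")
```

Line 4 of the sample carries a 16-digit number that fails the Luhn check, so it is not reported; that is the difference between a pattern scanner and a useful one. A real deployment would run this over the proxy's own log format, decode request bodies the same way, and feed the masked findings to whoever reviews the reports rather than to a mailbox.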
The more accurate question is 'What if anything should we block, and why?'
We have always used VMs/jumpboxes that are segregated from the rest of the network to allow for accessing potentially dangerous or unapproved external sites.
Downloads are enabled, but to get the files from the system requires submitting a ticket to have the files downloaded, scanned, and burned to a DVD or placed on a file server.
While nothing is 100% safe, this sure beats the hell out of compromising your firewall rules and allowing semi-retarded users to fuck shit up.
I work as an IT consultant / implementer.
I also work as a consultant (though programming, not IT).
You've hit the nail on the head as to how to deal with overly restrictive IT people - work hourly. Now it's not so annoying when you have to go through some lame workaround to do something, it's a direct financial benefit to yourself for the extra hours needed to get work done...
It is trivial to set up a WiFi access point on your own cell phone to temporarily bypass any and all annoying filters.
This problem is largely solved.
We use an ASA and Websense. There are other products that accomplish this as well, and both the ASA and Websense will integrate with a variety of these.
Inside Websense, policies can be set, as examples:
* Apply policies to restrict or not restrict based on user, IP, IP range, AD group, etc...
  - Not all or nothing - you can, for instance, ALWAYS restrict certain categories or sites, like ones with trojans or whatever.
* On *any* combination of the above, you can then
* Restrict or not restrict based on time frames so at lunch hour it's less restrictive.
* Categories or individual sites can be set to "continue", which gives the user a notice that they have to click a button to actually go to that site
  - Very useful as a reminder "Are you sure using this site is reasonable at this time?"
* And most important to the question, you could also set a time limit per day for any site or category.
  - 30 minutes of Facebook a day, 1 hour of "Social Media" sites each day, etc...
  - Applied per user based on, again, any of those criteria.
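The policy features listed in this comment (always-block categories, per-group exemptions, lunch-hour time windows, a "continue" click-through, and a per-user daily quota) and the earlier "restricted / limited access / unrestricted" comment describe the same decision logic. The following is an added, self-contained Python model of that logic written for this page; it is not Websense, WatchGuard or any vendor's code, and the host-to-category table, group names and rule order are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Rule:
    categories: frozenset                  # site categories this rule covers
    groups: Optional[frozenset] = None     # None = applies to every user
    action: str = "allow"                  # "allow", "block", "continue" or "quota"
    quota_minutes: int = 0                 # daily allowance for "quota" rules
    windows: tuple = ()                    # (start, end) time-of-day pairs; empty = always

    def matches(self, category: str, groups: frozenset, when: datetime) -> bool:
        if category not in self.categories:
            return False
        if self.groups is not None and not (self.groups & groups):
            return False
        if self.windows and not any(s <= when.time() < e for s, e in self.windows):
            return False
        return True


class WebPolicy:
    """First-matching-rule evaluator with per-user, per-category daily quotas."""

    def __init__(self, rules, site_categories):
        self.rules = rules
        self.site_categories = site_categories
        self.usage = defaultdict(int)      # (user, category, date) -> minutes used

    def categorize(self, host: str) -> str:
        return self.site_categories.get(host, "uncategorized")

    def decide(self, user, groups, host, when, minutes=1, acknowledged=False):
        """Return (decision, reason); decision is "allow", "block" or "continue"."""
        category = self.categorize(host)
        groups = frozenset(groups)
        for rule in self.rules:
            if not rule.matches(category, groups, when):
                continue
            if rule.action == "continue":
                # The click-through: first request gets the notice, acknowledged request passes.
                return ("allow" if acknowledged else "continue", category)
            if rule.action == "quota":
                key = (user, category, when.date())   # keyed by date, so it resets daily
                if self.usage[key] + minutes > rule.quota_minutes:
                    return ("block", f"{category}: daily quota of {rule.quota_minutes} min exhausted")
                self.usage[key] += minutes
                return ("allow", f"{category}: {self.usage[key]}/{rule.quota_minutes} min used")
            return (rule.action, category)
        return ("allow", category)          # no rule matched: unrestricted


def build_policy() -> WebPolicy:
    """Constructed example ruleset; hosts and categories are made up."""
    site_categories = {
        "evil.example": "malware",
        "facebook.example": "social",
        "video.example": "streaming",
        "shop.example": "shopping",
    }
    rules = [
        # Always blocked, for everyone, including execs: the security rule comes first.
        Rule(frozenset({"malware", "phishing"}), action="block"),
        # IT and Execs are exempt from the social-media quota.
        Rule(frozenset({"social"}), groups=frozenset({"IT", "Execs"}), action="allow"),
        # Everyone else gets 30 minutes of social media per day.
        Rule(frozenset({"social"}), action="quota", quota_minutes=30),
        # Streaming is open during the lunch hour and blocked otherwise.
        Rule(frozenset({"streaming"}), action="allow", windows=((time(12, 0), time(13, 0)),)),
        Rule(frozenset({"streaming"}), action="block"),
        # Shopping sites show an "are you sure?" notice before loading.
        Rule(frozenset({"shopping"}), action="continue"),
    ]
    return WebPolicy(rules, site_categories)


if __name__ == "__main__":
    policy = build_policy()
    morning = datetime(2024, 1, 15, 10, 0)
    print(policy.decide("alice", {"Staff"}, "facebook.example", morning, minutes=30))
    print(policy.decide("alice", {"Staff"}, "facebook.example", morning))
```

Rule order is the whole design: the unconditional block for malicious categories sits above every exemption, so a group-based "unrestricted" rule can never re-open it, which is the "not all or nothing" point the comment makes. The quota is tracked per user and per calendar day, so a user who has spent the allowance is blocked for the rest of that day and starts fresh the next.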
I'm not sure about your specific legal jurisdiction, but as I understand it, some places have rules that are basically, "If you have a policy and do not technically enforce that policy, then the policy does not exist, and you are liable for anything done over that connection." So, if you are making it easy for employees to go to any sites they want and then you get busted for someone accessing kiddie porn, you had better hope you have good logs - although that might not be enough. The sad thing is that the better option is (as many have suggested) to trust your employees and let them self-manage; however, you do potentially leave yourself open to some nasty outcomes if you are not covering yourself enough. Now, if you are tracking, by employee, which sites are being visited and when, then I'm not sure where this puts you (and I would expect it varies depending on jurisdiction) - however, employees are much less likely to go somewhere nasty if they know the boss can review their logs at any time. At the very least, you should be able to see who went where and when - and you should actually check this regularly. As someone who has been on both sides (admin and user), it would be nice for those times that I need a site that has been (in my opinion) incorrectly blocked, but the extra step of "I have to specifically do something to get around this" would probably discourage time-wasting and less-than-savoury behaviour. But, a lawyer might not see things the same way - if you allowed access, you might still be responsible for what someone did with that.
The Six Dumbest Ideas in Computer Security
Claiming security issues is a cop-out and an excuse to be controlling. If you are running insecure systems, and you are if you are running Windows, then set up a separate wifi network for personal / misc. Internet access. Users can then use their personal devices, phones, tablets, etc., or you could provide Chromebooks, which are cheap, secure, easily wipeable, etc. Set up web printing for tickets or similar. If you need to solve attention problems, it needs to be done at the personal level, perhaps suggesting an easy way to insert frequent short breaks. For most types of work, frequent breaks improve productivity. In the past, people took many smoke breaks and similar, so it's not necessarily the case that a Facebook break is a huge new problem. Losing track of time, keeping things in proportion, those can be an issue. A little structure or hinting of some kind is probably all that is needed there.
Stephen D. Williams
isn't this a bit redundant? There're LAWS which cover this shit. Personally identifiable data is subject to legal protections, violations of which in a privately owned company can and do result in jail time for directors. Data pertaining to infrastructure or financial transactions are subject to varying degrees of protection under national security legislation up to and including the Official Secrets Act. Violation of THAT can lead to charges of treason.
As a data administrator in a legal practice, personally identifiable information security was priority number one. That information was strictly airgapped and transfer of data to and from the client was done face to face. Hard drives containing redundant information were not erased, they were shredded. Possibility of recovery of anything whatsoever: 0.0. Possibility of any third party getting access to that data: 0.0. How many times did I have to issue a refusal? Oh, many. Same reason every single time: it is not our data policy to divulge or release any information. Period. Here's a fuck-off biscuit, bon appetit. Even the High Court didn't get a client list with a writ of mandamus. I don't care who the fuck you are. If you're not authorised to have that data (and I am the sole arbiter of that), you are NOT getting it.
Some users can be trusted with access. They've got NOD32 installed because your corporate AV is crap, run malware and rootkit scanners regularly, are running with UBlock and Noscript on, no Flash or Java (not even installed). It's probably good to still have a warning for known bad sites for them, but in general they're probably more paranoid than IT is.
Other people will click on anything. If they get two emails in a row saying 'DO NOT CLICK ON ANY EMAIL LINKS' then the next email has 'CLICK HERE FOR MALWARE' they will click on the malware. Those people need to be locked down and no exceptions made, because they can't be trusted anywhere, any time.
Most people are somewhere in between.
And yes, I bypass the IT stuff. I run all my web browsing through an SSH tunnel, not really to bypass any blocks but because I don't want anyone spying on it and I don't trust any commercial MitM SSL solutions (Hello Komodia/Superfish). I gave myself admin access since I have to install new things all the time for various projects. BUT I did clear this with IT, at least on the personal level - ours are good people and have better things to do.
Why are you blocking access to anything? As an IT administrator it is _not_your_job_ to block anything for users and otherwise disturb them while using your network. Your job as an IT administrator is to allow your users to do their job without any unnecessary obstacles. Also keep in mind that usually (if you are not an IT service company) the users do their jobs so the company earns your salary - business-wise, you don't earn shit, they do.
So with that in mind the structure of the Internet access policy should be as follows.
- access to harmful websites is blocked by default (like malware, phishing, hacking) - this is a no-brainer and you shouldn't give anybody access to such sites - block it by default as you are protecting your company's assets (which IS your job)
- access to potentially harmful websites is blocked by default (like sites that pose no technical threat but otherwise are not legal - child pornography, hate speech, drugs and so on) - users interfacing with such sites could pose image damage for your company - which is also an asset - which you need to protect (as it IS your job)
- access to certainly non-work-related websites (pornography, gambling) - I would probably block it by default, I don't see any reason to allow it and also I don't see anybody going to argue with you that he needs access to pornography (unless he is doing research on that)
- other websites like time-wasting social media, gaming, news, etc. - basically everything else - it is NOT YOUR JOB to put such policies in place without a request from your management (probably coming from HR)
- other policies like time/role based - also NOT YOUR JOB - this is HR
- it IS YOUR JOB to keep your users' actions accountable - so it is to log all their internet access so if needed (e.g. an incident) you can present it to management - also when you are logging Internet access, in most jurisdictions it is safest to inform your users about it (on paper, and let them sign that they accept the policy)
So given these rules you certainly need some kind of policy-enforcing technology at your Internet access gateway. Probably a proxy with filtering and a security appliance.
Of course you should assist your HR staff with suggestions on what can and can't be done with your systems/budget restraints and so on. You should implement the policies as HR or your boss tell you. You just don't want to decide on that matter - it is NOT YOUR JOB.
First, what are you protecting? Is your corporate data that precious and attractive that you fear being compromised and the whole of it being taken and sold? Do you store PII? Is data such as credentials for banking and financials stored on your internal network? If so, then you have a substantial liability, and some data loss prevention and malware detection and disablement is necessary.
Second, do you have any regulatory, legal, or contractual requirements to prevent data loss? If so, prevention is necessary.
Last, do you want to avoid being held hostage to an attack of an encrypting malware? More dittos then.
All this complaining that you shouldn't be impeding business, that you're a megalomaniac desiring only power and control, and accusing you of being an idiot ignores potentially valid and compelling business reasons to prevent intrusions and losses. I'm well aware of these threats, but I work for a Fortune 100 financial services company, and the regulatory requirements alone demand we block by default and monitor data incoming and outgoing.
Oh, and intrusion detection needs to be in your plans.
Don't listen to the amateurs. Block by default, require business justification and offer a risk assessment for all exception requests, monitor and report suspicious activity. Don't trust your internal users. Segment wherever possible. Plan for failure. Exercise recovery plans. Due diligence.
deleting the extra space after periods so i can stay relevant, yeah.
If it's security, a 45-minute window is no improvement over unrestricted access. In fact, a firewall login page is an extra chance for password snooping. Ideally, users would be able to open a remote desktop session to an unrestricted VM, and the latter can be rolled back to its initial state once the session is over.
If you just don't want them to slack off, consider the battle lost. Everyone has smartphones perfectly suited to watch movies or chat with friends for the whole day. Find ways to measure and reward actual productivity rather than hoping to make people work out of boredom.
The answer to "What, if anything, should we block" versus "What, if anything, should we allow" is "it varies":
Scenario 1: Receiving. Give the guy a Citrix or App-V console into a machine that can browse the Internet unfettered, but doesn't allow files to be transferred to the internal machine. Now the user has access to websites, and there is something substantial keeping the actual machine from being compromised.
Scenario 2: Finance. Again, these machines are touching sensitive data, so they, by themselves, don't see the outside world, but the user can always use a VDI implementation to browse the web, making the isolation a non-issue.
Scenario 3: General company (dev, QA, sales) use. The above in reverse. Allow traffic out, have a good IDS/IPS in place (this should be in place everywhere, but especially with this), and stick the real sensitive stuff behind an RDP firewall, or a "hop box". The user can manipulate the data, but malware on their machine will have a hard time (though not an impossible one) grabbing the entire database for upload to a blackhat's site.
Scenario 4: Point of sale registers. These have no reason to be connected to the outside Internet, other than through a server for credit card validation.
Of course, these are generic, off-the-top-of-my-head scenarios, but there is no one size fits all solution, other than that it helps to have some type of VDI for separation of data.
Next Gen Firewalls typically have three interesting features that change this game. The first is Single-Sign-On tech that allows the network admin to use User ID (either on Active Directory, LDAP, or pulling it off 802.1x\RADIUS, or SYSLOG). That gives them an extra special group that they can then give extra perms to or bypass capabilities (maybe even with a coaching TOS screen). There are lawyers, executives, and HRIS people that may need bypass to do investigations for the company, or maybe the company just wants to treat people like adults, but in the case there is an HR issue or violation they need the logging. The second and third are the ability to handle application controls, URL filtering, and GEO-IP reputation in the same security policy as the user identity. This single-policy execution makes these firewalls a no-brainer to push whatever policies you need.
Now, I am of a mindset that technology should fix business problems and content filtering is a business problem. Depending on the business you are in and job description, the responsibilities change. I think the discussion is fairly moot due to lack of information on industry.
My opinions:
In the tech world leave it open but log everything
In the financial industry, GEO-IP, In-line antivirus, and application control (with SSL inspection) are key, but you have to be fairly open with the content filter (coaching pages).
In education, block everything (I keed, but not really)
etc etc etc
It is the Company's network connection, block whatever you like.
But, and this is important, have an easy mechanism where a user can submit a URL, an admin can verify it is a legitimate business-related site, and have the site whitelisted immediately. That way you can block "Big Butt Russian Teens" or whatever, but when the SmartFilter(tm) randomly decides that Fairchildsemi.com contains "adult content, sports, gambling and lotteries" (happened to me) the legit business use is not impeded.
Do they offer any products for blocking forum spam?
It will most likely be done on the % of images that have flesh tone. For a computer it would be hard to tell the difference between a couple of lingerie models and a porn scene.
If you have important data it absolutely should not be stored on the same machines used to watch porn and browse Facebook. I know we are supposed to be entering the Internet Of Things revolution where even your fridge has direct access to the internet, but there is no reason to use the same machine to both access random web pages and store sensitive client financial data. Just install an open wifi router, completely disconnected from your business network, and allow the employees to research/goof-off at their leisure on their iphones.
Troll is not a replacement for I disagree.
I know several places that require Internet access for the POS to work right, such as ones that generate UPS/FedEx/USPS labels, people using Intuit's Online POS system, and people using Square's Register app. With that said, on the one I used to support, I filtered what sites one could access, and it was kept on an isolated network from the rest of the company.
If we are rightly scared of browser-borne infections and intrusions, then why are we still running browsers on our machines? Why not designate a machine, outside the firewall / in the DMZ, that runs ALL the browsers. The user logs into that machine, and the browser display events are sent back to the client machine. The safe client machine never runs a single snippet of plugin, or gobbles a single byte of untrusted network traffic. The client machine does not even -know- how to get to the internet.
Sending/receiving files can be locked down and logged. Or prevented.
The sound device would be a pain, and might require a new protocol, but this would solve many problems. I think it might make SSL better too (no proxy bs).
Perhaps a specialized (corporate) browser nexus product could be offered...with sound and optimized for the browser.
The client machine never talks to the internet. It just sees pictures of it.
Treat your workers like they're fucking responsible adults. Block 2, maybe 3 categories at the proxy, and nothing more:
1) Pornography (leave that stuff at home, and also to prevent hostile work environment claims)
2) Known spyware/malware/command & control sites (should be pretty self-explanatory)
3) Ads (optional, but could save significantly on bandwidth and potential spyware/malware infection sources; may break certain crappy sites, however)
That's it. Don't block anything else. Treat your employees like responsible adults. If they act irresponsibly, then that's a management issue that needs to be addressed between the employee and the employee's manager. I'm so fucking sick of companies treating employees like little kids and instituting draconian policies blanketly across the entire workforce because they can't/won't address personnel issues at the employee/manager level. The more sites/categories that get blocked, the harder it is for employees to research and do their jobs, and the more likely it makes them to circumvent controls.
I had two sites I used to administer that were constantly getting infected with something. They hired kids to work the night shift and they would get bored and surf anywhere you could imagine.
At one site, instituting a computer use policy, proxy, and a blacklist like DansGuardian along with fetching the mail to an internal server and scanning before delivery was enough to curb it to 1 minor infection in 5 years. At the other site, this didn't even come close. We had to completely lock down the Internet and approve specific sites and domains as needed. This has yielded no infections in the four or five years I remained with them.
Both sites have or had a public wifi and separate Linux systems for guest access on a separate subnet the employees could use (when guests weren't), but for some reason they insisted on using company workstations.
I stopped working with them about two years ago. I dunno what they have now but I saw one of the companies is being sued for a data breach with credit card numbers.
Was free unfettered Internet use one of the benefits in your compensation package?
Are you asking about my own personal employment situation or about what compensation package provides the best balance of benefits to the employer and employee? I was intending to discuss the latter. I imagine it's cheaper for an employer to offer segregated Wi-Fi in the break room than to increase all employees' salaries by the amount needed to subscribe to comparable individual cellular data service.
You expect IT to not lock shit down? I don't get the comments here. Corporate culture might suck, but it isn't IT's fault. When my asshole boss says don't let anybody have fun on the Internet, lock them all down... and then if and when someone is found out to not be completely locked down, my ass gets chewed out. So no, my stable job is not worth someone else's Facebook, sorry.
It sounds like you did the best thing possible to keep the problem in check. There comes a time when a problem ceases to be a technical issue, and becomes an HR one. For example, in a previous life, I worked at a job where there was one network port on a switch for a specialized appliance that needed unfettered Internet access (both incoming and outgoing). When I saw someone tack an Ethernet switch onto that line and set up an AP, I locked the port down to the MAC of the kiosk. I then encountered someone putting an embedded device with three Ethernet ports, faking the MAC of the first one going to the switch, and the device using NAT to allow the appliance and another wireless AP on that line.
My solution was to move the appliance into the same locked IDF closet as the switch, then have a custom Web filter made for that hacked port with every site getting denied access. Even though I had access door logs and knew who it was, he was the darling of management, and getting in his way was like pissing on the third rail of a subway train.
Setting workplace rules is your boss's job. If he/she wants to cut your coworkers some slack, it's not your call. Keeping your work computers free of malware *is* your job, but if you're depending on a firewall for that, you're doing it wrong.
Besides blocking pornography there is no need for web blocking any longer. Your users all have mobile phones they can use to do ANYTHING. You might as well allow most of it, ensure your security software is doing its job, and monitor for reporting purposes only.
The question comes down to, is access to this site legitimately work-related or not? If it isn't, no access. If it's dangerous, no access. If it's reasonably safe and needed for work, then the user needs access period. No time window, no login, if they need access to that site for work then they should have access to it. Either that site needs removed from the block list entirely, or an exception to the block needs to be made for whatever group needs access (developers may need access to sites that the call center people don't, for example).
Such stations should be limited to a whitelist only, with everything else blocked. And by rights, be on a separate network, but it has to be on the same network as the server behind the POS stations to work at all, and that's what an intruder is after anyway. There's only so much you can do.
The real lesson is there are no easy answers, and every situation has to be handled on its own merits.
There comes a time when a problem ceases to be a technical issue, and becomes an HR one.
Sing it, brother. I got paid to surf porn web sites one time, because I was told to completely document the misdeeds of an employee who had access to an unrestricted computer. Most of them were obviously porn, and needed no further investigation, but some I had to go to the home page to be sure. In the end, I had 45 pages of proxy logs, in small print (for one week). I'd had a conversation with that employee less than 2 weeks earlier about how if you did something on my network, I have a log of it.
(And he liked to print it out - in black & white. They still call the bottom drawer of the file cabinet "the porn drawer.")
At my work, they are blocking a lot (using a Bluecoat filter). Result: I have squid running in the cloud, I am connected via an ssh tunnel, and the Chrome shortcut has the option --proxy-server=127.0.0.1:xxxx to bypass the enterprise block entirely. Many people have similar workarounds.
At a previous job, there was almost no blocking, but the intranet gave a link to a page where we could monitor the time spent on all the websites during the month. I think this kind of monitoring (added to the usual signing of a policy charter) is a good deterrent for all abuses.
Filtering software is getting smarter and smarter. It is expensive, people complain. And it is an invitation to find workarounds. I think it's best to get rid of it.
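Several comments in this thread argue for logging proxy access and reporting on it (per-user time on sites, the 45 pages of proxy logs) and for a quick path to whitelist business sites the filter mis-categorises. As an added example, not from the thread or any product mentioned in it, this Python script parses squid's native access.log format (constructed sample lines, RFC 2606 names; it assumes proxy authentication so the user field is populated) and produces both views:

```python
"""Summarise a squid-style proxy access.log per user and flag denied domains.
Added example, not the thread's code. Assumes squid's native format with proxy
authentication so the user field is populated (whitespace-separated fields)."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (RFC 2606 names), not taken from the page.
SAMPLE_LOG = """\
1420070400.123    250 10.0.0.5 TCP_MISS/200 5120 GET http://vendor.example.com/datasheet.pdf jdoe DIRECT/192.0.2.10 application/pdf
1420070405.000      0 10.0.0.5 TCP_DENIED/403 3100 GET http://vendor.example.com/products/ jdoe NONE/- text/html
1420070410.250   1200 10.0.0.5 TCP_MISS/200 8000 GET http://vendor.example.com/support/ jdoe DIRECT/192.0.2.10 text/html
1420070420.000      0 10.0.0.7 TCP_DENIED/403 3100 CONNECT social.example.net:443 asmith NONE/- -
1420070421.000      0 10.0.0.7 TCP_DENIED/403 3100 CONNECT vendor.example.com:443 asmith NONE/- -
1420070430.000    900 10.0.0.7 TCP_MISS/200 2200 GET http://intranet.example.org/wiki asmith DIRECT/192.0.2.20 text/html
this line is malformed and is skipped
"""


def domain_of(url):
    """Host part of a proxied URL; CONNECT lines carry only host:port."""
    if "://" not in url:
        url = "//" + url  # scheme-relative so urlsplit sees host:port as netloc
    return urlsplit(url).hostname or url


def parse_line(line):
    """Parse one native-format line; None for lines that do not fit."""
    p = line.split()
    if len(p) < 10:
        return None
    try:
        return {"elapsed_ms": int(p[1]), "user": p[7], "domain": domain_of(p[6]),
                "denied": p[3].startswith("TCP_DENIED")}
    except ValueError:
        return None


def summarize(log_text):
    """Per-user, per-domain request counts and service time for allowed
    requests, plus a Counter of denied domains across all users."""
    per_user = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "ms": 0}))
    denied = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["denied"]:
            denied[rec["domain"]] += 1
            continue
        stats = per_user[rec["user"]][rec["domain"]]
        stats["requests"] += 1
        stats["ms"] += rec["elapsed_ms"]
    return per_user, denied


def whitelist_candidates(denied, min_hits=2):
    """Domains denied at least min_hits times, most-denied first: the
    mis-categorised business sites an admin should review for whitelisting."""
    return [d for d, n in denied.most_common() if n >= min_hits]
```

Pointing `summarize` at a real access.log gives the per-user report the monitoring page described above would show, and `whitelist_candidates` surfaces the repeatedly denied domains worth a human look.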
If they can't handle that responsibility then they might not be the best fit for your company.
Are you blocking because the website carries malware, or are you blocking it because your boss doesn't approve of the content? Those are separate issues. If you are blocked because of content, then your boss needs to decide which employees should be trusted with internet access and unblock them (but audit). If the site contains malware it needs to stay blocked, until you have an IT guy on staff who can access the site in a sandbox VM. If the problem is loss prevention, they need to airgap the network with the stuff they don't want to get out.
It's entirely reasonable to expect employees to take short brain breaks during the working day. It's entirely reasonable for those brain breaks to be spent on random web pages.
Then they can do it on their own devices separate from the corporate network. This is not a reasonable argument in favor of reducing security. If they want to play on facebook during their break time they can do it on their own iPad. Corporate networks are for corporate business ONLY.
All this comes down to is simply trusting your employees.
Has nothing to do with trusting employees or not. Even trustworthy employees can be fooled into infecting a network. If they want to do something not permitted by the company policy (presuming company policy is sane) then they can do it on a network outside of the company.
The submitter has asked for input on a solution, but not defined the problem yet. So we can't truly help.
We have this issue at my company, and have resolved it through the use of "bypass codes" with OpenDNS as a web site filter. We have a basic access level which has blocks by category, which OpenDNS does pretty well. We have some special company-wide exceptions for some customer sites which would fall under specific categories (a few gun catalogs or swimsuit catalogs that we print for customers fall in their weapons or lingerie categories). For those who may need access to some sites outside this, we have bypass codes that can be entered which allow access to a wider set of categories, but still block the porn and hate sites, etc. Finally we have a master code which is kept in IT which we can enter to allow access to any site, but it is valid only until they close the browser, at which point they are allowed only the standard level of access again. There is one issue with OpenDNS and SSL sites, as you are essentially using them as a proxy and the SSL certificate match fails, so it is not a perfect solution, but potentially a good fit for the OP's needs.
Give users a sandboxed system that they can use to request access to specific firewalled web sites (a remote desktop connection to a virtual machine should do the trick).
If they need to save data to those web sites or upload files to them, give them some storage space that can be used for this purpose, but scan the bejesus out of anything that is saved to that location before it's allowed to be copied to your "normal" data-storage locations.
Once they log off, destroy the sandbox (or archive it for IT post-analysis).
One of the earlier commentators was right about one thing: Management has a business to run. If tech gets in the way of getting work done, that's a bad thing. If the bosses perceive that tech is getting in the way when it's really saving them from a disaster later, they will still perceive it as a bad thing and act accordingly.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
With the huge number of VPN services out there running on common https ports these days, your employees are going to go anywhere they want anyway unless you're strictly controlling their actual desktop machines and the software that they can install and run (and even then they have local access, so if they're smart they'll figure it out). So while I definitely think it's ridiculous to allow the users to access the firewall directly, it's also important to remember that your rules are quaint and outmoded in real life.
A Linux box with x2go makes a great internet machine. You can allow users to run firefox or chrome.
Cheap storage VM.
The Internet's a big place. A "black" list won't do much to help.