Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?
An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?
The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
What do you consider "reasonable" access? I tend to be very conservative about it. If I can do my job, I consider that reasonable access. Anything not strictly required to do my job is simply a bonus. Under those definitions, I've never had a job that did not afford me reasonable access to the internet. I know that many people will consider "reasonable" access to include things like access to Facebook and Twitter and their bank accounts, etc. I disagree. When I'm at work, I'm working. When I'm not at work, I'm not at work. I try very hard to keep the boundary distinct. The more I blur the line, the easier it is for my employer to want me to be always available.
Outside of spam, dangerous websites with known trojans, and maybe obvious porn, why would you want to block your employees? I've worked once for a big company like this. I left. A lot of websites were blocked. Even craigslist. Led to workarounds and other hacks. It was also quite counter-productive in many ways.
Honestly if you don't trust your employees don't hire them. If you have employees that aren't productive because they are doing things they shouldn't be doing then let them go.
I wouldn't work for you.
People get granted access to a specific machine only for that work and it is kept isolated off all network connections.
Stop blocking access at all.
Just fucking trust your employees. An environment in which people are overtly not trusted to do their jobs just breeds resentment and in fact employees that can't be trusted. People who feel like they're being treated unreasonably tend to act unreasonably in return.
The thing is, if the users need/want access to those sites, they will find a way. You are kidding yourself if you believe otherwise. The only thing you can do is channel it to ensure some level of security and for that you _must_ prevent it from being exceedingly inconvenient, like your 45 minutes idea. Everything else leads to insecurity caused by security measures, which is a well-known problem caused by paranoid (and hence incompetent) system isolation. In the worst case, you have to provide additional computers to your users that have less Internet access restrictions.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
It sounds like you're trying to achieve two separate goals here:
To implement the boss's suggestion you need a different system to handle each and a way to categorise the blocked sites - or a system that allows more fine grained control.
Stepping back a bit...
More importantly though, your boss should want to demonstrate that he trusts his employees to use their work time sensibly. By blocking websites for reasons other than network security and creating little bureaucratic procedures to unblock them you send a clear signal to the employee that they are not to be trusted with a basic resource like web browsing. Expect them to respond in kind.
I've been an IT manager and an IT director so I'll make a few points from that perspective.
1) IT is there to serve the needs of the business and one of the needs of the business is to create / facilitate a productive and encouraging work environment. Now, this doesn't need to mean that you give people everything they ask for, but it does mean that you need to trust people. If there are legitimate reasons for concern then get a firewall product that can measure the amount of time someone is spending surfing the net; however, this is really a business concern and this capability is not for IT to worry about, it's for the different LOB managers to worry about. If they have that as a general concern then pursue it, otherwise it's not IT's concern.
2) What is IT's concern is the security, availability, and integrity of the computing environment and business data and that does mean taking reasonable measures to protect the assets under your control. That means that perhaps you need AV / Anti-Malware / etc. protections. Perhaps also a webfilter that blocks sites that are known for producing malware with the intent to exploit the visitors to that site. Those sites should come from security vendor watchlists and not some arbitrary list put together by the sysadmins.
3) Doing this is about finding an appropriate balance. That balance can only be maintained through constant communication and feedback with the business leaders (i.e. you need a governance process.) The business leadership / executive will need to decide what that balance is. IT's job is to appropriately communicate the risks, consequences and options and let the executive make the decision on how much risk they are willing to take on. This is why communication is crucial, especially in IT, and why often managers who are non-technical or barely technical, get those positions instead of the very technical people who "know better."
The question is "Why block at all?" not "Should we block at all?" In other words, "What is the specific goal of blocking?" If it's to prevent malware, it requires a different approach than if it's to prevent watching porn. If it's to protect sensitive information, it requires a very different approach, and may well involve blocking in both directions.
So, no, it isn't that idiots ask "why block at all" so much as only idiots don't distinguish between "why" and "should we".
Whilst most of the firewall products nowadays do provide proxies or web interfaces for users (for instance WebVPN in Cisco products), I do find it is a terrible idea to open up services and use up resources on the firewall. Just look at the long list of security advisories for WebVPN in Cisco, for instance. I do follow the policy of minimum services that I have as baggage as a Unix admin, and webvpn/proxy/VPN services are all provided by external servers. For instance, pfSense is quite nifty for that, or squid+dansguardian. Why not provide access, or even unrestricted access, on a wifi network for BYOD? They can as well pierce your firewall with personal VPN services, they are very cheap nowadays. As for the corporate network, many people do not understand how a culture of unrestricted access to social networks and allowing adverts is a covert channel to infect personal computers. Also if you want to invest in security and money is not a problem, have a look at the Capsule concept from Checkpoint.
If the block is not that necessary, remove it and make life easier for yourself, and the users if you care about them...
If there are really two kinds of users, one that should have access to the outside and another that should not, then split your user network, especially assuming that a network that has blocks for outbound connections probably should have a (preferably two) DMZs that house servers already in place...
You just need one b0xen on an ethernet cable to the one unblocked port on a hardware firewall, and ideally onto a separate line from your ISP. Put glue in all the usb ports and legacy ports, or just remove them. Remove the wifi chip from the board, lock the case and set it up with a basic install of your primary OS that re-flashes to a known state at midnight every night. Put this box in a visible, public area where users who have to leave your cordon are forced to do it in front of everyone else and through a secure separate pipe. Scale up with more dumb terminals as needed - old tech that's folding out of regular use in production is a good, cheap source for these boxes.
I work as an IT consultant / implementer.
I tend to work in Big Corporations doing infrastructural software projects. This includes introducing new procedures of how IT staff is going to administer their servers in the future (e.g.: how to use SSH in the future) both by technical as well as organisational means.
This also means that the IT staff and I are not often on good terms which in turn again means I don't get cut any slack wrt. accessing the internet or getting software installed on my assigned corporate workstation. I can't download any files bigger than a certain threshold, can't download files ending in .exe, .msi, .zip, .7z, .rar, .ps1, .tar, .gz, .bz2, the list goes on.
USB is disabled on the workstations and they don't have an optical drive or a floppy drive.
Yes, IT is on lockdown.
When I have to use un-approved software (for example: wireshark for network debugging, vim for efficient file-editing) I usually upload the data I need to a private or corporate cloud instance, download it back onto my laptop via mobile phone network, do my work and transfer it back the same way.
"This website is blocked.
Category: Whatever.
If you wish to unblock, please contact Administrator."
Anything else is just open to abuse and you may as well not have a web filter at all (P.S. This has NOTHING to do with your firewall).
Trying to solve HR problems with technology is doomed to futility.
At my company, I don't block web sites. If I walked by someone's desk and saw him[1] looking at porn, I'd say "don't do that." If it got out of hand, I'd discipline the person.
Sometimes I walk past the desks of the tech support guys and I see them on Facebook or playing solitaire. Well, what else are they supposed to be doing if there are no support tickets open or support calls coming in? I don't care if they take breaks every now and then as long as they get their work done.
____________________________________________________________
[1] I suspect it's almost all guys who look at online porn.
So far it seems everyone is trying to bring "open internet" to the users computer... why?
It sounds as if this is intended to be on an "infrequent" and "exception" basis.
Deploy a terminal server in a DMZ, users can then remote in and browse from there. If you want to allow open downloading, provide a restricted AV protected share to retrieve downloaded files, if you do not want to allow open downloading, provide one anyways but require an IT person to review it manually.
Reimage nightly if paranoid.
Meanwhile, your post is not insightful at all.
The more accurate question is 'What if anything should we block, and why?'
We have always used VMs/jumpboxes that are segregated from the rest of the network to allow for accessing potentially dangerous or unapproved external sites.
Downloads are enabled, but to get the files from the system requires submitting a ticket to have the files downloaded, scanned, and burned to a DVD or placed on a file server.
While nothing is 100% safe, this sure beats the hell out of compromising your firewall rules and allowing semi-retarded users to fuck shit up.
The Six Dumbest Ideas in Computer Security
Claiming security issues is a cop out and an excuse to be controlling. If you are running insecure systems, and you are if you are running Windows, then set up a separate wifi network for personal / misc. Internet access. Users can then use their personal devices, phones, tablets, etc., or you could provide Chromebooks which are cheap, secure, easily wipeable, etc. Set up web printing for tickets or similar. If you need to solve attention problems, it needs to be done at the personal level, perhaps suggesting an easy way to insert frequent short breaks. For most types of work, frequent breaks improve productivity. In the past, people took many smoke breaks and similar, so it's not necessarily the case that a Facebook break is a huge new problem. Losing track of time, keeping things in proportion, those can be an issue. A little structure or hinting of some kind is probably all that is needed there.
Stephen D. Williams
If it's security, a 45 minute window is no improvement over unrestricted access. In fact, a firewall login page is an extra chance for password snooping. Ideally, users would be able to open a remote desktop session to an unrestricted VM and the latter can be rolled back to its initial state once the session is over.
If you just don't want them to slack off, consider the battle lost. Everyone has smartphones perfectly suited to watch movies or chat with friends for the whole day. Find ways to measure and reward actual productivity rather than hoping to make people work out of boredom.
The answer to "What, if anything, should we block" versus "What, if anything, should we allow" is "it varies":
Scenario 1: Receiving. Give the guy a Citrix or App-V console into a machine that can browse the Internet unfettered, but doesn't allow files to be transferred to the internal machine. Now the user has access to websites, and there is something substantial keeping the actual machine from being compromised.
Scenario 2: Finance. Again, these machines are touching sensitive data, so they, by themselves, don't see the outside world, but the user can always use a VDI implementation to browse the web, making the isolation a non-issue.
Scenario 3: General company (dev, QA, sales) use. The above in reverse. Allow traffic out, have a good IDS/IPS in place (this should be in place everywhere, but especially with this), and stick the real sensitive stuff behind a RDP firewall, or a "hop box". The user can manipulate the data, but malware on their machine will have a hard time (though not an impossible one) grabbing the entire database for upload to a blackhat's site.
Scenario 4: Point of sale registers. These have no reason to be connected to the outside Internet, other than through a server for credit card validation.
Of course, these are generic, off-the-top-of-my-head scenarios, but there is no one size fits all solution, other than that it helps to have some type of VDI for separation of data.
I'd imagine that:
D. No internet access at work outside of sites deemed acceptable by IT.
Would be the most affordable. Nobody gives a shit about your flip phone and your request for a stipend so that you can browse your websites on work time.
There is a lot of hype here.
Treat your workers like they're fucking responsible adults. Block 2, maybe 3 categories at the proxy, and nothing more:
1) Pornography (leave that stuff at home, and also to prevent hostile work environment claims)
2) Known spyware/malware/command & control sites (should be pretty self-explanatory)
3) Ads (optional, but could save significantly on bandwidth and potential spyware/malware infection sources; may break certain crappy sites, however)
That's it. Don't block anything else. Treat your employees like responsible adults. If they act irresponsibly, then that's a management issue that needs to be addressed between the employee and the employee's manager. I'm so fucking sick of companies treating employees like little kids and instituting draconian policies blanketly across the entire workforce because they can't/won't address personnel issues at the employee/manager level. The more sites/categories that get blocked, the harder it is for employees to research and do their jobs, and the more likely it makes them to circumvent controls.
I had two sites I used to administer that were constantly getting infected with something. They hired kids to work the night shift and they would get bored and surf anywhere you could imagine.
At one site, instituting a computer use policy, proxy, and a blacklist like DansGuardian along with fetching the mail to an internal server and scanning before delivery was enough to curb it to 1 minor infection in 5 years. At the other site, this didn't even come close. We had to completely lock down the internet and approve specific sites and domains as needed. This has yielded no infections in the four or five years I remained with them.
Both sites have or had a public wifi and separate linux systems for guest access on a separate subnet the employees could use (when guests weren't) but for some reason they insisted on using company workstations.
I stopped working with them about two years ago. I dunno what they have now but I saw one of the companies is being sued for a data breach with credit card numbers.
pshhhhh, ssh (or other protocol) tunneling on an unblocked port always worked for me...
The point is, you can't really stop an informed employee/network user from getting around your firewalls. Worst case scenario they just chain off the phone. The downside to this is you still need a firewall to block malware sites. Informed users can still end up on those so that is a potential vulnerability but non-informed users have a much higher chance without some type of web blocker. So I'd say just keep a blacklist of known malware and open everything else up (or yeah sign in/log/tag time). But I'd definitely keep the malware sites blocked.
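The two mechanisms argued over in this thread (the short category denylist at the proxy, and the self-service 45-minute override window from the original question) are easy to reason about once written down as a policy evaluator. The following is an added example, not code from the thread, SonicWall, squid or DansGuardian: it models a proxy decision function in which the malware/C2 and porn categories are never liftable by a user override, the override expires after 45 minutes, and every grant and deny is written to an audit list so that "users who just keep logging in" show up as a count. The category feed, hostnames and usernames are constructed for illustration; a real deployment would feed `CATEGORY_FEED` from a vendor list.

```python
"""Web-filter policy evaluator with a time-boxed per-user override.

Added example for the Slashdot discussion; not the thread's or any vendor's code.
Category feed, hostnames and usernames below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OVERRIDE_WINDOW = timedelta(minutes=45)   # the 45-minute window from the original post

# Categories blocked unless an override applies.  Only the "productivity"
# categories may be lifted by a user; the security/HR ones never are.
BLOCKED_BY_DEFAULT = {"porn", "malware", "ads", "social"}
NEVER_OVERRIDABLE = {"porn", "malware"}

# Constructed category feed (a real proxy pulls this from a vendor watchlist).
CATEGORY_FEED = {
    "example-social.test": "social",
    "example-adult.test": "porn",
    "evil-c2.test": "malware",
    "ads.example-tracker.test": "ads",
}


def categorize(host: str) -> str:
    """Longest-suffix match of a hostname against the feed.

    'www.example-social.test' matches the 'example-social.test' entry;
    hosts with no matching suffix are 'uncategorized' (allowed by default).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_FEED:
            return CATEGORY_FEED[candidate]
    return "uncategorized"


@dataclass
class Override:
    user: str
    granted_at: datetime

    def active(self, now: datetime) -> bool:
        # Expires exactly at granted_at + OVERRIDE_WINDOW; re-login is a fresh grant.
        return now < self.granted_at + OVERRIDE_WINDOW


@dataclass
class FilterPolicy:
    overrides: dict = field(default_factory=dict)   # user -> Override
    audit: list = field(default_factory=list)       # (time, user, event)

    def grant_override(self, user: str, now: datetime) -> None:
        """Self-service 'log in to the filter' step; replaces any earlier window."""
        self.overrides[user] = Override(user, now)
        self.audit.append((now, user, "override-granted"))

    def decide(self, user: str, host: str, now: datetime) -> tuple:
        """Return (verdict, category) for one request and record denies/override use."""
        cat = categorize(host)
        if cat not in BLOCKED_BY_DEFAULT:
            return ("allow", cat)
        if cat in NEVER_OVERRIDABLE:
            self.audit.append((now, user, f"deny {host} [{cat}]"))
            return ("deny", cat)
        ov = self.overrides.get(user)
        if ov is not None and ov.active(now):
            self.audit.append((now, user, f"allow-override {host} [{cat}]"))
            return ("allow-override", cat)
        self.audit.append((now, user, f"deny {host} [{cat}]"))
        return ("deny", cat)

    def override_count(self, user: str) -> int:
        """How many times a user has (re)granted themselves a window: the OP's worry."""
        return sum(1 for _, u, ev in self.audit if u == user and ev == "override-granted")


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    policy = FilterPolicy()
    policy.grant_override("alice", t0)
    for host in ("www.example-social.test", "evil-c2.test", "intranet.corp.test"):
        print(host, policy.decide("alice", host, t0 + timedelta(minutes=10)))
    print("alice re-logins:", policy.override_count("alice"))
```

The point the code makes is the one several posters circle around: an override window is a productivity policy, so let it lift only productivity categories; the malware list stays in force whether or not the user has "logged in", which is the half of the original poster's objection that actually concerns security. The audit list is what turns the other half (users cycling the 45-minute login) from a fear into a number a manager can look at.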