Slashdot Mirror


Ask Slashdot: Giving Users Extra-Firewall Access For Sites Normally Blocked?

An anonymous reader writes: My boss and I were having a discussion about our users accessing the internet. He wants the users to be able to log in to the firewall to be able to access external websites that they are normally blocked from accessing. They would get a 45-minute window to do this, and then if they need more time, they need to re-login. (SonicWall does this). I told him that this type of procedure scares the crap out of me, as some users will just keep logging in and doing what we are trying to block them from doing, and they will also be able to access infected websites as well. I think it is in our (the IT staff's) best interest if we continue to allow access to users on a case-by-case basis -- and then turn it off when they have completed their task. I am just curious as to where others stand on this topic. If you are your workplace's BOFH, how much slack do you cut? If you're an employee with unreasonable restrictions, do you bother to get around them?

19 of 267 comments

  1. Correct by Spazmania · · Score: 5, Insightful

    The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:Correct by khasim · · Score: 4, Insightful

      You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls.

      Well the question would then be why-is-the-firewall-there-in-the-first-place.

      Is it because it was seen as the cost effective solution to workstations being infected by malicious sites/ads/whatever?

      Was there a different reason?

      Web blockers usually require a subscription fee. Why pay the fee and then let users bypass it?

      Wouldn't you want to be notified if a work-related site suddenly got blocked?

    2. Re:Correct by Lesrahpem · · Score: 5, Interesting

      The boss's plan of allowing users to override the web page filter is absolutely the CORRECT plan. You have a rare boss who understands that the most important thing is that workers be able to work without interference from know-it-alls. Please get with the program!

      This plan is a good one. To curb your concerns you could follow this plan:

      1) Allow users to login to unblock sites on an as-needed basis. Keep the process simple so workflow isn't encumbered.
      2) Keep a log of every time a user logs in to request access. Possibly keep a log of what sites users are visiting with this access, but do not log the traffic. Just the sites.
      3) Pair this log with your issue tracking system and possibly employee performance reviews.

      If an employee's support tickets seem to be linked to the sites they are requesting, the employee can be approached and possible restrictions can be put in place if the problem isn't solved with a conversation. The same goes for browsing habits that might be linked to downturns in performance.

      This way, you are allowing your employees/users their freedom to browse/work, and only restricting the people who keep presenting problems.
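The 45-minute override window from the question and the audit plan in the comment above, as an added worked example that is not part of the original thread or of any SonicWall feature: a per-user timed override of a category filter that drops the session once the window lapses (so the user must re-login), logs only the host visited under override rather than the traffic, and joins that log with open-ticket counts per user. The category table, the set of blocked categories, the user names and the ticket counts are all constructed for the example.

```python
"""Timed web-filter override with an audit trail (added example, assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlsplit

OVERRIDE_WINDOW = timedelta(minutes=45)            # the window described in the question
BLOCKED_CATEGORIES = {"personal-blog", "social", "malware"}   # assumed local policy

# Constructed sample categorisation; a real filter would consult a vendor feed.
SAMPLE_CATEGORIES = {
    "blog.example.net": "personal-blog",
    "social.example.com": "social",
    "docs.example.org": "reference",
}


def categorize(host):
    return SAMPLE_CATEGORIES.get(host, "uncategorized")


@dataclass
class AuditLog:
    grants: list = field(default_factory=list)   # (user, granted_at)
    visits: list = field(default_factory=list)   # (user, host): the site only, not the traffic


class OverrideGate:
    """Per-user timed override of the category filter, with an audit trail."""

    def __init__(self, log):
        self.log = log
        self.expiry = {}          # user -> datetime at which the override lapses

    def login(self, user, now):
        """User authenticates to the filter: open (or renew) a 45-minute window."""
        self.expiry[user] = now + OVERRIDE_WINDOW
        self.log.grants.append((user, now))
        return self.expiry[user]

    def active(self, user, now):
        """True while the window is open; a lapsed window is dropped so the user must re-login."""
        until = self.expiry.get(user)
        if until is None or now >= until:
            self.expiry.pop(user, None)
            return False
        return True

    def request(self, user, url, now):
        """Decide a single web request: allow, allow under override, or block."""
        host = urlsplit(url).hostname or url
        if categorize(host) not in BLOCKED_CATEGORIES:
            return "allow"
        if self.active(user, now):
            self.log.visits.append((user, host))
            return "allow-override"
        return "blocked"


def override_report(log, open_tickets):
    """Join the override log with the ticket system: per user, the number of
    override logins, the hosts visited under override and the open support
    tickets, so a reviewer can see whether the numbers move together."""
    rows = {}

    def row(user):
        return rows.setdefault(user, {"logins": 0, "hosts": set(), "tickets": 0})

    for user, _ in log.grants:
        row(user)["logins"] += 1
    for user, host in log.visits:
        row(user)["hosts"].add(host)
    for user, count in open_tickets.items():
        row(user)["tickets"] = count
    return rows


def run_sample():
    """Replay a constructed sequence of events through the gate."""
    log = AuditLog()
    gate = OverrideGate(log)
    t0 = datetime(2014, 6, 1, 9, 0)
    m = lambda minutes: t0 + timedelta(minutes=minutes)
    decisions = [
        gate.request("alice", "https://blog.example.net/fix", t0),      # blocked, no override yet
        gate.request("alice", "https://docs.example.org/api", t0),      # allowed category
    ]
    gate.login("alice", m(1))                                            # window open until 09:46
    decisions.append(gate.request("alice", "https://blog.example.net/fix", m(2)))   # allow-override
    decisions.append(gate.request("alice", "https://blog.example.net/fix", m(46)))  # window lapsed
    gate.login("alice", m(47))                                           # re-login for another 45 min
    decisions.append(gate.request("alice", "https://social.example.com/", m(48)))   # allow-override
    report = override_report(log, {"alice": 3, "bob": 0})                # constructed ticket counts
    return decisions, report
```

`run_sample()` returns the five decisions (blocked, allow, allow-override, blocked, allow-override) and a report in which alice shows two override logins, two distinct hosts and three open tickets; the expiry check is strict (`now >= until`) so a request exactly at the 45-minute mark is already blocked, and the lapsed entry is removed rather than left in the table.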

    3. Re:Correct by Anonymous Coward · · Score: 4, Interesting

      I'm with you on the issue that IT is a function of a business to enable business. I think however there are some real issues with what's going on here.

      1) There is a firewall in place which appears to be impeding business from operating
      2) The IT guy is trying to get justification from outside to continue impeding business instead of taking the opportunity to identify why the firewall is blocking sites which facilitate their business.
      3) He is concerned about malware and other traditional security breaches
      4) The sites being blocked are probably black-listed based on the type of site they are as opposed to blocking malicious content from the site.
      5) The boss seems to believe the users need to access these sites.
      6) He wants to handle this on a case by case basis which seems to impede business enough that this has become an issue.
      7) It sounds like he is using some sort of web filtering system which categorizes site types.

      I can go on for a while... I may be way off base, but it strikes me that this guy lacks the skills or business knowledge to properly secure the business while also facilitating its operation. I completely disagree with the boss's assessment to allow a timed override. This apparently is a solution which doesn't do anything other than impede the workflow of the users. It sounds like the correct solution is for the boss and IT guy to simply decide:
        Do we permit users to access these categories of websites or don't we?

      As for viruses and malware, the entire current generation of firewalls and IPSes on the market are designed to perform deep inspection and most of the good ones implement Snort, ClamAV and more at the edge. They also can retroactively identify that a machine has finished downloading a malicious object before the firewall could identify what it was and then require the machine is remediated until it has been cleared to be on the network again.

      I think the boss also has to choose whether to send this guy to proper training and spend money on real firewalls or whether he should just use a service instead.

    4. Re:Correct by gbjbaanb · · Score: 4, Insightful

      amen. The number of times I've been searching for answers to technical problems, find a site that seems to have the answer from the Google summary, only to click it and be told "denied, reason: personal blog", where I get home and find that someone has had the same problem I had, blogged about it to help others solve it.

      So,... I waste loads of company time re-solving that problem because the IT guys think they know best. Sorry - when IT stops being a service to enable the users and starts being their own fiefdom, it's failed.

  2. Reasonable Access by FrozenGeek · · Score: 5, Interesting

    What do you consider "reasonable" access? I tend to be very conservative about it. If I can do my job, I consider that reasonable access. Anything not strictly required to do my job is simply a bonus. Under those definitions, I've never had a job that did not afford me reasonable access to the internet. I know that many people will consider "reasonable" access to include things like access to Facebook and twitter and their bank accounts, etc. I disagree. When I'm at work, I'm working. When I'm not at work, I'm not at work. I try very hard to keep the boundary distinct. The more I blur the line, the easier it is for my employer to want me to be always available.

    --
    linquendum tondere
    1. Re:Reasonable Access by beelsebob · · Score: 4, Insightful

      It's entirely reasonable to expect employees to take short brain breaks during the working day. It's entirely reasonable for those brain breaks to be spent on random web pages.

      All this comes down to is simply trusting your employees. If you can trust them to get on and do their job, and only take reasonable breaks, then you don't need a filter. If you can't trust them, then 1) your culture is fucked up, fix that, and 2) why the hell are you employing someone so untrustworthy that they don't do their job.

    2. Re:Reasonable Access by Bert64 · · Score: 4, Interesting

      People these days have portable devices, you can allow them to take breaks using an isolated wifi network and their own portable devices...

      The average corporate desktop is extremely vulnerable to attacks from websites (against the browser, the plugins, other applications etc), and trying to defend against such attacks is a huge pain and/or huge cost.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Reasonable Access by tepples · · Score: 4, Informative

      What kind of person doesn't already have internet on their phone plan?

      Me. I carry a flip phone for urgent calls and use my roommate's land line for longer calls.

  3. Reasonable Access by GeekBoy · · Score: 5, Insightful

    I've been an IT manager and an IT director so I'll make a few points from that perspective.
    1) IT is there to serve the needs of the business and one of the needs of the business is to create / facilitate a productive and encouraging work environment. Now, this doesn't need to mean that you give people everything they ask for, but it does mean that you need to trust people. If there are legitimate reasons for concern then get a firewall product that can measure the amount of time someone is spending surfing the net; however, this is really a business concern and this capability is not for IT to worry about; it's for the different LOB managers to worry about. If they have that as a general concern then pursue it, otherwise it's not IT's concern.

    2) What is IT's concern is the security, availability, and integrity of the computing environment and business data and that does mean taking reasonable measures to protect the assets under your control. That means that perhaps you need AV / Anti-Malware / etc. protections. Perhaps also a webfilter that blocks sites that are known for producing malware with the intent to exploit the visitors to that site. Those sites should come from security vendor watchlists and not some arbitrary list put together by the sysadmins.

    3) Doing this is about finding an appropriate balance. That balance can only be maintained through constant communication and feedback with the business leaders (i.e. you need a governance process.) The business leadership / executive will need to decide what that balance is. IT's job is to appropriately communicate the risks, consequences and options and let the executive make the decision on how much risk they are willing to take on. This is why communication is crucial, especially in IT, and why often managers who are non-technical or barely technical, get those positions instead of the very technical people who "know better."

  4. Re:If you gotta ask... by taustin · · Score: 5, Insightful

    The question is "Why block at all?" not "Should we block at all?" In other words, "What is the specific goal of blocking?" If it's to prevent malware, it requires a different approach than if it's to prevent watching porn. If it's to protect sensitive information, it requires a very different approach, and may well involve blocking in both directions.

    So, no, it isn't that idiots ask "why block at all" so much as only idiots don't distinguish between "why" and "should we".

  5. What the hell is wrong with... by ledow · · Score: 4, Insightful

    "This website is blocked.

    Category: Whatever.

    If you wish to unblock, please contact Administrator."

    Anything else is just open to abuse and you may as well not have a web filter at all (P.S. This has NOTHING to do with your firewall).

  6. Wrong solution by dskoll · · Score: 4, Insightful

    Trying to solve HR problems with technology is doomed to futility.

    At my company, I don't block web sites. If I walked by someone's desk and saw him[1] looking at porn, I'd say "don't do that." If it got out of hand, I'd discipline the person.

    Sometimes I walk past the desks of the tech support guys and I see them on Facebook or playing solitaire. Well, what else are they supposed to be doing if there are no support tickets open or support calls coming in? I don't care if they take breaks every now and then as long as they get their work done.

    ____________________________________________________________

    [1] I suspect it's almost all guys who look at online porn.

  7. Re:Not my type of company by ShanghaiBill · · Score: 4, Insightful

    If you observe that your employees are spending all day dicking around, and they don't get their assigned work done, you fire them.

    Then you go out of business. Responsible self-directed employees who get the job done without close supervision are WAY more expensive than less responsible workers that need some managing. If you hire only the former, you will be crushed by competitors with a much lower cost structure and a much wider hiring pool.

  8. Re: Accidental Upmod by bondsbw · · Score: 4, Insightful

    Meanwhile, your post is not insightful at all.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  9. Re:This is really simple... by angel'o'sphere · · Score: 4, Interesting

    You cannot trust your employee not to infect a machine by surfing a random website like facebook.

    After all every image can have a trojan/virus embedded exploiting the jpg library of your browser/OS.

    It has nothing to do with the employees, it's the sites that are the problem, so you block everything except a white list.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  10. Re: That's not where your solution lies. by wonkey_monkey · · Score: 4, Informative

    Not only that, but only one b0xen.

    --
    systemd is Roko's Basilisk.
  11. Re:If you gotta ask... by mlts · · Score: 5, Interesting

    The answer to "What, if anything, should we block" versus "What, if anything, should we allow" is "it varies":

    Scenario 1: Receiving. Give the guy a Citrix or App-V console into a machine that can browse the Internet unfettered, but doesn't allow files to be transferred to the internal machine. Now the user has access to websites, and there is something substantial keeping the actual machine from being compromised.

    Scenario 2: Finance. Again, these machines are touching sensitive data, so they, by themselves, don't see the outside world, but the user can always use a VDI implementation to browse the web, making the isolation a non-issue.

    Scenario 3: General company (dev, QA, sales) use. The above in reverse. Allow traffic out, have a good IDS/IPS in place (this should be in place everywhere, but especially with this), and stick the real sensitive stuff behind a RDP firewall, or a "hop box". The user can manipulate the data, but malware on their machine will have a hard time (though it is not impossible) grabbing the entire database for upload to a blackhat's site.

    Scenario 4: Point of sale registers. These have no reason to be connected to the outside Internet, other than through a server for credit card validation.

    Of course, these are generic, off-the-top-of-my-head scenarios, but there is no one size fits all solution, other than that it helps to have some type of VDI for separation of data.

  12. It's simple by Anonymous Coward · · Score: 4, Interesting

    Treat your workers like they're fucking responsible adults. Block 2, maybe 3 categories at the proxy, and nothing more:
    1) Pornography (leave that stuff at home, and also to prevent hostile work environment claims)
    2) Known spyware/malware/command & control sites (should be pretty self-explanatory)
    3) Ads (optional, but could save significantly on bandwidth and potential spyware/malware infection sources; may break certain crappy sites, however)

    That's it. Don't block anything else. Treat your employees like responsible adults. If they act irresponsibly, then that's a management issue that needs to be addressed between the employee and the employee's manager. I'm so fucking sick of companies treating employees like little kids and instituting draconian policies blanketly across the entire workforce because they can't/won't address personnel issues at the employee/manager level. The more sites/categories that get blocked, the harder it is for employees to research and do their jobs, and the more likely it makes them to circumvent controls.