
34 How can I restrict web access so users can't view sites unrelated to work?

Description

This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.

A few years ago, someone got the idea that it's a good idea to block
``bad'' web sites, i.e., those that contain material that The Company views
as ``inappropriate''. The idea has been increasing in popularity, but there
are several things to consider when thinking about implementing such
controls in your firewall.

* It is not practically possible to block everything that an employer
deems ``inappropriate''. The Internet is full of every sort of
material. Blocking one source will only redirect traffic to another
source of such material, or cause someone to figure out a way around
the block.
* Most organizations do not have a standard for judging the
appropriateness of material that their employees bring to work, i.e.,
books, magazines, etc. Do you inspect everyone's briefcase for
``inappropriate material'' every day? If you do not, then why would you
inspect every packet for ``inappropriate material''? Any decisions
along those lines in such an organization will be arbitrary. Attempting
to take disciplinary action against an employee where the only standard
is arbitrary typically isn't wise, for reasons well beyond the scope of
this document.
* Products that perform site-blocking, commercial and otherwise, are
typically easy to circumvent. Hostnames can be rewritten as IP
addresses. IP addresses can be written as a 32-bit integer value, or as
four 8-bit integers (the most common form). Other possibilities exist,
as well. Connections can be proxied. Web pages can be fetched via
email. You can't block them all. The effort that you'll spend trying to
implement and manage such controls will almost certainly far exceed any
level of damage control that you're hoping to have.
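
The address-spelling point in the last item, seen from the filter's side, as an added example that is not part of the original FAQ: a rule that matches the dotted-quad string misses the other spellings of the same address unless the host is canonicalized first. The blocked address is a constructed RFC 5737 documentation value and the function names are hypothetical; canonicalization does nothing about the proxy and email routes the item also lists.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed blocklist entry: an RFC 5737 documentation address, not a real site.
BLOCKED = {ipaddress.IPv4Address("192.0.2.10")}

# One numeric part: 0x-prefixed hex, 0-prefixed octal, or plain decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def _parse_part(part):
    if not _PART.fullmatch(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part, 16)
    return int(part, 8) if part.startswith("0") else int(part, 10)

def canonical_ipv4(host):
    """Return the IPv4Address a numeric host spelling denotes, or None for a name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 0xFF for n in nums[:-1]) or nums[-1] > 0xFFFFFFFF >> 8 * (len(nums) - 1):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value |= n << 8 * (3 - i)
    return ipaddress.IPv4Address(value)

def naive_is_blocked(url):
    """String match on the dotted-quad spelling only."""
    return any(str(addr) in url for addr in BLOCKED)

def is_blocked(url):
    """Match on the address the host denotes, whatever its spelling."""
    addr = canonical_ipv4(urlsplit(url).hostname or "")
    return addr in BLOCKED

if __name__ == "__main__":
    for url in ("http://192.0.2.10/", "http://3221225994/", "http://0xC000020A/",
                "http://0300.0.02.012/", "http://192.522/", "http://192.0.2.11/"):
        print(f"{url:26} naive={naive_is_blocked(url)!s:5} canonical={is_blocked(url)}")
```
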

The rule-of-thumb to remember here is that you cannot solve social problems
with technical solutions. If there is a problem with someone going to an
``inappropriate'' web site, that is because someone else saw it and was
offended by what he saw, or because that person's productivity is below
expectations. In either case, those are matters for the personnel
department, not the firewall administrator.

Tags

security, Internet, firewalls, ssl, port, protection, application layer, proxy server, packet screening, filtering rules, viruses, terms
