Restricting corporate internet access
Discussion
Can anyone recommend any software to prevent access to:
Webmail
Instant Messenger
Inappropriate websites (I know of cyberpatrol)
Prevent downloading of certain file types, eg exe, scr, zip, rar, avi, mpg, mpeg, wmv etc
For company use rather than home. I’m trying to get a few products for evaluation.
Any thoughts,
Thanks in advance
Steve
Webmail
Instant Messenger
Inappropriate websites (I know of cyberpatrol)
Prevent downloading of certain file types, eg exe, scr, zip, rar, avi, mpg, mpeg, wmv etc
For company use rather than home. I’m trying to get a few products for evaluation.
Any thoughts,
Thanks in advance
Steve
Can anyone recommend any software to prevent access to:
Webmail
Instant Messenger
Inappropriate websites (I know of cyberpatrol)
Prevent downloading of certain file types, eg exe, scr, zip, rar, avi, mpg, mpeg, wmv etc
For company use rather than home. I’m trying to get a few products for evaluation.
Any thoughts,
Thanks in advance
Steve
A combination of Firewall and proxy would do it, how many users are you looking at?
As stated above firewall & proxy are your best bets, but you will need someone on hand to maintain and look after it incase it needs tweaking. Your internet connection should already have some sort of firewall, if not, you really should consider getting one.
Webmail
Instant Messenger
Inappropriate websites (I know of cyberpatrol)
Prevent downloading of certain file types, eg exe, scr, zip, rar, avi, mpg, mpeg, wmv etc
I can understand your need to restrict certain download types but at my work certainly, if I was unable to download files I wouldn't be able to get any work done. A lot of work gets shuttled bettwen us and clients via zips. Not to mention the programming packages needed to be downloaded.
Sadly no solution works as you would like. Blocking Hotmail/Yahoo is all well and fine. Additionally there are hundreds if not thousands of webmail sites out there. Maintaining a list of all of them is a massive task in itself.
I do understand that webmail can be a distraction from your employees work, but then I believe that is something that should be addressed in the contract between you and your employees. Here at my workplace we don't place any restrictions upon internet usage but have an internet usage policy. Failure to adhear to that is grounds for disipinary action and even dismisal. Will you also be banning mobile phones in the work place? Will you be reading people's "work" email to make sure that it is strictly "work" related?
Can I ask your reasons for deciding to restrict access to these types of sites/files? I assume that work is not being delievered on time due to the above factors? You don't trust your employees?
Edited to add: Does my post reflect how bored I am here at work at the moment?
God I really do go on sometimes!!! 
Mental note to self... GET A LIFE >> Edited by Hates_ on Wednesday 30th April 11:52
Can anyone recommend any software to prevent access to:
Webmail
Instant Messenger
Inappropriate websites (I know of cyberpatrol)
Prevent downloading of certain file types, eg exe, scr, zip, rar, avi, mpg, mpeg, wmv etc
For company use rather than home. I’m trying to get a few products for evaluation.
Any thoughts,
Thanks in advance
Steve
We use a product called "Websense". It divides websites into several dozen categories, then a custom proxy decides whether to give users access or not, based on the type of website, who they are, which groups they belong to, and so on. Works very well.
I'm proposing (following some excellent advice on here) that regular staff awareness through email from the top bod should be enough to obtain a fair and balanced approach to web usage, in terms of chat rooms, instant messenger, inappropriate sites etc.
The time and money required to evaluate, purchase, configure, and maintain suitable software or firewall configurations is, in my opinion, not the best use of resources in a company with 100 odd web users. That's what my recommendation says, wonder what the response will be to "don't spend your money on this", even though I raised the risk in the first place.
Steve
The time and money required to evaluate, purchase, configure, and maintain suitable software or firewall configurations is, in my opinion, not the best use of resources in a company with 100 odd web users. That's what my recommendation says, wonder what the response will be to "don't spend your money on this", even though I raised the risk in the first place.
Steve
I think you're on the right track, as is Hates. While a lot of this depends on the sort of company, this works well for our 250-user engineering firm:
- block downloading of zip/exe/etc - we have a "whitelist" of a dozen sites which are allowed (mainly where people are downloading zipped drawings and the like). Anything outside of that people either call IT and have it emailed to them, or they request that the site gets put on the whitelist. People were up in arms initially, but the requests quickly died away to almost nothing, bandwidth use is down, and people can't download software that breaks other things.
- block IM. Mainly from the usual "block everything then open the ports you need" with a few tweaks for the cleverer bits of software. No-one needs it, and we can't log it.
- log everything going through the proxies, ensure all web traffic goes through them, and make people aware of what you're doing. We used to run monthly top sites/users reports when we had more time, and it got the message across. There have only been two firings over internet abuse - both times their bosses came to us with suspicions, we provided evidence for them. It shouldn't be IT's job to spot someone wasting all day online, that's for their boss to notice.
A lot of this is made easier because we use Bordermanager for firewall/proxy and can set rights based on individual NDS users or groups. Thus IT's is pretty unhindered because we need to download zip/exes and connect on wierd ports, and it lets you have exceptions like the CEO who /has/ to use some whizzy bit of software that needs to connect out. Gives us the flexibility, and if someone needs different rights, we just add them to a different group in C1, although I haven't had to do anything for ages. I imagine the same is achievable on MS networks too.
I don't like the content filtering stuff - often seems to chop perfectly legit sites for no apparent reason, and perfectly innocent sites (like online engineering supplier catalogues) can contain words that trigger them off. Pain to deal with, and does anyone care less if an employee stumbles on a porn site by mistake, or places their annual bet on the Grand National online?
If a company has never had anything like this before, you _need_ a proper usage policy in place, and to have people aware of (and agreed to) monitoring of internet access. Someone who knows about HR issues should be able to advise - it can be a lot more hassle than setting up the techy side.
- block downloading of zip/exe/etc - we have a "whitelist" of a dozen sites which are allowed (mainly where people are downloading zipped drawings and the like). Anything outside of that people either call IT and have it emailed to them, or they request that the site gets put on the whitelist. People were up in arms initially, but the requests quickly died away to almost nothing, bandwidth use is down, and people can't download software that breaks other things.
- block IM. Mainly from the usual "block everything then open the ports you need" with a few tweaks for the cleverer bits of software. No-one needs it, and we can't log it.
- log everything going through the proxies, ensure all web traffic goes through them, and make people aware of what you're doing. We used to run monthly top sites/users reports when we had more time, and it got the message across. There have only been two firings over internet abuse - both times their bosses came to us with suspicions, we provided evidence for them. It shouldn't be IT's job to spot someone wasting all day online, that's for their boss to notice.
A lot of this is made easier because we use Bordermanager for firewall/proxy and can set rights based on individual NDS users or groups. Thus IT's is pretty unhindered because we need to download zip/exes and connect on wierd ports, and it lets you have exceptions like the CEO who /has/ to use some whizzy bit of software that needs to connect out. Gives us the flexibility, and if someone needs different rights, we just add them to a different group in C1, although I haven't had to do anything for ages. I imagine the same is achievable on MS networks too.
I don't like the content filtering stuff - often seems to chop perfectly legit sites for no apparent reason, and perfectly innocent sites (like online engineering supplier catalogues) can contain words that trigger them off. Pain to deal with, and does anyone care less if an employee stumbles on a porn site by mistake, or places their annual bet on the Grand National online?
If a company has never had anything like this before, you _need_ a proper usage policy in place, and to have people aware of (and agreed to) monitoring of internet access. Someone who knows about HR issues should be able to advise - it can be a lot more hassle than setting up the techy side.
I have been head of IT in a number of companies and colleges. SJG pointed out that you need the internet access policy agreed with your HR. Absolutely, this is often overlooked by companies and they find implementation difficult if it is not in place.
Firewall and proxy... some good ones out there that do not require masses of attention. Need to look at the email server as well as part of the overall strategy. (Policy required for that and this one is even more important cos it's got major legal ramifications!!!)
At the college(s) I found that the ban lists from the suppliers were good and automatically downloaded (sometimes fail though!) but even the best lists miss sites, so a regular IT duty was just to look through the stats off the firewall at the ten most hit sites and look for any untoward activity - it's so easy to spot- and add that to the banned list. People soon get the message when their fav site goes unavailable - you can also put up a notice when they try and connect to banned sites asking them to contact IT if they suspect the ban is inappropriate. Funny how few calls are ever made.
Stats from the firewall always help in persuading management that the added bandwidth is required and it is being used efficiently. Budgets get easier to justify.
Above all, remember that someone in the company is legally responsible for activity on the network - is that you? If so, act now.
Email me if you need any help off line. I have some email and network policies that you could benefit from.
Firewall and proxy... some good ones out there that do not require masses of attention. Need to look at the email server as well as part of the overall strategy. (Policy required for that and this one is even more important cos it's got major legal ramifications!!!)
At the college(s) I found that the ban lists from the suppliers were good and automatically downloaded (sometimes fail though!) but even the best lists miss sites, so a regular IT duty was just to look through the stats off the firewall at the ten most hit sites and look for any untoward activity - it's so easy to spot- and add that to the banned list. People soon get the message when their fav site goes unavailable - you can also put up a notice when they try and connect to banned sites asking them to contact IT if they suspect the ban is inappropriate. Funny how few calls are ever made.
Stats from the firewall always help in persuading management that the added bandwidth is required and it is being used efficiently. Budgets get easier to justify.
Above all, remember that someone in the company is legally responsible for activity on the network - is that you? If so, act now.
Email me if you need any help off line. I have some email and network policies that you could benefit from.
Gassing Station | Business | Top of Page | What's New | My Stuff