digg

Facebook Connect Join Digg About

Why Enterprises Shouldn't Limit Web Traffic

eweek.com Web surfing attacks like Nine-Ball cause companies to limit employee Web traffic, citing security and productivity. However it is only a bandage since people look for ways to circumvent the system and it only takes one mistake to create damage. Rather, companies should look at employee education as ways to improve IT security.

Who dugg this? Made popular Jun 19, 2009

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

62 Comments

show profanity settings
expand all
  • firefox15, on 06/19/2009, -0/+30FTA: "Do they [employees] know not to visit untrustworthy pornographic sites?"

    I sure hope they know that only trustworthy porno is approved on company time.
  • aguita, on 06/19/2009, -3/+28That's pretty stupid. I think at this point we all can agree that educating users is a losing battle. There are more effective ways at keeping things secure.
  • Somefoo, on 06/19/2009, -1/+25This reads like advice from someone who's never actually tried the solution he's proposing.
  • ugacrew, on 06/19/2009, -0/+22I don't know how many times I've "educated" users not to do something and see them do it again and again after I turn my back. Sometimes I feel like I'm wasting my breath. It's so much easier to protect systems from the admin levels than having to worry about someone who won't understand or remember why a certain thing should be done. Oh and let's not forget those users who think they know everything and deliberately do something because they think their method is better. This guy doesn't sound like he's worked a day in IT, just my opinion. I think a better viewpoint would be combining both and not relying one one thing and not the other.
  • ivanmarsh, on 06/19/2009, -1/+15You don't know what you're talking about. The proxy server is the only machine that has a route off of the network. You can't get off the network, much less to a "home proxy server" by going around the proxy server.
  • mrwhitethc, on 06/19/2009, -0/+13HA! This article is a joke, a comes off as written by someone who's mad at their admin because they can't get to ESPN at work.
  • crpndeth, on 06/19/2009, -0/+10As a technology trainer for a large organization I can say without a doubt...training doesn't work. It's one of the most futile jobs there is, feels like I'm fighting a losing battle daily.
  • Ninjapope, on 06/19/2009, -0/+9Bandwidth
  • ivanmarsh, on 06/19/2009, -0/+8He-he... you would have enjoyed the day we started blocking MySpace and Facebook. It was hilarious.
  • specialK16, on 06/19/2009, -1/+8Unlimited traffic here. Use around 300MB-600MB per day (according to Networx). I also finish my work on time and my superiors are overall very happy. Limiting web traffic to increase productivity is just a load of *****. Unproductive employees will still be unproductive even if their Internet is taking away.
  • Nairebis, on 06/19/2009, -0/+7Yeah, let's depend on educated employees to be absolutely perfect, rather than implement solutions that intrinsically protect security and don't depend on human perfection. Yeah, that's a great idea.
  • FKnight, on 06/19/2009, -1/+8I don't know what ivanmarsh is being buried. He's absolutely right. Anyone qualified to be a network security administrator can keep MaverickAlex's amateur ssh tunneled web traffic attempt from working using the most basic procedures. MaverickAlex indeed has NO IDEA what he's talking about.
  • ivanmarsh, on 06/19/2009, -0/+6It's a pretty sad commentary on the quality of IT people out there that apparently so many networks are so insecure that it's a common belief that such a simple tool can circumvent security. I don't consider myself a freaking rocket surgeon but the people that are being given IT positions these days frighten me.
  • fadetoone, on 06/19/2009, -0/+5Because Picard needs the bandwidth to view all those sex pictures of his crew.
  • pagno, on 06/19/2009, -0/+5Didnt make it to the article, just a looping ad. Judging from the description, what the article is suggesting is impossible. The majority of people cant be bothered to learn good computing habits. They either cant grasp the ideas, or refuse to learn because they arent nerds.
  • ivanmarsh, on 06/19/2009, -2/+7Indeed... we had one simple rule "don't install software on your system without asking IT first", of course no one followed it. So, after spending the majority of my departments' time fixing machines that end-users have screwed up by installing software/spyware we've gone to a whitelist proxy system and locked down the rights to the local machine and eliminated the problem.

    As for the "bandage since people look for ways to circumvent the system" that's complete BS... there is no way for my end-users to get off my network except through my proxy server. He who owns the routers owns the network. "No route to host" isn't an error, it's a security measure.
  • pak314, on 06/19/2009, -0/+5Because they can reroute the traffic through the main deflector dish? Actually they can reroute anything through the main deflector dish.
  • tdwtomcat, on 06/19/2009, -0/+4The weirdest thing kept happening when I tried to read the article. The splash page ad came up and of course I click skip instead of waiting the 12 seconds. Instead of skipping it just reloaded the page and made me wait 12 more seconds. Finally I just tried to wait the time, but at the end it just reloaded again. Never got to the article.
  • Ninjapope, on 06/19/2009, -0/+4Training, like the author is mentioning, is only feasible for smaller companies. In anything bigger, people are dealing with an overload of unrelated information and will ignore any sort of education related information. The only way to make it work is if it's given to them in a focused environment, like a classroom or a meeting. Even then, you run into planning and organizing issues.
  • Trigonometron, on 06/19/2009, -0/+4Training is Futile.
  • SkippyDoorknob, on 06/19/2009, -0/+4Make it so
  • DivisibleByZero, on 06/19/2009, -1/+5As much as I wish it was the case, "employee education" with this regard seems genuinely impossible. Some people are just too damned stupid to keep their computers healthy.
  • edwartica, on 06/19/2009, -0/+4Sure, end users screwing things up make more work for the IT department, but in the end, more works equates to more jobs. More jobs equates to a stronger economy. So stop your belly aching and be thankful for job security.

    /sarcasm
  • HonoredMule, on 06/19/2009, -0/+4Well to be fair, many corporate networks need access to so much with needs changing at random as to make whitelisting infeasible. Now you can blacklist entire consumer IP ranges, but you can't possibly catch every privately run proxy operating out of a data warehouse, some of which could be run by your own employees.

    Half my coworkers wouldn't even be able to do their job at all behind whitelist-managed security. Then again, half (actually, about 95%) of my coworkers run Linux desktops anyway.
  • FKnight, on 06/19/2009, -0/+4@mathcreative
    An enterprise Websense installation, yearly, is the price of a Dell Precision -- depending on number of licenses of course. It doesn't even scratch the surface of an IT budget. Don't take my word for it -- get a quote from your vendor.

    Additionally, I have hard numbers in that malware issues dropped nearly close to 90% (granted, this is the company I worked for -- YMMV).

    Education is helpful, but education alone is not a solution. For crying out loud, people at companies go to porn sites in a cubicle 100% visible to their coworkers and they DON'T CARE -- even after repeated warnings.. The author of this article has never worked in IT, I can guarantee that.

  • wrestlingnrj, on 06/19/2009, -0/+3Seeing as it took me 20 minutes to explain to one of my users over the phone on how to even turn on her computer (literally only has 1 button on the front of it), I doubt teaching users good computing habits is futile. Also seeing the same mistakes and problems from the same people all the time, it's better to just lock them out.
  • ivanmarsh, on 06/19/2009, -1/+4I'm not paid to be fair.

    Everyone that works for us has everything they need to do their jobs... which is what they're being paid for.

    Internet access is multi-tiered based on the employees actual need. Advertising, malware, spyware, and malicious sites are blacklisted. Everything anyone actually needs is controlled by a whitelist. And all traffic is monitored.

    ...and like I said, you can't run a proxy on my network and get out of my network and you can't connect to a proxy outside of my network without that proxy being on the whitelist. And if an outside proxy did get whitelisted I would catch it rather quickly based on the amount of traffic hitting that address.

    I don't know what you think Linux has to do with it. You can't get off of the network because of the way the routing is set up, not because of any OS settings. You could bring your own machine from home, with full administrator access and all of your favorite hacking tools and you still wouldn't be able to get anywhere no matter what you did. If you don't have Layer 3 access to even find the firewall that provides internet access... as in you couldn't so much as ping the firewall's internal interface, you certainly aren't going to find a path to pass traffic to the internet.
  • binaryecho, on 06/19/2009, -1/+4Wouldn't work. IT managers and support personnel are WAAAAYYYY too cool.
  • HonoredMule, on 06/19/2009, -0/+3This kind of thing can happen if you're blocking 3rd party cookies. My solution is to take my time and attention elsewhere.
  • ilike4, on 06/19/2009, -0/+3Not a single mention of wasted bandwidth being used by employees streaming music, video, playing online games. Has the author of this article ever worked in a corporate environment and managed a network? Clearly not.

    By using SonicWALL's Content Filtering service all the work is done by SonicWALL on the back end, and as a network admin, we just need to make sure that the correct categories are selected, ie pornography, drugs, games, etc. This has saved us and our clients frustrating hours of trying to figure out why their bandwidth is slow or why malware keeps popping up. End users will eventually do whatever they want to do, despite their "education", which is why limiting web traffic is necessary.
  • 3Den, on 06/19/2009, -3/+5That's rediculous.

    Companies with reasonably locked down computers, properly patched, with proper supporting equipment and monitoring, AND an appropriate level of user education are relatively free of the disruptions caused by malware.

    Companies that don't patch and keep things up to date, and don't educate users, and don't monitor things, don't.

    There is no real in between.
  • BDOUG, on 06/19/2009, -0/+2Seems like an OK argument for education/training but not a good argument against web filtering. The two are not mutually exclusive, afterall. I hate web filters as much as the next guy but it really is a simple, practical, and effective way of protecting your corporate network from a whole lot of pain. Just because it doesn't protect you from all forms of attack doesn't mean it's not an important layer in a multi-layered defense.
  • insertAliasHere, on 06/19/2009, -0/+2I know that most of the users I've tried to teach just don't ***** get it. I would get calls from my users telling me that their computer told them they have a virus (which always actually turned out to be a web browser popup, a fake notification), and no matter how many times I tried to explain the difference and how they could spot that it was a fake, I would still get the calls.
  • greenvortex, on 06/19/2009, -0/+2From the headline, I expected a Youtube "Star Trek"/"Spiderman" mashup.
  • pagno, on 06/19/2009, -0/+2Same thing happened to me.
  • Nimda11, on 06/19/2009, -1/+3a few words.
    1. Can't we filter and educate?
    2. Vyatta/Squid/Snort/OpenDNS and a looooong ruler (fer slappin hands)
    3. Vista/7+Designated UAC elevation account + frequent password changes = corporate security bliss.
  • acknotSW, on 06/19/2009, -0/+2No doubt. A buddy of mine is like that, he thought he was being very clever by using a password crack on the admin account and logging into the local machine instead of the domain so he could change his background and stuff.

    Yep, he was very clever until one of the IT guys saw his changed background and he was fired for it. It was his first job out of college but he had interned at that company for 3 years while in school, they started him at $62,000. It was almost 6 years before he saw that kind of money again. He learned his lesson and I learned a couple things myself like to password protect the bios and to never assume that a user won’t do/try something.

    There are very good reasons why IT people don’t have a sense of humor when it comes to users bypassing security and usage protocols, but it’s mainly that our asses are on the line when things go wrong and even if you get canned for messing with ***** that you know you shouldn’t, we are held just as responsible for letting it happen.
  • HonoredMule, on 06/19/2009, -0/+2Put an average user in front of computer he doesn't own and someone else supports, and he'll be just as careless and stupid as he bloody well feels...after all, it's not like he's liable for any consequences.

    Until a virus can physically stab you in the eye, the majority of corporate users will willfully reject education/instructions/policies.
  • inactive, on 06/19/2009, -2/+3Employees are too stupid to learn.

    HAY I GOT AN EMAIL WITH VIRUS.EXE ATTACHED AND I CLICKED IT NOW MY COMPUTERS BROKEN LOL!!!!1111oneoneone

    cut their access back to guest status. Problem solved :D
  • beepsy, on 06/19/2009, -0/+1My problem with filtering is the absurdly large amounts of false positives these sort of systems find. I work in IT as a programmer, generally my group is separate from the networking people. Over the last year I had submitted to them easily 100 urls of programming based web sites, that we needed for our work that were falsely classified as "entertainment" or "job search" related.

    The process to white list a site like this was tedious. I would put a request into the help desk, who would confirm with my manager that things were ok. A request was sent to networking who would then make the changes. All told sometimes it was several days to get to a resource I needed. Can't tell you the amount of time I ended up losing waiting for this process to run its course.

    This doesn't even count blocking useful tools that might be used to bypass the proxy. For example my work place eventually blocked google translate as it was possible to retrieved blocked pages through it.

    Eventually networking gave me a connection that by passed the proxy because they got sick of having to white list all the things I needed.

    If a guy wants to sit on espn for hours a day then fire his ass, if someone is spending time browsing myspace orfacebook once again fire him. If people are getting their work done then who cares if they spend a few minutes a day on these sites? Studies have shown that taking breaks helps keep employees productive.
  • Trigonometron, on 06/19/2009, -1/+2Tubes
  • HonoredMule, on 06/19/2009, -0/+1What Linux "has to do do with it" is that a Linux machine is far less vulnerable to most mainstream attacks from both the web and network peers and so likely won't spread crap even in the odd cases where they do pick it up. Consequently, having a mostly-Linux network significantly mitigates the need for such restrictive access in the first place.

    If you'd get off your high-horse for a moment, you'd realize I wasn't at any point trying to refute your network god-hood. And as long as I don't work for you, I don't care how much of a hard ass you are about it either. Labor law protects the grunts from any serious mistreatment, and the rest of us can apply free market principles to eke out a more comfortable and relaxed existence in a less hostile workplace.
  • asgardshill, on 06/19/2009, -0/+1That splash page ad came up 404-compliant for me. I just waited the 12 seconds and the article popped up.
  • mdman, on 06/20/2009, -0/+1thats why I limit traffic! so you cant ***** off when you should be working..
  • aywwts4, on 06/19/2009, -1/+2Smoothwall with dansguardian and urlfilter and snort is really a quick, free, and easy solution I deploy all over the place. (Yes there are better, but this is free, modular, lightweight, and plug and play)

    No executable format is allowed in my network, all pages are virus scanned before being displayed, it can even detect iframe attacks and other bad pages. zip files are scanned hundreds of archives deep, I can keep some employees restricted to a whitelist of the 3 sites they need to visit, other employees just know it is in the employee handbook that I can monitor traffic.

    Search the logs, grep for and facebook, myspace, youtube, foxsports, email, etc, copy it into word, highlight the website names, print off 40 pages of reports from a single day, show it to management, thats real control, the blocking is to help people resist the temptation of getting fired.

    Start using a putty tunnel and I will find you, an SSH session has a telltale signature, which should only be coming and going to 5 servers on the network and my workstation, snort is configured to find SSH sessions on other IPs and alert me, all it takes is a walk over to their workstation to find out what they are doing.

    Hourly employees are free to do whatever they want on breaks. Salaried employees are always exempt.

    And to the idiots who think this is conscionable, lets see what you think if you cut a few thousand dollars of your money in checks for facebook surfing. Pay me an hour for digging, see how that feels.
  • Lazybones, on 06/21/2009, -0/+1Two solutions there:
    - Could have unblocked bing
    - Could have changed the default search page in IE, assuming they were using Active Directory or some other network management tool
  • BDOUG, on 06/19/2009, -0/+1I agree with you in spirit, and I too have seen rather stupid web filters at work. Including one that blocked an internal (intranet) page on one of our servers....really dumb, that one.

    I also agree that firing the time wasters (ironic since I'm on Digg....) is a smart way to handle them.

    However, at the place I currently work we have "sane" web filters that really only blocks the really bad / dangerous stuff and aren't that intrusive or annoying at all. It's really more of a configuration issue (again, layers of security is the key).
  • justhim, on 06/19/2009, -1/+2My company filters Internet access and bing.com is blocked because the domain used to belong to some kind of chat site. Instead of opening the site up (because the IE search bar is defaulted to live.com which now forwards to bing.com), they leave it blocked and spent roughly two days worth of helpdesk time to tell users the site is a security risk and teach them how to use Google instead.

    So much for those two days worth of productivity for both the IT employees as well as the rest of the company's employees who were affected by this.
  • Lazybones, on 06/21/2009, -0/+1Not when streaming video and music times a large number of employees is taking up more than 50% of your legitimate critical traffic. This can be a real problem for regional offices that are limited to T1 speeds and need to use that line to access information from a head office.
  • Fetching more discussions...
    Show 51 - 64 of 64 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.