Internet access control queston?

[Bob]

We got a small network (w2k, sp4, a domain and about 40 workstations). We
have a problem with employees using up a limited amount of bandwidth (we can
only get Cable connections) downloading non work related files like music
and videos and generally slowing down our legitimate other network traffic.

I have been tasked with finding a solution that will prevent them from
downloading non work related content in order to preserve bandwidth (I'm
still not totally sure how to define that, there may be valid multimedia
files that are ok to get for instance).

The solution should be one over which centralized control can be had . That
is, we should not have to set things up on each individual user's machine.

Our Internet access currently is via a Watchguard firewall, but this by
itself does not seem flexible enough to do this kind of work.

Any insight on how best to achieve this would be greatly appreciated.

Bob

 

[3c273]

1) Setup a proxy server
2) Check the log
3) Fire the first person you catch misusing it
4) Tell everyone else why that person got fired
Game over!

Louis
Just a thought

 

[Bob]

Good idea but unfortunately not so easy in reality. There are laws here that
make it difficult to fire people that have been employed for several years,
the cost of litigation when unions become involved ends up being
prohibitive, the management's time spent on that discipline enforcment takes
them away from doing their essential job which is growing and improving the
company and they are loath fire unless absolutely necessary because it ends
up poisoning the workplace relations. So they would prefer just being able
to prevent the misuse smoothly with a techno solution.
Thanks for the idea.
Bob

 

[Phillip Windell]

Good idea but unfortunately not so easy in reality.

Unfortuneately it *is* the reality.
IMO - It is often a mistake to even give employees internet access to start
with. Many jobs don't *really* require it. There is a difference between
wanting it and needing it. Employees that use SMTP EMail with an outside
mail server can have the email without having web access,...you just give
them permssion to use SMTP and POP3, but not HTTP & HTTPS.

Computers are not babysitters. If a company's management cannot control the
behavior of their own employees, a computer sure isn't going to do it,...and
in such cases the company will usually "fold".
There is no such product that is going to do exactly what you are asking.
Some can come close,..but be prepared to spend some $$$$.
A product like MS ISA Server will come close.
MS ISA Server combined with filtering products like SurfControl will come
even closer,...but products like SurfControl interferre with some of the
ISA's functionality. It is an imperfect world.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------

 

[Someuser]

Hi Bob,

The first thing I would do is to create an "Acceptable Use Policy" which
clearly defines what employess are permitted to do with the company's
"communication resources". This document would include both internet and
telephone usage. Within the document clearly state that unauthorized use of
company resources is to be considered corporate theft and will lead to the
termination of the employee.

Distribute the document in duplicate to all employees and have them sign and
return one copy to your HR and then file it in the employee's file.

I have been doing this for years but with a wider scope that includes
confidentiality, solicitation of employees, etc...

Under this scenario, employees clearly know their limits and can't say down
the road that they were unaware since they signed an acknowledgent.

There is no way any court or tribunal will side with an employee who has
been caught stealing corporate resources and has prejudiced the firm.

You see this is not a technical issue but a employee management issue. Would
you look the other way or shy away from terminating an employee who decides
to start a home business which requires lets say 10,000 photocopies of a
document per month and secretly uses the company equipement to produce his
documents?

Corporate theft is corporate theft no matter what spin you put on it.

James

 

[Phillip Windell]

You see this is not a technical issue but a employee management issue.

Exactly!

Computers are lousey babysitters.

 

[Someuser]

I also agree with you on the point that unrestricted internet access is like
opening pandora's box. We once could'nt figure out why our usable bandwidth
was almost nil until we discovered a P2P app was sucking us dry. For some
employees the lure of high speed access to mp3s etc can get way out of
control.

James

 

[Bob]

I agree with all that you are saying about managing employees and I for one
would do exactly what you suggest, have the employees sign the internet use
policy and I would not hesitate a tenth of a second in firing anyone who did
not comply. Could be my most valuable salesman, I would not care, he'd be
gone in a second. I can't stomach thieves, no matter how innocently they try
to paint themselves or what excuses others or they themselves invoke.
But hey, my customer wants it. I told him all that and he still wants it, so
I'm m gonna try my best to accomodate him cause that's what I always do
Thanks for your time folks

Bob

 

[Bob]

Well, more and more programs are being used that require Internet access,
for instance at my customer site he has three locations, at all three they
do data entry to a sql database at home office with a package that is really
just a collection of asp pages on a web site on a server at the home office.
The company that sold them the package told them it was a great thing
because they could access just one copy of the program from anywhere in any
of their locations, including working from home! No concerns at all about
security would you believe!
Anyways, I think that giving Internet access is often a real requirement. I
know that at this site it is. They are a car dealership and the manufacturer
requires them to use a web site for some things with respect to sales.

Thanks Phillip
Bob

Good idea but unfortunately not so easy in reality.

Unfortuneately it *is* the reality.
IMO - It is often a mistake to even give employees internet access to
start with. Many jobs don't *really* require it. There is a difference
between wanting it and needing it. Employees that use SMTP EMail with an
outside mail server can have the email without having web access,...you
just give them permssion to use SMTP and POP3, but not HTTP & HTTPS.

Computers are not babysitters. If a company's management cannot control
the behavior of their own employees, a computer sure isn't going to do
it,...and in such cases the company will usually "fold".
There is no such product that is going to do exactly what you are asking.
Some can come close,..but be prepared to spend some $$$$.
A product like MS ISA Server will come close.
MS ISA Server combined with filtering products like SurfControl will come
even closer,...but products like SurfControl interferre with some of the
ISA's functionality. It is an imperfect world.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx

 

[Kurt]

If you have a list of websites that your users "require" access to, any
mid-level router can handle blocking everything else with ease:

access-list 101 permit ip <your network address & mask> <address of allowed
site> [eq http] (or https or whatever protocol my be required)
access-list 101 permit ip <your net addr & mask> <other sites> [optional
protocol]
! permit access to sites you want to allow
!
!
access-list 101 deny ip any any eq http
access-list 101 deny ip any any eq https
access-list 101 deny ip any any eq ftp
! deny access to all other ftp, http and https sites
!
!
access-list 101 permit ip any any
! permit other traffic (mail, etc)

By applying access lists in this manner you can allow your users to visit
the sites they require for their jobs. If you segregate departments into ip
blocks that would correspond to subnets, you can allow access to different
content for different departments. If people find a way through it, you can
lock it down as required or open up access to new sites as it becomes
necessary.

Another way if you're running your own internal DNS, is to set up a separate
server with an AD integrated zone for local resolution and dynamic
registration, and a "." zone. Then create zones for sites your user require
access to and point yo users to that as their only DNS server. They'll
technically still have Internet access, but won't know it because they won't
be able to resolve any names.

....kurt

Well, more and more programs are being used that require Internet access,
for instance at my customer site he has three locations, at all three they
do data entry to a sql database at home office with a package that is
really just a collection of asp pages on a web site on a server at the
home office. The company that sold them the package told them it was a
great thing because they could access just one copy of the program from
anywhere in any of their locations, including working from home! No
concerns at all about security would you believe!
Anyways, I think that giving Internet access is often a real requirement.
I know that at this site it is. They are a car dealership and the
manufacturer requires them to use a web site for some things with respect
to sales.

Thanks Phillip
Bob

Good idea but unfortunately not so easy in reality.

Unfortuneately it *is* the reality.
IMO - It is often a mistake to even give employees internet access to
start with. Many jobs don't *really* require it. There is a difference
between wanting it and needing it. Employees that use SMTP EMail with an
outside mail server can have the email without having web access,...you
just give them permssion to use SMTP and POP3, but not HTTP & HTTPS.

Computers are not babysitters. If a company's management cannot control
the behavior of their own employees, a computer sure isn't going to do
it,...and in such cases the company will usually "fold".
There is no such product that is going to do exactly what you are asking.
Some can come close,..but be prepared to spend some $$$$.
A product like MS ISA Server will come close.
MS ISA Server combined with filtering products like SurfControl will come
even closer,...but products like SurfControl interferre with some of the
ISA's functionality. It is an imperfect world.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx