On Web Filtering by Employers
If you’re like many employers, especially the federal, state, and local government kind, you may have in place technological measures, including web filtering (content and destination based) and port blocking (to keep certain kinds of programs from operating correctly) to curb casual internet use by employees on the job. And just like every one of those employers, you have some grand vision of how these will keep people productive, prevent network bandwidth strains, and protect your critical networks from malicious infection and your data from unauthorized disclosure. In this article, I will outline some of the many reasons why these are not incredibly efficient and in some cases do at least as much harm as good.
Before we get started on the reasons why such measures are doomed, let’s take a look at some of the possible reasons why employers implement them in the first place.
- Casual surfing/chatting/internet use is seen as a drain on productivity.
- Unrestricted internet use opens the company to liability for things like copyright infringement, illegal activities, or any other set of unsavory or disreputable things.
- Users are going to watch YouTube videos and stream internet radio, leaving no bandwidth for actual job related traffic.
- Unknown and unauthorized internet programs can expose confidential data and risk the introduction of malicious software, including viruses and spyware.
Next let’s take a quick look at what measures are usually employed to tackle these risks.
Web Filtering
Ranging from simple domain restriction to real time traffic or content inspection (read: cheap to expensive), web filters attempt to shape the Web that employees can access according to the employer’s values. Most companies (rightfully) agree on not wanting porn on their networks, so that’s the first thing that gets blocked. Next up are bandwidth hogs such as streaming radio, music download sites, streaming video sites, and the like. Time wasting sites such as certain kinds of humor sites and personal email often follow. Finally, sites that provide instant messenger programs are also usually included. This isn’t a comprehensive list, but it illustrates the kinds of things proxy server administrators look for when evaluating sites for inclusion on a list.
Web filtering technologies run a whole range of cost and feature sets, but in general, the less sophisticated the filter, the cheaper it is. These are almost always employed as proxy servers that dictate what traffic may pass to requesting hosts (as opposed to the kind that simply makes certain web browsing faster by caching frequently requested data). Simple ones manage a list of blocked domains and IP addresses (blacklist), but do not have the ability to inspect incoming and outgoing content. Simple proxy servers and firewall software can be obtained free of charge as open source software, so they represent the cheapest of the web filters. More sophisticated filters can do what the less powerful ones do, but can also attempt to inspect some portion of incoming data for further investigation or proactive blocking. These are generally not free, and the level of sophistication is usually reflected in the price.
Now, I mentioned that sophisticated filters can attempt to inspect data, but that doesn’t mean they really can. Web content over an encrypted channel (HTTPS) can’t be inspected without being decrypted, and if decryption were that trivial, nobody would use the Web for banking. Plain text content can be readily inspected for keywords, which might flag the site for human investigation.
Firewalls
To keep employees from using unauthorized network services (like instant messengers or peer to peer clients) within the employer controlled network, companies usually block the ports that those services use to communicate. Typical (and wise, unless you need them) services to block include FTP and Telnet. Such a setup could operate under an “Allow All Except” policy where every service is open unless specified in the list, but the more common approach is to “Deny All Except,” where only the service ports specified are able to connect. More sophisticated network devices can perform this on a per-host basis, so that certain groups of computers can still use the otherwise blocked services and programs.
Computer Account Policies
Most employer computers are operating with Windows XP, although some have begun a migration to Windows Vista. Both of these operating systems include user permissions schemes that allow pretty restrictive use policies to be applied on the computer. Windows XP, for instance, is capable of stripping an average user of the ability to install almost any kind of software (including, as I have seen, the Office 2007 compatibility packs). This not only keeps users from being able to install software that is not specifically approved by the company, but also helps keep the computers standardized to a great degree and may prevent viruses or malware from propagating.
Why They’re Useless
I am going to do the controversial thing and suggest that all of these methods, while having at least SOME merit, are nonetheless useless against someone like me. This is not an argument against using them; rather, it is intended to serve a cautionary function. Just because you employ these measures does not mean you are safe from the threats they were designed to prevent. Their proper use should be as augmentations to clearly defined employer policy regarding the acceptable use of company resources, and should in no way replace such a policy. Note that this also does not serve as a recommendation for users to find creative ways to circumvent your carefully placed controls (they will do that anyway, without my help).
Domain/IP Blacklists
Let’s make something clear. Blacklists are only as good as your ability as a company to actively maintain them (i.e., they aren’t). While they are partially effective with lists of known malware sites (you can subscribe to these from third party security firms), they fail miserably once you start considering almost any other kind of site. Sure, it’s easy to knock out the low hanging fruit; after all, most people only know about a mere handful of sites you might want to block, but that’s not enough. The Internet, and the Web in particular, move and change at a phenomenal rate. New sites appear all the time offering snazzy new widgets, social tools, and eye candy. No matter how tech savvy your proxy administrator is, he/she has not heard of all of these sites. I am constantly surprised by new sites and services that, by the time I get to them (and I read tech news incessantly), already have sizeable user bases. In short, there is no way that any small group of people can be fully aware of all of the new ways web developers come up with to collaborate, chat, share files, and/or waste people’s time. Additionally, some web sites can be reached in more than one way; for instance, if a site allows both SSL and non-SSL connections, blocking only the non-SSL address is only halfway effective. I will reiterate: maintaining awareness of this and continually applying it is probably impossible. Escalated efforts to do so will undoubtedly incur increasing costs while providing diminishing returns.
Content Filtering
While we’re on the subject of web filters, we can’t forget about the (over-hyped) promises made by content filters. First off, they are completely useless against encrypted data, as mentioned above. Second, even keyword matching and rudimentary context matching are guaranteed to produce false positives and keep proxy administrators running circles investigating news sites. In short, this technology has a long way to go, and unless it can decrypt SSL traffic, it is easily circumvented. Gmail is a perfect example. Since Gmail allows users to turn on SSL access, filters that rely on text-based analysis will fail. Blocking domains in conjunction with content filtering can be effective, if you know all the permutations of a site’s URL structure, but as I stated in the previous section, it’s unlikely that any one person will know all of these.
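As an added example (not part of the original article), the following Python sketch of a proxy decision function shows both points above: a URL-prefix entry written for the plain-HTTP form of a site (the "halfway effective" case) misses the same site over HTTPS, a host-level entry covers both, and keyword inspection only ever sees plaintext bodies, so it can flag an innocent news page while an encrypted one passes untouched. The site names, blacklist entries and request bodies are constructed.

```python
"""Toy proxy filter (added example, not from the original article).

It applies three rules in order: a host blacklist, a URL-prefix blacklist,
and a plaintext keyword check. All names and entries below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed blacklist entries (hypothetical sites).
URL_PREFIX_BLACKLIST = ["http://chat.example-social.test/"]  # scheme-specific entry
HOST_BLACKLIST = {"streaming.example-radio.test"}            # scheme-independent entry
KEYWORDS = ("jackpot", "free download")                       # crude plaintext content rule


@dataclass
class Request:
    url: str
    # None for HTTPS: the proxy only sees the encrypted stream, never the body.
    body: Optional[bytes] = None


def decide(req: Request, hosts=HOST_BLACKLIST, prefixes=URL_PREFIX_BLACKLIST,
           keywords=KEYWORDS) -> Tuple[str, str]:
    """Return (verdict, reason) for one proxied request: block, flag or allow."""
    parts = urlsplit(req.url)
    host = (parts.hostname or "").lower()

    # 1. Host-level blacklist: independent of scheme, so http and https both match.
    if host in hosts:
        return "block", f"host {host} is blacklisted"

    # 2. URL-prefix blacklist: only matches the exact scheme the administrator listed.
    for prefix in prefixes:
        if req.url.startswith(prefix):
            return "block", f"url matches prefix {prefix}"

    # 3. Keyword inspection needs a plaintext body; HTTPS gives the filter nothing to read.
    if parts.scheme == "https":
        return "allow", "encrypted: body not inspectable and no host/prefix match"
    if req.body is not None:
        text = req.body.decode("utf-8", errors="replace").lower()
        for kw in keywords:
            if kw in text:
                return "flag", f"keyword '{kw}' found in plaintext body"
    return "allow", "no rule matched"
```

The gap is visible by calling `decide` on the http and https forms of the chat site: the first is blocked, the second is allowed, while the host-level entry blocks the radio site under either scheme.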
Firewalls and Computer Account Policies
These are the preferred methods of preventing users from abusing their systems, as long as such controls make sense. In essence, they are “set once, then forget” kinds of measures, and consistent with the nature of such measures, they can be heavy handed. Firewalls simply block incoming or outgoing (or both) communications on certain ports, like blocking off roads into or out of a city to shape traffic flow. Only open ports will allow traffic; firewalls either discard data destined for a blocked port or log the incident for further inspection. Since many programs, such as instant messengers and file sharing/transfer applications, rely on specific open ports, cutting off access to the ports they use means the programs will not operate. That is, unless they can bypass firewalls by masquerading as an allowed kind of traffic (many programs can do this). In cases like this, prevention at the firewall level may be inadequate (though not wholly so, since firewalls can be quite sophisticated and include their own IP-based blacklists). To augment this control, users are often restricted from installing new software on their employer-provided computers. Such restrictions come at a price and still may have little effect on the introduction of unapproved applications in the enterprise network. First, they are costly because tasks that users may be fully capable of doing (like installing printers and other hardware) now have to be done by the company’s IT help desk; this can mean lost productivity on the employee’s part plus the salary to staff the IT help desk with enough people to handle these issues. Second, such policies do nothing to curb the introduction of programs via portable media, especially those that run directly from USB drives (PortableApps and the like). Technically it is possible to restrict these as well, but such restrictions may also impact the user’s ability to connect hardware that has already been installed (USB can be funny like that).
Plus, if the assumption is that users with USB drives are only carrying documents (most are), then it’s likely that the designer of the policy has not considered the implications of allowing USB drives. Granted, not all applications can be made portable (some rely very heavily on the Windows registry), but there is a growing list of programs that can. Many of these are network-aware and capable of routing themselves around your firewall; you may or may not be able to stop them from communicating.
What to Do
After reading this, you may come away with the impression that technological measures that restrict users’ access to various resources and services are not worth the effort. In large part, that was the point. But all is not lost here. The most important point is that technology is not a panacea, and sometimes high technology is easily subverted by the most low-tech workarounds. Such approaches require a sufficient understanding of what it is you are trying to prevent coupled with the right set of technological and non-technological measures to prevent the threat. Users have an unlimited capacity for rule-bending, internal justification, and creativity with regard to system use. There are a few things that companies can do to limit the risks posed by employees’ unrestricted use of the Internet.
Company Policy
First and foremost, companies should have a well-documented, enforceable (and enforced), and above all well-communicated policy that details what can and cannot be done on company time and with company resources, including computers and the network; also, the policy should specify what the company’s rights are and inform the employee whether monitoring occurs (this is permissible in the US; in other countries such laws vary). This is the most effective method of limiting risk. Will employees still engage in behaviors that put the company at risk? Almost certainly. But they will think twice about it if they clearly understand the consequences of getting caught. To make the policy binding like a contract, simply have the employees read it and sign their agreement with it AT LEAST ANNUALLY, but also each time it is revised. Is it cumbersome? Maybe, but it also provides a clear communication channel to the employee about what is expected of him or her, and moreover, such contracts, when properly administered, have been held as enforceable in the United States.
Technology
Only now is it appropriate to mention technology, and while the previously mentioned tools can fill important gaps in a company’s security policy, they are not the primary ones that should be evaluated. As outlined above, the technology-based risks to the enterprise network primarily revolve around resource use, malware infection, and disclosure of sensitive data. The most effective tools to combat these things are a combination of discussed (and other) methods. First, good antivirus software is an absolute must. These days, AV software is capable of real time monitoring for other kinds of malware in addition to viruses, making it one of the best investments a company can make. Second, firewalls should block inbound and outbound services that are not needed. While this does not mitigate the risk posed by programs that can bypass firewalls, it does mitigate risks posed by malware programs that communicate with one another or with a central server. Third, well constructed computer account policies should strike a balance between users being able to install any program they like (they shouldn’t) and the reality that many such programs can be run portably anyway. Fourth, implement monitoring of Web activities that can be audited and used to generate usage reports when needed (this should be specified in the policy along with a schedule for random audits and the method for determining who gets audited). And fifth, use web site blocking tools that subscribe to published malware blacklists to keep users from inadvertently visiting malware sites (especially the kind that like to show up in one’s email).
This combination of policy and technology represents the best a company can hope for in terms of security from internal threats. Proactive blacklisting has little impact on actually improving such security and can even drive users to create new risks through creative approaches and workarounds. The best technology in the world cannot anticipate everything a user can do, and people are certainly not capable of keeping up with the march of innovation and progress on the Internet. So my advice is that, if you rely on web site blocking to keep employees in line, you should reevaluate what it is you are trying to accomplish; the procedure above will be sufficient to address your needs most, if not all, of the time.