Workplace Internet Access - Abuse.
I have been instructed to look into internet access abuse in our workplace. I know there are a few .orgers that may have some pointers on this. So please give me some feedback on what I can take to my MD to prevent the facebook/ebay/twitter brigade between 9am to 5pm. When it's outside these hours he is happy for staff to use the internet, but not during working hours.
SoulKiss
15-09-09, 11:36 AM
I have been instructed to look into internet access abuse in our workplace. I know there are a few .orgers that may have some pointers on this. So please give me some feedback on what I can take to my MD to prevent the facebook/ebay/twitter brigade between 9am to 5pm. When it's outside these hours he is happy for staff to use the internet, but not during working hours.
Loads of options...
1) Proxy server on a non-standard proxy-server port, and your firewall/router set up to block all port 80/443 (web and secure-web) traffic that does not originate from the proxy. This will mean you can see what sites are being used AND then redirect them to a "page not available" message - if done on a Linux box you can have a CRON job to load a restricted config @ 9am and then a more permissive one @ 5pm.
Should cost a couple of hundred for the server and take a day or so to set up.
If you don't have a hardware firewall (the best solution for blocking the traffic out rather than the router) then add a couple of hundred for one of those too.
IrishRob
15-09-09, 11:38 AM
I have been instructed to look into internet access abuse in our workplace. I know there are a few .orgers that may have some pointers on this. So please give me some feedback on what I can take to my MD to prevent the facebook/ebay/twitter brigade between 9am to 5pm. When it's outside these hours he is happy for staff to use the internet, but not during working hours.
The irony being that I try to hide your avatar in work ;)
hardware firewall... pfft. You're funny SK ;)
timwilky
15-09-09, 11:41 AM
I am with SK. However, I would advise blocking all outgoing traffic except that through a proxy, not just the named protocols above. Obviously allow outgoing SMTP from your mail server etc.
Then get some analysis done of usage through the proxy. Look at the use of published black lists etc.
I agree with SK too. I just don't like the description "hardware firewall". All firewalls run in software, even if you have a dedicated box for it.
Just me being pedantic. :albino:
timwilky
15-09-09, 11:45 AM
And don't listen to arguments between techys. A bastion firewall is a necessity. Depending upon your business use on the net, you may need to have at least a failover pair with state database sharing to ensure smooth failover.
We use Nokia hardware with Checkpoint NG firewall. Expensive but worth it. You then probably need devices for prioritising certain traffic etc. (packet shaping, profiling, whatever).
SoulKiss
15-09-09, 11:48 AM
I agree with SK too. I just don't like the description "hardware firewall". All firewalls run in software, even if you have a dedicated box for it.
Just me being pedantic. :albino:
OK so Dedicated Firewall...... Mr Pedant :p
It's a pet hate. I'll pull my head in now.
We require to allow certain access due to being a mail order department; in the warehouse they need to raise, track and view deliveries, which are all web based applications. There are no email requirements at all. Just looking for the names of some applications to investigate for this purpose.
For the record we do have a dedicated area for internet access which all staff have use of. We decided to put two internet workstations in so that people would have complete freedom during break and lunch times. In the hope it would be used in break times and therefore they would (we hoped) not want to be doing it while working. But nah, nah just got to be looking all the time eh!
SoulKiss
15-09-09, 11:55 AM
We require to allow certain access due to being a mail order department; in the warehouse they need to raise, track and view deliveries, which are all web based applications. There are no email requirements at all. Just looking for the names of some applications to investigate for this purpose.
Ok the keywords you need for the filtering are
Dedicated server running
Linux Operating System with
Squid Proxy Server
Dedicated Firewall (a small Cisco PIX (hate them but...) would do the job)
And that's it - just need a geek to come put it together for you, maybe take a day or so - less to set up, longer to train someone else to be able to do the routine maintenance stuff on it, to avoid constant calls to said geek.
I'd say a PIX was overkill. Iptables could be run on the same linux box. I'd buy Tim's beer for a week if he could hack through it.
Also the risk doesn't sound very high as from the description, it sounds like only client machines on the internal network. No servers or sensitive data etc. Correct me if I'm wrong here.
timwilky
15-09-09, 12:01 PM
Squid works well. But if you are going all linuxy, why bother with a firewall? Simply use another linux box, lock it down with off the shelf armour scripts and then learn IPTables.
Or simply install smoothwall etc.
SoulKiss
15-09-09, 12:07 PM
Squid works well. But if you are going all linuxy, why bother with a firewall? Simply use another linux box, lock it down with off the shelf armour scripts and then learn IPTables.
Or simply install smoothwall etc.
I just like to separate stuff as much as possible...
But an all in one box would work too.
keith_d
15-09-09, 12:11 PM
What you do depends on the trade off between time and money.
If you've got plenty of time and not much money, set up a linux firewall, DMZ and a proxy to the internal network. If you're going to implement whitelists (allowed site lists) during office hours that will probably be sufficient.
If you've got a decent budget and less time, look at some of the commercial offerings for a proxy server (I think we use Bluecoat) which include blacklists that are regularly updated.
timwilky
15-09-09, 12:11 PM
I agree where function outweighs cost I too would advocate breaking the functionality across multiple platforms. However, this sounds very much like a company that has decided it needs to get control, but doesn't know what of.
Tools like smoothwall are quick to deploy and get instant results. May not be the ideal long term solution, but would give breathing space.
TBH their current setup would scare the pants off me
SoulKiss
15-09-09, 12:16 PM
Oh and setting up Squid is REALLY easy - how do you think I manage to get on the org through my company's firewall - they just see POP3 traffic to my mailserver...
timwilky
15-09-09, 12:31 PM
Hence the reason why I said to block all outgoing traffic except for known protocols from known sources. Although if the guy responsible for the firewall management is a mate, well.
Unfortunately the UK guy has had to explain quite a few times why certain individuals have personal VPN connections to the corporate network
Can't you just block the IPs of the sites like twitter/facebook etc?
fizzwheel
15-09-09, 12:39 PM
You need a HR Policy in place that your boss is prepared to enforce. This needs to be documented and written down as part of people's contracts. Then when you enforce it they can't complain about it.
We use a product called "Websense". I don't know naff all about it, as I don't really look after it, but it will easily do what you want and it will give the ability to produce historical reports based on people's browsing history. That way you give your boss historical reports to back up what he is saying if he takes people to disciplinary etc etc.
That's what we have. We call it FunStopper!
If you are not a linuxy type person, look at Sonicwall NSA units, not too expensive and they are very good now. Full IPS/GAV/AntiSpam/ContentProtection/VPN/SSL-VPN are all available and not that expensive. They also have a product that can monitor traffic levels from your desktop, there is also a way to restrict access based on policies to individual users.
We use them at work as it's just what the office has had for ages. I have them in an HA setup and also in the US offices. No problems with the old PRO series or the new NSA series, stay away from the TZ series as they are just too underpowered and nearly EOL.
I'd say a PIX was overkill. Iptables could be run on the same linux box. I'd buy Tim's beer for a week if he could hack through it.
Does that offer extend to me? :D I don't have the time right now, but the free beer will be worth it when I do. :) It wouldn't be the first time I've beaten an IPTables setup.
You need a HR Policy in place that your boss is prepared to enforce. This needs to be documented and written down as part of people's contracts. Then when you enforce it they can't complain about it.
+1. Some form of HR/Internet Usage policy is required, and it needs enforcing from high up in management. Let them deal with the implementation of that, unless you're high up in management, but if you are, you shouldn't really be here asking the .Org for advice!!
I'm with the others pretty much in how to go about things. I'm assuming that you have some half decent ADSL modem/router. So...
Plug one machine (and physically only one machine) into the router. It doesn't have to be fantastic, but I'd say you're looking at 512Mb RAM tops. CPU doesn't matter. This is your 'gateway' machine - install your favourite flavour of linux (without a GUI will be better for CPU/memory resource usage), and set up IPTables on this.
Run another ethernet cable from the gateway machine to another machine, again, install your favourite linux distro. On this one, set up Squid (read into how to set it up as a transparent proxy), so this is your proxy machine. You'll need to install IPTables on this to be able to alter the packets en route suitably.
Run another ethernet cable from the proxy machine to a switch (a hub if your company is small/cheap), and from there to the rest of the machines in the network.
Initially, set up Squid to only cache & generate reports on what people are looking at. This will allow you to report to management about what people are doing, and what they shouldn't be doing. It'll also buy management time to enforce the paperwork/legal side of things.
Physical side done, software side. The proxy machine wants to intercept & log all outbound HTTP traffic, easy enough. Depending on config it can restrict content. It wants to also forward all other (non-HTTP) traffic to the gateway machine. The proxy doesn't need to concern itself with border controls. When it comes to restricting access to the 'net, I wouldn't use a blacklist. I'd use a whitelist. In other words, they can't access ANYTHING other than what you specifically allow!! BOFH? Me? :)
As Tim said, the gateway machine needs to DROP any outbound traffic that you don't specifically allow. Easy config. You'll need to allow things like DNS outbound (but only to your nominated DNS server(s)), email out (IMAP/POP3/SMTP - for the bosses if not the employees, I'd even go so far as to state which workstations could use emails!!), HTTP out (from the gateway machine ONLY) and then you should be pretty set.
Costs (roughly)? Two machines, £150 each (consider doubling this for failsafe reasons). Cable, depends how far, shouldn't be more than £50. Software? Free. If you're not sure how to set this up, you're looking at a day's worth of geek wages (plus travelling costs), as I won't be able to do it (time restrictions), I can't comment on that really.
So including redundant setup, you're looking at £650 ish + the cost of a friendly geek perhaps. As the others said, it should take less than a day to set up.
EDIT: I'll put this bit in bold...
DO NOT USE THE SAME PHYSICAL MACHINE FOR BORDER CONTROL AS YOUR PROXY. DO NOT RELY ON SOFTWARE RESTRICTIONS, ALWAYS USE HARDWARE.
If you fail to adhere to the above, you'll find out some time next year that you have someone like one of us geeks working for you, and s/he found a way around your setup within days. You'll only find this out when they hand their notice in. Then you'll get it in the neck!
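The Squid side of what SoulKiss and this post describe (restricted during working hours, open outside them, and a whitelist rather than a blacklist), as an added example that is not code from the thread or from the Squid project. It uses Squid's built-in time ACL in a single config instead of swapping config files by cron, and includes a small POSIX sh helper that applies the same matching rules as Squid's dstdomain ACL so a whitelist can be sanity-checked before it goes live. The subnet, the domains in the whitelist and the file path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the access-control part of
# squid.conf for "restricted 09:00-17:00 Mon-Fri, open otherwise", and check
# a host against the whitelist with the matching rules Squid's dstdomain uses.
# Subnet, domains and the whitelist path are constructed placeholders.

LAN_NET="192.168.1.0/24"                  # placeholder: the office LAN
WHITELIST_FILE="/etc/squid/whitelist.txt" # placeholder path on the proxy box
# Constructed whitelist: a leading dot matches the domain and every subdomain;
# no leading dot matches that exact host only (Squid dstdomain semantics).
WHITELIST=".courier-example.com tracking.parcel-example.net"

# Print the squid.conf fragment. Squid evaluates http_access lines in order
# and stops at the first match: work sites are always allowed, everything
# else is denied during working hours and allowed outside them.
squid_acl_config() {
    cat <<EOF
acl lan src $LAN_NET
acl workhours time MTWHF 09:00-17:00
acl work_sites dstdomain "$WHITELIST_FILE"
http_access allow lan work_sites
http_access deny lan workhours
http_access allow lan
http_access deny all
EOF
}

# Print the whitelist file contents, one entry per line.
squid_whitelist_file() {
    for entry in $WHITELIST; do
        printf '%s\n' "$entry"
    done
}

# host_allowed HOST [ENTRY...]  -> exit 0 if HOST matches any entry.
# ".example.com" matches example.com and anything under it; "example.com"
# matches only that host. Case-insensitive; a trailing dot is ignored.
host_allowed() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host="${host%.}"
    shift
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z')
        case "$entry" in
            .*)
                suffix="${entry#.}"
                [ "$host" = "$suffix" ] && return 0
                case "$host" in
                    *".$suffix") return 0 ;;
                esac
                ;;
            *)
                [ "$host" = "$entry" ] && return 0
                ;;
        esac
    done
    return 1
}

# Check one host against the constructed whitelist above.
check_host() {
    # word-splitting of $WHITELIST is intended here
    host_allowed "$1" $WHITELIST
}

# Usage on the proxy box (paths are placeholders):
#   squid_acl_config > /etc/squid/conf.d/hours.conf
#   squid_whitelist_file > /etc/squid/whitelist.txt
#   check_host www.courier-example.com && echo "allowed during work hours"
```

Because the deny rule only fires when the workhours ACL matches, the same config behaves as the "restricted" and the "permissive" setup without anything swapping files at 9am and 5pm; check the proxy box's clock and timezone, since the time ACL uses local time.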
Does that offer extend to me? :D I don't have the time right now, but the free beer will be worth it when I do. :) It wouldn't be the first time I've beaten an IPTables setup.
I did specify Tim :p
I'll buy you beer for one evening, as long as I get to write the rules and you beat it on an iptables vulnerability.
Pingu65
15-09-09, 08:39 PM
Hi
If you want a cheap option then go for
www.opendns.org (http://www.opendns.org)
Loads on offer (free even for enterprise)
and includes web filtering
http://www.opendns.com/solutions/enterprise/filtering/
You can easily test from a single box - just point your dns queries to their servers.
Have tried it at home and seems to work ok
I'm abusing the internet at work now
Hi
If you want a cheap option then go for
www.opendns.org (http://www.opendns.org)
Loads on offer (free even for enterprise)
and includes web filtering
http://www.opendns.com/solutions/enterprise/filtering/
You can easily test from a single box - just point your dns queries to their servers.
Have tried it at home and seems to work ok
not that good, it allows blocking of sites, but not granular monitoring of the users in the company
Also if anyone knows how to change their DNS servers or the hosts file then they can get around it.
A proper filter will work by proxying the data and looking for particular info in a page to block it
Pingu65
15-09-09, 09:24 PM
Thanks for pointing that out but the customer did not imply that he wanted individual monitoring and I was offering a cheap and cheerful solution.
We can all go technical; blocking DNS requests to all but the OpenDNS servers will stop users doing requests elsewhere.
A good HR policy to let people know you are monitoring/blocking, and that any steps taken to avoid blocking/monitoring will be treated as a disciplinary offence etc, will stop most people contemplating avoiding it (even if you don't monitor).
Spend money - firewalls, websense etc all recognised and expensive options - Being in IT Security I have seen and used many to protect an enterprise company.
Small companies may not have expertise in all areas required and therefore opendns is a quick and cheap win (IMHO)
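The gateway rule set described earlier in the thread (DROP by default, web out only from the proxy host, DNS only to nominated resolvers, SMTP only from the mail host) together with the DNS lock-down Pingu65 mentions, as one added example that is not code from the thread. It prints the iptables commands for review rather than executing them, with helpers that read the generated rules back so you can confirm which hosts are opened to which ports. Interface names and addresses are constructed placeholders; the resolver addresses are TEST-NET values to replace with your ISP's or OpenDNS's.

```shell
#!/bin/sh
# Added example (not from the thread): rule set for the dedicated gateway box.
# Default-deny on forwarded traffic, then only the exceptions the thread names.
# Interfaces and addresses are constructed placeholders.

WAN_IF="eth0"                 # towards the ADSL router
LAN_IF="eth1"                 # towards the proxy box / internal switch
PROXY_IP="192.168.1.2"        # the Squid box: the only host allowed web out
MAIL_IP="192.168.1.3"         # the only host allowed SMTP out
DNS_SERVERS="203.0.113.53 203.0.113.54"   # placeholder nominated resolvers

# Print the iptables commands instead of running them, so the rule set can be
# reviewed (and tested) before it touches a live box.
gateway_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -P FORWARD DROP"
    # replies to connections the gateway already let out
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # web: only the proxy may reach 80/443 on the internet
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT"
    # DNS: any internal host, but only to the nominated resolvers (UDP and TCP)
    for resolver in $DNS_SERVERS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -d $resolver -p udp --dport 53 -j ACCEPT"
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -d $resolver -p tcp --dport 53 -j ACCEPT"
    done
    # mail: only the mail host may send SMTP out
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $MAIL_IP -p tcp --dport 25 -j ACCEPT"
    # everything else: rate-limited log so bypass attempts (a workstation pointed
    # at some other resolver, a direct port-80 connection) show up in syslog,
    # then the DROP policy takes it
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix \"GW-DROP: \""
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Print the source address of every ACCEPT rule that opens PORT outbound,
# e.g. to confirm that only $PROXY_IP appears for 80 and 443.
sources_for_port() {
    gateway_rules | grep -- "-j ACCEPT" \
        | grep -E -- "--dports? ([0-9]+,)*$1(,|[[:space:]])" \
        | sed -n 's/.*-s \([0-9.]*\).*/\1/p' | sort -u
}

# Print the destination addresses DNS (port 53) is allowed to; anything not
# listed here is logged and dropped by the rules above.
dns_destinations() {
    gateway_rules | grep -- "-j ACCEPT" | grep -- "--dport 53 " \
        | sed -n 's/.*-d \([0-9.]*\).*/\1/p' | sort -u
}

# Usage on the gateway, as root, after enabling forwarding:
#   sysctl -w net.ipv4.ip_forward=1
#   gateway_rules | sh
# Bypass attempts then appear in syslog as lines prefixed "GW-DROP: ".
```

Restricting port 53 to the nominated resolvers closes the "change my DNS server" route that was raised against the OpenDNS suggestion; it does nothing against a hosts-file edit, which is why the proxy whitelist still has to do the real filtering.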