Whitelisting of Internet at company

Discussion in 'Business & Enterprise Computing' started by Nyarghnia, Dec 14, 2009.

  1. Nyarghnia

    Nyarghnia (Taking a Break)

    Joined:
    Aug 5, 2008
    Messages:
    1,274
    Hi All,

    Just wondering if anyone else has done this: we're about to give up on blacklisting and web monitoring of employees here and are going to whitelist the internet.

    We're going to block all websites except for those specific websites that are needed for that employee's/department's specific job.

    To keep staff happy we're going to provide an internet access station PC that doesn't have a CD/DVD writer, will have USB disabled (USB sticks are disabled on our network by default anyway) and will not be connected to the internal network.

    Staff can then use this PC for "non-work" related internet access. We've been monitoring web usage lately, and the number of 'nasties' that are being stopped by the gateway antivirus/anti-spyware, and even on one or two occasions by desktop AV/ASW, has prompted us to lock things down further.

    Also, if a desktop reports an infected file, even if it is reported as cured/cleaned we nuke it anyway.

    We're trialing this to see how it goes, but staff are not too thrilled at this prospect.

    Anyone else in this situation?

    Personally I'm in two minds about it. The general 'internet access PC' is not on my internal network, so monitoring it will not be easy or even possible, but if people want to go to Google and randomly wander the 'net, at least the damage is contained.

    The whitelisting will include online banking sites though.

    Too harsh? Is the internet now too dangerous to allow staff at a company access to it? I tend to feel that it has become too dangerous; as much technology and policies as we throw at it, the bad guys are getting better.

    -NyarghNia
     
  2. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,945
    Location:
    Brisbane
    End of the day the firewall/desktop AV is doing its job; that's why you pay licensing and renewal for the software.

    Locking it down too much can be a pain, especially at the start while all sites are blocked and users start to find sites they need unblocked.

    Personally, I don't block any sites; until management tell me it is affecting productivity I'm not going to bother. What users do on their own lunch break in terms of internet is their business.

    I think blocking .exe in emails, not allowing users to install software via GPO, good desktop AV and some education is all that's needed really. It's not up to you to make sure workers are doing their job, that's for their managers. In terms of security, sure, do what you need to, but don't try to rule with an iron fist.
     
  3. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,582
    Location:
    Brisbane
    Yeah, whitelisting sounds a whole lot more trouble than it's worth.

    Then again, if management are behind it, driving it, it's their choice. I just don't see IT wanting to instigate it.

    Do you have serious issues with employee time management (that management is asking for a solution for) and/or warez/porn/virii/malware/etc?
     
  4. cs-cam

    cs-cam Member

    Joined:
    Oct 17, 2007
    Messages:
    741
    Location:
    Brisbane, QLD
    If you're whitelisting due to malware/virus/general dodgy stuff then you should be recommending a solution that involves educating the staff, because clearly they're doing something wrong. If it's strictly productivity then that's a different story. I don't necessarily agree with it, but if you've got a younger workforce I could see why you'd want to :p
     
  5. BluBoy

    BluBoy Member

    Joined:
    Jan 20, 2006
    Messages:
    1,899
    Location:
    Brisbane
    We have whitelisted before, and it caused all sorts of headaches.
    Can I ask if there has been an incident yet that is causing this, or is this management being 'proactive'?

    First of all, you'll be amazed at how many sites require data from additional domains. This causes pages to be slow to load, and can be a headache debugging what additional sites need to be allowed here.

    Then, you WILL need some type of formal request approach to add sites to whitelists. Management will be the worst at this, as they will randomly bug you about allowing www.disney.com for their kids when they are in the office. (Meanwhile, you open that up, and Manager #2 complains about it.)

    Internet use PCs are often neglected and turn to shit very quickly. Make sure you have a plan for the maintenance of these.

    I hope people don't use Google to assist in their daily roles.
    You will not have any friends in the office once this comes in :)
     
  6. Nyarghnia (OP)

    Nyarghnia (Taking a Break)

    Joined:
    Aug 5, 2008
    Messages:
    1,274
    It's the whole 'proactive' thing. Also, in the industry I am in, the whole issue of internet access (even access to e-mail) is being reviewed. The internet is rapidly becoming virtually useless; our firewall stopped 250,000 spam e-mails in the last MONTH alone :(

    Plus there's a ton of stuff being blocked by gateway antivirus. From log analysis I suspected infected 'ads' on websites might be the culprit.

    The 'net is just starting to look a lot worse than it was a year or two ago, so the management team have decided to clamp down on the 'net. There's also a staff productivity issue to think about, with more and more Gen-Y coming onboard.

    -NyarghNia
     
  7. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,582
    Location:
    Brisbane
    No offense, but that's fuck all. Ironport here for our small company (~160 email addresses) reckons about 1.2 million for the month.

    Yeah, advertising-based malware/trojans seem to be the new popular flavour of attack now.
     
  8. kombiman

    kombiman Dis-Member

    Joined:
    Dec 3, 2006
    Messages:
    13,338
    Location:
    viva brisvegas
    what industry are you in?
     
  9. orgone500

    orgone500 Member

    Joined:
    May 29, 2003
    Messages:
    181
    Location:
    Northern Rivers NSW
    Sounds like 2 separate issues here: spam email and spyware/virus. Locking internet access down isn't going to solve your spam issues, unless that is going to a whitelist model as well. Hate to be you if it is...
     
  10. Gumby

    Gumby Member

    Joined:
    Jun 27, 2001
    Messages:
    1,743
    Location:
    Brisbane
    I run a mix of both whitelist and blacklist depending on user, based on machine, not login.

    Simple linux setup with squid and squidguard.

    Squid is set up with a couple of rules. One file contains PCs, by name, that are allowed 'open' access: they can access anything that's not in the blacklist. A second file of websites is the whitelist for all users not in the first list. It's up to 480 lines now.

    Squidguard is the blacklist with the usual porn lists, social networking and anything else management wishes to block. This affects all users from the CEO down. Squidguard is preferred for these larger lists for performance reasons.

    Also squid set to cache which returns between 15-20% bandwidth saving per month.

    Network is 140 desktops/laptops.
     
  11. Rampage101

    Rampage101 Member

    Joined:
    Jun 27, 2001
    Messages:
    2,034
    Location:
    Country NSW
    Gumby,

    Any chance you can PM me with some details on how your white listing works? Is it done with squidGuard? As I had trouble getting whitelists to work for some reason.
     
  12. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Nyarghnia your questions appear to indicate you're unfamiliar with the nature of the internet and that someone with a vested interest in selling you something in the security area (firewall, av, etc) is doing a bit of scaremongering.

    Please be careful where you're obtaining your advice from. Taking all the basic security precautions is required. However, going to extremes such as whitelisting based on the number of hits on your firewall, without any other reason to suggest that anyone has managed to penetrate your defences, appears to be unnecessary.
     
    Last edited: Dec 14, 2009
  13. Gumby

    Gumby Member

    Joined:
    Jun 27, 2001
    Messages:
    1,743
    Location:
    Brisbane
    Had this all ready as a PM but figured why not throw it in here. Feel free to pick apart all the bad things I'm doing :)

    Also just to stipulate, our whitelisting is a decision by management for productivity reasons.

    ---

    For my whitelist I'm simply using acl lines within squid itself. Given it's a relatively small list (480 lines) I didn't see there being any speed improvement in pushing it into squidguard. It means you just have to add the line and give squid a reload, unlike squidguard, where you have to rebuild the db file.

    Thus:
    Code:
    acl open_users_fqdn srcdom_regex -i "/etc/squid/acls/open_users_fqdn"
    
    acl global_websites dstdom_regex -i "/etc/squid/acls/global_websites"
    acl global_ip dst "/etc/squid/acls/global_ip"
    
    http_access allow open_users_fqdn
    http_access allow global_websites
    http_access allow global_ip
    http_access deny all
    
    open_users_fqdn is a list of users allowed 'open' access.
    Code:
    pc-1.example.com
    pc-2.example.com
    global_websites is sites everyone can visit.
    Code:
    # Banking Websites
    suncorp.com.au$
    suncorpmetway.com.au$
    commbank.com.au$
    boq.com.au$
    commonwealthbank.com.au$
    netbank.com.au$
    global_ip is for the few things that are accessed by IP, not domain name.
    Code:
    210.120.123.38
    Then just the allows and denies. Real config has many more, but that's the basics of it.

    With url_rewrite_program set to squidguard, all requests also go through it, which I utilise as the blacklist.

    I also throw users to a custom 'this page is blocked' page with a "click me" link which forwards to me the entire URL they are trying to access. Got sick of users telling me incorrect URLs :)

    On top of all that I run calamaris, which is a basic squid reporting tool. Pretty ugly, but I've got it customised quite well now. Shows usage by site plus my top 10 users for the day/month.

    Been running all that for a few years now. Haven't bothered hooking AV into it yet as our desktop and mail av has been good, although it's on my list of things to do in my 'spare' time :)
     
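A check worth running against a whitelist built this way, added here as an example and not Gumby's code or part of the thread: squid's `dstdom_regex -i` does a case-insensitive, unanchored regex search against the request host, so a pattern like `commbank.com.au$` has no left anchor and its dots match any character. The script below emulates that matching in Python (an approximation of squid's POSIX regex, assumed close enough for these patterns), runs the posted-style patterns and an anchored, dot-escaped alternative over a few constructed hostnames, and reports which hosts the loose form admits that the tight form does not. The hostnames and the `tighten` helper are constructed for the example.

```python
import re

# Whitelist entries in the style posted in the thread (dstdom_regex -i semantics:
# case-insensitive, unanchored regex search against the destination host).
POSTED_PATTERNS = [
    r"suncorp.com.au$",
    r"commbank.com.au$",
    r"netbank.com.au$",
]

# The domains those entries are meant to cover (constructed list for the example).
INTENDED_DOMAINS = ["suncorp.com.au", "commbank.com.au", "netbank.com.au"]


def tighten(domain):
    """Build an anchored, dot-escaped pattern that matches only `domain`
    and its subdomains. Assumed hardening for this example, not from the post."""
    return r"(^|\.)" + re.escape(domain) + r"$"


TIGHT_PATTERNS = [tighten(d) for d in INTENDED_DOMAINS]


def host_allowed(host, patterns):
    """Emulate squid dstdom_regex -i: the host passes if any pattern
    matches anywhere in it (re.search, not re.fullmatch)."""
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


def find_overmatches(loose, tight, hosts):
    """Return the hosts admitted by the loose pattern set but rejected by
    the tight one; these are the gaps an unanchored whitelist leaves open."""
    return [h for h in hosts if host_allowed(h, loose) and not host_allowed(h, tight)]


# Constructed sample hosts: two intended, two lookalikes, one that the
# trailing $ already rejects.
SAMPLE_HOSTS = [
    "www.commbank.com.au",            # intended: subdomain of a listed domain
    "netbank.com.au",                 # intended: exact listed domain
    "fakecommbank.com.au",            # lookalike: text prepended, no left anchor
    "commbankXcomXau",                # lookalike: unescaped dots match any char
    "commbank.com.au.evil.example",   # rejected by both: $ anchors the right end
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:32} posted={host_allowed(h, POSTED_PATTERNS)!s:5} "
              f"tight={host_allowed(h, TIGHT_PATTERNS)!s:5}")
    print("over-matched by posted patterns:", find_overmatches(POSTED_PATTERNS, TIGHT_PATTERNS, SAMPLE_HOSTS))
```

The same caveat applies to the `srcdom_regex` line for open users: squid resolves the client's address with a reverse DNS lookup before matching it, so that ACL is only as trustworthy as the PTR records on the internal DNS, and a client with no reverse record will never match the open list. For a plain list of whole domains, squid's `dstdomain` ACL type (which matches a domain and its subdomains by suffix, without regex) avoids the anchoring problem entirely.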
  14. fR33z3

    fR33z3 Member

    Joined:
    Jul 16, 2001
    Messages:
    2,164
    Location:
    Perth
    have you thought of the cost of whitelisting? Is your management aware of this cost?

    You also have to include the non-tangible costs such as staff morale.

    Chances are once senior management see the cost of whitelisting, they will shy away from it.

    Most successful businesses are moving to a business model that embraces the "internet generation". It'd be interesting to know what industry you are in for you to be thinking of running against the trend.
     
  15. Gumby

    Gumby Member

    Joined:
    Jun 27, 2001
    Messages:
    1,743
    Location:
    Brisbane
    What costs do you think are involved? The system was already in place for caching and blacklisting. Administrative cost in terms of time is minimal.

    Correct, however majority have no issue with the policy.

    It is a tough one to define a real cost for. Once you factor in cost of implementation and administration, staff morale, bandwidth savings, productivity increase, the figure would be a best guess. You would probably spend more time investigating all that than it takes to implement :)

    Industry is sales based. Staff have a habit of surfing the web instead of chasing customers.
     
  16. dave_dave_dave

    dave_dave_dave Member

    Joined:
    Mar 17, 2004
    Messages:
    2,917
    Location:
    Gold Coast
    When you get your whitelist sorted it is much easier to maintain than a blacklist.
    We have had problems with a few 0-day viruses in the past, staff viewing sites they shouldn't, etc. When you get past 50 users a blacklist is just too hard to maintain, unless you have someone on it all the time.

    The key is to have several old pcs in the staff lunch room that have unrestricted internet access.
     
  17. [KEi]SoVeReIgN

    [KEi]SoVeReIgN Member

    Joined:
    Feb 20, 2002
    Messages:
    8,636
    Location:
    Sydney
    Sounds like a huge headache that will win you no friends anywhere.

    Firewall + Good AV/Application management + No admin users = Most threats stopped.

    An internet access PC sounds good in theory, but I bet in practice it would never be used. We'd be lynched at our work if we tried to go down this road.

    IMHO this is a management problem, not an IT problem.
     
  18. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    16,078
    Location:
    Canberra
    Easy and safe enough (with proper config) to set up a second interface on the internet PCs to allow firewalled admin access to them from the internal network, or better yet a DMZ. Ensure you've got remote desktop and the AV server, and have it tied down to only admin workstations etc.

    No point letting the internet PCs fall apart, or get infected. You wouldn't want your company PC to turn into a zombie or spam relay etc.
     
  19. seefarr

    seefarr Member

    Joined:
    Sep 1, 2005
    Messages:
    179
    Location:
    Londinium
    Sounds like a lot of trouble! What do you use for blacklisting at the moment? You'd be surprised how granular you can be with a proxy server. We use Bluecoats, which admittedly are a pig to manage, but you get daily updates for the different categories and an antivirus box that scans everything going past for nasties and blocks them before they get to the user. I reckon if you block webmail and Facebook and maybe news, you'll lose a massive portion of your web traffic. We did!

    I agree with you that most of the nasties we're seeing are from ads, and you still get ads on many legitimate websites, so you might still be in the same boat!

    Don't forget that if someone goes to a kiddy porn or terrorism site from your internet access PCs, you'd still have the reputation risk to your company of having it dragged through the media. And how will you log which user is on the PCs at any one time so that you can pin this sort of behaviour back to users? AND someone else has already pointed out that these PCs could become spam bots, which besides not being nice for other internet users could also affect your company's reputation.

    Plus everyone will hate you. :tongue:
     
    Last edited: Dec 15, 2009
  20. GiantGuineaPig

    GiantGuineaPig Member

    Joined:
    Oct 23, 2006
    Messages:
    4,027
    Location:
    Adelaide
    Way too harsh. Firstly, if your computers are up to date, running good AV, and the users don't have admin access then that eliminates most of the problems.

    There was yet another study a few days ago saying employees are more efficient and happier when they can browse the net, sadly I can't find the link :(

    Anyway, I think it's a way to destroy a company by pissing off all the employees, and it punishes everyone for poor system setup.
     