Left uncontrolled, employees with unrestricted Internet access will waste time and open the network to viruses, spyware and other security problems. But you can't simply unplug from the world. Here's a guide to setting appropriate use policies, selecting and deploying security technology, and navigating ethical and legal concerns.

InformationWeek Staff, Contributor

October 28, 2005

Beating The System
Can employees beat Web-control solutions? Arbor Networks' Raja says savvy users can easily use encryption to fool Web-blocking software. "Most blocking apps either look at the content or block based on port. Encrypted traffic is difficult to stop, since the content or the request for a URL is hidden and applications can use different ports to access the Internet."

Blue Coat's Vedati concurs that it is relatively easy to beat Web-blocking software: "Many solutions simply sniff Web traffic and terminate an unauthorized request. But because these deployments allow the request, they must send a reset message to the requesting client before the destination response reaches the client. Web-blocking software may be unable to keep up, allowing undesirable sites to be viewed." She adds, "Some software-based Web-blocking solutions tie authentication information to a specific IP address, which can easily be impersonated."


Kurt Shedenhelm, president and CEO of Palisade Systems

Not surprisingly, many vendors tout their own Web-control products as being more difficult to circumvent. For example, Palisade's Kurt Shedenhelm advocates appliances installed at the network gateway (such as his company offers). He asserts that passive appliances, unlike firewalls, are extremely difficult to detect, so there's really nothing for employees to circumvent.

Other experts note that employees can simply use third-party, anonymous proxy servers, which relay requests to a destination, letting users reach Web-blocked destinations and obscuring the reports that Web-filtering products generate. Another tactic employees might use is to set up dial-up network connections to bypass the corporate network. Other savvy users might wrangle privilege levels that forestall corporate policy. If there's a ray of sunshine in such exploits, it's that almost anything employees do can be traced back to them. But that may be too little, too late for the employer.

A final challenge for blocking and monitoring solutions is that many sites defy categorization. For example, is a visit to Microsoft.com a search for technical help or a personal shopping spree?

As these issues highlight, Web-filtering products are an important tool to augment your company's Internet-use policies, not a panacea.

When Employees Go Where They Shouldn't
You must be prepared to deal with employees who stray into unwanted Internet territory. The first and most important step is carefully crafting and communicating explicit corporate policies, including penalties for infractions.

Some experts say that displaying a simple "access denied" screen in response to blocked destinations by itself can be a big help. The employee will most likely wonder if IT or their manager knows about the online misstep, and think twice before straying again. But Blue Coat's Vedati argues that to be truly effective, such screens should identify users by name and provide details about the blocked site, including the reason for site denial. That makes for a strong deterrent, regardless of whether a specific Web surfing episode is logged and pursued.

If monitored employees do break the rules, first give them the opportunity to explain why they visited the sites in question. For continued violations, traditional personnel remedies for infractions are appropriate.

The Bottom Line
The vast majority of today's businesses can't deny their workers access to the Internet. The trick is to implement measures that protect the company while keeping workers satisfied. Establishing and communicating a comprehensive Internet use policy, backed up by Web-filtering controls, provides the most productive and safest use of your employees' Internet time.


Best Practices For Internet Security

  1. Set a strong Internet use policy to reduce downloading of inappropriate content, mitigate against possible lawsuits, increase productivity, and ease bandwidth bottlenecks.

  2. Constantly update security software from a central location that isn't changeable by users.

  3. Install a firewall that supports host-based intrusion detection, mitigates against network worms, and identifies potential security breaches, including attacks from outside the organization and misuse from within the organization.

  4. The combination of a hardware- and software-based solution may be best for many enterprises.

  5. Use digital signatures, which encrypt transmissions over SMTP and FTP. For enterprises affected by HIPAA regulations, digital signatures are required to send patient data and other sensitive information over public networks.

Source: CDW

J.W. Olsen has been a full-time author, editor, and freelance book project manager with more than 1000 editorial credits for IT publishers since 1990, and has provided computer, Web site, and editorial services to other clients since 1985. He welcomes feedback via the e-mail response form at www.jwolsen.com.
