To Visit Or Not To Visit?

Now is the time for companies to set policies on Internet use and implement Web-control measures
Blocking software takes a more active role in helping employees avoid undesirable sites, but it can require more setup work than monitoring software. For example, you'll need to determine what content you want to block. You'll also likely need to determine different policies for different users. And employee productivity can be affected if essential sites are inadvertently blocked.

Monitoring software is less costly than blocking software, at least initially. But don't forget to factor in follow-up costs, such as IT time to analyze and prepare reports of improper Internet activities, as well as the potential morale and legal issues when those activities pop up on displays around the company.

Monitoring versus blocking isn't necessarily an either/or situation. The best solution may be to combine the two methods: Block sites that clearly are against corporate policy and monitor other Internet usage to better define that policy or to take action against employees who abuse their privileges.

Savvy workers can use encryption to fool Web-blocking software, says Sanjay Raja, senior project manager for network-security vendor Arbor Networks. "Most blocking apps either look at the content or block based on port. Encrypted traffic is difficult to stop, since the content or the request for a URL is hidden and applications can use different ports to access the Internet."

Blue Coat's Vedati concurs: "Many solutions simply sniff Web traffic and terminate an unauthorized request. But because these deployments allow the request, they must send a reset message to the requesting client before the destination response reaches the client. Web-blocking software may be unable to keep up, allowing undesirable sites to be viewed." She adds, "Some software-based Web-blocking solutions tie authentication information to a specific IP address, which can easily be impersonated."

Not surprisingly, many vendors tout their own products as being more difficult to circumvent. Palisade's Shedenhelm advocates appliances installed at the network gateway, like what his company offers. Passive appliances, unlike firewalls, are difficult to detect, so there's really nothing for employees to circumvent, he says.

Other experts note that employees can simply use third-party, anonymous proxy servers, which redirect requests to a destination and can bypass Web-blocked destinations and obfuscate the reports of Web-filtering alternatives. Another tactic is to set up dial-up network connections to bypass the business network. Others might wrangle privilege levels that forestall company policy. If there's a ray of sunshine in such exploits, it's that almost anything employees do can be traced back to them. But that may be too little, too late.

When Employees Go Astray
You must be prepared to deal with employees who stray into unwanted Internet territory. The first and most important step is carefully crafting and communicating policies, including penalties for infractions.

Displaying a simple "access denied" screen in response to blocked destinations can be a big help, some experts say. Such screens should identify users by name and provide details about the blocked site, including the reason for site denial, Blue Coat's Vedati says. If monitored employees do break the rules, first give them the opportunity to explain why they visited the sites in question. For continued violations, traditional remedies for infractions are appropriate.

The majority of businesses can't deny workers access to the Internet. The trick is to implement measures that protect the company while keeping workers satisfied. Establishing and communicating a comprehensive Internet-use policy, backed by Web-filtering controls, provides the most productive and safest use of your employees' Internet time.

Illustration courtesy of Getty Images

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing