Locking Down The Internet

It's 10 a.m. -- do you know where your employees are? The time to set Internet use policies and implement Web-control measures is now.

October 27, 2005

12 Min Read

Internet access is an undisputed business necessity these days. Managing that access is essential for all businesses -- especially with today's increasing regulatory requirements. The good news is that software and hardware solutions to block, monitor, or otherwise control employee Internet access have never been better, but they must be balanced with legal, ethical, and related employee-morale issues. This is a tightrope that IT must learn how to walk.

The Problems Of Unrestricted Net Access
Employees spend an incredible amount of time on the Internet -- and often what they're doing is totally unrelated to their job. Jose Negron, technical director of Layton Technology, a developer of IT auditing and helpdesk software, cites a recent study by Salary.com and America Online that found that employees squander an average of two hours of company time per day online, at an annual cost of $759 billion.

Productivity isn't the only Net-access issue -- unsupervised employees are a prime target for spyware. According to Frank Cabri, VP of marketing at security solution provider FaceTime Communications, spyware costs enterprises $265 per user annually. He adds that during a recent three-month period, spyware threats quadrupled, and that recent polls show that two-thirds of IT managers name spyware as the top threat to their network security.

There's also a growing variety of apps -- including those for instant messaging, peer-to-peer file sharing, IP telephony, and anonymizing -- that employees can readily download and install without IT approval, all of which pose risk and some of which are actively malicious. FaceTime calls them "greynets." Cabri observes that such programs often evade network defenses using such techniques as port agility (jumping around among open ports) and encryption. He adds that users often don't realize their computers are being hijacked, and a malicious application may be downloaded via a seemingly harmless site.

[Figure: Source: FaceTime Communications Greynets Research Study, August 2005.]

Finally, uncontrolled Net access lets employees view objectionable content that can create a hostile environment for other workers and increase your company's legal liability. Massive streaming audio and video files can also put a strain on network resources.


Setting An Appropriate Use Policy
As Negron from Layton Technology notes, you wouldn't take phones off everyone's desk as the solution to personal calls on company time. The solution to the Net-access conundrum clearly lies in establishing an Internet policy and enforcing it through monitoring or other controls.

Such methods may raise the specter of Big Brother. "Most enterprises aren't interested in being 'network nannies,' just as most employees aren't excited about being babysat," says JoAnne C. Vedati, senior product market manager at security appliance maker Blue Coat Systems. But because of the hidden dangers of uncontrolled Internet access, and the employer's rights and responsibilities when providing that access, the enterprise has the ultimate responsibility for monitoring and control.

When setting Internet policy, observes Kurt Shedenhelm, president and CEO of network security vendor Palisade Systems, "an organization shouldn't treat employees as children." Many companies, for example, permit access to certain categories of Web sites -- such as shopping or sports news sites -- during lunch breaks or after closing time.

Soliciting and embracing employee input, as well as educating users about your Internet policy, is key to reducing the perception of Big Brother. When employees are part of the process, an employee-versus-employer atmosphere is less likely to develop.


Web Blocking Vs. Web Monitoring
Web-blocking software prevents employees from visiting Web sites that the company deems harmful or offensive. Web-monitoring software, on the other hand, lets the employer monitor employees' Net use without actually barring access to sites. Together, these solutions often are referred to as Web-filtering or Web-control software.

The blocking versus monitoring question is hotly debated. Monitoring software doesn't bar employees from visiting undesirable sites, but employee productivity tends to improve when they know they're being monitored. As FaceTime's Cabri notes, "You don't tend to drive 10 MPH over the speed limit when the highway patrol is right next to you." And when an employer confronts monitored employees with evidence of their Web abuse, there isn't much argument from employees. Giving employees the option to voluntarily adhere to the company Internet policy permits employers to act against abusers without penalizing others.

Blocking software takes a more active role in helping employees avoid undesirable sites, whether they would arrive there deliberately or accidentally (through phishing or pharming attacks or simple mistyping of URLs). However, blocking software can require more setup work than monitoring software. For example, you'll need to determine what content you want to block, and when (all the time or just during business hours?). You will also likely need to define different policies for different users. And employee productivity can suffer if essential sites are inadvertently blocked.

The consensus among experts is that monitoring software is less costly than blocking software -- at least in initial outlay. But don't forget to factor in follow-up costs, such as IT time to analyze and prepare reports of improper Internet activities, as well as the potential morale and legal issues when those activities pop up on displays around the enterprise.

But monitoring versus blocking isn't necessarily an either/or situation. The best solution may be to combine the two methods: block sites that are clearly against corporate policy and monitor other Internet usage to better define that policy or to take action against employees who abuse their privileges. Sanjay Raja, senior project manager for network security vendor Arbor Networks, goes further, advocating tracking all Internet usage, such as file transfers and peer-to-peer applications like instant messaging.
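The policy dimensions described above (which categories to block, whether to block all the time or only during business hours, different rules for different user groups) and the combined approach (block what is clearly against policy, allow-but-log the rest so the log can refine the policy) can be made concrete in a small policy evaluator. The following Python is an added example written for this article, not code from any vendor named in it; the category map, group names, business hours and block page wording are all constructed assumptions.

```python
"""Added example: a toy Web-control policy evaluator. It blocks a few
categories outright, blocks others only during business hours, applies
per-group exceptions, and allows-but-logs everything else (including
uncategorized sites) so the log can feed policy review. All category data,
groups and hours below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed category map; a real product ships a large, maintained list.
CATEGORIES = {
    "news.example.com": "news",
    "shop.example.com": "shopping",
    "scores.example.net": "sports",
    "adult.example.org": "adult",
    "proxy-anon.example.org": "anonymizer",
    "docs.vendor.example": "technology",
}
BLOCK_ALWAYS = {"adult", "anonymizer"}            # clearly against policy
BLOCK_IN_BUSINESS_HOURS = {"shopping", "sports"}  # permitted at lunch / after close
GROUP_EXCEPTIONS = {"marketing": {"sports"}}      # constructed per-group exception
BUSINESS_HOURS = [(time(9, 0), time(12, 0)), (time(13, 0), time(17, 30))]


@dataclass
class Decision:
    action: str      # "block" or "allow"
    category: str
    reason: str


def categorize(url: str) -> str:
    """Look the hostname up in the category map; unknown hosts stay 'uncategorized'."""
    host = (urlsplit(url).hostname or "").lower()
    return CATEGORIES.get(host, "uncategorized")


def in_business_hours(when: datetime) -> bool:
    if when.weekday() >= 5:          # Saturday / Sunday
        return False
    t = when.time()
    return any(start <= t < end for start, end in BUSINESS_HOURS)


def evaluate(groups: set, url: str, when: datetime) -> Decision:
    cat = categorize(url)
    if cat in BLOCK_ALWAYS:
        return Decision("block", cat, f"category '{cat}' is blocked at all times")
    exempt = set().union(*(GROUP_EXCEPTIONS.get(g, set()) for g in groups))
    if cat in BLOCK_IN_BUSINESS_HOURS and cat not in exempt and in_business_hours(when):
        return Decision("block", cat, f"category '{cat}' is blocked during business hours")
    # Everything else, including uncategorized sites, is allowed but monitored.
    return Decision("allow", cat, "permitted; request logged for policy review")


def deny_page(user: str, url: str, d: Decision) -> str:
    """Block page that names the user and states the reason, rather than a
    bare 'access denied'."""
    return (f"Access denied for {user}\nRequested: {url}\n"
            f"Category: {d.category}\nReason: {d.reason}\n"
            "This request has been logged under the company Internet use policy.")


def record(log: list, user: str, url: str, when: datetime, d: Decision) -> None:
    """Monitoring side: every decision, allowed or blocked, goes to the log."""
    log.append({"when": when.isoformat(), "user": user, "url": url,
                "action": d.action, "category": d.category})


def uncategorized_hosts(log: list) -> Counter:
    """Hosts allowed only because nobody has categorized them yet; reviewing
    this list is how monitoring data refines the blocking policy."""
    return Counter(urlsplit(e["url"]).hostname
                   for e in log if e["category"] == "uncategorized")


def handle(log: list, user: str, groups: set, url: str, when: datetime) -> Decision:
    d = evaluate(groups, url, when)
    record(log, user, url, when, d)
    return d


if __name__ == "__main__":
    log = []
    d = handle(log, "alice", {"sales"}, "http://shop.example.com/cart",
               datetime(2005, 10, 27, 10, 30))
    print(deny_page("alice", "http://shop.example.com/cart", d))
```

Uncategorized hosts default to allow-and-log rather than block, which is the choice that keeps essential sites reachable; an administrator then periodically reviews `uncategorized_hosts()` and promotes frequently seen hosts into a real category.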

Software Vs. Hardware
Another key issue is whether to adopt a software-only or hardware-based system. Software-only applications can be complex to manage and often require their own server. Products installed on individual user desktops take time to install.

Hardware appliances can simplify setup -- for instance, many can block certain sites or categories out of the box -- and centralize ongoing management. But appliances are often significantly more expensive than software-only solutions, which can put them out of reach for smaller businesses.

A third option is to use a managed Web-control service, which reroutes Internet traffic through a Managed Security Service Provider (MSSP). Martin Brown, group product manager of security service vendor MessageLabs, elaborates: "With an appliance- or software-based solution, [a company] may have to acquire new appliances, other hardware, licenses, backup procedures, hot standby machines, networking checks, load balancing, and more. With a managed service, no additional hardware or software is required and updates or changes in policy settings can be managed by the MSSP."

Costs
How much does a good Web-control solution cost? As any IT administrator or CIO who has been around the block for a budget cycle knows, pricing enterprise-class products involves many variables, including the number of seats, the specifically contracted features and services, and the phase of the moon.

Costs for your system will vary widely depending on the scale of your deployment, the type of solution you choose, and contract length. The bottom line is that you must do your homework, shop around, and negotiate well.

Beating The System
Can employees beat Web-control solutions? Arbor Networks' Raja says savvy users can easily use encryption to fool Web-blocking software. "Most blocking apps either look at the content or block based on port. Encrypted traffic is difficult to stop, since the content or the request for a URL is hidden and applications can use different ports to access the Internet."

Blue Coat's Vedati concurs that it is relatively easy to beat Web-blocking software: "Many solutions simply sniff Web traffic and terminate an unauthorized request. But because these deployments allow the request, they must send a reset message to the requesting client before the destination response reaches the client. Web-blocking software may be unable to keep up, allowing undesirable sites to be viewed." She adds, "Some software-based Web-blocking solutions tie authentication information to a specific IP address, which can easily be impersonated."

Not surprisingly, many vendors tout their own Web-control products as being more difficult to circumvent. For example, Palisade's Kurt Shedenhelm advocates appliances installed at the network gateway (such as his company offers). He asserts that passive appliances, unlike firewalls, are extremely difficult to detect, so there's really nothing for employees to circumvent.

Other experts note that employees can simply use third-party anonymous proxy servers, which relay requests to the destination on the employee's behalf; this can bypass blocked destinations and muddy the reports that Web-filtering products produce. Another tactic is to set up a dial-up connection that bypasses the corporate network altogether. Still other savvy users may obtain privilege levels that let them override corporate policy. If there's a ray of sunshine in such exploits, it's that almost anything employees do can be traced back to them. But that may be too little, too late for the employer.

A final challenge for blocking and monitoring solutions is that many sites defy categorization. For example, is a visit to Microsoft.com a search for technical help or a personal shopping spree?
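The evasion patterns this section describes (encrypted traffic on unexpected ports, authentication tied to an IP address that another machine later presents, use of anonymizing proxies, requests aimed straight at an IP rather than a categorizable hostname) all leave traces in gateway logs, which is the "traced back to them" point above. The following Python sweep is an added example written for this article, not a vendor's product logic; the log format, the sample connection records and the anonymizer host list are constructed for illustration.

```python
"""Added example: sweep constructed proxy/firewall connection records for the
evasion patterns the article describes and attribute each finding to the
authenticated user. Log format, sample data and host lists are constructed."""
import csv
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time,user,src_ip,dst_host,dst_port,protocol
SAMPLE_LOG = """\
2005-10-27T10:02:11,alice,10.1.5.20,news.example.com,80,http
2005-10-27T10:03:40,alice,10.1.5.20,docs.vendor.example,443,tls
2005-10-27T10:04:05,bob,10.1.5.31,proxy-anon.example.org,443,tls
2005-10-27T10:05:59,carol,10.1.5.44,203.0.113.7,8443,tls
2005-10-27T10:06:30,alice,10.1.5.77,shop.example.com,80,http
2005-10-27T10:40:00,alice,10.1.5.20,news.example.com,80,http
"""

ANONYMIZER_HOSTS = {"proxy-anon.example.org"}   # constructed category list
STANDARD_TLS_PORTS = {443}
BINDING_WINDOW = timedelta(minutes=5)           # how fast a user "moving" IPs is suspicious


def parse_log(text: str) -> list:
    events = []
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        ts, user, src, dst, port, proto = row
        events.append({"time": datetime.fromisoformat(ts), "user": user, "src_ip": src,
                       "dst_host": dst, "dst_port": int(port), "proto": proto})
    return events


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_nonstandard_tls(events: list) -> list:
    """Encrypted sessions on ports a content filter would not expect."""
    return [e for e in events if e["proto"] == "tls" and e["dst_port"] not in STANDARD_TLS_PORTS]


def find_direct_ip(events: list) -> list:
    """Requests to a bare IP sidestep hostname-based categorization."""
    return [e for e in events if is_ip_literal(e["dst_host"])]


def find_anonymizer_use(events: list) -> list:
    return [e for e in events if e["dst_host"] in ANONYMIZER_HOSTS]


def find_binding_conflicts(events: list, window: timedelta = BINDING_WINDOW) -> list:
    """The same authenticated user seen from two source IPs within `window`:
    consistent with an IP-bound authentication being reused from another host."""
    last_seen, conflicts = {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        prev = last_seen.get(e["user"])
        if prev and prev["src_ip"] != e["src_ip"] and e["time"] - prev["time"] <= window:
            conflicts.append({"user": e["user"], "first_ip": prev["src_ip"],
                              "second_ip": e["src_ip"],
                              "gap_seconds": int((e["time"] - prev["time"]).total_seconds())})
        last_seen[e["user"]] = e
    return conflicts


def sweep(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {"nonstandard_tls": find_nonstandard_tls(events),
            "direct_ip": find_direct_ip(events),
            "anonymizer": find_anonymizer_use(events),
            "binding_conflicts": find_binding_conflicts(events)}


def per_user_summary(findings: dict) -> dict:
    """Attribute every finding to a user: the evidence an employer would raise
    with the employee under the Internet use policy."""
    summary = defaultdict(set)
    for name, hits in findings.items():
        for hit in hits:
            summary[hit["user"]].add(name)
    return {user: sorted(names) for user, names in summary.items()}


if __name__ == "__main__":
    for user, names in per_user_summary(sweep()).items():
        print(user, ", ".join(names))
```

None of these checks proves misuse on its own (a laptop user legitimately changes IPs when moving between wired and wireless, and plenty of legitimate services use TLS on other ports), so the output is a review list for a human, not an automatic penalty. That matches the article's advice to first give the employee a chance to explain.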

As these issues highlight, Web-filtering products are an important tool to augment your company's Internet-use policies, not a panacea.

When Employees Go Where They Shouldn't
You must be prepared to deal with employees who stray into unwanted Internet territory. The first and most important step is carefully crafting and communicating explicit corporate policies, including penalties for infractions.

Some experts say that displaying a simple "access denied" screen in response to blocked destinations by itself can be a big help. The employee will most likely wonder if IT or their manager knows about the online misstep, and think twice before straying again. But Blue Coat's Vedati argues that to be truly effective, such screens should identify users by name and provide details about the blocked site, including the reason for site denial. That makes for a strong deterrent, regardless of whether a specific Web surfing episode is logged and pursued.

If monitored employees do break the rules, first give them the opportunity to explain why they visited the sites in question. For continued violations, traditional personnel remedies for infractions are appropriate.

The Bottom Line
The vast majority of today's businesses can't deny their workers access to the Internet. The trick is to implement measures that protect the company while keeping workers satisfied. Establishing and communicating a comprehensive Internet use policy, backed up by Web-filtering controls, provides the most productive and safest use of your employees' Internet time.

J.W. Olsen has been a full-time author, editor, and freelance book project manager with more than 1000 editorial credits for IT publishers since 1990, and has provided computer, Web site, and editorial services to other clients since 1985. He welcomes feedback via the e-mail response form at www.jwolsen.com.
