On Mon, 10 Jan 2000, Miss Yvette Seifert Hirth, CCP, CDP wrote:

> Date: Mon, 10 Jan 2000 11:59:24 -0600
> From: Miss Yvette Seifert Hirth, CCP, CDP <[EMAIL PROTECTED]>
> To: "List Server, Firewalls" <[EMAIL PROTECTED]>
> Subject: Content Filtering
> 
> Hi everybody!
> 
> I would like to posit a question regarding content filtering.  We have had
> several employees use IRC, ICQ, etc. as well as rather disgusting porno-type
> sites on company time.  We'd like to prevent this.

Configure your firewall to not allow anything that doesn't specifically go 
through it, and limit those services.  If you don't have a business 
reason for IRC and ICQ *why the heck are you letting the traffic through 
your firewall?*

> It changes the office environment severely and disrupts productivity when
> management is put in a position of cop/father and has to walk around
> snooping over what one would expect to be "professional" shoulders checking
> out what's on their terminal.  The bottom-line is we'd like to trust people,
> but sadly, we can't.  Some commentary on corporate operations, huh.  I'm
> sure we're not the only site where this has occurred nor continues to occur.
> A friend of mine told me that this is "a harbinger of a much more serious
> problem", but he can't find office staff that don't have a tendency to
> behave like this either!  Seems like a sign of the times, I guess.

Make sure that your usage policy forbids this behaviour.  Make sure that 
it explicitly states that you *are* allowed to check traffic, monitor 
usage and that _privacy is not going to happen_.  If you don't do this, 
and you start checking traffic, especially e-mail, you'll find yourself on 
the wrong end of Federal law in the United States.  More specifically the 
Electronic Privacy Communications Act.  I'd have every employee *sign* a 
copy of the usage agreement.

> We've even gone so far as to consider DOS-based email and then deny people
> the use of Mozilla, MS's Outlook Express, Netscrape, etc.  We turned
> thumbs-down on that, as once they get email, they can download any browser
> they want, thanks to sites like "netbutler", etc.

If you block HTTP and FTP they can't.  

> What I'm asking is - does anyone have any experience with content filtering
> software?  I've seen these "screening" programs, and wonder what kind of
> effectiveness they produce.  Are they a bear to maintain?  Are any sites
> victims of "false-positive" testing (i.e., screened when they shouldn't have
> been)?  How many sites, percentage-wise, continue to slip through?

You're probably allowing SSL out if you're allowing all that other crap.  
In that case, it's trivial for someone to put up a proxy server on the 
outside of the firewall and tunnel it all in through SSL.

> 
> Is there something better, like softs that run on firewalls?  The problem
> with most of these screening programs is that they install on a user's PC,
> which would imply, to me, that they could be disabled.  Installing a
> filtering mechanism on a firewall that's locked up with a password only a
> handful of people know would seem to be more "indefeatable".

It stops casual abusers; you'll still need to monitor employee behaviour 
and you'll still end up firing the stupid ones.  

> I'd really appreciate any experience anyone had; we're growing, and the
> problem is getting worse!

Usage policy, proxy server with all non-essential services turned off, if 
you *still* need to do filtering, you're better off firing a few managers.

If you make the lusers you allow Web access to log in to the firewall, 
feel free to produce usage reports for their managers, then make sure the 
managers sign a statement that they're responsible for keeping their 
employees in line ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
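
The per-user usage reports and the SSL tunnelling concern raised in the reply above, sketched as an added example that is not part of the original message. It assumes an authenticating proxy that writes Squid's native access.log layout (the post names no product); the sample lines and the tunnel thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout (an assumption; the
# post names no proxy product):
# time elapsed_ms client code/status bytes method URL user peer type
SAMPLE_LOG = """\
947527164.101    210 10.0.0.5 TCP_MISS/200 4312 GET http://intranet.example/ alice DIRECT/192.0.2.10 text/html
947527170.440    95 10.0.0.5 TCP_DENIED/403 1450 GET http://blocked.example/ alice NONE/- text/html
947527201.007 5400000 10.0.0.7 TCP_MISS/200 73400320 CONNECT relay.example:443 bob DIRECT/203.0.113.9 -
947527230.512    830 10.0.0.7 TCP_MISS/200 18230 CONNECT bank.example:443 bob DIRECT/198.51.100.4 -
947527260.900    120 10.0.0.9 TCP_DENIED/407 1720 GET http://news.example/ - NONE/- text/html
this line is truncated
"""

# Hypothetical thresholds: a CONNECT session this long or this large looks
# more like a tunnel to an outside proxy than an ordinary HTTPS page load.
TUNNEL_MIN_MS = 30 * 60 * 1000
TUNNEL_MIN_BYTES = 50 * 1024 * 1024

def usage_report(log_text):
    """Return ({user: stats}, skipped_line_count) from Squid-style log text."""
    report = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0, "tunnels": []})
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[1].isdigit() or not fields[4].isdigit():
            skipped += 1          # malformed or truncated: count it, don't guess
            continue
        elapsed_ms, client, result, size = int(fields[1]), fields[2], fields[3], int(fields[4])
        method, url, user = fields[5], fields[6], fields[7]
        # Unauthenticated requests carry "-" as the user; key them by client IP
        who = user if user != "-" else "unauthenticated@" + client
        stats = report[who]
        stats["requests"] += 1
        stats["bytes"] += size
        if result.startswith("TCP_DENIED"):
            stats["denied"] += 1
        if method == "CONNECT" and (elapsed_ms >= TUNNEL_MIN_MS or size >= TUNNEL_MIN_BYTES):
            stats["tunnels"].append(url)
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = usage_report(SAMPLE_LOG)
    for who, s in sorted(report.items()):
        print(who, s["requests"], "req", s["bytes"], "bytes", s["denied"], "denied", s["tunnels"])
    print("skipped lines:", skipped)
```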
