3.12 How can I restrict web access so users can't view sites unrelated to work?
A few years ago, someone got the idea that it's a good idea to block
``bad'' web sites, i.e., those that contain material that The Company
views ``inappropriate''. The idea has been increasing in popularity,
but there are several things to consider when thinking about
implementing such controls in your firewall.
- It is not practical to block everything that an employer deems
``inappropriate''. The Internet is full of every sort of material.
Blocking one source will only redirect traffic to another source of
such material, or cause someone to figure out a way around the block.
- Most organizations do not have a standard for judging the
appropriateness of material that their employees bring to work,
i.e., books, magazines, etc. Do you inspect everyone's briefcase
for ``inappropriate material'' every day? If you do not, then why
would you inspect every packet for ``inappropriate material''? Any
decisions along those lines in such an organization will be
arbitrary. Attempting to take disciplinary action against an
employee where the only standard is arbitrary typically isn't wise,
for reasons well beyond the scope of this document.
- Products that perform site-blocking, commercial and otherwise,
are typically easy to circumvent. Hostnames can be rewritten as IP
addresses. IP addresses can be written as a single 32-bit integer
value, or as four 8-bit integers (the most common, dotted form).
Other encodings exist as well. Connections can be proxied. Web
pages can be fetched via email. You can't block them all. The
effort that you'll spend trying to implement and manage such
controls will almost certainly far exceed whatever damage control
you're hoping to achieve.
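As an added illustration of the point above (not part of the original FAQ), this Python sketch shows why a filter that string-matches hostnames misses the same site written as a 32-bit integer address, and what a filter has to compare instead; the blocklist entry and the name-to-address table are constructed stand-ins, not real sites.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS so the example
# runs offline; "example.test" is a placeholder, not a real site.
FAKE_DNS = {
    "example.test": "203.0.113.10",
}


def canonical_host(url):
    """Return the dotted-quad address a URL's host denotes, or None.

    Accepts a hostname (looked up in the constructed table), a dotted
    quad, or the same address written as one 32-bit integer, the forms
    the FAQ mentions as trivial rewrites of a site's name.
    """
    host = urlsplit(url).hostname
    if host is None:
        return None
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        if host.isdigit():                             # e.g. "3405803786"
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.IPv4Address(host))        # e.g. "203.0.113.10"
    except ValueError:                                 # not an address we know
        return None


def naive_blocked(url, blocklist):
    """String match on the host, the way a simple filter does it."""
    return urlsplit(url).hostname in blocklist


def canonical_blocked(url, blocklist):
    """Compare the address the request host denotes against the
    canonical addresses of every blocklist entry, not the spelling."""
    blocked_addrs = {canonical_host("http://" + h + "/") for h in blocklist}
    return canonical_host(url) in blocked_addrs


if __name__ == "__main__":
    rules = {"example.test"}
    for u in ("http://example.test/", "http://3405803786/", "http://203.0.113.10/"):
        print(u, "naive:", naive_blocked(u, rules), "canonical:", canonical_blocked(u, rules))
```

Even the canonicalizing version only covers the address forms it knows about; the FAQ's point is that the list of equivalent spellings and indirections (proxies, email fetches) is open-ended.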
The rule-of-thumb to remember here is that you cannot solve social
problems with technical solutions. If there is a problem with someone
going to an ``inappropriate'' web site, that is because someone else saw
it and was offended by what he saw, or because that person's
productivity is below expectations. In either case, those are matters
for the personnel department, not the firewall administrator.