As the security admin for a large law firm, we recognized that content filtering 
packages were not going to be as effective as logging and policy enforcement. But we 
had to include it more from a "due diligence" perspective as opposed to stopping any 
prohibited surfing. In the event of a lawsuit we have to provide evidence that we 
have done all we can to prevent this type of access, and the few thousands of dollars 
to implement it could save much much more in the event of a suit. 

So, basically, the content filtering people make a lot of money off the fear of getting 
sued! 

In addition, I do proxy logging and use SessionWall to get some real data.

Regards
James 

>>> <[EMAIL PROTECTED]> 02/28/00 05:10pm >>>
Sorry Bennett, I have always made it pretty obvious that I work for a
vendor when I submit to the list, but I'm happy to include a disclaimer at
the top.

To wit: I work for a provider of a content filtering application. I also
manage a corporate network.

You wrote:

>How is this different than the same idiot employees bringing
>in books or magazines to read, or games to play? Do these same
>employers search them on the way in and out every day looking for
>such non-work-related contraband?

What's your point, that because employers don't search employees for books
they shouldn't prevent them from surfing porn??? Seriously, the legal cases on
hostile environment center on the fact that the employer provided access to
the offensive material by providing the network and internet connection...it
*is* different than something the employee brings in to the workplace
themselves.

>I've known employees to use the company telephones to conduct large
>amounts of private business, at least briefly; they didn't remain
>employees for long. Amazingly, this didn't require special analytic
>systems in the telephone switch, either.

74% of the corporations in the U.S. use call accounting software (according
to one of those vendors). Serves pretty much the same function, though it
doesn't tell a manager whether the calls were personal or business. The web
has static (relative to phone conversations) content, so it's a possibility
in web blocking and content filtering products. Either way, if someone is
going to be terminated for cause, as you suggest, you'd better document
their abuses.

>> Companies that are concerned about workers spending too much time
>> on recreational surfing, have a right to limit how their network
>> is used.
>
>Sure, but is that a good idea? Yes, it will catch people who don't
>take the trouble to sidestep the screening software.
>
>But it's far, far better to treat the problem as what it is, a
>people problem, and not try (and fail) to kludge up a technical
>fix.......

You're assuming management can detect the problem before it becomes
a lawsuit, or before the employee has spent a few hundred hours surfing...
not realistic in many cases, in my experience....

>Far, far better to simply instrument what everyone does, and
>advertise widely that the instrumentation is directly visible to
>anyone and everyone. Put a simple proxy in place, digest its logs
>into a database, and provide a nice CGI so anyone can ask who
>browsed any URL containing a string, and what URLs any user
>downloaded.

So it would be OK for all your co-workers to know when someone has
developed breast cancer and is researching potential treatments? Or went
shopping at Victoria's Secret during their lunch hour? Interesting....

>I do like some kinds of content filtering; I definitely favour e.g.
>http proxies that strip out all java, javascript, and active-x.

Agree

>Enforcing appropriate use policies, though, that's a breathtakingly
>stupid thing to do in code. Use people, they're better at it.

Your solution doesn't scale, and people aren't objective.

>> The company is also better served if it is prepared to manage
>> its employees. Simply blocking access with a block list or an
>> appliance doesn't change behavior, it even presents a challenge
>> to the more technically inclined. But the technology exists to
>> provide feedback to managers, and allow them to tell employees to
>> knock it off,... before a small problem becomes a big problem.
>
>Yup, in fact the block list and "inappropriate content screening"
>are a bad idea, and the only useful part is the information
>reporting. And that's well done with off-the-shelf open source
>components.

Let's remember, the original request came from an admin that didn't have
the time to keep track of offensive URLs. The kind of solution you are
suggesting works if
1) you don't care if you miss a lot of offensive websites
2) you're willing to spend a lot of time customizing your solution to allow
sites that commonly show up as false positives on the crude string matching
available as off-the-shelf open source.

Regards,
Duncan
Elron Software, Inc.
(yes we're a content filtering software vendor)
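
The proxy-log reporting proposed in the quoted text, and the objection about crude string matching raised in the reply, shown together as an added example that is not from either poster or from any product named in the thread. It assumes Squid's native access.log field layout (the thread names no proxy); the log lines, users, and URLs are constructed, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample lines in Squid's native access.log layout (an assumption).
# Fields: time elapsed client action/code bytes method URL user hierarchy type
SAMPLE_LOG = """\
951772200.101 120 10.0.0.11 TCP_MISS/200 4312 GET http://www.example.com/news/index.html alice DIRECT/192.0.2.10 text/html
951772260.522 340 10.0.0.12 TCP_MISS/200 9120 GET http://health.example.org/breast-cancer/treatment.html bob DIRECT/192.0.2.20 text/html
951772320.007 95 10.0.0.13 TCP_HIT/200 2210 GET http://adult.example.net/xxx/gallery1.html carol NONE/- text/html
951772380.450 210 10.0.0.12 TCP_MISS/200 5100 GET http://recipes.example.org/chicken-breast.html bob DIRECT/192.0.2.30 text/html
this line is malformed and is skipped
"""

def load_log(conn, text):
    """Digest proxy log lines into a table; return the number of rows stored."""
    conn.execute("CREATE TABLE IF NOT EXISTS access "
                 "(ts REAL, client TEXT, user TEXT, method TEXT, url TEXT)")
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10:          # truncated or corrupt line
            continue
        try:
            ts = float(parts[0])
        except ValueError:           # first field is not a timestamp
            continue
        rows.append((ts, parts[2], parts[7], parts[5], parts[6]))
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?)", rows)
    return len(rows)

def who_browsed(conn, needle):
    """Who fetched any URL containing the string (case-insensitive, literal)."""
    cur = conn.execute("SELECT user, url FROM access "
                       "WHERE instr(lower(url), lower(?)) > 0 ORDER BY ts",
                       (needle,))
    return cur.fetchall()

def urls_for_user(conn, user):
    """Every URL a given user downloaded, in time order."""
    cur = conn.execute("SELECT url FROM access WHERE user = ? ORDER BY ts", (user,))
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(load_log(db, SAMPLE_LOG), "rows loaded")
    for user, url in who_browsed(db, "breast"):
        print(user, url)   # a medical page and a recipe, no offensive content
```

A search for "breast" returns only the medical and recipe requests, which is both the false-positive problem and the exposure of private browsing that the reply describes; access to such a report is usually restricted and itself logged.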
