At 14:58 19/09/00 -0500, Henry Sieff wrote:
>It's terribly inefficient, but yes, you can. You can just add rules to
>your forward chain denying to specific destinations. However, you are
>going to spend a lot of time checking IP addy's and maintaining your
>list of blocked sites.
You can add to this the list of anonymisers.
>In general, blocking access to web sites is a technical and political
>nightmare. We did it for about a year, using a commercial product
>which actually uses a combination of content rating and a list of
>URLs separated by categories. It worked pretty well, but it turned
>the IS department into everybody's mommy.
>
>You are MUCH MUCH MUCH better off logging all web traffic, and posting
>a list of who went there, and relying on tried-and-true SHAME to keep
>people from wasting time. We now use the same product to generate
>reports, which are sent to the managers of each department. That way,
>the annoying task of telling people who MAY be higher up than you on
>the totem pole that they can't surf porn sites on company time will
>fall on someone else.
I agree that this is better than adding rules/maintaining lists...
However, there are some problems:
- privacy: who is allowed to see the log reports? The admin is ok, but why
the managers? The FW is here for security, not for "spying" on the employees.
- managers may jump to bad conclusions. While the admin can understand
many things about networking, this is not necessarily the case for managers.
Indeed, for a manager, the "lost time" is the total time the user doesn't spend
on working. But this is not exactly the same as the one in the logs (just
imagine automatic downloads and the like; one can work while his machine is
surfing!). Also, if you receive messages from a mailing list, you'll be in the
top-mail-recipients, even if you don't read them. ...
Limiting internet access to improve productivity is inefficient. After all,
there are a lot of ways to lose time, and that may be done in ways that
managers find good (give yourself a Dilbert reading).
The only reason I see for limiting access is for legal or reputation problems.
But that's a long long story. After all, I'm not a lawyer :)
regards,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
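The point raised in the reply above, that raw hit counts in a web log are not the same thing as time a person spent surfing, can be seen in a small report generator. The code below is an added example and is not part of the thread or of any product mentioned in it; the "timestamp user host bytes" log format and the two sample users (a browsing user and a machine running an unattended download) are constructed for the example and are not any real proxy's log format. It groups each user's hits into sessions separated by silence and reports estimated attended minutes next to the hit count, so that a burst of thirty automatic fetches in one minute is not read as thirty times the activity of a few page views spread over an hour.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The "timestamp user host bytes" layout is an
# assumption made for this example, not any real proxy's native format.
BOB_LINES = [
    "2000-09-19T09:00:00 bob news.example 3000",
    "2000-09-19T09:03:00 bob news.example 3000",
    "2000-09-19T09:07:00 bob dilbert.example 3000",
    "2000-09-19T09:10:00 bob dilbert.example 3000",
    "2000-09-19T09:40:00 bob docs.example 3000",
    "2000-09-19T09:45:00 bob docs.example 3000",
]
# alice's machine fetches a mirror unattended: 30 hits in under a minute.
ALICE_LINES = [
    f"2000-09-19T09:00:{2 * i:02d} alice mirror.example 500000" for i in range(30)
]
SAMPLE_LOG = "\n".join(BOB_LINES + ALICE_LINES) + "\n"

SESSION_GAP = timedelta(minutes=5)  # silence longer than this ends a session


def parse_line(line):
    """Parse one 'timestamp user host bytes' line into a tuple."""
    ts, user, host, nbytes = line.split()
    return datetime.fromisoformat(ts), user, host, int(nbytes)


def parse_log(text):
    """Parse the whole log text, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def active_minutes(timestamps, gap=SESSION_GAP):
    """Estimate attended time: split hits into sessions wherever two hits are
    more than `gap` apart, then sum each session's first-to-last span.
    A burst of 30 hits in one minute therefore counts as about one minute."""
    stamps = sorted(timestamps)
    if not stamps:
        return 0.0
    total = timedelta()
    start = prev = stamps[0]
    for ts in stamps[1:]:
        if ts - prev > gap:
            total += prev - start
            start = ts
        prev = ts
    total += prev - start
    return total.total_seconds() / 60


def build_report(records):
    """Aggregate parsed records into a per-user summary dictionary."""
    per_user = defaultdict(lambda: {"hits": 0, "bytes": 0, "hosts": set(), "stamps": []})
    for ts, user, host, nbytes in records:
        entry = per_user[user]
        entry["hits"] += 1
        entry["bytes"] += nbytes
        entry["hosts"].add(host)
        entry["stamps"].append(ts)
    report = {}
    for user, entry in per_user.items():
        report[user] = {
            "hits": entry["hits"],
            "bytes": entry["bytes"],
            "hosts": len(entry["hosts"]),
            "active_minutes": round(active_minutes(entry["stamps"]), 2),
        }
    return report


def format_report(report):
    """Render the summary as a plain-text table, most active user first."""
    lines = [f"{'user':<8}{'hits':>6}{'hosts':>7}{'MB':>8}{'active min':>12}"]
    for user in sorted(report, key=lambda u: -report[u]["active_minutes"]):
        r = report[user]
        lines.append(
            f"{user:<8}{r['hits']:>6}{r['hosts']:>7}"
            f"{r['bytes'] / 1e6:>8.1f}{r['active_minutes']:>12.2f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(parse_log(SAMPLE_LOG))))
```

On the constructed input, alice shows 30 hits and 15 MB but under one attended minute, while bob shows 6 hits and 15 attended minutes; a report that only listed hits or bytes would rank them the other way round. The five-minute session gap is a tunable assumption, and the estimate still says nothing about whether the person was at the keyboard, which is the reply's point about who should be reading such reports.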