> -----Original Message-----
> From: mouss [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 19, 2000 4:11 PM
> To: Henry Sieff; 'Jeremy'; Firewalls
> Subject: RE: blcking sites
>
>
> At 14:58 19/09/00 -0500, Henry Sieff wrote:
> >It's terribly inefficient, but yes, you can. You can just add rules to
> >your forward chain denying to specific destinations. However, you are
> >going to spend a lot of time checking IP addy's and maintaining your
> >list of blocked sites.
>
> you can add to this the list of anonymisers.
>
>
> >In general, blocking access to web sites is a technical and political
> >nightmare. We did it for about a year, using a commercial product
> >which actually uses a combination of content rating and a list of
> >URLs separated by categories. It worked pretty well, but it turned
> >the IS department into everybody's mommy.
> >
> >You are MUCH MUCH MUCH better off logging all web traffic, and posting
> >a list of who went there, and relying on tried-and-true SHAME to keep
> >people from wasting time. We now use the same product to generate
> >reports, which are sent to the managers of each department. That way,
> >the annoying task of telling people who MAY be higher up than you in
> >the totem pole that they can't surf porn sites on company time will
> >fall on someone else.
>
> I agree that this is better than adding rules/maintaining lists...
>
> However, there are some problems:
>
> - privacy: who is allowed to see the log reports? the admin is ok, but why
> the managers? the FW is here for security, not for "spying" on
> the employees.
No, it's not. And I wouldn't recommend trying to do this at the
firewall. But, this isn't a privacy issue; not in the least. The
managers are allowed to see the reports because they can use them in
conjunction with employee performance to identify problems.
> - managers may jump to bad conclusions. While the admin can understand
> many things about networking, this is not necessarily the case of managers.
> indeed, for a manager, the "lost time" is the total time the user doesn't
> spend on working. but this is not exactly the same as the one in the logs
> (just imagine automatic downloads and the like. one can work while his
> machine is surfing!).
True.
[SNIP]
> limiting internet access to improve productivity is inefficient. After all,
> there are a lot of ways to lose time, and that may be done in ways that
> managers find good (give yourself a Dilbert reading).
Funnily enough, Dilbert is what shamed me into advising the IT
director to stop trying to limit access. We still keep logs though;
it's only prudent.
Henry