• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Network Policy (need your thoughts)

rayoc79

Gawd
Joined
Dec 10, 2004
Messages
734
Ok, so I am the Deskside Support Technician at my company and along with the Net Admin, we have only been here for a little over 6 months. The previous regime was horrible and pretty much let the users do anything they wanted whenever they wanted to do it. We have cleaned things up alot and he is implementing SurfControl to obviously block certain content from making it through. An email was sent out stating this and there has been a little bit of an uproar. Now my first and strongest reaction is.....TUFF......in the nicest IT way you can communicate to the general public.

Here is the email with my company's info removed. More comments following.

Audience:

All Company Users

Event Details:

As part of the Network Infrastructure Improvement project, all Internet access will be filtered by the SurfControl application. Surfcontrol is designed to block unnecessary and/or harmful content while still allowing the maximum access to websites needed to do your daily job functions.

What to Expect:

On August 1st, 2006 the following types of Internet categories will be blocked by Surfcontrol: Adult Material, Illegal Drugs, MP3's, Gambling, Gaming, Illegal material, Hacking, Instant Messaging , Racism and Hate, Internet Radio and Streaming Video, Web-based E-mail (Yahoo, Google, etc), Tasteless sites , Violence, Weapons, and Peer-to-Peer sites.

Reason for Web Filtering:

To improve network response time for email and business related Internet access and to maximize the response time of Company's web servers. In addition, this effort will attempt to protect our network and computer assets from viruses and/ or attacks from hackers.

Action Required:

None.

After the Launch Date, please E-Mail an email address that was here if any work related Internet Web Sites are being blocked by Surfcontrol. We will be monitoring this e-mail box and determining what action to take for each site on a case by case basis.

Thank you for your understanding and cooperation,



Company IT




Now the real issue that people are having is with the Web-based E-mail (Yahoo, Hotmail, e.t.c) and some of their concerns are legitimate. We also have class instructors who aren't company paid that come in and use our guest wireless network to access their web-based email. Since web-based email is going to be blocked company/network-wide, this may pose some issues/concerns.

Even though I am part of IT, I feel that web-based email shouldn't be blocked. Now I can understand that Internet Radio and Streaming Video should be blocked because its takes up alot of bandwidth, but web-based email? I guess maybe I just can't comprehend how much bandwidth web-based email takes up. I do understand that viruses can come through this format but we haven't seen any yet and we run symantec enterprise throughout.

We have only 50 employees and a single T1 line is available for data bandwidth. So the need to free up bandwidth is of utmost importance. But I've been with companies (Ford, EDS/GM) who have not blocked web-based email and just don't understand why we have to.

What do you think? What does your company do? And what do you feel about company policies like this?
 
My company only blocks well known download sites and programs (Limewire, etc) but allows full access to everything. They control traffic by blocking certain ports between the intranet and the internet. We are allowed to stream radio, use AIM, etc. I think the policy you have implemented is a bit too restrictive. That being said, having this access at my company does not affect productivity and I am sure they would tighten down if it did. Was productivity suffering due to the open network policy at your company?
 
zyonuf79 said:
I think the policy you have implemented is a bit too restrictive.

Without knowing what business the company does I'm not sure if you can definately make that statement.

Thanks to HIPAA and SarBanesOx things like IM and Email have to be closely monitored, for all we know this company still isn't doing enough to restrict traffic out of the corporate network.
 
I prefer to block email that is not part of the enterprise solution. The resoning is:
- Viruses, Malicous Content, etc. - Just because it comes from Yahoo doesn't mean you should trust them.
- Productivity - Email should be work related. Checking personal email is not a work related task.
- Confidentiality - Confidential information could be transfered little knowledge of the IT department.
- Support - If you allow it, you must support it. You can reduce help desk calls by blocking it.
 
We had 80 people on a T1 and didn't block anything. A few years ago we installed GFI DownloadSecurity to block content by file type - this achieved the main goal of preventing spyware/adware/trojans from being downloaded & installed. Aside from that we don't do any content filtering - our policy is that everyone is a grown up. We discourage the use of streaming radio/video because of bandwidth concerns, but it hasn't been a big problem. As long as people get their work done, what you do on the web (short of porn) won't matter. In fact, we ENCOURAGE the use of webmail - it keeps our company e-mail clean and makes bayesian filtering much more effective.
 
The big problem with Web Based E-Mail is security. At my company, we got hit hard by "Melissa" a few years ago. The corporate outlook servers blocked it just fine, but some genius opened the infected attachment on his hotmail account, and that's all she wrote. After that, we locked down all access to Web Mail. Most of the Web Mail providers do a good job of filtering, now, but are you willing to trust your corporate network to them?

-PP
 
Malk-a-mite said:
Without knowing what business the company does I'm not sure if you can definately make that statement.

Here is an excerpt.

To provide an open forum where members cooperate in developing and promoting solutions that enhance the prosperity of the automotive industry. Our focus is to continuously improve business processes and practices involving trading partners throughout the supply chain.
 
zyonuf79 said:
Was productivity suffering due to the open network policy at your company?

From what I gather, not really. The Net Admin and I have been here for over 6 months now and it seems that people aren't really non-productive. They are just use to things being a certain way. I am all for change, but I just don't understand restricting web-based mail. I understand that viruses can come through and that we have to protect the network, but I'm trying to find out if there is a valid reason to block it or if it is being blocked because the Net Admin feels that he can.
 
PixPirate said:
Most of the Web Mail providers do a good job of filtering, now, but are you willing to trust your corporate network to them?

This would be a main reasoning for blocking it and I agree totally.
 
You have to ask your self how much it would cost if something does get through. You said you use Symantec. They update their definitions once a week. What will you do the day after the definition updates, a new virus is released and it brings down your network? How much downtime is OK? How much downtime is OK when it could have been prevented?

The old fable holds true: An ounce of prevention is worth a pound of cure. Also, a default allow security model is inherently insecure. You will always be reactive. To achieve better security, you must be proactive. This means using a default deny security model.

After managing several large infrastructures, I can assure you I do not set up any system so that users by default have access to it. It a good security practice to say the least.

We can give you many good reasons to implement a default deny model, but plenty of reasons have already been given. You can lead a horse to water, but you can't make them drink. It's up to you. It's your network, and your ass when something goes to hell. You decide how much that ounce of prevention is worth.

EDIT: Not trying to insult anyone here. Some things I speak passionately about, and security is one of them.
 
PixPirate said:
The big problem with Web Based E-Mail is security. At my company, we got hit hard by "Melissa" a few years ago. The corporate outlook servers blocked it just fine, but some genius opened the infected attachment on his hotmail account, and that's all she wrote. After that, we locked down all access to Web Mail. Most of the Web Mail providers do a good job of filtering, now, but are you willing to trust your corporate network to them?

-PP

If you don't let users download all filetypes under the sun, it's not a problem.

The same goes for IM.
 
ok, put some major thinkin into this question because we all are faced with it.

50 computers should not be putting a burden on a T-1. We manage over 300 computers in 4 countries sharing a single T-1 and barely reach 80% utilization for any substantial periods of time. Is the bandwidth really being taken up, is the T-1 not performing at its peak, do you have poor network design, or is that an excuse for imposing tough restrictions? They should monitor who is consuming the bandwidth, and what ports they are using so that they can see what changes would have the real impact on network utilization. If one person is using all of the bandwidth to download photos from their friends site, no amount of control is going to help. Another tool is simple bandwidth metering, with 50 computers you should have your firewall avoid giving anyone more than 25% of the bandwidth and you may throttle this back so that they only get 5% of the bandwidth after 10 minutes. You can also do more complex stuff by only cutting them back when the bandwidth utilization is over 75%.

As general rules… putting decisions in the proper hands, the problems that this company faces would not be IT’s.

IT should only be pushing the company to block content dangerous to the computers and network itself as part of its security policy. This is content that is clearly dangerous to the computer such as sites likely to contain spyware, viruses and other bugs. Executive management or HR should agree with IT’s control of these items. (Adult Material, MP3's, Gambling, Hacking, Downloading through Instant Messaging)

Some sites fall in the middle and are very likely to push resources too far. Whoever holds the purse strings saying that IT cannot put in a second T-1 should be the one to make decision on things that fall into this category. Sometimes its IT, sometimes its executive management and sometimes it’s a matter of IT stating its concerns and IT and management agreeing together. (Internet Radio and Streaming Video)

Any content filtering beyond that, that is content specific and not a gross misuse of networking resources should be determined HR or executive non-IT management and not IT. IT should not be making these decisions, and should not be letting people judge them by these decisions. That way it is corporate management or HR and not IT that takes the blunt of the punishment. IT is a service to the company, and it is detrimental to allow any concept to foster that IT somehow is a bunch of anal retentive geeks that are power hungry and locking the company down for non financial reasons. Illegal material, Web-based E-mail (Yahoo, Google, etc), Tasteless sites , Violence, Weapons, and Peer-to-Peer sites. Illegal Drugs, Racism and Hate, Gaming,
 
I used to work for the USAF as a desktop support technician and the helpdesk. Everything was blocked, even humor.. Go figure. I guess humor is frowned upon in the Air Force! We were to block any and all traffic that was NOT work related. If for some reason you needed access to a website you had to submit a form and then access would be granted or denied based on the reasons given. Now that being said, I don't say that I completely agree with their policies. But I do understand the reason behind locking everything down and then giving permissions to those who really need access to a particular service.

One of the issues that we ran into with email at the helpdesk is the customer that calls and says "I am not receiving email from off base". Without having access to webmail and third party emails, troubleshooting this problem is very dificult.

I now run a consulting business and by default we lock everything down and then give the client access to the things that they ask for. If they ask for us to allow IM services, we discuss with the client about security risks about allowing IM services and try to offer an alternate solution. We also block webmail, as most of the time there is no need for webmail as it is not part of their daily job and therefore there is no reason that the company should pay for John Doe to check on his ebay auctions through his webmail. As stated before we (IT) has no control over content and viruses that could come across webail.

I agree with the posts before me about security, as it should be held to the highest level.
 
Here at work, I block all web mail. Everything from GMail to Verizon. Our reasoning was that an employee shouldn't need access to those services as work email should come through out email system.
 
Emphasize that these measures are in place to protect the company against any liability bullshit (downloading copyrighted material, illegal material (child porn,ect)

The last thing you want is the RIAA coming down on you because an employee is running a server off of a client machine or main server of copyrighted material.

My college had to deal with child porn. :eek: I don't know if it was downloaded or viewed, but it could have had some serious legal consequences if it got out to local officials.

My dad likes browsing Yahoo Fantasy Sports, and that was blocked on a governent computer because of the word "Fantasy". Thats fine, he should have been working anyways :)

Emphasize that these restrictions are in place for the common good of the company.
Network downtime, depending on your industry, can be devestating and cause losses.

Working in my college's IT department has exposed me to a small portion of bull shit that IT has to deal with.

A lot of people will probably complain that they will have nothing to do during slow times at the office. Slow times will exist where there is simply not much to be done, and having one's Internet browsing capabilities limited during slow times will drive some insane.

Also, I dunno if you have such a policy in effect, but a measure against those who damage network hardware, client computers, or servers should be included.
We had staff at my college who would no lie, destroy computers through random abuse (massive music downloading, strenuous computing activities, spamming servers with random bull shit files). Sounds far fetched, but it happens, and my college has seriously considered taking away a staff's computer priviledges for destroying (seriously) two computers and causing unnecessary stress on network resources.

My thoughts, best of luck with the implementation.
 
I work in the aerospace defense industry. We have very strict security measures in place when it comes to what goes in/goes out of our network.

Web-based email is a no-no. Company email should suffice for employees who are working. If an employee needs to take work home, they either have a laptop to do that with, or vpn from home using a SecurID card and use our web-based email through our intranet portal.

Where I work, I needed to request a security exception to send email outside of our corporate domain. When you send something over the net, you don't know where it's going or who will access it. ITAR and any export controlled data needs to be encrypted with our company standard. Classified program information isn't connected to the internet anyways, and that's a whole 'nother story.

Again, web-based email should not be allowed. There is no "legitimate" reason why web-based email is ok to use.
 
benzino_86 said:
A lot of people will probably complain that they will have nothing to do during slow times at the office. Slow times will exist where there is simply not much to be done, and having one's Internet browsing capabilities limited during slow times will drive some insane.

I used to run into this.. What I do now is I walk around the office and start striking up conversations with different people, finding out what it is they do, what they've been working on lately, etc.. Time goes by a lot quicker when you're joking and having fun.

Also, this may cause you to receive more work because people see you're not as busy. Could be good or bad....
 
Stang Man said:
Again, web-based email should not be allowed. There is no "legitimate" reason why web-based email is ok to use.

True, there's no work related reason. However, if the company doesn't deal with sensitive information and the company's policy is to treat people like adults, it's fine. As long as people get their work done on time and aren't doing anything illegal (application level firewall & download content type filters help ensure this), there isn't much downside to allowing relatively free use of the web. There's also the added bonus of keeping personal correspondence out of our exchange server.
 
da sponge said:
True, there's no work related reason. However, if the company doesn't deal with sensitive information and the company's policy is to treat people like adults, it's fine. As long as people get their work done on time and aren't doing anything illegal (application level firewall & download content type filters help ensure this), there isn't much downside to allowing relatively free use of the web. There's also the added bonus of keeping personal correspondence out of our exchange server.
Security is but one reason. Productivity is another. Confidentiality is another. So, you treat your users like adults. Would you treat every web site and every email from every source the same way you trust your employees? If you don't trust the internet, why would you trust the content that comes from it?

Default deny is a basic security principle. If a person doesn't understand why, no offense, but I really wouldn't want them working on security at my company. This type of attitude is what leads to the headlines in the papers about security breaches and the loss of personal information.

Complacency is security's enemy.
 
da sponge said:
True, there's no work related reason. However, if the company doesn't deal with sensitive information and the company's policy is to treat people like adults, it's fine. As long as people get their work done on time and aren't doing anything illegal (application level firewall & download content type filters help ensure this), there isn't much downside to allowing relatively free use of the web. There's also the added bonus of keeping personal correspondence out of our exchange server.

I can't trust 40,000 employees. I can't even trust 1000 to be good.

The company I work for rakes in about $10 billion in revenue each year, and growing. If we had a security breach that resulted in sensitive (both financial and classified technical) data being released, we could be out of business within the year... we're not going to just throw away something we've worked hard at and been the best now for over 80 years.
 
MorfiusX said:
Security is but one reason. Productivity is another. Confidentiality is another. So, you treat your users like adults. Would you treat every web site and every email from every source the same way you trust your employees? If you don't trust the internet, why would you trust the content that comes from it?

Default deny is a basic security principle. If a person doesn't understand why, no offense, but I really wouldn't want them working on security at my company. This type of attitude is what leads to the headlines in the papers about security breaches and the loss of personal information.

Complacency is security's enemy.

I don't trust any of the content that comes from the web. That's why I filter it. I just don't see reading webmail or doing some occasional shopping on Amazon as a security threat. Confidentiality? Possibly, but there are innumerable ways for a determined insider to disclose confidential information. Productivity? Again, possibly, but it's not my job to ensure productivity of my coworkers. If there are productivity issues, it's management's responsibility. I can provide reports that can back up disciplinary action, but the rest of the employees who can manage their time effectively need not be blocked from the occasional non-work related browsing.

All other access is default deny. People can browse the web via proxy and that's it. The proxy filters all incoming traffic so that only browsing related content is allowed through. Webmail isn't much of a security threat if people can't download dangerous attachments (although it could be a confidentiality problem). Web browsing also isn't much of a security threat if all executable payloads/activex is blocked. I default deny content, not destinations.

Of course what constitutes a threat varies by company & business types. A company with trade secrets, financial data, personally identifiable information, etc may need to take additional steps. I'm still making a tradeoff, but for my company and the type of business it does (research utilizing a wide variety of sites), it makes sense. I'm not saying it makes sense for everyone, especially those with highly sensitive data, risks can be significantly mitigated with proper precautions without completely castrating useability.
 
I'm going to have to agree, in part, with da sponge.

As part of my company culture, I think discussions about good/bad "content" are misplaced.

On my network, I don't filter any content, save for "network edge" AV scanning in my FortiGate firewall. While this may not work for some, it works great for us.

I don't filter IM. I don't filter webmail services. I don't filter file sharing applications, FTP or downloadable executables.

This works for one reson: inappropriate use of business technology isn't a technology problem - it's a people issue. Therefore, the solution isn't to distrust everyone. The solution, for us, is to make sure that your business expectations are clear, and employ trustworthy people. After you hire good trustworthy people, let them do their job how they see fit.

If they end up surfing porn at work, the problem is not that they had electronic access to it (after all, they could just read some porn magazines or call a sex hotline, and you haven't solved the issue by keyword filtering on a web proxy). The problem is that they believe what they are doing is OK to do. That's where a strong, accountable business culture comes in. If that person's manager belives it is unacceptable, then actions are taken at that level.

It's not to say that we don't ever have people who abuse the privledge. It happens. When it does (as did recently when I discovered some inappropriate content in an e-mail message while training the spam filter), the managers (and HR) worked it out, and I don't have to be the police, judge, and jury.

Again, technology was the medium, but the message was the problem. That same message could have been delivered by snail mail, phone or a note on their car. Technology was not at fault, so I don't depend on technology to keep people honest.

J
 
Question.

At my site, we have other company's personnel and various instructors come in and access their corporate network through a VPN connection using our guest wireless network. It is restricted to internet only usage.

Say they connect to their corporate network through VPN and they can get to whatever webmail system they access. If you have a download filter blocking various file types, it wouldn't block what attachments they downloaded through thier VPN connection right?

If that is the case, they could download an executable if their coporate network allowed it and save it locally and then run the executable while on the guest wireless network and still possibly infect our network depending on the kind of damage that file could do.

Follow me?
 
from rayoc79

Say they connect to their corporate network through VPN and they can get to whatever webmail system they access. If you have a download filter blocking various file types, it wouldn't block what attachments they downloaded through thier VPN connection right?

Correct - the VPN data is encrypted. Any data transmitted across the VPN tunnel makes sense to only the two tunnel end points - not any device in between. It would be seen as an unrecongizable (but permissible, if you allow VPN traffic out/in) data stream by the firewall.

However, you said:
...access their corporate network through a VPN connection using our guest wireless network. It is restricted to internet only usage.

When they downloaded any nefarious executable to their local machine, how would it ever get into your local network, given the above information?
 
RedOctober said:
When they downloaded any nefarious executable to their local machine, how would it ever get into your local network, given the above information?

That's my point. If they didn't know what they were downloading, couldn't that virus, trojan, worm or whatever, if programmed however it was programmed, eventually break through however many levels it needed to break through to make its way onto our internal network?

You'll have to excuse me with the noobie sounding questions. While I am not a networking noob or boob or whatever, I've just always been in the Deskside Support end of IT my whole career so far. So my questions may come across as unrefined. :D
 
Bottom line should be this

They are at work to do work, not chat to friends on IM, or to check personal Email.

They are being paid to work during the hours they are in your offices and using your resources.

If people dont like this policy, then those are the people sitting on IM all day chatting away with all their friends, completing tasks in twice as much time because they are doing other "personal" things.

If they want to do those things, tell them to do it on their lunch break at an Inet cafe or get a laptop with wireless and hit starbucks.

The company i am in is in for a rude awakening themselves, the T1 we have for 17 people is getting abused, but not for long.
 
MrGuvernment said:
The company i am in is in for a rude awakening themselves, the T1 we have for 17 people is getting abused, but not for long.

That's our situation. While I am not the Net Admin, all of us in the new regime are making changes for the better. The old regime didn't care or stopped caring after awhile. We have a new Executive Director who is cleaning out the "ol'boy" mentality and bringing in the people who can do their job effectively and do it well. Thus a new IT Director, a new Net Admin, and myself to take care of Deskside related issues. This includes computers, phones, mfp's, e.t.c.

We have brought many ideas to the table and are implementing alot of them because all three of us have come from places where things are done the right way. Plus a sizeable budget has allowed us to think big.

The T1 we have has 50+ people on it at any time. We have a members only website with downloadable and uploadable content and things like radio stations and streaming audio/video have got to go. I was absolutely flabbergasted at the amount of people who listen to internet radio stations. Its not that the T1 is bogged down greatly, we just have to change that "culture" that someone mention earlier so that people don't do other things to waste valuable bandwidth.
 
Yeah, that is the problem, people dont like change.

With the company i am in, people dont want to spend money, yet they complain, so i have to make do with what i can :(, Now, being here for 5 years, and being the only one with some knowledge of networks and security, now i just implement things and dont ask until it is done. I do this because one owner, my former boss till i got him semi demoted, always finds ways to tell me "no, the ceo wont like this or that" - simply becuase HE didnt think of it, now i just do it, inform the CEO the advanatges and not once has he not liked the ideas. (he gets annoyed when he see's people talking on IM's and not doing work as well)

Our company has always been fairly laxed and laid back, but people now are using Skyp which sucks up easily 40Kb on it's own! and staying late after work to talk to friends on web cams and such and downloading tv shows i caught someone else with, and stupid commercials and crap.

We host a site here for outside affiliates so we need to watch our usage, the site is basic, so it doesnt require alot of bandwidth but none the less.

i did catch one person with a p2p - slimewire, he is our web guy and he has a laptop and sure enough one night, when he left his laptop here, he had torrents downloading like mad, so much so i could only get 6kb from our T1 off a 100MB line i can max us out on at 177KB any other time.

Being in Costa Rica, from what i have seen, many jobs here who work in American imported companies, alot of customer service centeres et cetera, they hire people in the IT area who know other people and they dont bother locking anything down, or they are the power hungry ones and they block everyone else so they can download their illegal crap faster and they lie about what it is they know to get the jobs, which becomes very apparent when you ask them to lock down a cisco router and do port forwarding for X and they just forward the ENTIRE range to the internal ip!

it is annoying, and if anyone tries to tell me off it will be simple, as i stated above

While you are in thie office for 8 hours a day, you will be working for 8 hours if you want to do personal stuff, do it at your home, on your connection you pay for, not works resources.

i have seen enough studies on how much money companies lose on workers using their resources for personal usage.

It would be nice if companeis did things right the first time, cause it would end with so fewer headaches.


Good luck on your change over, seems like you have the support from who matters :)

Will be keeping up in this thread, it has good info, and this is all new to me as well.
 
A couple comments mention brought up some very valid points:

Some have said they block based on signature, file type, etc. What if you can't read that information? What if you don't know because it's encrypted? Do you allow SSL/HTTPS? I bet you answer yes. I can log onto Yahoo mail using HTTPS/SSL and you will never know what information is being transfered because it's encrypted. By the time you scan it on the PC, the bad things that are contained with in are already on your network.

Any way, I think I've maid my point. I hope someone who may not have understood now do. If not, good luck...
 
MrGuvernment

While you are in thie office for 8 hours a day, you will be working for 8 hours if you want to do personal stuff, do it at your home, on your connection you pay for, not works resources.

Bottom line should be this

They are at work to do work, not chat to friends on IM, or to check personal Email.

They are being paid to work during the hours they are in your offices and using your resources.

If people dont like this policy, then those are the people sitting on IM all day chatting away with all their friends, completing tasks in twice as much time because they are doing other "personal" things.

If they want to do those things, tell them to do it on their lunch break at an Inet cafe or get a laptop with wireless and hit starbucks.

The company i am in is in for a rude awakening themselves, the T1 we have for 17 people is getting abused, but not for long.

Hopefully, that works for your company. I can't say that I'd like to work there. It's a company culture issue. I am in complete control of my network without needing to use technical lock-downs. This is, in part, because I refuse to buy into the "us vs. them" mentality that many admins employ. My co-workers reward my trust by respecting the resources they are given.

It also has to do with conflict resolution. It's very tempting, as an admin, to employ the controls and restrictions that are so readily available. Then the problem is solved, right?

No - you've just managed to add one more thing that could frustrate a trustworthy, hard-working employee. Not to mention, screwing off at work is not for IT to police. If it was, then you would be responsible for confiscating paper airplanes and prohibiting water cooler talk, too. It goes back to culture - a manager is ultimately responsible for his/her employees actions. It should be up to them to decide if checking personal e-mail during the day is excessively wasteful.


Why can't the IT personnel provide the technology, then get the hell out of the way?

Technology exists to enable business, not restrict it.
 
rayoc79 said:
That's my point. If they didn't know what they were downloading, couldn't that virus, trojan, worm or whatever, if programmed however it was programmed, eventually break through however many levels it needed to break through to make its way onto our internal network?

You'll have to excuse me with the noobie sounding questions. While I am not a networking noob or boob or whatever, I've just always been in the Deskside Support end of IT my whole career so far. So my questions may come across as unrefined. :D

No problem, man... Here's the scoop:

In theory, if you have internet access outbound from the wireless access point, then anything on that AP is no closer to your network than the anything on the internet already is. (Make sense?)

You are kind of making a "demilitarized zone" (DMZ). This zone is neither on your local LAN, nor completely external. The caveat to this is that you must ensure that no traffic is permitted from the DMZ to the local LAN in your firewall rules. If so, you are good to go!

J
 
RedOctober said:
No problem, man... Here's the scoop:

In theory, if you have internet access outbound from the wireless access point, then anything on that AP is no closer to your network than the anything on the internet already is. (Make sense?)

Makes Sense. Gotcha.

RedOctober said:
You are kind of making a "demilitarized zone" (DMZ). This zone is neither on your local LAN, nor completely external. The caveat to this is that you must ensure that no traffic is permitted from the DMZ to the local LAN in your firewall rules. If so, you are good to go!

J

We do have a DMZ. I understand what that is for, but I don't believe our guest wireless network is located within the DMZ. So it is as close to our internal network as it can get I believe. Again, I don't control any of this stuff, I just hear alot about it and am trying to make sense of it all.
 
People dedicated enough will 100% of the time find ways around whatever blocks people decide to put in place. I run the network at a small business (maybe 20 employees in the main office) off a small cisco router and a decent Comcast business cable connection -- it's plenty fast for people here to stream radio (XM and Sirius online are popular), get their personal email, and do whatever else they want to do.

I have a SPI firewall setup on the inbound and outbound interfaces, along with Cisco IPS and up-to-date signatures on the inbound and outbound outside interface. I watch the NAT translations closely and look for people using lots of ports or lots of connections, and I run NetFlow top talkers to see what computers are sucking up the most bandwidth.

I catch people here on QVC, WeatherBug, yahoo news, etc, and I don't care. It's not my job. If someone's got a trojan horse, or downloading music, or doing something else that puts the company in jeopardy, I tell the bosses what's going on and let them take care of it.

MrGuvernment, you need to realize that corporate culture now is tremendously different than it was in the past -- a truly forward looking company is almost always going to have employees spending at least some of their time doing things that aren't work related. To me, if 80% of the employees here are spending 10% of their time doing things that aren't work related, but it keeps them sane (bear in mind most of what we do in this office is matching invoices and updating price sheets), nobody gives it a second thought.

If you're looking to become the IT Sheriff then by all means, aggrivate your users and foster a corporate attitude of distrust and policing. We don't have any IT gnomes here, and if we did they wouldn't last a day. There's only one type of situation where that kind of attitude is acceptable, and it's when you're dealing with highly sensitive, classified (company or even government?) information, and even in that circumstance it should be on an entirely seperate network.
 
We do have a DMZ. I understand what that is for, but I don't believe our guest wireless network is located within the DMZ. So it is as close to our internal network as it can get I believe. Again, I don't control any of this stuff, I just hear alot about it and am trying to make sense of it all.

There's other ways to do it, also. In theory, you could put the WAP on a different subnet and not permit cross-traffic between the two subnets (by programming a VLAN, for instance, on a switch).

Were I'm at, I've simply placed an unsecured AP right outsite my office door that is connected to "dirty" internet above my firewall. That way, vendors, guest and visitors can all get to the internet, but I don't have to keep an eye on anything (as they are no closer to my network than anything else on the internet). They get to fend for themselves! :p
 
RedOctober said:
MrGuvernment

Hopefully, that works for your company. I can't say that I'd like to work there. It's a company culture issue. I am in complete control of my network without needing to use technical lock-downs. This is, in part, because I refuse to buy into the "us vs. them" mentality that many admins employ. My co-workers reward my trust by respecting the resources they are given.

It also has to do with conflict resolution. It's very tempting, as an admin, to employ the controls and restrictions that are so readily available. Then the problem is solved, right?

No - you've just managed to add one more thing that could frustrate a trustworthy, hard-working employee. Not to mention, screwing off at work is not for IT to police. If it was, then you would be responsible for confiscating paper airplanes and prohibiting water cooler talk, too. It goes back to culture - a manager is ultimately responsible for his/her employees actions. It should be up to them to decide if checking personal e-mail during the day is excessively wasteful.


Why can't the IT personnel provide the technology, then get the hell out of the way?

Technology exists to enable business, not restrict it.


IT people cant get out of the way because people abuse it and find ways around it to do things they should not be doing and then IT has to come back in an fix it because people can not follow simple basic rules


How would you like it if you had gardeners coming to your house, and stopping every 10 mins to jump in your pool, then back to work, then jump in your pool.

I do feel strongly that while you are on WORK time - you should be working.

The problem is so many people today think "oh, i will just take 2 secs to check my person email on work time cause it is so important" 2 secs turns into 5 mins and so on.

Now, i have no issues if your job is getting done, with socialising, you can not lock people down and expect them to be happy, i dont want that. But people also have to realize they are not being paid to talk to people all day long outside of work or send pics, or check out some websites like myspace or something.

I am very flexible, i should have been more clear, those people who are abusing the resources, will be limited, since after warnings they still do not go by the rules in place.

The biggest issue for me, is the main piece of software everyone in our company runs, will only run under admin rights :( and our developers wont change it, after many requests and explinations of why they should, it is just not a priority for them.

I am not going to turn this into a boot camp. i am just going to be more "putting" my foot down. I am a very nice guy, everyone at works loves me, we are a very small and personal company, but when you get woken up at 4am because someone clicked on a link over MSN saying "look at my pics on myspace" when you tell them all the time, DO NOT click on links - it gets annoying after 5 years.

restrictions i plan to do are things like implement Ms communcations server, or something similar, we use MSN for contact between our office and other people who work for us, but when you have say accounting "oh, i cant do your expenses today" and 5 mins later you turn around to see them photoshoping a picture to send to someone one msn...... ?? gimmy a break.

Or people sucking up bandwidth using Skype or P2P or downloading 120Mb movie trailers and spending all day on youtube.....


The problem with the company is when we moved 3 years ago to CR, we never had a real network admin, things were just dumped on me and i have been learning as i go along to do what i can with what little i have.


Technology exists to enable business, not restrict it.

That is fine - i am, more then happy to let technology help our company, but letting people chat on msn and do other things, does not help buisness.



Also, i am not just IT, i am head of support, and have been with this company and started the companies office 5 years ago, the only other person who has been here as long as me is the CEO, so my title is kind of everything in the company. The CEO is already behind me on doing what i need too as he often complains about how things dont get done when they should.



In the end - i do hope the system i am able to put into place will improve production, but still keep an environment with in work where people are happy to work but also enforce people ti know that when you get to work the first thing you do is something personal related, but get to work.


{EDIT] Looking back my first response was very hitlerish, i njust get so furious about this subject, i tend to make my self looks like a boot camp sargeant drilling people into the ground, that is the furthest! thing from what i am.
 
MrGuvernment said:
IT people cant get out of the way because people abuse it and find ways around it to do things they should not be doing and then IT has to come back in an fix it because people can not follow simple basic rules


How would you like it if you had gardeners coming to your house, and stopping every 10 mins to jump in your pool, then back to work, then jump in your pool.

I do feel strongly that while you are on WORK time - you should be working.

The problem is so many people today think "oh, i will just take 2 secs to check my person email on work time cause it is so important" 2 secs turns into 5 mins and so on.

Now, i have no issues if your job is getting done, with socialising, you can not lock people down and expect them to be happy, i dont want that. But people also have to realize they are not being paid to talk to people all day long outside of work or send pics, or check out some websites like myspace or something.

I am very flexible, i should have been more clear, those people who are abusing the resources, will be limited, since after warnings they still do not go by the rules in place.

The biggest issue for me, is the main piece of software everyone in our company runs, will only run under admin rights :( and our developers wont change it, after many requests and explinations of why they should, it is just not a priority for them.

I am not going to turn this into a boot camp. i am just going to be more "putting" my foot down. I am a very nice guy, everyone at works loves me, we are a very small and personal company, but when you get woken up at 4am because someone clicked on a link over MSN saying "look at my pics on myspace" when you tell them all the time, DO NOT click on links - it gets annoying after 5 years.

restrictions i plan to do are things like implement Ms communcations server, or something similar, we use MSN for contact between our office and other people who work for us, but when you have say accounting "oh, i cant do your expenses today" and 5 mins later you turn around to see them photoshoping a picture to send to someone one msn...... ?? gimmy a break.

Or people sucking up bandwidth using Skype or P2P or downloading 120Mb movie trailers and spending all day on youtube.....


The problem with the company is when we moved 3 years ago to CR, we never had a real network admin, things were just dumped on me and i have been learning as i go along to do what i can with what little i have.




That is fine - i am, more then happy to let technology help our company, but letting people chat on msn and do other things, does not help buisness.



Also, i am not just IT, i am head of support, and have been with this company and started the companies office 5 years ago, the only other person who has been here as long as me is the CEO, so my title is kind of everything in the company. The CEO is already behind me on doing what i need too as he often complains about how things dont get done when they should.



In the end - i do hope the system i am able to put into place will improve production, but still keep an environment with in work where people are happy to work but also enforce people ti know that when you get to work the first thing you do is something personal related, but get to work.


{EDIT] Looking back my first response was very hitlerish, i njust get so furious about this subject, i tend to make my self looks like a boot camp sargeant drilling people into the ground, that is the furthest! thing from what i am.

Great Post, Computer's are nothing more than files and regiestry keys, the less crap is on them, the less problems you will have. Limit user's so they cant download crap or listen to streaming radio, that sort of stuff. You can control all of that threw AD. If your company is not using AD i would look into it, and if they are, just have them tighten everyone's secuirty so they dont have access to all the crap.
 
Wow. Absolutely WOW! [H]ardOCP'ers are the best. Thanks to everyone for making this a great thread. I learned alot and love how people have just really put effort into this topic. You all have helped me in forming my own views with some great points. I need to start posting more........

...Thanks again!
 
RedOctober said:
MrGuvernment





Hopefully, that works for your company. I can't say that I'd like to work there. It's a company culture issue. I am in complete control of my network without needing to use technical lock-downs. This is, in part, because I refuse to buy into the "us vs. them" mentality that many admins employ. My co-workers reward my trust by respecting the resources they are given.

It also has to do with conflict resolution. It's very tempting, as an admin, to employ the controls and restrictions that are so readily available. Then the problem is solved, right?

No - you've just managed to add one more thing that could frustrate a trustworthy, hard-working employee. Not to mention, screwing off at work is not for IT to police. If it was, then you would be responsible for confiscating paper airplanes and prohibiting water cooler talk, too. It goes back to culture - a manager is ultimately responsible for his/her employees actions. It should be up to them to decide if checking personal e-mail during the day is excessively wasteful.


Why can't the IT personnel provide the technology, then get the hell out of the way?

Technology exists to enable business, not restrict it.

Since it is a culture thing, how about implimenting the most strict rules against only the M ANAGERS. That way they will actually MANAGE, and maintain this "culture" you speak of
:D
 
from MrGuvernment:

The problem is so many people today think "oh, i will just take 2 secs to check my person email on work time cause it is so important" 2 secs turns into 5 mins and so on.

Now, i have no issues if your job is getting done, with socialising, you can not lock people down and expect them to be happy, i dont want that. But people also have to realize they are not being paid to talk to people all day long outside of work or send pics, or check out some websites like myspace or something.

My take:

Hey man - unless it's clearly within your job description to prevent all types of screwing off, I think you are taking way to much ownership of this issue. It's readily apparent that it is affecting the quality of service you offer your customers, too.

You'd do much better to not own that issue and take it so personally. Remember, before you came around - before IT - before computers - before typewriters - people screwed off at work. Who was responsible then?

You aren't doing your company any favors by locking down the ways they can screw off with technology. They just push back by working around your limitations (you can't win that one) or finding a different non-technology ways to slack off. To effect real workplace effeciency, the company culture has to address the "screw-off" mentality and its source. What message do you send by saying "waste company time and resources all you want, just don't do it using a computer"? In any case, what authority do you have to discipline the worst offenders anyway? Why would they stop if there are no consequences from those that manage them?

My suggestion? See the department managers and let them know the issue occurs, and it's up to them to see that their employees are as effecient as they can be. The managers have goals of their own, and I'm sure they'd like to know the potential barriers that prevent them from success.

{EDIT] Looking back my first response was very hitlerish, i njust get so furious about this subject, i tend to make my self looks like a boot camp sargeant drilling people into the ground, that is the furthest! thing from what i am.

One of the most important lessons I have ever been taught:

Perception is reality.

This is such an important concept in a service-oriented position. It does not matter what you think about how you treat others. You customer's perception is their truth - no matter how much you explain it away.

My mentor that taught me this was responsible for perhaps the single most important lesson I've learned in my professional career. Study that concept deeply.


rayoc79 said:
Wow. Absolutely WOW! [H]ardOCP'ers are the best. Thanks to everyone for making this a great thread. I learned alot and love how people have just really put effort into this topic. You all have helped me in forming my own views with some great points. I need to start posting more........

...Thanks again!

Well - it's a hot topic around the business world. As you can see, there are no easy answers here. While I respectfully disagree with some, we try to keep it civil. I keep telling myself that what is true for me may not be true for others., so everyone has different challenges to face.
 
Back
Top