I have a meeting in less than a half hour (surprise!) about web filters and if we should limit web access and what should be limited. My major question is a concern of our security, and I believe web mail is a threat to that… What are your thoughts on anything and everything about limiting web access in the workplace?


From an admin perspective I think a lot of things should be filtered, such as Hotmail, Yahoo, MySpace, Facebook, and the list of websites and content goes on and on. This is probably because I spent too much time in corporate, but here is my stance: you're hired for a job, you should be doing it, not surfing the web.

Webmail has always been a thorn in my side because I just don’t think it works right.

I hope that sheds a little light before your meeting. Can anyone else give some input?

Not sure if this is too late for your meeting or not but here’s my take… We’ve shut everything down, web mail and all. We only allow access to sites that are necessary to get the job done. We had some bandwidth issues at one point and found that there were enough people streaming music and such to cause quite a noticeable problem. We did consider the “employee morale” argument before limiting access but have found that not to be a huge issue. Employees know that they are paid to work and not surf.

We’ve built in several levels of access that allow managers and team leads full (or less limited) access but have limited most everything else.

Best of luck.

Just a little late on the matter but it makes total sense. We’ve decided that the way to combat employee morale but still do as you say is to set up “public terminals.” These terminals will be set up for employees to access sports and email or whatever else they wish during their lunch and break times.

My concern is exactly how to set it up so that they are not a part of our current network. How should I do this so that it is not a part of our internal network at all?

The company computers will be locked down to merely business use.

Thanks for the input!
–Mike

Hi Mike,
If you have a robust firewall in place setting up separate physical public terminals should be fairly easy. (Of course, nothing is as easy as it sounds, is it?) Using the firewall, all of our web access is controlled via IP address and which range they fall into. We have designated several IP address ranges for different levels of access. All of our network nodes have static IP addresses. You would set up the public terminals with IPs that are allowed access to the web resources you want to allow. Your other network user machines would be in a different IP range that has restricted or no access. Depending on your firewall, you can get very granular as to the access allowed.

I’m sure that there are other ways of doing this but I hope this helps some.

So if my company network was in, say, 10.17.17.1/254 and I wanted to place my public terminals on 192.168.1.0/24, then I do that and I can of course block web access to company via the firewall and allow web access to the public terminals. My question is, as I have never added more than one IP range in a single network… do the public terminals need to be running on separate lines to a separate switch in order to be on a separate range? If not, is this really secure in protecting our company data even if they run the same network lines?

Thanks!

An example similar to yours - I’ve got several networks/ranges set up on my firewall. Say, 192.168.0.### and 192.168.100.### and smaller ranges within those. All of our traffic flows through the same place (firewall). All of the IPs in 192.168.0.### are allowed full internet access. Others are restricted. Internet access (incoming and outgoing) depends on the IP address range the node is in. The firewall security policies (incoming and outgoing) apply to all networks and ranges defined. So, for my setup, security is a matter of how well I have my policies set up in the firewall. Both network ranges use the same switches, routers etc… No need for additional wiring and switches. If all your traffic is going through one firewall, you should be ok.

I really hope this is helping.

Ah, okay… So I just need to configure the computers I want as public terminals, (since there will be very few, those can be manual), and place them on a different subnet. Then, after configuring them to whatever IP range I feel like, I use that same IP range and allow web access. Let me know if I understood that right.

My biggest worry is that going this route, where these computers are connected to the same network as my internal network, poses a security risk.

Thanks a lot! It sure is helping… sorry I’m just being stubborn.

No sweat. You’re not being stubborn. I think you’ve got it now.

Again, a solid firewall setup is your best defense and can be used to keep your two network ranges separate from each other.

Let me know if I’ve left anything out. Keep me posted.

Also, another good idea for people managing networks our size is the question of DNS. While we run our own internal DNS, we just forward outside requests to our ISP.

However, I discovered OpenDNS, which will do a few nice things, most of all map and report on all your DNS requests, block certain domains (good from a security standpoint also…), and even fix mis-typed domains on the fly. We don't block everything non-work, just monitor. We do block a couple of nasty sites that are known for spyware, etc.

It can also be ‘branded’ to your own company. Best of all, it’s just like SpiceWorks - FREE!

One of the killer apps on OpenDNS for me is that they also now run DNS-O-Matic, which is a Dynamic DNS Update service. It will update 30-odd Dynamic DNS providers in one go (DynDNS, EasyDNS, the list is huge). This is great for remote DSL modems with ISPs that do not provide static IP’s.

Now if I could just get DrayTek to support DNS-O-Matic on their modems, I would be set!!

Okay, just to ensure clarification, I am attaching a network diagram of what I believe you are telling me to do. I use the firewall to restrict websites for one subnet that I wouldn't for another. I suppose that I could simply use my DHCP for my internal network, whereas I manually enter in the information for the public workstations. I just feel like I'm missing something, and I still am really uncertain if this is the secure way, so hopefully you can visualize now what I mean and tell me, "no you idiot… I said this!"

Thanks a lot!

You could also use Group Policy and set the “break room” computers in a different OU with different privileges.

I could if I wasn’t going to use linux :stuck_out_tongue:

My biggest issue is viruses… I know I can lock down users, but you guys are telling me that for sure viruses cannot get to the other subnet even while going through the same switch?

Aahaa!

I believe (someone correct me if I’m wrong) that if you have more than one subnet they can’t cross over.
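The setup described in the reply about running both ranges through one firewall, and the question just above about whether anything can cross between the subnets, come down to what the firewall's forward policy actually says. The script below is an added example, not configuration from anyone in this thread; it prints an nftables ruleset for a Linux firewall/router (the poster mentions using Linux) with three hypothetical interfaces, eth0 to the Internet, eth1 to the company LAN, and eth2 to the public terminals, using the two ranges from the thread (10.17.17.0/24 and 192.168.1.0/24) and a made-up "allowed sites" set for the company side. One caveat that the thread does not spell out: a firewall can only enforce policy on traffic that passes through it. If the public terminals share the same switch ports and VLAN as the company machines, they are in the same broadcast domain, and a terminal (or malware on it) could simply take a 10.17.17.x address and talk to the LAN directly without the firewall ever seeing it. Give the terminals their own VLAN or their own switch connected to a separate firewall interface, so that the firewall is the only path between the two ranges.

```shell
#!/bin/sh
# Added example: generate an nftables forward policy for a Linux firewall that
# sits between the company LAN, the public-terminal (break room) subnet and the
# Internet. Interface names, the allowed-site prefix and the DNS rule are
# assumptions for illustration; the two subnets are the ones from the thread.
# Apply with:  gen_ruleset | nft -f -      (after checking:  gen_ruleset | nft -c -f -)

WAN_IF="eth0"               # assumed: link to the ISP
LAN_IF="eth1"               # assumed: company workstations
PUB_IF="eth2"               # assumed: public terminals, on their own VLAN/switch
LAN_NET="10.17.17.0/24"     # company range from the thread
PUB_NET="192.168.1.0/24"    # public-terminal range from the thread
LAN_ALLOWED="203.0.113.0/24"  # constructed placeholder for business sites (documentation range)

gen_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  set lan_allowed {
    type ipv4_addr
    flags interval
    elements = { $LAN_ALLOWED }
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    # replies to connections the firewall already allowed
    ct state established,related accept

    # public terminals: never into the company LAN (logged so it shows up in
    # the firewall log if a terminal probes the LAN), web and DNS out only
    iif "$PUB_IF" ip saddr $PUB_NET ip daddr $LAN_NET log prefix "pub->lan blocked: " drop
    iif "$PUB_IF" ip saddr $PUB_NET oif "$WAN_IF" tcp dport { 80, 443 } accept
    iif "$PUB_IF" ip saddr $PUB_NET oif "$WAN_IF" udp dport 53 accept

    # company LAN: no path to the terminals, web only to the allowed set
    iif "$LAN_IF" ip saddr $LAN_NET ip daddr $PUB_NET drop
    iif "$LAN_IF" ip saddr $LAN_NET oif "$WAN_IF" ip daddr @lan_allowed tcp dport { 80, 443 } accept
    iif "$LAN_IF" ip saddr $LAN_NET oif "$WAN_IF" udp dport 53 accept

    # everything else falls through to the chain policy: drop
  }
}
EOF
}

# Print the generated policy so it can be reviewed before loading it.
gen_ruleset
```

Because the chain policy is `drop`, anything not listed (a terminal reaching a file server, a LAN machine reaching a terminal, any non-web port outward) is discarded, and the cross-subnet rule logs attempts so they are visible during incident review. Filtering by site name rather than IP, as in the "only sites needed for the job" setup, needs a proxy in front of the LAN range; the firewall itself only sees addresses.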

Hi all,
I need to think about this a bit and look at your design. Can you email the diagram to me? I got an error trying to open it from your link.

Thanks,
Brent
( Brent@Liberts.com )

SW Team! I got the error too!

I will send it to you…

Me too! Let me see what we can do about that…

Myshell (Spiceworks) wrote:

Me too! Let me see what we can do about that…

There should seriously be some kind of reward or pay raise for you! I haven’t seen you miss a beat when it comes to these forums.

Good job!!

Aww that made my day :smiley:

You can try to post the attachment again; one of the developers deleted it, apparently there was nothing in the file? We're not sure exactly what happened, so let's see if it works this time.

Thanks!