How to limit Internet access on the network
There are several reasons why you might need to limit Internet access on the network. Perhaps your company is experiencing a problem with individuals’ productivity. Or Human Resources has determined that there is an issue with certain employees’ web access. Maybe your coworkers are not doing anything wrong, but you want to block access to malicious websites. There could even be contractual or regulatory obligations requiring that you limit Internet access. If you need to limit Internet access, there are a few things you need to get in place.
Policy
Create a written policy defining what is appropriate, what is not, and that informs all users that measures exist to limit Internet access. Involve management, Human Resources, and Legal to ensure that all stakeholders have input, and that your policy meets all requirements and doesn’t infringe on any preexisting policy or law.
Networking
In order to limit Internet access, you have to be able to control your users’ outgoing traffic. If all users are in a single office, deploy a transparent solution on the gateway that is inline to all traffic. If users are spread out across several locations, each with its own Internet circuit, it’s better to treat each location as its own independent network rather than trying to funnel all Internet access through a single location. This requires more hardware and software, but ensures that a single outage at the “main” site doesn’t take down Internet access for all the remote offices. If you cannot deploy a gateway solution, use a proxy solution to service client requests. You will have to configure the clients; see below for more on that.
Filtering
There are several products on the market that can limit Internet access for clients. The typical way to limit Internet access is by filtering based on categories of URL lists, inspecting traffic for malicious content as it is downloaded, or both. In either case, make sure your egress filtering is set up at your border(s) to block outbound client traffic so that your users cannot bypass your protective mechanisms.
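The egress point above can be checked before a ruleset goes live. The following is an added example, not part of the original article: a vendor-neutral first-match model of a border ruleset that lists which client connections would leave the network without passing the proxy. The addresses, rule format and function names are constructed for illustration.

```javascript
// Constructed addressing (assumptions): clients in 10.0.0.0/16, proxy at 10.0.250.10.
const PROXY_IP = "10.0.250.10";

// Dotted-quad IPv4 -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// True when ip is inside cidr ("a.b.c.d/n").
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// First-match evaluation with an implicit final drop.
function egressVerdict(rules, srcIp, dstPort) {
  for (const r of rules) {
    const portOk = r.ports === "any" || r.ports.includes(dstPort);
    if (inCidr(srcIp, r.src) && portOk) return r.action;
  }
  return "drop";
}

// Weak: web ports are open to the whole LAN, so using the proxy is optional.
const weakRules = [{ src: "10.0.0.0/16", ports: [80, 443], action: "accept" }];

// Hardened: only the proxy may originate web traffic. Other services the
// clients need (DNS, mail) would get their own accept rules above the drop.
const hardenedRules = [
  { src: PROXY_IP + "/32", ports: [80, 443], action: "accept" },
  { src: "10.0.0.0/16", ports: "any", action: "drop" },
];

// List the client:port pairs that reach the Internet without the proxy.
function bypassPaths(rules, clientIps, ports) {
  const found = [];
  for (const ip of clientIps) {
    for (const port of ports) {
      if (egressVerdict(rules, ip, port) === "accept") found.push(ip + ":" + port);
    }
  }
  return found;
}

console.log(bypassPaths(weakRules, ["10.0.1.20"], [80, 443, 8080]));
console.log(bypassPaths(hardenedRules, ["10.0.1.20"], [80, 443, 8080]));
```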
Client configuration
Gateway-based solutions are transparent to the user and don’t require any client configuration. These solutions are able to limit Internet access for any device that connects to your internal network. Proxy devices wait for requests from the clients’ browsers, so you must configure those browsers to use the proxies. Group policies can configure Internet Explorer for domain-joined machines, but you have to manually configure other browsers, or use a script to set them up. Remember to run web filtering to prevent clever users from bypassing the proxy.
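One script-based way to point browsers at the proxy is a proxy auto-config (PAC) file. The following is an added example, not part of the original article: it sends internal destinations direct and everything else to the proxy, with no DIRECT fallback, so a proxy outage fails closed instead of letting traffic go out unfiltered. The proxy name, port and internal suffix are placeholder assumptions.

```javascript
// Constructed values (assumptions): replace the proxy name/port and the
// internal DNS suffix with your own.
var PAC_PROXY = "PROXY proxy.corp.example:3128";
var INTERNAL_SUFFIX = ".corp.example";

// True for loopback and RFC 1918 IPv4 literals typed directly into the URL.
function isPrivateLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point a PAC-aware browser calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names such as "intranet" resolve only internally.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Hosts under the internal suffix; the leading dot prevents
  // "notcorp.example" from matching.
  if (host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  if (isPrivateLiteral(host)) return "DIRECT";
  // Everything else goes through the filtering proxy. Returning
  // "PROXY ...; DIRECT" here would let browsers skip the filter
  // whenever the proxy is unreachable.
  return PAC_PROXY;
}
```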
Remote users
A common reason to limit Internet access is to protect corporate assets from malware. Make sure you protect remote users by having them connect via VPN to the corporate network before accessing the Internet. This protects them from Internet threats and any malicious users on open wireless networks.
Solutions that limit Internet access improve the security of your network and protect users from malicious or inappropriate content. Incorporating a good policy with the technical solution ensures that limiting Internet access can be done smoothly and without adding to administrative overhead.










Can’t tell you how many companies I’ve been to where they employ limitations on internet access, but don’t go the distance and cover all their bases. If you’re not diligent and thorough with setting up blocks to certain sites, you are merely tasking your more dedicated-to-browsing employees with a couple of extra steps before they spend their whole shift on Facebook, or worse.
Our company made sure that it has its Internet control policy stated in the Handbook. This way, all employees (both old and new) will know that a limit on web access exists. There, our HR and legal departments listed all points related to Internet usage, online security, employee responsibility in relation to Internet use, and consequences.
I know most big and multi-national corporations have this kind of system in place. Although our office only has 70 employees, the written policy made it official and more professional.
Company handbooks are a good start, but it’s not the total solution you’re looking for, Aaron. Limiting Internet connection in workplaces is so complicated. Trust me – I’ve been there. You have to juggle things just to keep up with government and federal policies.
In my own experience, the best way to control Internet connection in a corporate environment is still through web applications or software. Install it in your network – to all employee computers, servers, etc. All systems are automated. You don’t have to micromanage anything. The best of all – it makes a manager’s job easier.
@Sean,
You’re right, your security is only as good as your weakest link. I always say it’s useless to have a bank vault door for your house’s main door if you then leave the windows at the back of your house open!
@Aaron,
It’s always a good policy to have such conditions written down, even for the employees themselves; sometimes what’s good or bad is not clear-cut and some might err on the side of convenience rather than security. With a written-down policy they can simply check.
In my humble opinion, nowadays most users are aware that free Internet at work is an illusion. Still, you are right that the limitations must be stated in a Policy document so that everybody knows about them.