There are several reasons why you might need to limit Internet access on the network. Perhaps your company is experiencing a problem with individuals’ productivity. Or Human Resources has determined that there is an issue with certain employees’ web access. Maybe your coworkers are not doing anything wrong, but you want to block access to malicious websites. There could even be contractual or regulatory obligations requiring that you limit Internet access. If you need to limit Internet access, there are a few things you need to get in place.
Create a written policy that defines what is appropriate and what is not, and that informs all users that measures exist to limit Internet access. Involve management, Human Resources, and Legal to ensure that all stakeholders have input, and that your policy meets all requirements and doesn’t infringe on any preexisting policy or law.
To limit Internet access, you have to be able to control your users’ outgoing traffic. If all users are in a single office, deploy a transparent solution on the gateway that is inline to all traffic. If users are spread out across several locations, each with its own Internet circuit, it’s better to treat each location as its own independent network, rather than trying to funnel all Internet access through a single location. This will require more hardware and software, but ensures that a single outage in the “main” site doesn’t take down Internet access for all the remote offices. If you cannot deploy a gateway solution, use a proxy solution to service client requests. You will have to configure the clients; see below for more on that.
There are several products on the market that can limit Internet access for clients. The typical way to limit Internet access is by filtering based on categories of URL lists, inspecting traffic for malicious content as it is downloaded, or both. In either case, make sure your egress filtering is set up at your border(s) to block outbound client traffic so that your users cannot bypass your protective mechanisms.
Gateway-based solutions are transparent to the user and don’t require any client configuration. These solutions are able to limit Internet access for any device that connects to your internal network. Proxy devices wait for requests from the clients’ browsers, so you must configure those browsers to use the proxies. Group policies can configure Internet Explorer for domain-joined machines, but you have to manually configure other browsers, or use a script to set them up. Remember to run web filtering to prevent clever users from bypassing the proxy.
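One way to check that the egress filtering described above is actually closing the bypass path, shown as an added example that is not part of the original article: the Python below reads border firewall log lines and lists every internal client that tried to reach the Internet directly instead of through the proxy. The internal range, the proxy address 10.0.0.10 and the key=value log layout are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the article): the internal range, the proxy address
# and the key=value log layout are all constructed for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROXY_ADDRS = {ipaddress.ip_address("10.0.0.10")}

SAMPLE_LOG = """\
action=allow src=10.0.0.10 dst=192.0.2.34 dport=443
action=deny src=10.0.5.23 dst=192.0.2.34 dport=443
action=allow src=10.0.5.23 dst=10.0.0.10 dport=3128
action=allow src=10.0.7.40 dst=198.51.100.7 dport=8443
action=deny src=10.0.5.23 dst=203.0.113.9 dport=80
this line is malformed and is skipped
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return the parsed key=value fields, or None if the line is unusable."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "action": fields["action"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None

def audit_egress(log_text):
    """Map each client to its direct-to-Internet flows, split by firewall action."""
    report = defaultdict(lambda: {"allowed": [], "denied": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]):
            continue
        if rec["src"] in PROXY_ADDRS or is_internal(rec["dst"]):
            continue  # proxy egress and internal traffic are expected
        # allowed = gap in the border filter; denied = blocked bypass attempt
        bucket = "allowed" if rec["action"] == "allow" else "denied"
        report[str(rec["src"])][bucket].append((str(rec["dst"]), rec["dport"]))
    return dict(report)

if __name__ == "__main__":
    print(audit_egress(SAMPLE_LOG))
```

Any client that appears under "allowed" got out without passing through the proxy, which means the border rules need tightening; clients under "denied" were stopped but may need a working proxy configuration.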
A common reason to limit Internet access is to protect corporate assets from malware. Make sure you protect remote users by having them connect via VPN to the corporate network before accessing the Internet. This protects them from Internet threats and any malicious users on open wireless networks.
Solutions that limit Internet access improve the security of your network and protect users from malicious or inappropriate content. Incorporating a good policy with the technical solution ensures that limiting Internet access can be done smoothly and without adding to administrative overhead.