We currently have a SonicWall firewall, which does a pretty good job at blocking social networking websites like Facebook and Bebo. The problem we are having is that sometimes we need to temporarily disable our firewall blocklist so we can update our company's page on Facebook, for example. Whenever we do this, we see an avalanche of users logging on to their Facebook pages during work time. So what we need is a way to block access while the firewall is down.
For the sake of argument, we have two groups of users - "management" and "standard users". "Standard users" would have no access to Facebook, but "management" users would have access. Perhaps something like a hosts file redirect for non-management users. This could probably be enforced via group policy that would call a bat file to copy down the hosts file, depending on whether the user was management or not. I'm keen to hear any suggestions for what the best practice would be for this in a Windows/AD environment.
Yes, I know what we're doing here is trying to solve a HR problem using IT. But this is the way management wants it and we have a lot of semi-autonomous branch offices that we don't have a lot of day to day contact with, so an automated way of enforcing this would be the most preferable method.
Buy a 3G USB dongle thing - put it in a safe, give it to a user when they need to update the blocked content, take it from them when they're done.
Ghetto yes, but simple.
So your company maintains a current Facebook page, yet prevents your users from accessing it? Bizarre. If your AUP discourages access to non-work (although "non-work" is debatable considering you have a FB page) sites during outage periods you could just collect the traffic logs. Provide management the list of users violating the AUP during the outages. A brief, personal, talk from HR/Management goes a long way.
Maintaining a hosts file for lots of users is painful. If you provide DNS for your clients you can easily blackhole anything you want. Proxies would still be an issue but I'm assuming your AUP would already address the use of them.
Sounds like a terrible jury rig. Firewalls are designed to block certain machines, and let certain others through. Just give your managers static IPs, and allow access from those IPs, and your problem is solved. SonicWall has a CFS exclusion list for this exact purpose.
Of course, your managers are probably also going to use Facebook, once they have free access, but that's life. You'd be better off allowing everyone and monitoring their usage. If it gets to be a problem, fire them. Blocking policies aren't much of a solution, and they tend to make people bitter.
I'm addressing this question solely on a technical level.
Perhaps you should consider building a device specifically for this purpose instead of using the SonicWall feature.
A default policy of drop is generally recommended for outgoing traffic. At the very least, 80, 443, 8080, and 8443. Then require a proxy to access the Internet.
I'd recommend Squid and SquidGuard, which can filter access to Web sites. Configure it to require authentication, which can even be integrated with AD. A privileged group would be able to bypass the filtering. For reporting, something like MySar or SARG works.
The solution can be simple and quick or more involved depending on your requirements but this technology will solve all the problems.
My recommendation would be to look into a centralized content control system that can block access based on user/group.
EDIT
Also, how is it that your users can still access the internet when the firewall is down? Doesn't the firewall provide NAT for your internal IP addresses? Is the firewall not "in line" with the router?
My topology looks like this:
Internal Network--->Firewall--->Router--->Internet
So if my firewall is down, the internet is not accessible.
In the end we used a GPO to push out a hosts file that blocked Facebook, Bebo, Myspace etc and also prevented users from modifying the hosts file.
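As an added illustration of the approach this update describes (example code, not the poster's actual GPO or script), the following PowerShell writes a marked block of hosts entries for the blocked sites and then locks the file's ACL so non-administrator users cannot edit it. It assumes it runs elevated as a GPO computer startup script, with the GPO's security filtering scoped so it never reaches the machines of the "management" group; the domain list is taken from the thread and the marker strings are illustrative.

```powershell
# Added example, not from the thread. Assumes it runs elevated (GPO computer
# startup script) on machines that belong to "standard users" only; the
# management/standard split is done by the GPO's security filtering.
$BlockedDomains = 'facebook.com', 'www.facebook.com',
                  'bebo.com',     'www.bebo.com',
                  'myspace.com',  'www.myspace.com'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BeginMark = '# BEGIN managed-blocklist'   # illustrative marker strings
$EndMark   = '# END managed-blocklist'

function Set-HostsBlocklist {
    param([string[]]$Domains, [string]$Path)
    # Keep every line outside the marker block, then append a fresh block, so
    # re-running the script on each boot never duplicates entries.
    $existing = @()
    if (Test-Path $Path) { $existing = Get-Content -Path $Path }
    $kept = @(); $inside = $false
    foreach ($line in $existing) {
        if ($line -eq $BeginMark) { $inside = $true;  continue }
        if ($line -eq $EndMark)   { $inside = $false; continue }
        if (-not $inside) { $kept += $line }
    }
    # 0.0.0.0 is unroutable, so connections fail at once instead of reaching a
    # local web server as 127.0.0.1 might.
    $block = @($BeginMark) + ($Domains | ForEach-Object { "0.0.0.0 $_" }) + @($EndMark)
    Set-Content -Path $Path -Value ($kept + $block) -Encoding Ascii
}

function Protect-HostsFile {
    param([string]$Path)
    # Replace the ACL with one where only SYSTEM and Administrators can write.
    # Users keep read access, which name resolution needs. This does not stop
    # users who are themselves local administrators.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)        # drop inherited rules on save
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', $read, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

Set-HostsBlocklist -Domains $BlockedDomains -Path $HostsPath
Protect-HostsFile  -Path $HostsPath
ipconfig /flushdns | Out-Null   # discard cached lookups so the new entries apply now
```

Because the hosts file is per-machine, this only separates the two groups cleanly when management users and standard users sit on different computers; shared machines need the DNS- or proxy-based approaches discussed elsewhere in the thread.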
Along the lines of @Chopper3's answer, I would suggest providing an alternate means of accessing the Internet for users that you don't want to filter.
If an aircard isn't how you want to do it, perhaps you could have a special network port that is connected to the Internet before the firewall. This way, the authorized Facebook updaters could bring their laptops over to this port on the rare occasions that they need to update Facebook for work purposes.
Perhaps setting up a password-protected proxy that bypasses the firewall would also work. This way, the authorized Facebook updaters would not have to move from their desks; they could just alter their proxy settings.
You could even have IT enable/disable these options as needed, so even the authorized Facebook users would be unable to use it without intervention from IT.
I don't currently have access to a SonicWall, but my recollection is that you could set up users in the blocking scheme and when they got the 'this page blocked by SonicWall' message you could give them an option to enter a username and password to access the page. So you give authorized FB updaters an account that allows them to access FB, and if you want to, you can enable/disable the account when the page needs to be updated.
I worked at a private school and we solved this issue for free by using OpenDNS.com. Go to the website and sign up for an account. You'll need to specify the source network or IPs and then configure your firewall to use OpenDNS's DNS servers. From the admin interface you can block specific types of traffic like Internet proxies and specific websites like Facebook.
We created a firewall rule so that the internal network hosts we allowed to reach these sites could use our ISP's DNS servers instead.