In our company we have around 100 workstations with Internet access, and the day-to-day situation is getting worse and worse from the perspective of using Internet access for the purpose of doing private jobs, and wasting time on social sites.
Open-hearted as I am, I don't like blocking sites like Facebook, YouTube, and other similar sites, but day by day my colleagues do not finish their tasks, and any time I look at their monitors they are running Internet Explorer or Mozilla Firefox, chat and things like that. On the other hand, I would like to block YouTube when we have a very low Internet access speed.
Here are my questions:
- Do other companies block social sites?
- Do I need a dedicated device for that, like a hardware firewall or a super expensive router? Or can I do that with my existing FreeBSD 6.1 self-made router with two LAN cards and configured NAT to act like a router?
I was trying to do that using ipfw and routerfirewall but without success. My code looks like:
ipfw add 25 deny tcp from 192.168.0.0/20 to www.facebook.com
ipfw add 25 deny udp from 192.168.0.0/20 to www.facebook.com
ipfw add 25 deny tcp from 192.168.0.0/20 to www.dernek.
ipfw add 25 deny udp from 192.168.0.0/20 to www.dernek.
ipfw add 25 deny tcp from 192.168.0.0/20 to www.youtube.com
ipfw add 25 deny udp from 192.168.0.0/20 to www.youtube.com
What can I do to fix this problem?
Yes, but that doesn't mean it is a good idea. The book Predictably Irrational has an interesting discussion and links to several studies that basically suggest that if you block minor personal usage, it can actually cost you in productivity. If people think their workplace is friendly and home-like, they are more likely to work from home beyond their 40 hours.
If one individual is causing problems it may be better to work with the individual than to use a technology solution that simply breaks things. Technology is not a replacement for a manager actually doing their job.
Most filters are easily bypassed; you really should try to avoid getting into an arms race with your coworkers. At some point you will just make your firewall so hostile they won't be able to get actual work done, and you still will probably not have blocked all the possible ways around the firewall.
You can install Squid+SquidGuard and force all traffic through the proxy. You can set up ACLs to block sites you don't like.
I suggest you set up Squid as a proxy, with no ACLs to block anything, and just watch the logs. Force everyone through the proxy (with notice). Then set up something like SARG to build reports. If someone is really having a problem, having a good report will give the employee's supervisor the evidence they need to start addressing the problem.
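The answer above suggests running Squid with no blocking ACLs and simply reading the logs. The script below is an added example, not code from the answer, from Squid or from SARG: it summarises Squid's native access.log format (time, elapsed ms, client, action/code, bytes, method, URL, ident, hierarchy, type) per client and destination host, the kind of report a supervisor can act on. The log lines, client addresses and sites are constructed for illustration.

```shell
#!/bin/sh
# Added example: a SARG-style summary of Squid's native access.log.
# Each line is: time elapsed client action/code bytes method URL ident hierarchy type
# Sample lines, addresses and sites below are constructed, not from a real log.

# Per client and destination host: number of requests and bytes delivered,
# largest consumers first. Reads the log on stdin.
usage_report() {
    awk '
    {
        client = $3
        url    = $7
        sub(/^[a-z]+:\/\//, "", url)   # drop the http:// or https:// scheme
        sub(/[\/:?].*$/,    "", url)   # keep only the host (CONNECT lines are host:port)
        key = client " " url
        reqs[key]  += 1
        bytes[key] += $5
    }
    END {
        for (k in reqs) printf "%s %d %d\n", k, reqs[k], bytes[k]
    }' | sort -k4,4nr -k3,3nr
}

# Distinct minutes in which each client made at least one request. Cruder than
# "time on site", but honest: a single page view produces many log lines, so
# counting requests alone exaggerates usage.
active_minutes() {
    awk '{ m[$3 " " int($1 / 60)] = 1 }
         END {
             for (k in m) { split(k, a, " "); c[a[1]]++ }
             for (h in c) printf "%s %d\n", h, c[h]
         }' | sort -k2,2nr
}

# Constructed sample log standing in for /usr/local/squid/logs/access.log.
sample_log() {
    cat <<'EOF'
1154448000.123    512 192.168.1.21 TCP_MISS/200 23456 GET http://www.facebook.com/home.php - DIRECT/203.0.113.5 text/html
1154448011.456   1200 192.168.1.21 TCP_MISS/200 1500000 GET http://www.youtube.com/watch?v=abc - DIRECT/203.0.113.9 video/flv
1154448071.789   1100 192.168.1.21 TCP_MISS/200 1600000 GET http://www.youtube.com/watch?v=def - DIRECT/203.0.113.9 video/flv
1154448080.001     90 192.168.1.37 TCP_HIT/200 8100 GET http://msdn.microsoft.com/library/ - NONE/- text/html
1154448090.002    300 192.168.1.37 TCP_MISS/200 45000 CONNECT www.facebook.com:443 - DIRECT/203.0.113.5 -
EOF
}

# Usage: replace sample_log with "cat /usr/local/squid/logs/access.log".
echo "client host requests bytes"
sample_log | usage_report
echo
echo "client active_minutes"
sample_log | active_minutes
```

The report deliberately keys on the destination host rather than the full URL, so one Facebook session shows up as one line instead of hundreds of image fetches; the active-minutes count is what you want to quote to a manager, because bytes alone flatter video sites and hide chat.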
This should be dealt with via your disciplinary procedure, not your firewall. It's a technical solution for a non-technical problem.
You know how the RIAA and MPAA publish these insane numbers on how much money piracy is costing them, based on the idiotic assumption that every unit of pirated content would be purchased if piracy were impossible?
You're doing the same thing by assuming that if 'wasting' time on social media were impossible, that time would be spent doing productive work. But unless these are data entry clerks you're talking about, we're probably talking about people with some kind of creative / knowledge-worker aspect to their job, which means that their productivity is a complex thing that doesn't look the same as that of a widget twister on an assembly line. Their use of social media may easily be a key component of their productivity, and attacking it may be attacking what enables them to make you money.
And that's even before we get into the morale impact of treating employees like prisoners on a chain gang.
Just sayin', dude.
We only block sites if browsing is interfering with productivity, and we accept the views of local management on the issue (even when we suspect they are exaggerating).
We block sites using a proxy server; usually SQUID, which should run fine on your firewall. We put a rule on the firewall blocking outbound port 80 (and sometimes 443) from all hosts except from servers and the proxy server. Then we use a group policy to configure the proxy in users' Internet Explorer.
Some managers ask us for usage stats. Most don't.
JR
Use OpenDNS. You should be able to block social sites using that. Otherwise, you should consider using a proxy server with filtering capabilities.
The best way to block stuff is to have the manager walk around, spending more time near those that don't get things done. If people get work done, why do you care what sites they visit or how much time they spend? If they don't, write them up, and let them move on.
Packet shaping to throttle streaming did our network a great deal of good. Nobody's quite as concerned with the social networking sites now that 3 people pulling YouTube videos doesn't interfere with MSDN downloads.
Make sure to find out what the real pain points are before deciding on a solution.
Most people wrongly assume the aim of web filtering is single-minded. It is not "just" about productivity, though I have seen numerous real-world examples where productivity and output increased hugely when gentle controls were applied. I work for SmoothWall, a web filtering vendor, so whilst I might have a spot of bias, I am also well experienced!
Websense are even advertising "say yes" these days, and we (SmoothWall) agree. You need to be lenient. Using soft-block (just a reminder that this is "non-policy") or time bands are two ways of slackening things off.
In any case, as I was saying, it is not just productivity: I have seen HR issues arising from misuse of social networking, from misuse of adult websites, and from lack of evidence when these happen.
Finally, it is worth pointing out that not everyone behaves like we expect them to. Not everyone has a "sysadmin/techie mindset" and will work harder because you give them Facebook; many will take a mile given an inch. Human nature, I am afraid.
You are trying to block it backwards.
You shouldn't care about TCP/IP going TO the host, as you have it. You should block incoming traffic, that is:
OR just block the web traffic:
However, this won't block everything, because the address www.youtube.com gets converted to the first IP address your DNS finds, and your blocking gets munged by load balancing. You can block the whole network if you want to get nasty.
If your employees are choosing to waste time rather than do their job, why would removing one of the thousands of ways they can waste time matter?
Perhaps the problem is a work environment created by people who think they can treat their employees in this kind of manner.
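Pulling together the firewall side of the answers above (JR's "block outbound port 80 and 443 from everything except the proxy", the packet-shaping suggestion for streaming, and the point that a host name in an ipfw rule only ever resolves to one address while the site answers from many), here is an added example for a FreeBSD 6.x router using ipfw with natd. It is not code from the question or from any answer. The interface names, the proxy address, the rule numbers and the netblocks (documentation ranges) are assumptions; the LAN prefix is the one from the question. It needs IPFIREWALL, IPDIVERT and DUMMYNET support in the kernel or the corresponding modules loaded.

```shell
#!/bin/sh
# Added example for a FreeBSD 6.x ipfw + natd (divert NAT) router.
# Interface names, proxy address, rule numbers and netblocks are assumed /
# constructed; replace them with your own before applying.
ext_if=fxp0                  # assumed: interface facing the Internet
int_if=fxp1                  # assumed: interface facing the LAN
lan=192.168.0.0/20           # LAN prefix from the question
proxy=192.168.0.10           # assumed: the Squid host, the only LAN machine allowed direct web access

# Constructed netblocks standing in for the sites to block and to throttle.
# A host name in a rule is resolved to ONE address when the rule is loaded and
# big sites rotate through many, so list the provider's whole netblocks (from
# whois / routing data) in a table instead of relying on a single A record.
block_nets="203.0.113.0/24 198.51.100.0/24"
throttle_nets="192.0.2.0/24"

# Print the ipfw commands instead of running them, so the rule set can be
# reviewed, diffed and tested before it touches the firewall.
build_rules() {
    echo "ipfw -f flush"
    echo "ipfw -f pipe flush"
    echo "ipfw table 1 flush"
    echo "ipfw table 2 flush"
    for n in $block_nets;    do echo "ipfw table 1 add $n"; done
    for n in $throttle_nets; do echo "ipfw table 2 add $n"; done

    # Dummynet pipe that caps downloads from the throttled sites.
    echo "ipfw pipe 1 config bw 256Kbit/s"

    echo "ipfw add 100 allow ip from any to any via lo0"

    # Outbound web traffic is matched BEFORE the divert rule, while the packet
    # still carries its private source address, so per-host decisions work.
    echo "ipfw add 200 allow tcp from $proxy to any dst-port 80,443 out via $ext_if"
    # Direct block of the listed netblocks: deny the LAN's own connection
    # attempts, matched on destination address, not on a host name.
    echo "ipfw add 300 deny tcp from $lan to table(1) dst-port 80,443 out via $ext_if"
    # Force everything else through the proxy (Squid does the per-site policy
    # and the logging). Drop this rule if you only want the netblock filter.
    echo "ipfw add 350 deny tcp from $lan to any dst-port 80,443 out via $ext_if"

    echo "ipfw add 400 divert natd ip from any to any via $ext_if"

    # Inbound replies re-enter here with their LAN destination restored, so the
    # throttle rule sits after the divert and can match on the LAN prefix.
    echo "ipfw add 450 pipe 1 tcp from table(2) to $lan in via $ext_if"

    echo "ipfw add 65000 allow ip from any to any"
}

# Sanity check: every deny rule must carry a lower number than the divert rule,
# otherwise it sees translated addresses and never matches a LAN host.
# Returns 0 when the order is right.
check_order() {
    build_rules | awk '
        $2 == "add" && $4 == "divert" { divert = $3 + 0 }
        $2 == "add" && $4 == "deny"   { deny[n++] = $3 + 0 }
        END { for (i = 0; i < n; i++) if (deny[i] > divert) exit 1 }'
}

# Review with "sh block_sites.sh"; apply with "sh block_sites.sh apply".
check_order || { echo "deny rules must precede the divert rule" >&2; exit 1; }
if [ "$1" = "apply" ]; then build_rules | sh; else build_rules; fi
```

Rule 350 is what makes JR's setup work: with direct port 80/443 blocked for everyone but the proxy, a user who removes the proxy setting from the browser simply gets nothing, and the decision about which sites are allowed moves to Squid, where it is logged. Rule 300 is the ipfw-only variant for people without a proxy; it blocks the outgoing connection attempt from the LAN rather than traffic "to the host" by name, and it stays useful only as long as the table tracks the site's address space.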