Worms/Viruses - Is Blocking Internet Access an Overreaction?

jjustice asks: "I am a Software Engineer at a company that makes financial software for the healthcare industry. We got hit hard by Nimda last week and lost a few days of productivity. Some parts of management are now convinced that the Internet is too dangerous to allow us access from our LAN. They've completely the fact that most viruses/trojans/etc come in via email (which they don't plan to block). I don't know how I would do my job without at least Google Groups and Oracle's Technet/Metalink. They're considering an isolated subnetwork or a special 'lab' for Internet access only. I would hate to have to leave my desk to look something up on the Internet. It would totally disrupt my habitual workflow. Am I just being spoiled? Do other companies have similar Internet access policies? How can I convince them that this is excessive paranoia?" Wouldn't better security and virus checking be the more prudent solution in this case?
For those of you suffering from a similar problem, this submission from cpufreak might be the cure-all you are looking for: "A large number of people work in an environment where their internet access is restricted, and they have to go through a proxy of some kind. This can be frustrating and inconvenient for you - but the employer aims to restrict your internet access in order to keep your focus on the work in hand. But can they actually do this? Chris Mason has written a little bouncer which supports most common Intel based platforms, which lets you get out and quite simply do what you want, at the same time making it very difficult for them to know exactly what you're doing. More details can be found here."

  • by XoXus ( 12014 ) on Thursday September 27, 2001 @07:29PM (#2361392)
    This may sound obvious, but try talking to them in person, and explain that the biggest threat is email propagated trojans. If you put it to them simply, without jargon or condescension, they'll probably understand.

    Oh, and speak to them individually. Management tends to be rather stupid when put together.

    Dave.
  • A logical reply (Score:2, Interesting)

    by _typo ( 122952 )
    Tell them that lack of management got them the problem in the first place and that they should be looking to cure the problem instead of patching around it. I have a LAN, a NAT LAN that didn't get hit by worms or viruses. Why? Because the firewall was designed to be secure in the first place and make the rest of the network invisible to the outside world. As for email, dump Outlook and use Netscape/Mozilla, that should keep you a lot safer. Make *THAT* an enforced policy and not restricted net access.
    • Re:A logical reply (Score:2, Insightful)

      by Ziwdam ( 457273 )

      If they're going to block internet access, they must have a firewall anyway... either that or they are just going to change the router/gateway setting on every workstation. Not having a firewall is just kind of stupid, though.

      It doesn't matter so much if you use NAT to protect the internal network, simply denying access to internal machines from the outside world would protect machines inside from getting hit by Nimda-type worms.

      I'm not saying that NAT isn't a good idea (don't need all those IP addresses!), I'm just saying it's not necessary for security.

      I think the root issue here is that many IT people, especially ones trained to run Microsoft servers, have no clue about security. (Well, Microsoft has no clue about security, but that's a whole 'nother rant...) This is especially bad since keeping a server somewhat secure is not that hard -- read Bugtraq, apply all security patches, and don't do anything stupid like give out the root password to people claiming to be from the ISP. Oh, and always try and keep access as low as possible. If someone needs a mail account, don't give them shell access too! Or, firewall the internal network so that the outside world can't get to it. Really, it's not all that hard.

      • "If they're going to block internet access, they must have a firewall anyway... either that or they are just going to change the router/gateway setting on every workstation"

        I have talked to quite a few managers and company owners in the last few weeks who are getting ready to just unplug the Internet connection - totally and forever. From a return on investment perspective it is becoming less clear that the Internet is a net gain for the typical business.

        sPh
        • That would be another way to do it.

          But, apparently they're still going to get email.

          Maybe they're going to print out all the email and distribute it that way. Actually, I know that at Reed College, that's the default way to get your email. Kind of a waste of paper, especially when you're trying to figure out why your 50 test messages aren't showing up on the IMAP server...

  • by MrBlack ( 104657 ) on Thursday September 27, 2001 @09:05PM (#2361763)
    Sometimes I wonder how programmers worked before widespread use of the internet. Currently if I have a problem with something that I cannot solve myself a couple of minutes searching Google + newsgroups will usually reveal the answer, or a viable alternative. The wealth of information is staggering (even if the signal to noise is sometimes a bit low - you have to learn to be selective). On the flip-side I've noticed I can sometimes lose chunks of time posting stuff to Slashdot, surfing the web etc that is not really work related. It seems obvious to me that the answer is better security and configuration of firewalls etc, but then I'm not a manager.

    Other than outlining the common sense arguments against blocking the net in your question, I cannot think of any arguments except to try it for a week/fortnight/however long you need to get sensible data. Then measure your current productivity against your productivity when you had net access.

    • Sometimes I wonder how programmers worked before widespread use of the internet.

      Books. MSDN (believe it or not).

      I can sometimes lose chunks of time posting stuff to Slashdot, surfing the web etc that is not really work related.

      Don't worry, before the Internet there was staring out the window, drinking too much coffee... hundreds of ways of wasting time. On the flip side, if you feel your productivity is suffering because you're posting to Slashdot, don't. Basically. All the firewalling, content filters and Nazism from sysadmins will not stop bored people from wasting time.

      Speaking of which, I have stuff to do.

      Dave
  • Where I work, just about everyone has internet access, but only through the proxy server. We were never hit by Nimda/Sircam/etc. because of good admins. The email is filtered and all emails containing anything executable are held in a "quarantine" with emails being sent out to the sender and receiver of the email notifying them of this and asking them to justify why the executable is being sent. This helps stop the spread of virii. As for Internet Explorer, I don't think the client copies on the workstations are patched up, but the proxy server is set up to block potentially harmful content. Plus, there is a virus checker running on every machine that is automatically updated.

    This results in everyone having email and internet access without the problem of virii.

    Kudos to the admin staff here!
  • I think that just excluding web access isn't going to achieve their objective. Moving to a platform with fewer security faults and better security overall is something that needs to be done. Microsoft built some cool stuff, but they failed to realize that while you could actually use it for useful things, it could also be used for malicious intent, and did not make it easy enough to fix. Linux and open source OSes are good because there are thousands of eyes looking at the code every day. I know I am preaching to the choir here, but this is an idea whose time has come.

    Another thing is that companies SCRIMP on training. Period. We used to have a person who offered volunteer training on various products. What no one EVER looked at or suggested was both policy and software training as a REQUIREMENT! Thus people are not only idiots about e-mail virii and stuff, they now can't use what they are paid to use. So they decided we needed a new one (more "pretty" and "PC LIKE" than the mainframe). A project got started by these exact folks. After our folks and some folks in other departments helped (usually the ones who help are not the ones who use the system), and we got a project approved and we can actually start to spend money, there's zero interest and they keep wanting to change our existing system. Now when the real work starts (RSN), no one cares and the higher ups don't want to lay a no changes mandate down and we are chasing a moving target. Why did I type all this? It displays the complete LACK of understanding of computers. Some people think, oh we need to change the way we do this and then don't think on how it affects the computer folks maintaining the current system who are trying to develop a new system and maintain the existing stuff. A simple policy change can wreak havoc on our lives. We have no way of billing them and they think that these kind of changes cost no money (to them) but it doesn't matter that we have to work overtime for weeks to implement their change. Ok I am rambling again, but this behavior is why users don't think when they click on executables. They think, oh well if I mess it up, IT will fix it. They take no responsibility for their actions.

    I feel if most IT departments would just get the approval to bill other departments for things they do, then one: we'd have budget for the infrastructure upgrades and two: we'd have the budget and time to have enough admins to take control of the security problems and bottlenecks on the network. People have to realize that these are NOT their PCs and NOT their servers, they just happen to use them.
  • Use web proxies and email proxies that scan for viruses.

    Also turn on mandatory authentication on the web proxy.

    Sure people may complain. But this makes it harder for any trojans/worms that somehow slip past to get new potentially nasty instructions from remote websites, or from propagating to other sites.

    That said IE is the weak link here, because it tends to store user passwords. So a next generation trojan could in theory retrieve those passwords and proxy settings and use those to access the web.

    Still as long as only a few of us do such things, the trojan writers are unlikely to bother to deal with this scenario.

    Funny thing is somehow a few idiots over here still go visiting dubious sites when signed in as themselves... Doh.

    Up to them, but if they get even stupider and download huge movies the whole day and the bosses start wondering why checking their stocks erm ok "critical financial information" is taking so long...

    Cheerio,
    Link.
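
Several comments above describe a mail gateway that holds anything executable in quarantine and notifies both sender and receiver. The sketch below is an added example, not code from any commenter or product: the extension list, the function names and the sample addresses are assumptions made for illustration. It checks both the attachment name and the leading `MZ` bytes, so an executable that is renamed or given an unrelated MIME type is still held.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension list is an assumption for this sketch, not a complete policy.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

def executable_parts(msg):
    """Return (filename, reason) for every part that looks executable."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if any(name.endswith(ext) for ext in BLOCKED_EXT):
            hits.append((name, "blocked extension"))
        elif payload[:2] == b"MZ":
            # DOS/PE header: catches executables renamed or mislabelled by MIME type.
            hits.append((name or "(unnamed)", "MZ header"))
    return hits

def filter_message(raw):
    """Decide deliver/quarantine; on quarantine, build notices for both parties."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = executable_parts(msg)
    if not hits:
        return "deliver", []
    held = ", ".join(f"{name} ({reason})" for name, reason in hits)
    notices = []
    for rcpt in (msg["From"], msg["To"]):
        note = EmailMessage()
        note["To"] = str(rcpt)
        note["Subject"] = "Message held in quarantine"
        note.set_content("Held attachments: " + held +
                         "\nReply with a justification to have it released.")
        notices.append(note)
    return "quarantine", notices

def build_sample(filename, data, maintype="application", subtype="octet-stream"):
    """Constructed test message; addresses and contents are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.org", "report"
    m.set_content("see attached")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()
```
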
