Worms/Viruses - Is Blocking Internet Access an Overreaction?
jjustice asks: "I am a Software Engineer at a company that makes financial software for the healthcare industry. We got hit hard by Nimda last week and lost a few days of productivity. Some parts of management are now convinced that the Internet is too dangerous to allow us access from our LAN. They've completely the fact that most viruses/trojans/etc come in via email (which they don't plan to block). I don't know how I would do my job without at least Google Groups and Oracle's Technet/Metalink. They're considering an isolated subnetwork or a special 'lab' for Internet access only. I would hate to have to leave my desk to look something up on the Internet. It would totally disrupt my habitual workflow. Am I just being spoiled? Do other companies have similar Internet access policies? How can I convince them that this is excessive paranoia?" Wouldn't better security and virus checking be the more prudent solution in this case?
For those of you suffering from a similar problem, this submission from cpufreak might be the cure-all you are looking for: "A large number of people work in an environment where their internet access is restricted, and they have to go through a proxy of some kind. This can be frustrating and inconvenient for you - but the employer aims to restrict your internet access in order to keep your focus on the work in hand. But can they actually do this? Chris Mason has written a little bouncer which supports most common Intel-based platforms, which lets you get out and quite simply do what you want, at the same time making it very difficult for them to know exactly what you're doing.
More details can be found here."
Talk to them in person (Score:3, Insightful)
Oh, and speak to them individually. Management tends to be rather stupid when put together.
Dave.
A logical reply (Score:2, Interesting)
Re:A logical reply (Score:2, Insightful)
If they're going to block internet access, they must have a firewall anyway... either that or they are just going to change the router/gateway setting on every workstation. Not having a firewall is just kind of stupid, though.
It doesn't matter so much if you use NAT to protect the internal network, simply denying access to internal machines from the outside world would protect machines inside from getting hit by Nimda-type worms.
I'm not saying that NAT isn't a good idea (don't need all those IP addresses!), I'm just saying it's not necessary for security.
I think the root issue here is that many IT people, especially ones trained to run Microsoft servers, have no clue about security. (Well, Microsoft has no clue about security, but that's a whole 'nother rant...) This is especially bad since keeping a server somewhat secure is not that hard -- read Bugtraq, apply all security patches, and don't do anything stupid like give out the root password to people claiming to be from the ISP. Oh, and always try and keep access as low as possible. If someone needs a mail account, don't give them shell access too! Or, firewall the internal network so that the outside world can't get to it. Really, it's not all that hard.
Re:A logical reply (Score:2)
I have talked to quite a few managers and company owners in the last few weeks who are getting ready to just unplug the Internet connection - totally and forever. From a return on investment perspective it is becoming less clear that the Internet is a net gain for the typical business.
sPh
Re:A logical reply (Score:1)
That would be another way to do it.
But, apparently they're still going to get email.
Maybe they're going to print out all the email and distribute it that way. Actually, I know that at Reed College, that's the default way to get your email. Kind of a waste of paper, especially when you're trying to figure out why your 50 test messages aren't showing up on the IMAP server...
No Net == Productivity Disaster? (Score:4, Insightful)
Other than outlining the common sense arguments against blocking the net in your question, I cannot think of any arguments except to try it for a week/fortnight/however long you need to get sensible data. Then measure your current productivity against your productivity when you had net access.
Re:No Net == Productivity Disaster? (Score:2)
Books. MSDN (believe it or not).
I can sometimes lose chunks of time posting stuff to slashdot, surfing the web etc that is not really work related.
Don't worry, before the Internet there was staring out the window, drinking too much coffee... hundreds of ways of wasting time. On the flip side, if you feel your productivity is suffering because you're posting to slashdot, don't. Basically. All the firewalling, content filters and Nazi-ism from sysadmins will not stop bored people from wasting time.
Speaking of which, I have stuff to do.
Dave
Secure Internet access (Score:1)
this results in everyone having email and internet access without the problem of virii.
kudos to the admin staff here!
E-mail attachments........and stuff.... (Score:2)
Another thing is that companies SCRIMP on training. Period. We used to have a person who offered volunteer training on various products. What no one EVER looked at or suggested was both policy and software training as a REQUIREMENT! Thus people are not only idiots about e-mail virii and stuff, they now can't use what they are paid to use. So they decided we needed a new one (more "pretty" and "PC LIKE" than the mainframe). A project got started by these exact folks. After our folks and some folks in other departments helped (usually the ones who help are not the ones who use the system), and we got a project approved and we can actually start to spend money, there's zero interest and they keep wanting to change our existing system. Now when the real work starts (RSN), no one cares and the higher ups don't want to lay a no changes mandate down and we are chasing a moving target. Why did I type all this? It displays the complete LACK of understanding of computers. Some people think, oh we need to change the way we do this and then don't think on how it affects the computer folks maintaining the current system who are trying to develop a new system and maintain the existing stuff. A simple policy change can wreak havoc on our lives. We have no way of billing them and they think that these kind of changes cost no money (to them) but it doesn't matter that we have to work overtime for weeks to implement their change. Ok I am rambling again, but this behavior is why users don't think when they click on executables. They think, oh well if I mess it up, IT will fix it. They take no responsibility for their actions.
I feel if most IT departments would just get the approval to bill other departments for things they do, then one: we'd have budget for the infrastructure upgrades and two: we'd have the budget and time to have enough admins to take control of the security problems and bottlenecks on the network. People have to realize that these are NOT their PCs and NOT their servers, they just happen to use them.
Use web and mail proxies (Score:1)
Also turn on mandatory authentication on the web proxy.
Sure people may complain. But this makes it harder for any trojans/worms that somehow slip past to get new potentially nasty instructions from remote websites, or from propagating to other sites.
That said, IE is the weak link here, because it tends to store user passwords. So a next generation trojan could in theory retrieve those passwords and proxy settings and use those to access the web.
Still, as long as only a few of us do such things, the trojan writers are unlikely to bother to deal with this scenario.
Funny thing is somehow a few idiots over here still go visiting dubious sites when signed in as themselves... Doh.
Up to them, but if they get even stupider and download huge movies the whole day and the bosses start wondering why checking their stocks erm ok "critical financial information" is taking so long...
Cheerio,
Link.
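
The mandatory proxy authentication suggested in the comment above also gives defenders a log signal: a browser answers the proxy's 407 challenge with credentials, while a program that lacks them keeps getting denied. This is an added example, not part of the thread; it assumes Squid's native access.log layout, uses constructed log lines, and `unauthenticated_only` with its `min_denied` threshold is a hypothetical helper.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (assumed format):
# time elapsed client result/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1001000000.100 12 10.0.0.21 TCP_DENIED/407 1800 GET http://docs.example/ - HIER_NONE/- text/html
1001000000.300 95 10.0.0.21 TCP_MISS/200 5120 GET http://docs.example/ alice HIER_DIRECT/192.0.2.10 text/html
1001000020.000 10 10.0.0.37 TCP_DENIED/407 1800 GET http://updates.invalid/poll - HIER_NONE/- text/html
1001000080.000 10 10.0.0.37 TCP_DENIED/407 1800 GET http://updates.invalid/poll - HIER_NONE/- text/html
1001000140.000 10 10.0.0.37 TCP_DENIED/407 1800 GET http://updates.invalid/poll - HIER_NONE/- text/html
1001000200.000 10 10.0.0.37 TCP_DENIED/407 1800 CONNECT updates.invalid:443 - HIER_NONE/- -
1001000210.000 11 10.0.0.37 TCP_DENIED/407 1800 GET http://search.example/ - HIER_NONE/- text/html
1001000210.400 80 10.0.0.37 TCP_MISS/200 9000 GET http://search.example/ bob HIER_DIRECT/192.0.2.20 text/html
1001000300.000 10 10.0.0.44 TCP_DENIED/407 1800 GET http://news.example/ - HIER_NONE/- text/html
truncated line
"""

def parse_line(line):
    """Return (client, dest_host, http_status, user) or None if malformed."""
    parts = line.split()
    if len(parts) < 8:
        return None
    client, result, method, url, user = parts[2], parts[3], parts[5], parts[6], parts[7]
    status = result.partition("/")[2]
    # CONNECT requests are logged as "host:port" rather than a full URL.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or url)
    return client, host, status, user

def unauthenticated_only(log_text, min_denied=3):
    """List (client, host, denials) pairs that hit 407 repeatedly and never authenticated."""
    denied, authed = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or malformed lines
        client, host, status, user = rec
        if user != "-":
            authed.add((client, host))      # credentials were supplied for this host
        elif status == "407":
            denied[(client, host)] += 1     # challenge issued, no credentials sent
    return sorted((c, h, n) for (c, h), n in denied.items()
                  if n >= min_denied and (c, h) not in authed)

if __name__ == "__main__":
    for client, host, n in unauthenticated_only(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} unauthenticated requests, none authenticated")
```

Keying on the (client, destination) pair keeps a workstation's ordinary authenticated browsing from masking a second process on the same machine that never supplies credentials.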