Internet access policy, or why all these difficulties?
The complexity of Internet access policies, and where does it lead?
Greetings to the esteemed community.
For four years I have been doing system administration of a corporate local area network, and the whole time one question keeps coming up in one form or another: "What policies should govern Internet access for company employees?" Every year my own answer to this question changes. Today I would like to publish an article that opens a discussion of this issue and also reflects my opinion on it.
At the beginning of my work as a system administrator, when I came to the company, I believed that Internet access should be very strictly regulated: everything should be accounted for and controlled. No one should have access to social media in the workplace, and by social media I meant social networks, video hosting and everything of that kind. When I started, I found understanding in the eyes of my colleagues, and that understanding was also reflected in the server room by the presence of: squid with access control, with a complete reporting system, with a large set of dynamic restrictions on visiting sites; speed-limited access groups; traffic limits; time limits; restrictions on downloading files. "And it seemed to me great, and very, very good." After all, this way employees work more productively, and system administrators become a kind of "Gods of the Internet", because it was so cool, on System Administrator Day, to show everyone on their first visit to any Internet page a stub of the form: "Congratulate your admins! Today is their day." And to set Vasya from the sales department to 10 kB/s for a sour face. All this was there even before I joined the organization, and it seemed to be exactly what I needed. But in practice...
At my last place of work my boss always said wisely: "Don't block social networks, you don't need unnecessary restrictions and entities." But I always exclaimed in response: "No! It's necessary! They do nothing, they only browse social networks! Everything must be closed off." Time passed, and soon the old administrators began to leave, and their former duties began to fall to me, by what is called "inheritance". At first I was very happy! "Ohhh," I thought, "so now I am the God of the Internet, now I hold the circuit breaker."
But what came of it?
But in practice it turns out that all these restrictions greatly interfere with the lives of ordinary people who don't understand much about computers and don't visit anything in particular, but who need to download documents, price lists and programs for work; lacking that ability, they constantly called the IT department and asked the "Gods of the Internet" to download files for them. After a while all this began to bother me, and I had to give people full access to download files, since I simply did not want to do all this meaningless work. And what did I find in the configuration files? It turned out that a large part of the people had long since been moved to full access without me.
And the cunning people? The cunning ones can download anything and don't give a damn about the various restrictions.
Viruses? As there were many, there are still many. Nothing protects against this at the proper level except a bright head and an antivirus on the end workstation.
And network security? Is there any, with this approach? No. And here is why:
Port 443 and a number of other ports had to be opened, because it is obvious to everyone that a number of ports simply cannot be proxied, let alone cached, at a high level. I really liked the situation when, in a very large organization, I needed to give a person access to our servers, and what was my surprise when I found a portable SOCKS proxy server for Windows that requires no privileges, and access to our server on port 443 was granted immediately. And they had assured me that security in this company was very complicated. Needless to say, the Radmin client encrypts its traffic, so it is very unlikely that we would be caught in this scheme. But we did not overindulge; we did it once and not for long.
What happened next? Then management requested a report on the sites visited by one of the employees. I honestly provided nicely formatted squid logs, but who would think of reading a 50-page report, printed by me, of the URLs visited? After all, everyone knows that visiting just one site produces a lot of URLs. They limited themselves to just the total amount of traffic, and it immediately became clear that, given the employee's duties, this amount of traffic clearly exceeded all reasonable limits.
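The report management actually read was the total, not the URL list. As an added example (not from the article and not part of any squid distribution), the script below parses squid's native access.log format and reduces it to the numbers that answer that question: bytes and request count per user, how many requests were denied, and which hosts account for most of the bytes. The log lines are constructed samples; unauthenticated requests (user "-") are attributed to the client IP so that no traffic is silently lost, and CONNECT lines (which log host:port rather than a URL) are handled separately. The quota value is an assumption for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log format; not taken from the article.
# Fields: timestamp elapsed client result/status bytes method URL user peerstatus/peerhost type
SAMPLE_LOG = """\
1577836800.123    245 192.168.1.10 TCP_MISS/200 45312 GET http://example.com/index.html alice DIRECT/93.184.216.34 text/html
1577836801.456    120 192.168.1.10 TCP_MISS/200 2048 GET http://example.com/style.css alice DIRECT/93.184.216.34 text/css
1577836802.789   3000 192.168.1.11 TCP_MISS/200 10485760 GET http://video.example.net/clip.mp4 bob DIRECT/203.0.113.5 video/mp4
1577836803.000     50 192.168.1.11 TCP_DENIED/403 1100 GET http://video.example.net/clip2.mp4 bob NONE/- text/html
1577836804.000    400 192.168.1.12 TCP_TUNNEL/200 512000 CONNECT secure.example.org:443 - DIRECT/198.51.100.7 -
this line is garbage and must be skipped
"""

SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


def host_of(method, url):
    """Reduce a request to its host. CONNECT lines carry host:port rather than a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def parse_squid_log(text):
    """Parse native-format lines; returns (records, skipped), skipped = unparsable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SQUID_LINE.match(line)
        if not m:
            skipped += 1
            continue
        d = m.groupdict()
        records.append({
            "ts": float(d["ts"]),
            # Unauthenticated requests log "-" as the user; fall back to the client IP
            # so the traffic is still attributed to a host.
            "who": d["user"] if d["user"] != "-" else d["client"],
            "result": d["result"],
            "bytes": int(d["bytes"]),
            "host": host_of(d["method"], d["url"]),
        })
    return records, skipped


def summarize_by_user(records):
    """Total bytes, request count, denied count and per-host bytes for each user/host."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["who"], {"bytes": 0, "requests": 0, "denied": 0,
                                           "hosts": defaultdict(int)})
        s["requests"] += 1
        s["bytes"] += r["bytes"]
        s["hosts"][r["host"]] += r["bytes"]
        if r["result"].endswith("DENIED"):
            s["denied"] += 1
    return summary


def top_hosts(summary, who, n=3):
    """The n hosts that account for the most bytes for one user, largest first."""
    return sorted(summary[who]["hosts"].items(), key=lambda kv: kv[1], reverse=True)[:n]


def over_quota(summary, quota_bytes):
    """Users whose total exceeds the quota: the one number that is actually read."""
    return sorted(who for who, s in summary.items() if s["bytes"] > quota_bytes)


if __name__ == "__main__":
    recs, skipped = parse_squid_log(SAMPLE_LOG)
    summary = summarize_by_user(recs)
    for who in over_quota(summary, 5 * 1024 * 1024):  # assumed 5 MiB demo quota
        print(who, summary[who]["bytes"], "bytes; top hosts:", top_hosts(summary, who))
    print("skipped lines:", skipped)
```

Run against a real access.log the same way (read the file into `parse_squid_log`); the per-user totals and the top-hosts list together fit on one page, which is what a manager can act on, while the full URL list stays in the log for the rare case where it is needed.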
Does caching help with modern dynamic Web content? I think very little.
As a result, a few years later, I began to understand the wisdom of my boss's words, and I came to the conclusion that there is practically no need to be clever and play God at the level of L7 traffic. More and more I am inclined to the idea that it is much more efficient to count L2/L3 traffic and look at the total amount of traffic consumed by a host (per week / per month). The host can be tied to a DHCP lease plus its MAC address; in a normal network this is enough. In extreme cases you can configure smart switches with port filtering by MAC.
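The per-host L3 accounting described above needs one thing that a plain IP-based counter misses: the same address is handed to different machines over time, so the byte count has to be keyed by the MAC that held the lease when the flow happened. As an added example (not from the article), the script below takes a constructed DHCP lease history and constructed per-flow summaries (start time, source, destination, bytes), attributes each Internet-bound flow in either direction to the MAC holding the inside IP at that moment, and buckets the result per ISO week. LAN-to-LAN flows are ignored, and flows whose inside IP has no lease at that time are reported under an "unknown:<ip>" key rather than dropped. The LAN prefix, the lease file layout and the weekly quota are assumptions for the demonstration; a real deployment would feed it the DHCP server's lease log and NetFlow/sFlow exports.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# The office LAN; anything outside it counts as "the Internet" (constructed assumption).
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Lease:
    start: int  # epoch seconds when the DHCP lease began
    end: int    # epoch seconds when it ended (expired or released)
    mac: str
    ip: str


# Constructed lease history (not from the article). Fields: start end mac ip hostname.
# 192.168.1.20 is held by two different MACs in succession, which is exactly why the
# IP address alone is a poor accounting key.
LEASES_TXT = """\
1704067200 1704153600 aa:bb:cc:00:00:01 192.168.1.20 pc-sales-1
1704153600 1704240000 aa:bb:cc:00:00:02 192.168.1.20 laptop-guest
1704067200 1704800000 aa:bb:cc:00:00:03 192.168.1.21 pc-accounting
"""

# Constructed per-flow summaries (not from the article). Fields: start,src_ip,dst_ip,bytes.
FLOWS_CSV = """\
1704070000,192.168.1.20,93.184.216.34,1500000
1704160000,192.168.1.20,203.0.113.5,9000000
1704200000,203.0.113.5,192.168.1.20,4000000
1704300000,192.168.1.21,198.51.100.7,250000
1704300500,192.168.1.21,192.168.1.20,800000
1704700000,192.168.1.21,198.51.100.7,3000000
"""


def parse_leases(text):
    leases = []
    for line in text.splitlines():
        if line.strip():
            start, end, mac, ip, _hostname = line.split()
            leases.append(Lease(int(start), int(end), mac.lower(), ip))
    return leases


def mac_for(leases, ip, ts):
    """MAC that held this IP at time ts, or None if no lease covers that instant."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.mac
    return None


def iso_week(ts):
    year, week, _weekday = datetime.fromtimestamp(ts, tz=timezone.utc).isocalendar()
    return f"{year}-W{week:02d}"


def account_flows(flows_csv, leases):
    """Bytes per (ISO week, MAC) for Internet traffic in both directions."""
    usage = defaultdict(int)
    for line in flows_csv.splitlines():
        if not line.strip():
            continue
        start, src, dst, nbytes = line.split(",")
        ts = int(start)
        src_in, dst_in = ip_address(src) in LAN, ip_address(dst) in LAN
        if src_in == dst_in:  # both inside (or both outside): not Internet usage
            continue
        inside_ip = src if src_in else dst
        key = mac_for(leases, inside_ip, ts) or f"unknown:{inside_ip}"
        usage[(iso_week(ts), key)] += int(nbytes)
    return dict(usage)


def over_weekly_quota(usage, weekly_quota_bytes):
    """(week, host) pairs whose total exceeds the quota, sorted for a stable report."""
    return sorted(k for k, total in usage.items() if total > weekly_quota_bytes)


if __name__ == "__main__":
    usage = account_flows(FLOWS_CSV, parse_leases(LEASES_TXT))
    for (week, host), total in sorted(usage.items()):
        print(week, host, total)
    print("over quota:", over_weekly_quota(usage, 10_000_000))  # assumed 10 MB/week
```

The "unknown" bucket is worth watching on its own: an inside address that carries Internet traffic with no matching lease is either a static host the lease table does not know about or a device that configured its own address, and both are things an administrator wants listed rather than averaged away.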
It seems to me that tough Internet access policies have lost their relevance, and filtering traffic at L7 brings more problems than benefits... After all, all of this has to be maintained; something must always be allowed, something must be prohibited. And the net result of all this is practically zero.
P.S. Of course, with all this, you need to understand that sometimes simplicity is worse than theft. A sound balance must be maintained, and everything that is clearly not required for employees' work should be closed. We are talking about small office organizations that do not work with sensitive data.
And what does the esteemed community think about this? Does a tough policy breed a "concierge syndrome", from which there is no benefit, only a bunch of unnecessary support and complication problems? What are the benefits of all this sophisticated system of access policies? The Windows domain is good, but more and more *Pad technology appears, so that domains have already lost, one might say, their original meaning: a single landscape.