At the core of decisions about Internet access, monitoring and content filtering are business policies that specify where, when and how users will access web content.
Understanding web usage is not only important to organizations that feel they need to control their users, but should be equally important to those that feel it's their employees' right to do whatever they want as long as the work is getting done.
Regardless of your stance, it has become clear that improper use of the Internet can cause more consequences than simply losing a couple of hours of employee productivity. Of equal or greater concern is the cost in terms of downtime, cleanup and service re-activation resulting from worms and viruses unknowingly downloaded from the web to an employee's PC - and ultimately to the entire enterprise network. According to Computer Economics, the worldwide economic cost of the Code Red virus exceeded $2.5 billion.
Some organizations, like elementary schools, clearly need to restrict the access rights of users. This comes down to the need to protect children from accidentally going to innocent sounding web sites like www.whitehouse.com. In the United States, it also allows the schools to have access to federal funding from programs such as eRate which require content filtering under the Children's Internet Protection Act (CIPA).
In the corporate world, network administrators generally trust their employees and only want to track their Internet usage to ensure appropriate use during business hours. After hours, activities like shopping, games, trading stocks and gambling are often considered acceptable.
But even in the most liberal of organizations, a certain level of control is still required. Certain activities are just not acceptable in any organization. For example, running non-work related streaming files at such high bandwidth that the entire network is impacted, downloading viruses that infect the entire company, or viewing pornography in open areas, exposing the company to unnecessary legal liability. While many IT organizations do not want to be perceived as the Internet police, certain measures must be taken to protect the company as a whole.
While organizations may have different approaches to web access policy, they tend to agree on this: what is easily written down in the employee handbook by the human resource staff is often very difficult to implement on the network by the IT staff. Translating business policy into network policy requires business and IT leaders to work together in ways they have previously not had to.
Understanding Business Policy
The first step to implementing a web access and monitoring policy is to understand the business policies that need to be put in place. Typically, business policies encompass requirements that state what kinds of content and which applications users need to do their job, as well as acceptable uses of company resources.
A corporate telephone usage policy serves as a good example of how an organization needs to strike a balance between providing a tool critical to productivity and controlling abuse of company resources. Most users in most organizations need access to a telephone. Some of those users also need access to long distance services. Of course, since long distance is not free, there is potential for abusing it in the form of employees making personal long distance calls in company time, using company resources. Different organizations respond to this issue in different ways. In some organizations, employees are issued billing codes for long distance calls, while in others long distance services are enabled for some phones and not others.
With regard to business policy surrounding networking resources, some of the important questions that need to be answered include: is logging Internet access and activity necessary? Do certain types of sites need to be blocked? Is it OK for users to visit some blocked sites after hours or during breaks? Are there groups in the organization that require multimedia content for training or other business purposes?
Some organizations define business policies at a content level. An example of content policy would be that content likely to expose the company to legal liability, such as pornography or hate speech, should always be blocked, but content like sports entertainment that isn't likely to be offensive, but is not productive, should be blocked during business hours only.
Typically, as a company defines these policies, administrators come to the realization that business policies are not one size fits all, but instead vary by user, department, country, and even time of day or other factors. For example, executives often want to be exempt from content filtering policies. Whatever technology is deployed must be flexible enough to define granular policies that can handle the inevitable one-off exceptions driven by business requirements. Just as important is the ability to be able to manage those policies, and exceptions to policy, in a simple and straightforward manner.
Understanding Network Policy
In addition to exceptions driven by business policy, organizations need to implement network policies that are based on resource constraints and security requirements (like virus scanning). Typically, these policies are subject to the same kinds of exceptions as business policies.
For instance, after the Code Red and Nimda worm viruses took down many corporate networks, most network operators now want to restrict potentially dangerous active content, like Java script or visual basic script, from entering the network. However, active content is often required for specific business applications, especially when users are interacting with a business partner, supplier or customer via the Internet. The result is a need for a policy that restricts active content except in the cases when business requirements justify the associated risks.
Likewise, many organizations need to allow some users access to streaming media content, but because of limited network resources, these organizations need to implement a practical bandwidth management policy. Such a policy might specify "At headquarters, limit streaming bandwidth to 100kbps per person, and 1Mbps total. Exceptions: (1) allow group Executives to view streams up to 300Kbps, (2) allow group Finance to view streams from certain financial sites up to 300Kbps. Finally, regardless of group membership, at remote office with only T1 connectivity, limit streams to 56Kbps per person and 200Kbps total." While this policy allows streaming on the network, it ensures that users are not able to adversely affect other critical network resources.
The Firewall Isn't Enough
Once the amount and types of control that are required within the organization are determined, then it is possible to look at alternatives for implementing business and network policies. Fundamentally, it comes down to having the required basic features - content filtering, access reporting, virus scanning and bandwidth management - and having the ability to provide granular policy on how those features are implemented and how exceptions can be made.
The traditional place for content and network policy to be implemented has been on the firewall. However, this approach has some inherent drawbacks owing to the fact that firewalls were not designed for operations on content, such as parsing HTTP pages to send objects to virus-scanning servers, or to limit the requested bandwidth for streaming content. Rather, firewalls are designed to examine packets and connections. Some set of protocols is allowed in, and some set of protocols is allowed out. As additional content-focused services are layered on top of core packet and protocol functionality, firewall scaling and performance problems are inevitable. In addition, the typical, 'exception-rich' environment puts additional load on policy infrastructure, making optimization for specific security functions a key requirement.
A New Class of Network Devices
Recently, a new class of devices, called security gateways, has emerged to address the need to translate business and security requirements into network policies. Security gateways optimize different security applications into a single platform. The result is a flexible environment that allows companies to define policies that make sense for their business environment.
As more enterprises realize the importance of a well-defined set of business policies, the significance of security gateways has increased. Now, more than ever, enterprises understand that some of the biggest threats to network resources come from the inside. Often these threats are the result of uninformed users bringing in viruses or taking down the network with inappropriate traffic. This fact is driving the requirement to translate business policies into a manageable set of network policies.
Steve House is product marketing manager for the Security Gateway product line, and Frank Cabri is director of marketing, for CacheFlow (www.cacheflow.com).