Is your network for work or for play?
by Michael Mullins CCNA, MCP
Letting employees access social networking and streaming media Web sites doesn't just put a drain on your bandwidth—it can also open up your company to a host of risks. Mike Mullins tells you how to become the most unpopular person in your company by shutting down access.
This might be an unpopular statement, so I'll go ahead and get it out of the way: Your company might be a bank or it might be a travel agency, but whatever it is doesn't change the purpose of your network—it's still there for work.
If you ask any company officers whether the corporate network is for employee recreation or work, odds are really good that they'll tell you its purpose is to support the business objectives of the company. If that's the case, why do you allow users to swallow up resources for the sake of their amusement?
Social networks and Web sites that host streaming media are a drain on your computing environment and staff. Their continued availability to employees can leave the company vulnerable to a host of problems. Here are some examples:
- Introduction of malicious code (e.g., JS/QSpace virus)
- Client-side applications actively targeted by attackers for data exodus (e.g., Microsoft Security Bulletin MS-06-078)
- Posts that could potentially result in embarrassment to the organisation
- Lost productivity
- High bandwidth usage for streaming content
If these are the "pros" of allowing employees to access social networks and streaming media, then you should probably do something about it. And while you're at it, update your usage policy to clarify what is and isn't acceptable behaviour in the organisation.
Blocking entertainment is difficult—and not just because it's not going to win you any popularity contests. There's a wide variety of Web sites out there, and new ones pop up on a regular basis. For social networking, check Wikipedia for a list of social networking sites.
I recommend dividing up your efforts among the different types of culprits—mainly, social networking, photo sharing, and streaming media. To help you get started, here are a few suggestions of networks to block at your outer security boundary.
- 188.8.131.52 (hi5.com)
- 184.108.40.206 (hi5.com)
- 220.127.116.11/24 (MySpace.com)
- 18.104.22.168 (hi5.com)
- 22.214.171.124 (hi5.com)
- 126.96.36.199/22 (MySpace.com)
- 188.8.131.52/20 (MySpace.com)
- 184.108.40.206/29 (Photobucket.com)
- 220.127.116.11/20 (Photobucket.com)
- 18.104.22.168/20 (Live365.com)
- 22.214.171.124 (Metacafe.com)
- 126.96.36.199 (Metacafe.com)
- 188.8.131.52 (Metacafe.com)
- 184.108.40.206 (Metacafe.com)
- 220.127.116.11/22 (YouTube.com)
- 18.104.22.168 (1.FM)
- 22.214.171.124/27 (Pandora.com)
- 126.96.36.199 (Metacafe.com)
- 188.8.131.52/18 (MTV.com, ifilm.com)
- 184.108.40.206/22 (MTV.com, ifilm.com)
- 220.127.116.11/24 (StupidVideos.com)
- 18.104.22.168 (FileCabi.com)
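A block list like the one above grows quickly, and hand-typed ranges are easy to get wrong. The following script is an added example, not part of the original article: it validates each entry, merges overlapping or adjacent ranges so the rule set stays small, and emits iptables rules for the boundary device. The networks in SAMPLE_BLOCKLIST are constructed placeholders from the RFC 5737 documentation ranges, not the article's list; substitute the ranges you have identified.

```python
"""Turn a block list of network ranges into boundary firewall rules.

Added example, not from the original article. The entries below are
constructed placeholders (RFC 5737 documentation space), not the
article's own list.
"""
import ipaddress

# Constructed sample list: (network, label). A bare address is treated as a /32.
SAMPLE_BLOCKLIST = [
    ("192.0.2.10", "example-social-A"),
    ("192.0.2.11", "example-social-A"),
    ("203.0.113.0/25", "example-video-B"),
    ("203.0.113.128/25", "example-video-B"),
    ("198.51.100.0/22", "example-photo-C"),
    ("198.51.100.64/26", "example-photo-C"),   # already inside the /22 above
]


def parse_blocklist(entries):
    """Validate each entry and return a list of (IPv4Network, label).

    strict=False accepts a prefix with host bits set (e.g. 10.1.2.3/24);
    a malformed entry raises ValueError, so a typo never silently becomes
    a rule that blocks the wrong range.
    """
    return [(ipaddress.ip_network(text, strict=False), label) for text, label in entries]


def collapse(entries):
    """Merge adjacent and overlapping ranges into the smallest equivalent set."""
    return list(ipaddress.collapse_addresses(net for net, _ in entries))


def labels_for(net, entries):
    """Which block-list labels a collapsed range covers (for the rule comment)."""
    return sorted({label for entry, label in entries if entry.subnet_of(net)})


def iptables_rules(entries, chain="FORWARD"):
    """Emit a comment, a LOG rule and a DROP rule per collapsed range."""
    rules = []
    for net in collapse(entries):
        rules.append("# " + ", ".join(labels_for(net, entries)))
        rules.append(f'iptables -A {chain} -d {net} -j LOG --log-prefix "BLOCKED-SITE "')
        rules.append(f"iptables -A {chain} -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(parse_blocklist(SAMPLE_BLOCKLIST)):
        print(rule)
```

The LOG rule in front of each DROP is what makes the "monitor" step later in the article possible: every blocked attempt lands in syslog with a fixed prefix you can search for.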
Now that you've become the most unpopular person in your company, make sure you stay updated. Revise your list as you uncover new networks, and block them once you've identified them as nonproductive.
And once you've blocked a network, monitor! If you run Snort, you can use or modify these Snort rules provided by Cory Bys to detect traffic to social networking sites.
In addition, after you start restricting traffic like this from your network, you need to keep an eye out for users trying to go around your rules to get their entertainment fix. Start looking for anonymizing applications, network traffic through anonymous proxies, or terminal service connections going to home networks.
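As an added example of the monitoring the two paragraphs above call for (not code from the original article), this script reads boundary log lines, counts per-source hits against the blocked ranges, and flags outbound terminal-service (RDP, TCP 3389) connections to addresses outside the corporate space. The log format, the blocked ranges (RFC 5737 documentation space) and the corporate range 10.0.0.0/8 are all constructed assumptions; adapt LINE_RE to your firewall's syslog format.

```python
"""Match boundary log lines against the block list once the rules are in place.

Added example, not from the original article. Log format, addresses and
ranges are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed: blocked ranges (documentation space, not the article's list)
BLOCKED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/24")]
# Constructed: corporate address space; outbound RDP anywhere else is worth a look
CORPORATE = [ipaddress.ip_network("10.0.0.0/8")]
RDP_PORT = 3389  # Microsoft terminal services

# Constructed sample log lines in a key=value style
SAMPLE_LOG = """\
2024-03-04T09:01:12 src=10.1.4.22 dst=203.0.113.45 dport=443 action=DROP
2024-03-04T09:01:15 src=10.1.4.22 dst=203.0.113.45 dport=443 action=DROP
2024-03-04T09:02:40 src=10.1.4.22 dst=192.0.2.9 dport=80 action=DROP
2024-03-04T09:03:01 src=10.1.7.8 dst=198.51.100.20 dport=443 action=ALLOW
2024-03-04T09:05:33 src=10.1.4.22 dst=198.51.100.77 dport=3389 action=ALLOW
2024-03-04T09:06:10 src=10.1.9.3 dst=10.2.0.15 dport=3389 action=ALLOW
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def in_any(addr, nets):
    """True if the address falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def analyse(log_text):
    """Return (hits per source against BLOCKED, list of external RDP flows)."""
    blocked_hits = Counter()
    external_rdp = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, dport, _action = m.groups()
        if in_any(dst, BLOCKED):
            blocked_hits[src] += 1
        if int(dport) == RDP_PORT and not in_any(dst, CORPORATE):
            external_rdp.append((src, dst))
    return blocked_hits, external_rdp


def repeat_offenders(blocked_hits, threshold=3):
    """Sources that keep hitting blocked ranges: candidates for a policy reminder."""
    return sorted(src for src, n in blocked_hits.items() if n >= threshold)


if __name__ == "__main__":
    hits, rdp = analyse(SAMPLE_LOG)
    print("blocked-site hits:", dict(hits))
    print("repeat offenders:", repeat_offenders(hits))
    print("outbound RDP to non-corporate hosts:", rdp)
```

A source that both hammers the blocked ranges and opens RDP to an outside host is exactly the "going around your rules" pattern to investigate; the script only surfaces the pairing, the conversation with the user is still yours.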
Before you begin blocking anything that's going to upset your user population, you need to have an established policy that people are aware of that forbids or restricts such activity. All of your security efforts should follow these four steps: