Date: Thu, 22 Jun 2006 02:03:45 +0200 From: "Daniel A." <alive@dienub.org> To: Kevin Kinsey <kdk@daleco.biz> Cc: FreeBSD Chat <freebsd-chat@freebsd.org> Subject: Re: OT: Employee 'Net Usage, proxy server, restrictions, legal, etc. Message-ID: <4499DE61.3020202@dienub.org> In-Reply-To: <44984C2E.50602@daleco.biz> References: <44984C2E.50602@daleco.biz>
next in thread | previous in thread | raw e-mail | index | archive | help
Kevin Kinsey wrote: > Hello, fellow FBSDers.... > > I've had two clients in the last month or so call and ask about > limiting employee browsing (in addition to killing more spam, *sigh*) > on their networks. > > I've no problem implementing this sort of thing with Squid (just > finished setting it up at home; don't want the kids to learn any > four-letter words from the 'Net before the age of majority [wish > me luck!]), but I wonder if anyone could share experiences/insight into > the legal aspects, the employee dynamics and potential responses, other > issues that may arise, etc., if we proxy all the browsers and start > banning sites (or, in the contrary, only allowing business-related > sites) via a proxy server. > > IANAL. I also know that YANAL. This won't be written up in any > format other than "some experts agree that" 'foo'.* > > Any thoughts? TIA! > > Kevin Kinsey > DaleCo, S.P. > > *Unless, of course, you just *have* to have credit, copyright, etc. > OOPS! Did I just say 'copyright' ? > Hi Kevin, there are AFAIK absolutely no legal restrictions in limiting an employee's access to the web in his working hours. The company decides what the person is (not) allowed to see on the web, because the company pays for a) The Internet connection b) The employees salary. Limiting what users can see on the web is only problematic on the technical side of things. You can ban every website that contains the word "fuck" in them, but if the employee is motivated enough and is willing to attain the, relatively low, technical skills to bypass the filters - he will do it without any hassle. You can either set up every machine on the network to use a proxy in the web browser, and then deny web access to any unregistered browser (even computer), which is the hardest thing to do but yet the most effective. This will not work if your employees are allowed to, or need to, connect a lot of their own networking devices to the network, in which case you'll need some department in your company which will "register" all allowed devices and configure them to use your proxy. On the other hand, if the above case is true (A lot of "unknown" devices), then it is easier to set up a transparent proxy, in which any device regardless of its own configuration goes through the filtering proxy. But this arises the problem with the motivated person - They can use yet another remote proxy (Tor, for example, or just a public proxy with encryption, or maybe they can even set up their own proxy server at home, or..., or...) to sneak around your filtering. This can be efficiently prevented by disallowing secure (encrypted) streams through your network, but THAT would be a very big mistake on your behalf. I cant stress my previous sentence enough - it would be a VERY big mistake. The best way to prevent the employees from browsing "bad" sites on the web is to scratch down a clear company policy regarding web browsing in working hours. Write down some clear rules which state that any personal non-business related web surfing is disallowed, and most of your problems will just go away - Except for the few employees who are just not motivated enough to care; They are either expendable anyway or too important to let go over such a bagatel. This is also the case with your kids, Kevin. I know it's none of my business, but I suggest that you either be proud if your kids find ways around your filtering (They're clever, and are more likely to know good from wrong. You've raised them right to think independently and responsibly!), or just have a talk with them about surfing the web, and tell them that you would prefer them to keep away from pornographic material on the web. Either way, if they want it enough, they will always find a way. Hope you found my advise worth reading. Kind regards, Daniel A. Akulenok.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4499DE61.3020202>