Best practices to block social sites


Solution 1

Do other companies block social sites?

Yes, but that doesn't mean it is a good idea. The book Predictably Irrational has an interesting discussion and links to several studies that basically suggest that if you block minor personal usage, it can actually cost you in productivity. If people think their workplace is friendly and home-like, they are more likely to work from home beyond their 40 hours.

If one individual is causing problems it may be better to work with the individual than to use a technology solution to simply break things. Technology is not a replacement for a manager actually doing their job.

Most filters are easily bypassed; you really should try to avoid getting into an arms race with your coworkers. At some point you will just make your firewall so hostile they won't be able to get actual work done, and you still will probably not have blocked all the possible ways around the firewall.

Do I need a dedicated device for that, like a hardware firewall or a super expensive router? Or can I do that with my existing FreeBSD 6.1 self-made router with two LAN cards and configured NAT to act like a router?

You can install Squid+Squidguard and force all traffic through the proxy. You can set up ACLs to block sites you don't like.

I suggest you set up Squid as a proxy, with no ACLs to block anything, and just watch the logs. Force everyone through the proxy (with notice). Then set up something like SARG to build reports. If someone is really having a problem, having a good report will give the employee's supervisor the evidence they need to start addressing the problem.
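
The kind of per-user report a tool like SARG builds from the proxy log can be sketched in a few lines. This is an added example, not part of the answer above and not SARG's code; it assumes Squid's default native `access.log` format, and the sample log lines, addresses and the `intranet.example` host are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's default native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1254300000.101    210 192.168.0.21 TCP_MISS/200 48211 GET http://www.youtube.com/watch?v=x - DIRECT/203.0.113.10 text/html
1254300001.530   9120 192.168.0.21 TCP_MISS/200 7340032 GET http://www.youtube.com/videoplayback - DIRECT/203.0.113.10 video/x-flv
1254300002.004     95 192.168.0.34 TCP_MISS/200 15320 GET http://www.facebook.com/home.php - DIRECT/203.0.113.20 text/html
1254300003.812  60012 192.168.0.34 TCP_MISS/200 90417 CONNECT www.facebook.com:443 - DIRECT/203.0.113.20 -
1254300004.000      3 192.168.0.50 TCP_DENIED/403 1450 GET http://intranet.example/wiki - NONE/- text/html
this line is truncated garbage
"""

def destination_host(method, url):
    """Return the lower-cased host; CONNECT entries log 'host:port', not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def usage_report(log_text):
    """Sum bytes and requests per (client, host); return rows sorted by bytes."""
    totals = defaultdict(lambda: [0, 0])   # (client, host) -> [bytes, requests]
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        try:
            client, result, size, method, url = fields[2:7]
            size = int(size)
        except ValueError:                 # too few fields or non-numeric size
            skipped += 1
            continue
        if result.startswith("TCP_DENIED"):
            continue                       # denied requests only returned the proxy's error page
        host = destination_host(method, url)
        totals[(client, host)][0] += size
        totals[(client, host)][1] += 1
    rows = [(c, h, b, n) for (c, h), (b, n) in totals.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = usage_report(SAMPLE_LOG)
    for client, host, nbytes, reqs in rows:
        print(f"{client:15} {host:20} {nbytes:>10} bytes {reqs:>3} requests")
    print(f"skipped {skipped} malformed line(s)")
```

HTTPS traffic appears only as `CONNECT host:port` entries, so the report can attribute bytes to a site but not to individual pages.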

Solution 2

This should be dealt with via your disciplinary procedure, not your firewall. It's a technical solution for a non-technical problem.

Solution 3

You know how the RIAA and MPAA publish these insane numbers on how much money piracy is costing them, based on the idiotic assumption that every unit of pirated content would be purchased if piracy were impossible?

You're doing the same thing by assuming that if 'wasting' time on social media were impossible, that time would be spent doing productive work. But unless these are data entry clerks you're talking about, we're probably talking about people with some kind of creative / knowledge-worker aspect to their job, which means that their productivity is a complex thing that doesn't look the same as that of a widget twister on an assembly line. Their use of social media may easily be a key component of their productivity, and attacking it may be attacking what enables them to make you money.

And that's even before we get into the morale impact of treating employees like prisoners on a chain gang.

Just sayin', dude.

Solution 4

We only block sites if browsing is interfering with productivity, and we accept the views of local management on the issue (even when we suspect they are exaggerating).

We block sites using a proxy server; usually SQUID, which should run fine on your firewall. We put a rule on the firewall blocking outbound port 80 (and sometimes 443) from all hosts except from servers and the proxy server. Then we use a group policy to configure the proxy in users' Internet Explorer.

Some managers ask us for usage stats. Most don't.

JR

Solution 5

The best way to block stuff is to have the manager walk around, spending more time near those that don't get things done. If people get work done, why do you care what sites they visit or how much time they spend? If they don't, write them up, and let them move on.

Author: adopilot

Updated on September 17, 2022

Comments

  • adopilot
    adopilot over 1 year

    In our company we have around 100 workstations with Internet access, and the day-to-day situation is getting worse and worse from the perspective of using Internet access for the purpose of doing private jobs, and wasting time on social sites.

    Open hearted as I am I don't like blocking sites like Facebook, YouTube, and other similar sites but day by day my colleagues do not finish their tasks and any time I look at their monitors they are running Internet Explorer or Mozilla Firefox, chat and things like that. On the other hand I would like to block YouTube when we have a very low Internet access speed.

    Here are my questions:

    • Do other companies block social sites?
    • Do I need a dedicated device for that, like a hardware firewall or a super expensive router? Or can I do that with my existing FreeBSD 6.1 self-made router with two LAN cards and configured NAT to act like a router?

    I was trying to do that using ipfw and routerfirewall but without success. My code looks like:

    ipfw add 25 deny tcp from 192.168.0.0/20 to www.facebook.com
    ipfw add 25 deny udp from 192.168.0.0/20 to www.facebook.
    ipfw add 25 deny tcp from 192.168.0.0/20 to www.dernek.
    ipfw add 25 deny udp from 192.168.0.0/20 to www.dernek.
    ipfw add 25 deny tcp from 192.168.0.0/20 to www.youtube.
    ipfw add 25 deny udp from 192.168.0.0/20 to www.youtube.com
    

    What can I do to fix this problem?

    • Zoredache
      Zoredache almost 15 years
      So are you going to block serverfault.com as well? It is somewhat social in nature. :)
  • SpaceManSpiff
    SpaceManSpiff almost 15 years
    Except you need the technical solution to figure out who is doing it unless you catch them in the act.
  • SpaceManSpiff
    SpaceManSpiff almost 15 years
    We use OpenDNS to block but we don't attempt to monitor who attempted to go there. Personal use, except for social networking, chat and email, is ok; those are the biggest time wastes that were found.
  • David Pashley
    David Pashley almost 15 years
    If they're not performing, then it's obvious. If they are performing sufficiently, what does it matter if they're looking at websites; they're still getting the work done.
  • Rob Moir
    Rob Moir almost 15 years
    I'm with David here. It isn't like there's something magical and awful about not getting your work done due to web use as opposed to not getting your work done due to spending all day doing the Times crossword or reading the latest issue of Time magazine.
  • SpaceManSpiff
    SpaceManSpiff almost 15 years
    Define performance... If you are not working you are "wasting" the company's money. Most companies are ok with minor personal surfing, myself included since I usually catch up on the news first thing, but what about someone doing it for 3 hours a day, but still getting "all" their work done?
  • Jim March
    Jim March almost 15 years
    Totally agree with David. More and more I find myself answering emails at home, or even while at the lake with the family. I work quite often on MY time, and if I decide to take a break at work and browse social networking sites, it shouldn't matter so long as my job is getting done.
  • Zoredache
    Zoredache almost 15 years
    In the case of FLSA exempt people, performance is getting the assigned tasks done. I am not paid by the hour, and I am expected to work 50-60 hours if something is broken, so why shouldn't I expect some flexibility from my employer?
  • Zoredache
    Zoredache almost 15 years
    @LEAT, setting up monitoring may be a good idea (with proper notice). Trying to solve personnel performance issues automatically is probably not.
  • Rob Moir
    Rob Moir almost 15 years
    LEAT, that would certainly be an issue. It's still something to be addressed on a personal/personnel level rather than solely by technology though isn't it? Something about coaching them to "reach their full potential" (can't believe I typed that with a straight face) might work better than punishing them for "wasting" time. I don't have a problem with filtering, heck I'm the guy who mentioned websense... I just think it needs to be part of an overall computer policy rather than a game of cat and mouse between the sysadmin and the users.
  • Rob Moir
    Rob Moir almost 15 years
    @Jim - In your opinion the sites shouldn't be blocked, but what about the opinion of the person responsible for configuring it? A default install of Websense doesn't block anything except obvious stuff like pr0n, and if sites are mis-categorised by Websense then your local Websense admin can re-classify them. For example, working in a college, I've re-classified Websense's educational category as business use instead of "productivity loss" as per their default. Neither category was actually blocked; this was just to make reports clearer to our PHBs.
  • Antoine Benkemoun
    Antoine Benkemoun almost 15 years
    What a horrible thing! Taking screenshots of users' desktops... jeez!
  • ansonl
    ansonl almost 15 years
    Re: Your #4, Tor can run in a standalone method, launched from a USB stick. I would suggest, if you were having a hard time finding Tor, watching for network activity on TCP 8118 and 9050 (both Tor ports).
  • Admin
    Admin almost 15 years
    @LEAT If he's getting all of his work done whilst still spending three hours a day reading the news, give him more/harder work. Or have a talk with him and praise him for always being on top of everything, and encourage him to be more proactive in seeking out problems that need to be solved.
  • KPWINC
    KPWINC almost 15 years
    What a horrible thing... employees being paid $20/hr++ to play solitaire for 2-4 hours a day. (No, I wish I was making this up.) In today's economy there are people lined up who want to WORK. Why should an employer tolerate an employee who is merely there to collect a paycheck?
  • Martin Schlagnitweit
    Martin Schlagnitweit almost 15 years
    Greg, I might be mistaken, but port 8118 is for Privoxy and 9050 is for the Tor SOCKS proxy that runs on the user's PC, and Tor is able to use other ports for communication. So basically if I want to monitor ports 8118 and 9050, I have to monitor users' PCs in general. Also, these ports can be changed very easily.
  • Oskar Duveborn
    Oskar Duveborn almost 14 years
    +1 Seems like most recent research supports this as well, and many even quite large companies are going all-out enabling and encouraging full private<->work-related social networking at work. As you said, the more involved one is, the more work will occupy one's mind - for good and bad (usually company-good, personal-life-bad ;) If someone is just wasting time surfing and not really getting things done, they'd probably waste time some other way if those sites are blocked... it's a people problem, not a technical problem imo
  • Oskar Duveborn
    Oskar Duveborn almost 14 years
    As long as employees produce what they should or more, why does it matter? If someone can finish the same set of tasks in a tenth of the time it takes his co-worker - why should that person be punished by having to do 10 times the work because of some old-school "sit through your hours" mindset? (and probably only have 1-2 times the hourly salary at most if tools/processes even exist for it to be recognized) ^^
  • John Gardeniers
    John Gardeniers almost 14 years
    Look for the user who is happy, then make him unhappy? You're such an inspiration!
  • KPWINC
    KPWINC almost 14 years
    Shouldn't an employee work as hard as they can (within reason) for the money they earn, regardless of the amount? I can tell you I personally know who the "workers vs slackers" are in my organization. The biggest problem with "slackers" is that they tend to bring down others until you have a least common denominator scenario. A more common thing I see is the worker who is paid $25/hr and is pissed because the front desk girl (who is paid $10/hr) is slacking off. This is an apples-oranges comparison but employees don't always see it. Pretty soon everyone wants to slack off equally.
  • Philip
    Philip over 13 years
    +1, You'll notice people who are screwing around on the net too much; they won't have work done, they'll quickly minimize whatever's on their screen as you walk up, and other time-wasting issues. 5 minutes here and there is almost universally made up for, as studies have found.
  • Tom O'Connor
    Tom O'Connor over 13 years
    I massively disapprove of blocking everybody's access to social sites. 1) Marketing teams may need Facebook, Twitter, etc. 2) You should trust your staff not to take the piss. 2a) If you don't trust them, why were they hired? 3) Treat people like adults, and you'll get respect. 4) Using technology to solve social problems is never a good idea. 5) Try educating them on why what they're doing is bad/wrong.
  • Sirex
    Sirex over 13 years
    I know from personal experience that if we unblock Facebook it becomes the #1 bandwidth-using website instantly, and around 80% of the users visit several times a day (several hundred users). It gets totally out of hand the second it's unblocked. We've tried it several times. Same goes for YouTube, imho.
  • Zoredache
    Zoredache over 13 years
    @Sirex, but did blocking it actually change the behavior of the employees, or did they just find something else to distract them from work? It is easy to think you have solved something by looking at a usage report, but from a perspective of real productivity you may not have made any difference, and you probably have annoyed people, meaning they are more likely to screw around in the future. Have you considered investigating alternate methods for motivation?
  • Sirex
    Sirex over 13 years
    The motivation wasn't to avoid slacking off work, it was to prevent large bandwidth-using sites. In that regard yes, it's worked hugely. If people avoid work in other ways it's up to their departmental heads to deal with it.