
Internet access policy. Or why all these difficulties?

Internet access policies keep getting more complex, and what does that actually mean for us?

Greetings, dear community.

For four years I have been administering a corporate local network, and one way or another the same question keeps coming up: what policies should regulate employees' access to the Internet? Every year my own answer to it changes. Today I would like to publish an article that opens a discussion of this issue and also reflects my own opinion on it.

When I first came to the company as a system administrator, I believed that Internet access should be very strictly regulated: everything should be accounted for and controlled. Nobody should get "social media" at work, and by that I meant social networks, video hosting and everything of that sort. I found understanding in the eyes of my colleagues, and that understanding was also reflected in the server room: squid with access control, a full reporting system, a large set of dynamic restrictions on which sites could be visited, access groups with speed limits, traffic quotas, time limits, and restrictions on downloading files. It seemed to me that this was great, very, very good. After all, this way employees work more productively, and system administrators become a kind of "Internet gods": on System Administrator Appreciation Day it was great fun to show everyone a stub page on their first request to the Internet saying "Congratulate your admins! Today is their day." And to throttle Vasya from the sales department to 10 KB/s because you did not like his face. All of this was in place before I arrived at the organization, and it seemed to be exactly what was needed. But in practice...

At my latest place of work my boss always says, wisely: "Do not block social networks, there is no need for unnecessary restrictions and entities." But I always exclaimed in response: "No! We must! They do nothing but sit on social networks! Everything has to be closed." Time passed, the old administrators began to leave, and their former duties came to me by what is called "inheritance". At first I was delighted: "Oooh," I thought, "now I am the God of the Internet, now I have the switch."

But what came of it?

In practice it turns out that all these restrictions make life hard for ordinary people, who understand nothing about computers and visit nothing improper, but who need to download documents, price lists and programs for their work. Lacking that ability, they constantly called the IT department and asked the "Gods of the Internet" to download their files for them. After a while this became tedious for me, and I had to give people full access to download files, simply because I did not want to keep doing all that senseless work. And what did I find in the configuration files? It turned out that most of the people had long since been moved to full access without my involvement.

And the cunning ones? The cunning ones can download anything at all, not caring a bit about the various restrictions.
Viruses? There were a lot before, and there are a lot now. Nothing will properly protect against them except a clear head and antivirus on the end workstation.
And network security? Is there any with this approach? Nope. And here is why:

Port 443 and a number of other ports had to be opened, because it is obvious to everyone that a number of protocols simply cannot be proxied, let alone cached, at a high level. I was amused by a situation in one very large organization where I needed a person there to give me access to our servers. Imagine my surprise when I found a portable SOCKS proxy server for Windows that needs no privileges at all, and it immediately gave me access to our server over port 443. That convinced me that security in this company was in a very bad state. Need I say that the Radmin client encrypts its traffic, which means we were very unlikely to be caught using this scheme. But we did not abuse it; we needed it once and not for long.

What happened next? Management requested a report on which sites one of the employees had visited. I honestly provided nicely formatted squid logs, but who would ever read the 50 pages of visited URLs that I printed out? Everyone knows that visiting a single site produces a whole heap of URLs. In the end they limited themselves to the total volume of traffic, and it was immediately clear that, given the employee's duties, this volume of traffic far exceeded any reasonable limit.

Does caching help with modern dynamic web content? Very little, I think.

As a result, a few years later I began to understand the wisdom of my boss's words, and I came to the conclusion that there is practically no need to be clever and play God at the L7 level of traffic. More and more I lean towards the idea that it is far more effective to account for traffic at L2/L3 and watch the total volume consumed per host (per week or per month). A host can be identified by DHCP plus MAC address; in a normal network that is enough. In a pinch, you can configure managed switches with port filtering by MAC.
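As an added example (not code from the post), here is the kind of per-host volume accounting the paragraph above prefers over L7 filtering: flow records are charged to the LAN endpoint, keyed by MAC via a DHCP lease table, bucketed per week, and hosts above a threshold are listed. The lease table, flow lines, addresses and the 500 kB limit are all constructed for the example.

```python
# Added example (not from the post): per-host L3 traffic accounting keyed by MAC
# through a DHCP lease table, with weekly totals and an over-limit report.
from collections import defaultdict

WEEK = 7 * 24 * 3600  # bucket width in seconds

# Constructed DHCP lease table: IP -> (MAC, hostname). The MAC is the stable key,
# because an IP may be re-leased to a different machine later in the same week.
LEASES = {
    "10.0.0.11": ("aa:bb:cc:00:00:11", "sales-pc-1"),
    "10.0.0.12": ("aa:bb:cc:00:00:12", "sales-pc-2"),
    "10.0.0.13": ("aa:bb:cc:00:00:13", "acct-pc-1"),
}
LAN_PREFIX = "10.0.0."

# Constructed flow records, one per line: "<epoch> <src_ip> <dst_ip> <bytes>".
FLOWS = """\
1700000000 10.0.0.11 203.0.113.5 1200
1700000030 203.0.113.5 10.0.0.11 950000
1700000060 10.0.0.12 198.51.100.7 800
1700000090 198.51.100.7 10.0.0.12 20000
1700000120 10.0.0.13 203.0.113.9 500
1700000150 203.0.113.9 10.0.0.13 4000
1700000180 192.0.2.1 203.0.113.5 99999
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, byte_count) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, n = line.split()
            yield int(ts), src, dst, int(n)

def weekly_totals(flow_text, leases, lan_prefix):
    """Sum bytes per (week, mac, hostname), counting both directions."""
    totals = defaultdict(int)
    for ts, src, dst, n in parse_flows(flow_text):
        # Charge the bytes to whichever end of the flow sits inside the LAN.
        ip = src if src.startswith(lan_prefix) else dst
        if not ip.startswith(lan_prefix):
            continue  # no LAN endpoint (transit or spoofed source): charged to nobody
        mac, host = leases.get(ip, ("unknown-mac", ip))  # unleased IP: keep the IP as the name
        totals[(ts // WEEK, mac, host)] += n
    return dict(totals)

def over_limit(totals, limit):
    """Hosts whose weekly volume exceeds `limit` bytes, largest first."""
    hits = [(week, host, mac, b) for (week, mac, host), b in totals.items() if b > limit]
    return sorted(hits, key=lambda h: h[3], reverse=True)
```

Calling `over_limit(weekly_totals(FLOWS, LEASES, LAN_PREFIX), 500_000)` on the constructed data reports only sales-pc-1, whose 951200 bytes in the week are mostly one large download.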

It seems to me that strict Internet access policies have lost their relevance, and filtering traffic at L7 brings more problems than benefit. After all, the whole thing has to be looked after: something is constantly being allowed, something else forbidden. And the net result of all this is close to zero.

PS Of course, with all this you need to understand that sometimes simplicity is worse than theft. You need to keep a healthy balance and close everything that is clearly not required for employees' work. I am talking about small office organizations that do not work with secret data.

What does the respected community think about this? Does a strict policy breed gatekeeper syndrome, which brings no benefit, only a heap of unnecessary maintenance and complication problems? What are the benefits of such a complicated access policy system? A Windows domain is good, but *Pad devices appear more and more, so domains have, one might say, already lost their original meaning of a single unified landscape.

Source: https://habr.com/ru/post/151975/
