Security tools to control Facebook use in your organization

Security tools to control Facebook use in your organization

Controlling  employees' use of social networking sites is becoming more of a challenge for IT managers. According to Facebook, at any given moment, about 30 million people are playing Farmville and other games across its network. Earlier this year, an Army grunt posted the location of his next mission in Afghanistan on his Facebook status page, and within moments, the mission was scrubbed and the soldier was being sent back home.

Although your own security mission may be less a matter of life or death, now is the time to take a closer look at how to manage Web-based applications, and reclaim some network bandwidth for more professional purposes, block Web apps entirely because of corporate policies or create a more nuanced defensive strategy to keep people from using the site.

Several products and strategies can help you control enterprise apps. The products include a wide range of control points:

  • Traditional firewalls that are used to block particular

    Requires Free Membership to View

    Login

    SearchConsumerization.com members gain immediate and unlimited access to the latest on tablet and smartphone operating systems and applications, enterprise device management strategies for consumerization, and tips on securing mobile devices in the enterprise -- all at no cost. Join me on SearchConsumerization.com today!

    Colin Steele, Senior Site Editor

    By submitting your registration information to SearchConsumerization.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchConsumerization.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

  • URLs, ports and protocols

  • Web application firewalls that can be used for more granular control over individual Facebook components such its chat feature

  • Content-inspection and data leak prevention tools that can block specific corporate data being transmitted over social networks

  • Bandwidth-monitoring tools that can control how much Internet and network capacity can be devoted to particular applications such as Facebook

  • Universal threat management (UTM) tools that can combine a series of security policies

Some products that can be used are McAfee Firewall Enterprise, Palo Alto Networks Web Application Firewall, the Global Velocity GV-2010 content inspector and the Blue Coat Systems PacketShaper bandwidth monitor, as well as the SonicWall Network Security Appliance and Fortinet FortiGate UTM products.

More desktop management tips
Using virtual technologies for desktop management 

Cleaning up PCs with Sysinternals

Best third-party tools to simplify desktop management

At the most basic level, you might want to block all access to Facebook.com. While most firewall and URL-filtering products can do this, there are two problems with this approach. First, it's binary: Either you allow users 100% access, or they are completely blocked. Second, some users are determined to get around these blockades and are using anonymous proxy services such as Tor and UltraReach's UltraSurf.

A better solution is to use a firewall that has specific application-aware intelligence built in, such as the McAfee Firewall Enterprise. McAfee has done the heavy lifting of determining the particular application signatures. Its Facebook-aware policies can allow general access to the social networking site as well as access to specific apps such as Farmville and Mafia Wars. Select an app from a long list, shown in Figure 1, and set the appropriate allow or block policy.

Figure 1: McAfee Firewall has two different Facebook rules. (Click to enlarge.)

But this may not be enough granularity for your purposes: What if you want to block access to Facebook by particular users or groups according to policies, or prevent Facebook chats and posts by your employees. Palo Alto Networks goes a step further than McAffee and offers six policies covering different aspects of Facebook, as shown in Figure 2.

Figure 2: Palo Alto Networks offers six policies. (Click to enlarge.)

A nice feature of Palo Alto Networks' offering is its large application-behavior database, Applipedia, where you can examine particular characteristics, such as whether users transfer files, require excessive bandwidth or tunnel applications through other apps.

Speaking of excessive bandwidth usage, let's say you're a university IT manager and can't completely block Facebook to students for political reasons. However, you want to limit how much bandwidth it uses across your network so that staffers can get some of their work done, too. What you want to do is to slow down access to Facebook pages during the workday but leave access wide open in the evening. This is where products like BlueCoat's PacketShaper come in handy. This product can assess your Internet connection and report the amount of bandwidth in both directions is being consumed by each app, as shown in Figure 3.

Figure 3: PacketShaper reports how much bandwidth an app consumes at any time of day. (Click to enlarge.)

With PacketShaper, you can set specific policies for each application in terms of bandwidth utilization by time of day and other factors.

UTM products such as SonicWall's Network Security Appliance and the Fortinet ForitGate series combine many of these features, including the ability to control bandwidth by application and to exert some granular control over specific tasks. SonicWall has about a dozen Facebook-related signatures to control account registration, general browsing, Farmville and various aspects of chat. This means you can block users from registering for new accounts but allow them to use the basic pieces of Facebook once registered.

Fortinet also has a few Facebook signatures, although none are for controlling Farmville explicitly. But you can limit bandwidth for a particular signature of one application.

Finally, you may be concerned about confidential data that may be inadvertently leaving your network through Facebook and other means. Data loss prevention products such as the Global Velocity GV-2010 can help track and prevent these situations. It has specific controls for six Facebook activities, including chats, posting comments and status updates.

 

Figure 4: With Global Velocity's product, you several controls over various Facebook behaviors. (Click to enlarge.)

A variety of methods and products can help you get control over Web-based applications and bring some sense of sanity to your enterprise networks.

ABOUT THE AUTHOR
David Strom is a freelance writer and professional speaker based in St. Louis. former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.


This was first published in August 2010

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top