Controlling employees' use of social networking sites is becoming more of a challenge for IT managers. According to Facebook, at any given moment, about
Although your own security mission may be less a matter of life or death, now is the time to take a closer look at how to manage Web-based applications, and reclaim some network bandwidth for more professional purposes, block Web apps entirely because of corporate policies or create a more nuanced defensive strategy to keep people from using the site.
Several products and strategies can help you control enterprise apps. The products include a wide range of control points:
- Traditional firewalls that are used to block particular URLs, ports and protocols
- Web application firewalls that can be used for more granular control over individual Facebook components such as its chat feature
- Content-inspection and data leak prevention tools that can block specific corporate data being transmitted over social networks
- Bandwidth-monitoring tools that can control how much Internet and network capacity can be devoted to particular applications such as Facebook
- Unified threat management (UTM) tools that can combine a series of security policies
Some products that can be used are McAfee Firewall Enterprise, Palo Alto Networks Web Application Firewall, the Global Velocity GV-2010 content inspector and the Blue Coat Systems PacketShaper bandwidth monitor, as well as the SonicWall Network Security Appliance and Fortinet FortiGate UTM products.
At the most basic level, you might want to block all access to Facebook.com. While most firewall and URL-filtering products can do this, there are two problems with this approach. First, it's binary: Either you allow users 100% access, or they are completely blocked. Second, some users are determined to get around these blockades and are using anonymous proxy services such as Tor and UltraReach's UltraSurf.
A better solution is to use a firewall that has specific application-aware intelligence built in, such as the McAfee Firewall Enterprise. McAfee has done the heavy lifting of determining the particular application signatures. Its Facebook-aware policies can allow general access to the social networking site as well as access to specific apps such as Farmville and Mafia Wars. Select an app from a long list, shown in Figure 1, and set the appropriate allow or block policy.
But this may not be enough granularity for your purposes: What if you want to block access to Facebook by particular users or groups according to policies, or prevent Facebook chats and posts by your employees? Palo Alto Networks goes a step further than McAfee and offers six policies covering different aspects of Facebook, as shown in Figure 2.
A nice feature of Palo Alto Networks' offering is its large application-behavior database, Applipedia, where you can examine particular characteristics, such as whether users transfer files, require excessive bandwidth or tunnel applications through other apps.
Speaking of excessive bandwidth usage, let's say you're a university IT manager and can't completely block Facebook to students for political reasons. However, you want to limit how much bandwidth it uses across your network so that staffers can get some of their work done, too. What you want to do is to slow down access to Facebook pages during the workday but leave access wide open in the evening. This is where products like Blue Coat's PacketShaper come in handy. This product can assess your Internet connection and report how much bandwidth in both directions is being consumed by each app, as shown in Figure 3.
With PacketShaper, you can set specific policies for each application in terms of bandwidth utilization by time of day and other factors.
UTM products such as SonicWall's Network Security Appliance and the Fortinet FortiGate series combine many of these features, including the ability to control bandwidth by application and to exert some granular control over specific tasks. SonicWall has about a dozen Facebook-related signatures to control account registration, general browsing, Farmville and various aspects of chat. This means you can block users from registering for new accounts but allow them to use the basic pieces of Facebook once registered.
Fortinet also has a few Facebook signatures, although none are for controlling Farmville explicitly. But you can limit bandwidth for a particular signature of one application.
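The application-signature, user-group and time-of-day controls described above, as an added example that is not from the article or any vendor's product: a small first-match policy evaluator. The signature names (facebook-chat, facebook-farmville, facebook-registration) and the 256 kbps workday cap are constructed for illustration.

```python
# Added example, not vendor code: a first-match, application-aware policy
# evaluator. It shows what a binary block of facebook.com cannot express:
# registration and Farmville blocked outright, chat blocked for staff only,
# everything else on Facebook throttled 08:00-18:00 and unrestricted after.
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    group: str   # user group resolved from the directory, e.g. "staff"
    app: str     # application signature, e.g. "facebook-chat" (constructed)
    when: time   # local time the flow was observed

@dataclass(frozen=True)
class Rule:
    sig: str                                  # "facebook" also covers "facebook-*"
    action: str                               # "allow", "block" or "throttle"
    groups: Optional[FrozenSet[str]] = None   # None means any group
    start: time = time(0, 0)                  # inclusive time window
    end: time = time(23, 59, 59)
    kbps: Optional[int] = None                # cap applied when throttling

def matches_sig(app: str, sig: str) -> bool:
    """Exact signature, or a component of it ("facebook-chat" under "facebook")."""
    return app == sig or app.startswith(sig + "-")

def in_window(t: time, start: time, end: time) -> bool:
    """Inclusive window; also handles windows that wrap past midnight."""
    return start <= t <= end if start <= end else (t >= start or t <= end)

# Constructed policy; rules are evaluated top to bottom, first match wins.
POLICY = [
    Rule("facebook-registration", "block"),                       # no new accounts
    Rule("facebook-chat", "block", groups=frozenset({"staff"})),  # staff only
    Rule("facebook-farmville", "block"),
    Rule("facebook", "throttle", start=time(8, 0), end=time(18, 0), kbps=256),
    Rule("facebook", "allow"),                                    # evenings
]

def evaluate(flow: Flow, policy=POLICY,
             default=("allow", None)) -> Tuple[str, Optional[int]]:
    """Return (action, kbps) from the first matching rule, else the default."""
    for r in policy:
        if (matches_sig(flow.app, r.sig)
                and (r.groups is None or flow.group in r.groups)
                and in_window(flow.when, r.start, r.end)):
            return r.action, r.kbps
    return default  # unmatched apps; pass ("block", None) for default-deny
```

Rule order matters: moving the broad "facebook" throttle rule above the component rules would silently override them, which is the same class of mistake as a misordered firewall rulebase.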
Finally, you may be concerned about confidential data that may be inadvertently leaving your network through Facebook and other means. Data loss prevention products such as the Global Velocity GV-2010 can help track and prevent these situations. It has specific controls for six Facebook activities, including chats, posting comments and status updates.
A variety of methods and products can help you get control over Web-based applications and bring some sense of sanity to your enterprise networks.
ABOUT THE AUTHOR
David Strom is a freelance writer and professional speaker based in St. Louis. He is a former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.
This was first published in August 2010