
Defining an Internet Acceptable Use Policy

From the document DUMmIES Firewalls (Page 131-135)

A firewall protects your network by enforcing what network traffic is allowed for both inbound and outbound traffic. Appropriate types of traffic can be determined from the Internet Acceptable Use policy.

The Internet Acceptable Use policy not only contains security-related policies, it may also specify rules about what is considered unacceptable Web content, for what purposes the Internet may be used, and how to represent the company in Internet newsgroups or mailing lists.

Although personal telephone calls are generally treated as acceptable employee behavior, an employee’s personal use of company Internet access is another matter entirely because it can easily lead to legal issues and cause a financial loss to a business. Therefore, clearly describing what kinds of Internet access are acceptable and what kinds are unacceptable is important.

If you create a policy that’s too restrictive, users may not be able to do their jobs, or may try to circumvent the policy. On the other hand, if your policy is too loose, users’ productivity may suffer from excessive private Internet use or incidents such as forwarding e-mail chain letters, and the network is more exposed to viruses. You have to strike a balance between too restrictive and too loose.

If your job is to define the Internet Acceptable Use policy for your company, be sure to do the following when you write the policy:

Define all available services: The Internet Acceptable Use policy must define which programs and protocols company employees can use when they access the Internet. This section lets users know which programs they can use, and may head off requests for new protocols to be implemented. For the firewall administrator, this section gives a good idea of which “approved” protocols should be configured to pass to the Internet.

Determine who can access the Internet: Not everyone requires access to the Internet or should be allowed to access it. By describing who, or better yet, what company positions need Internet access, you can prevent a lot of conflicts over Internet access. A firewall administrator can use authentication at the firewall or at the proxy server in order to limit access to defined groups. In addition, groups can be limited to specific protocols when they access the Internet.

Define ownership of resources: When you write the Internet Acceptable Use policy, you must ensure that you define who owns the files on the network. Defining ownership allows a company to inspect employee computers in the event of a security breach. In addition, ownership may allow the company to identify improper behavior that affects the security of the network. Make sure that the resources that you describe include the data on the employees’ computers and the contents of e-mail as well.

Privacy laws of different countries can make it difficult to implement strict rules about scanning employee files and e-mails. Make sure that your company’s legal department reviews the Internet Acceptable Use policy to ensure that the contents adhere to local laws. Privacy laws can be very complex.

Establish the responsibilities of the employees: You must include the responsibilities of the users in the Internet Acceptable Use policy. By defining responsibilities, you familiarize the employee reading the policy with the company’s expectations regarding use of company network resources. You may include best practices for employees for protecting passwords, such as keeping passwords confidential, reporting suspicious behavior on the network, or reporting any actions by their account that did not follow the Internet Acceptable Use policy.

Define all unauthorized use of the Internet: This is probably the most important part of the Internet Acceptable Use policy. If you don’t spend the necessary time on this section, you may hear, “But I didn’t know I wasn’t allowed to do that.” Some of the areas that you may want to address in this section include:

Define for what purposes e-mail is expressly disallowed: When you design this, think of what e-mails you receive that you wish never existed. This should at least include chain letters and spam e-mail. Be sure to specify what e-mail practices are not allowed when using the company’s e-mail system.

Define which protocols and applications can’t be used when accessing the Internet: When drafting the list of protocols, you need to consider a few different categories. For example, many protocols, such as Telnet or FTP, have known security weaknesses because they send passwords in cleartext. Cleartext passwords allow an attacker who intercepts network traffic to read the user’s password and account name as they are transmitted on the network. You also may want to prevent protocols that may have legal implications, such as peer-to-peer music-sharing applications like KaZaa. KaZaa and many other such applications allow you to search the Internet for MP3s (music files) and download them to your computer. The music industry has taken the makers of these applications to court because their users are not paying for these MP3 files. A company may want to prevent the use of these file-sharing applications to ensure that illegally obtained music isn’t stored on company servers.

Define what Web content may not be accessed: Be sure to address this topic in your Internet Acceptable Use policy. Typically, a company won’t want its employees to access Web sites that contain pornography, nudity, violence, or profanity.

Define what types of files can’t be downloaded from Internet sites: The last thing you want is for your company to be charged with using pirated software because an employee downloaded it from a Warez site. Warez sites typically provide pirated software and software keys to unlock the software. (Warez is a hacker-style term for pirated software. Hackers like to use the letter z instead of s.) By explicitly stating that the use of software acquired in this manner isn’t allowed, the company can easily delete any software it finds that was obtained in this manner.

Define unacceptable Internet access attempts: Employees who have restricted Internet access at work but not at home may try to bypass the company’s security mechanisms. For example, an employee may want to download MP3s using her laptop. Finding that the firewall prevents the use of KaZaa, she could attempt to dial in to her personal ISP by using a company computer. By clearly stating that attempts such as this are unauthorized, the company can prevent such attempts, or at least discourage them.

Define what actions may not be performed on the Internet: This is kind of a catchall category. It allows you to restrict employees from misrepresenting the company on the Internet. This part of the policy should include elements that ensure that an employee does not send or post content that reflects badly on the company.

I always include a disclaimer in any newsgroup posts that I create stating that the opinions in my posts are mine alone and do not reflect the opinions of the company for which I work. It enables me to answer questions honestly, and without fear that a mistake I may make in a post reflects poorly on my company.
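The cleartext-password weakness of Telnet and FTP noted above is easy to see in practice. The following is an added example, not code from the book: it reassembles a Telnet login and an FTP login from captured TCP payloads and pulls the account name and password out of each. The sessions, host name and credentials are constructed for the example, and the Telnet behaviour it relies on (one segment per keystroke, the login name echoed by the server, the password not echoed) is stated in the comments.

```python
"""Recover a Telnet and an FTP password from captured session bytes.

Added illustration of why the policy bans cleartext protocols. The
sessions below are constructed for the example, not captured traffic."""
import re
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP payload, in the order it crossed the wire."""
    src: str        # "client" or "server"
    payload: bytes


def extract_ftp_credentials(segments):
    """FTP carries the login as plain USER and PASS commands on the control
    channel, so joining the client's bytes and two regexes is enough."""
    client = b"".join(s.payload for s in segments if s.src == "client")
    text = client.decode("ascii", "replace")
    user = re.search(r"^USER\s+(\S+)", text, re.M)
    password = re.search(r"^PASS\s+(\S+)", text, re.M)
    return (user.group(1) if user else None,
            password.group(1) if password else None)


def extract_telnet_credentials(segments):
    """Telnet clients send each keystroke in its own segment; the server echoes
    the login name but not the password. Track which prompt the server last
    sent and collect client bytes until the line ends, so the missing echo
    and the one-character segments do not matter."""
    fields, current, buf = {}, None, b""
    for seg in segments:
        if seg.src == "server":
            # Option negotiation (IAC ...) decodes to replacement characters and
            # never ends with a prompt, so it is ignored here.
            text = seg.payload.decode("ascii", "replace").rstrip().lower()
            if text.endswith("login:"):
                current, buf = "user", b""
            elif text.endswith("password:"):
                current, buf = "password", b""
        elif current is not None:
            buf += seg.payload
            if buf.endswith(b"\r\n"):
                fields[current] = buf[:-2].decode("ascii", "replace")
                current = None
    return fields.get("user"), fields.get("password")


def _typed(text, echoed):
    """Constructed keystroke traffic: one client segment per character, with a
    matching server echo when the server echoes (login name, not password)."""
    segs = []
    for ch in text.encode("ascii"):
        segs.append(Segment("client", bytes([ch])))
        if echoed:
            segs.append(Segment("server", bytes([ch])))
    return segs


# Constructed Telnet login: IAC negotiation, login prompt, echoed name,
# password prompt, un-echoed password, shell prompt.
TELNET_SESSION = (
    [Segment("server", b"\xff\xfd\x18\xff\xfd\x20"),   # IAC DO TERMINAL-TYPE, DO TSPEED
     Segment("server", b"\r\nlogin: ")]
    + _typed("alice\r\n", echoed=True)
    + [Segment("server", b"Password: ")]
    + _typed("s3cr3t\r\n", echoed=False)
    + [Segment("server", b"\r\nLast login: Mon Jan  1 09:00:00\r\n$ ")]
)

# Constructed FTP control-channel login.
FTP_SESSION = [
    Segment("server", b"220 ftp.example.test FTP server ready\r\n"),
    Segment("client", b"USER alice\r\n"),
    Segment("server", b"331 Password required for alice\r\n"),
    Segment("client", b"PASS s3cr3t\r\n"),
    Segment("server", b"230 User alice logged in\r\n"),
]

if __name__ == "__main__":
    print("telnet:", extract_telnet_credentials(TELNET_SESSION))
    print("ftp:", extract_ftp_credentials(FTP_SESSION))
```

Nothing here decrypts anything; the account name and password are simply present on the wire, which is the whole reason the policy (and the firewall rules derived from it) should treat Telnet and FTP as disallowed in favour of protocols that encrypt the session.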

Define all authorized use of the Internet: You can’t dwell only on what’s disallowed. You also must include what is allowed when users access the Internet. For example, you can include the following information:

Define the maximum size for e-mail attachments: With faster Internet connections becoming more widely available, people are sending larger and larger attachments. Who among us hasn’t sent a Christmas-time video clip or a large MP3 attachment to a friend? These large attachments can rapidly use up disk space on the company’s mail server.

Define what purposes e-mail can be used for: You should be sure to specify what purposes are allowed for company-owned e-mail services. Typically, you include all business purposes, but exclude most personal purposes.

Define acceptable Web usage: In the policy, be sure to specify what sites are considered acceptable for business. This can depend on your company’s type of business. Acceptable Web sites may be defined either by content or by rating systems. Of course, you don’t have to spell out a list of every acceptable Web site.

Define what can be downloaded from the Internet: We all download various programs, utilities, documents, videos, or music from the Internet. Each download exposes the network to potential hazards, such as virus infection. The policy must define what can be downloaded.

In addition, virus scanning should be implemented to reduce the chance of computer viruses.

Define the actions that are taken if the Internet Acceptable Use policy is not followed: This is the tough part of the policy. You, or the company, must decide what the punishment will be if the Internet Acceptable Use policy is broken. Be careful not to be too harsh on small transgressions. The punishments that you set up must match the crime. The actions may include revoking Internet access from the employee, termination of the employee’s employment with the company, or informing local legal authorities.

By defining the Internet Acceptable Use policy first, the company ensures that the firewall rules you then configure reflect the policy. The Internet Acceptable Use policy acts as the firewall administrator’s guide when designing rules that reflect the company’s decisions.
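The points above about approved services, who may access the Internet, and banned protocols all end up as firewall rules. The following is an added example, not code from the book: it encodes a small Internet Acceptable Use policy as data, answers "is this outbound connection allowed for this position?" the way the firewall would, and renders the same policy as an nftables forward chain. The position names, the service list, the port numbers used to identify services, the example policy entries and the design choice that the authenticating proxy or firewall login stamps each position's traffic with a packet mark are all assumptions made for the example.

```python
"""Turn a small Internet Acceptable Use policy into firewall decisions.

Added illustration: the groups, services, ports and policy entries below are
assumptions made for the example, not content from the page."""
from dataclasses import dataclass

# IANA well-known ports for the services the policy names.
SERVICES = {
    "http": ("tcp", 80), "https": ("tcp", 443), "smtp": ("tcp", 25),
    "dns": ("udp", 53), "ssh": ("tcp", 22), "telnet": ("tcp", 23),
    "ftp": ("tcp", 21),
}


@dataclass
class Policy:
    allowed_everyone: set      # services any employee with Internet access may use
    allowed_by_group: dict     # position -> extra services for that position
    banned: dict               # service -> reason recorded in the policy
    no_internet: set           # positions with no Internet access at all


def decide(policy, group, proto, port):
    """Return (verdict, reason) for one outbound connection attempt.

    The order mirrors the rendered rules: positions without Internet access
    first, banned services next, approved services last, and anything the
    policy does not name is denied by default."""
    if group in policy.no_internet:
        return "deny", "position has no Internet access"
    service = next((n for n, v in SERVICES.items() if v == (proto, port)), None)
    if service in policy.banned:
        return "deny", policy.banned[service]
    if service in policy.allowed_everyone or service in policy.allowed_by_group.get(group, set()):
        return "allow", f"{service} is an approved service for {group}"
    return "deny", f"{proto}/{port} is not an approved service"


def render_nftables(policy, group_marks):
    """Render the policy as an nftables forward chain.

    Assumed design: the authenticating proxy or firewall login sets a packet
    mark per position (group_marks), so group membership is visible to the
    filter without the firewall itself parsing credentials. Mark 0 means the
    host never authenticated and is dropped."""
    lines = ["table inet aup {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;"]
    for group in sorted(policy.no_internet):
        lines.append(f"    meta mark {group_marks[group]} drop")
    lines.append('    meta mark 0 drop comment "not authenticated"')
    for svc, reason in policy.banned.items():
        proto, port = SERVICES[svc]
        lines.append(f'    {proto} dport {port} drop comment "{svc}: {reason}"')
    for svc in sorted(policy.allowed_everyone):
        proto, port = SERVICES[svc]
        lines.append(f"    {proto} dport {port} accept")
    for group, svcs in policy.allowed_by_group.items():
        for svc in sorted(svcs):
            proto, port = SERVICES[svc]
            lines.append(f"    meta mark {group_marks[group]} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed example policy (assumed position names and assignments).
EXAMPLE_POLICY = Policy(
    allowed_everyone={"http", "https", "dns", "smtp"},
    allowed_by_group={"it-operations": {"ssh"}},
    banned={"telnet": "cleartext password", "ftp": "cleartext password"},
    no_internet={"warehouse-kiosk"},
)
GROUP_MARKS = {"staff": 1, "it-operations": 2, "warehouse-kiosk": 3}

if __name__ == "__main__":
    for who, proto, port in [("staff", "tcp", 443), ("staff", "tcp", 22),
                             ("it-operations", "tcp", 22), ("it-operations", "tcp", 23),
                             ("warehouse-kiosk", "tcp", 443), ("staff", "tcp", 6881)]:
        print(who, proto, port, decide(EXAMPLE_POLICY, who, proto, port))
    print(render_nftables(EXAMPLE_POLICY, GROUP_MARKS))
```

The default-drop chain policy is what makes "define all available services" meaningful: a protocol the policy never mentions is denied without anyone having to list it, and a request to add one becomes a policy change before it becomes a rule change. Identifying services purely by port, as this example does, is only as strong as the assumption that users cannot run other protocols over approved ports; the proxy layer, not the packet filter, is where that is enforced.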

After you determine the content of the Internet Acceptable Use policy, be sure to produce an Internet Acceptable Use policy document that must be signed by both the employees and management. This document ensures that both parties agree to the content and actions defined by the policy.

