I was recently asked this question ~ Which are the top apps for network admins to blacklist from enterprise networks?
Quite frankly, I think it’s wrong to look for the “top apps”. That said, organizations are going in that direction because they’re thinking in terms of application recognition, but in reality, it’s far more efficient to review this issue from a “type” of data standpoint.
First of all, our statistics on 5,000 installed Network Box devices (on a global scale) show that 90% of Internet traffic is HTTP/HTTPS. Spending too much time to block anything else will gain you very little; yes, it might be useful in terms of security, but no, not really in terms of bandwidth.
Of course, a good proxy will recognize if the traffic flowing on ports 80 and 443 is indeed HTTP/HTTPS or not; and any other port should be closed or well controlled (specify the source and destination wherever possible).
Further with our statistics, we see that of this web traffic, YouTube.com, Facebook.com and Twitter.com combined chew up no less than 80% of bandwidth, when allowed.
One aspect many fail to consider is the incidence of Microsoft updates; the larger your organization, the more fundamental it is to use an update server; you simply cannot allow 1000 computers to download 100MB of updates every month; it will kill your bandwidth! An update server allows you to download the updates only once, and then distribute them internally as appropriate. Microsoft updates from the Internet, without a local update server, usually account for another big chunk of Internet usage.
Streaming is bandwidth intensive as well, and should be blocked and well controlled. If you block Streaming and your web filtering database is half decent, you’d already have blocked Netflix, Hulu, Blockbuster and the like.
Do you allow Facebook per se but block the apps and games? Do you want to allow Skype?
Once all this is done, you can begin worrying about the “Apps”.
Do you block Youtube but still allow a few selected channels? (do note though that if you do this, you’ll still need to allow ytimg.com, which is where YouTube maintains the images).
The question here is, do you really want to “make a list”?
I personally believe that if it’s not business related, it should be blocked. However, if your company policy is such that you cannot block them, then perhaps a review of the policy as well as a lengthy chat with HR are called for. Recreational use of the Internet at work is irrefutably costly (for the company) but only a good HR policy can determine how much of it to allow and when.
So, which apps do YOU think should be blocked from the workplace?
One of the major drivers, in my opinion, is the adoption of the cloud. But the problem is, how do I manage user identification both in my own network and in my cloud without having to duplicate efforts? How can I be assured that the iPad being used to access company’s data in the LAN and in the cloud is legitimate, used by the actual and legitimate user, and all this without having to manage identities in 3 different places? And without asking the users to enter 3 different passwords?
In a way, this is an extension of the single sign on issue (never truly resolved completely); now I want to identify my users wherever they are, whichever device they are using, whichever server they are trying to access, local or in the cloud. The scale of the problem is rather daunting in some cases. Some major software vendors offer solutions that are specific for their own environment; for instance, you can get AIM for Oracle, AWS has its own version to integrate your local network with their cloud solution, etc.
HIPAA, SOC and PCI are forcing the hand on this issue as well, as these regulations require that access to data be closely controlled; the systems handling data must be able to account for WHOM is accessing that data. And again, IT departments do not want their users to get frustrated having to logon multiple times to multiple systems; they aim at having one place to identify users and correctly grant access data only on an as-needed basis, which is also called role based access – access only to the data your job requires you to have access to.
Several days ago, a Network Box USA customer received an email from a Yahoo account belonging to one of his colleagues. As the email was obviously spam, the customer was (understandably) concerned and quickly got in touch with me, asking me to find out what was going on.
An analysis of the email headers revealed that it had originated from Vietnam. Hence, my initial comment to him was, “unless your colleague is, right this very moment, in Vietnam, someone stole his account and is using it to send out spam”.
I know now that I was on the right track - that email address must have been one of those stolen in this latest attack against online email services. And, in fact, we’d just witnessed another one, barely a month ago, unleashed upon Hotmail accounts.
The appeal of such accounts is twofold – firstly, many people maintain their contacts online, so once a hacker gets a hold of their password, he can harvest new email addresses to which to send spam and viruses, smug in the knowledge that these are actual email addresses, so the emails _will_ reach their targets.
Secondly, the account itself can be set up to send out a bit of spam before Yahoo, or whichever other service was compromised, finds out and blocks it. It’s a free ride requiring minimal effort and barely any resources to speak of, and it is (almost) impossible to trace – I mean, seriously, unless the customer is prepared to board a plane to South East Asia, who will ever trace and determine the real sender, from Vietnam, who distributed the spam to which I referred earlier?
I was just reading this article posted today.
How very interesting; someone still gets amazed at the fact that people won’t do anything to fix their own issues. I’ve been seeing this sort of situation ever since I started doing this job - people do not take care of these issues; some out of genuine ignorance of the issue, an absence of knowledge on how to fix it; but largely (and very worryingly), out of nonchalance. In my conversations with non corporate users, I realize that many do not use an AV; that they find it clumsy and slow, and, get this, expensive ($20/year to help keep your computer clean and safe, does that sound expensive to you?)
What troubles me is when the author refers to enterprise users. I hope we are talking about small and med businesses here; because if Fortune 500 companies don’t fix these issues, then there is no hope that anyone will!
Incidentally, there is an easy way around this problem, that any company of any size would be able to afford and which would do it some good in other ways as well – the use of a proxy server!
If the server is in line with the internet traffic, so that no one can ‘accidentally’ bypass it, then the DNS resolution on the workstations becomes irrelevant because the proxy will do its own resolution. And, of course, assuming the proxy server itself is not compromised (thus the importance of not using Microsoft servers for doing this, in my opinion, a proxy server should be based on Linux not Microsoft; for numerous reasons, this being one of them), then this becomes a non-issue. No matter what IP the workstations resolve to, the proxy will resolve it to the correct one anyway.
Which is one more reason why it is important to use an inline proxy to filter internet traffic!
Have a good weekend ahead.
In response to this article, we have been saying the precise same thing for 13 years now. The idea for UTM has always been that an effective response against blended threats can only come from blended security; and that there is absolutely no way to blend security when you are dealing with 10 different devices ~ most likely originating from 7 different vendors, with not a single one of them integrated with each other.
We must be clear from the onset ~ there is no such thing as “an email attack”, or “a web attack”. Attacks come in many forms, via the network, through emails, from the web; a sound network defense must be able to understand all that the attack is trying to do, and stop it with any and all the possible tools available.
A word of caution though; UTM or not, a protection device that is not properly configured is, simply put, useless. Yes, useless, no matter how good the technology is. Security is not, and never will be, just a device.
The market will grow, but if all we are doing is replacing our set of firewall/IPS/VPN/email scanning/web filtering with one device, yet still leaving them poorly configured, we have resolved nothing.
As the UTM market grows, it is increasingly crucial that the managed security services market grows as well, to ensure such devices are adequately configured by expert hands who understand risks and best practices, and can go a long way towards ensuring the successful protection of a network.
Is your network safe?