Best practices to block social sites

Solution 1:

Do other companies block social sites?

Yes, but that doesn't mean it is a good idea. The book Predictably Irrational has an interesting discussion and links to several studies that basically suggest that if you block minor personal usage, it can actually cost you in productivity. If people think their workplace is friendly and home-like, they are more likely to work from home beyond their 40 hours.

If one individual is causing problems it may be better to work with the individual, than to use a technology solution to simply kill break things. Technology is not a replacement for a manager actually doing their job.

Most filters are easily bypassed; you really should try to avoid getting into an arms race with your coworkers. At some point you will just make your firewall so hostile they won't be able to get actual work done, and you still will probably have not blocked all the possible ways around the firewall.

Do I need a dedicated device for that, like a hardware firewall or a super expensive router, or can I do that with my existing FreeBSD 6.1 self-made router with two LAN cards and NAT configured to act as a router?

You can install Squid+Squidguard and force all traffic through the proxy. You can set up ACLs to block sites you don't like.

I suggest you set up Squid as a proxy, with no ACLs to block anything, and just watch the logs. Force everyone through the proxy (with notice). Then set up something like SARG to build reports. If someone is really having a problem, having a good report will give the employee's supervisor the evidence they need to start addressing the problem.
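
As an added illustration of the log-only approach in Solution 1 (not part of any answer, and not SARG's code), here is a minimal per-client usage summary over Squid's native access.log format. The sample log lines, IP addresses and host names are constructed, and grouping hosts by their last two labels is a simplifying assumption.

```python
"""Per-client, per-site usage summary from a Squid native access.log."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1286536309.450    120 192.168.1.10 TCP_MISS/200 15230 GET http://www.social.example/home.php - DIRECT/203.0.113.5 text/html
1286536310.101     95 192.168.1.10 TCP_MISS/200 48211 GET http://cdn.social.example/app.js - DIRECT/203.0.113.6 application/javascript
1286536312.007     30 192.168.1.22 TCP_HIT/200 2048 GET http://intranet.example.com/wiki - NONE/- text/html
1286536315.880  60012 192.168.1.22 TCP_MISS/200 90500 CONNECT chat.example.org:443 - DIRECT/203.0.113.9 -
1286536316.200      5 192.168.1.10 TCP_DENIED/403 1400 GET http://blocked.example.net/ - NONE/- text/html
this line is truncated garbage
"""

def site_of(method, url):
    """Return a grouping key for the requested host."""
    if method == "CONNECT":          # HTTPS tunnels log "host:port", not a URL
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or "unknown"
    host = host.lower()
    if host.replace(".", "").isdigit():
        return host                  # literal IPv4 address: keep as-is
    # Assumption: last two labels identify the site (wrong for e.g. co.uk).
    return ".".join(host.split(".")[-2:])

def summarize(lines):
    """Return ({(client, site): [requests, bytes]}, skipped_line_count)."""
    usage, skipped = defaultdict(lambda: [0, 0]), 0
    for line in lines:
        f = line.split()
        if len(f) < 7 or not f[4].isdigit():
            skipped += 1             # malformed or truncated entry
            continue
        client, result, size, method, url = f[2], f[3], int(f[4]), f[5], f[6]
        if result.startswith("TCP_DENIED"):
            continue                 # proxy refused it; nothing was fetched
        key = (client, site_of(method, url))
        usage[key][0] += 1
        usage[key][1] += size
    return dict(usage), skipped

def report(usage):
    """Rows of (client, site, requests, bytes), heaviest traffic first."""
    rows = sorted(usage.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(client, site, n, b) for (client, site), (n, b) in rows]

if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG.splitlines())[0]):
        print("%-15s %-20s %5d req %9d bytes" % row)
```

HTTPS traffic appears only as CONNECT entries with a host and port, so the report can show which sites were reached over TLS but not which pages.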

Solution 2:

This should be dealt with via your disciplinary procedure, not your firewall. It's a technical solution for a non-technical problem.

Solution 3:

You know how the RIAA and MPAA publish these insane numbers on how much money piracy is costing them, based on the idiotic assumption that every unit of pirated content would be purchased if piracy were impossible?

You're doing the same thing by assuming that if 'wasting' time on social media were impossible, that time would be spent doing productive work. But unless these are data entry clerks you're talking about, we're probably talking about people with some kind of creative / knowledge-worker aspect to their job, which means that their productivity is a complex thing that doesn't look the same as that of a widget twister on an assembly line. Their use of social media may easily be a key component of their productivity, and attacking it may be attacking what enables them to make you money.

And that's even before we get into the morale impact of treating employees like prisoners on a chain gang.

Just sayin', dude.

Solution 4:

We only block sites if browsing is interfering with productivity, and we accept the views of local management on the issue (even when we suspect they are exaggerating).

We block sites using a proxy server; usually SQUID, which should run fine on your firewall. We put a rule on the firewall blocking outbound port 80 (and sometimes 443) from all hosts except from servers and the proxy server. Then we use a group policy to configure the proxy in users' Internet Explorer.

Some managers ask us for usage stats. Most don't.

JR