Re: Web filters - Effects on Productivity

Subject: Re: Web filters - Effects on Productivity
Date: 23 Apr 2008 13:48:59 -0000
Your question is a good one, and one I see increasingly discussed in various 
forums, especially since "how do I bypass a proxy filter" posts occur daily on 
blogs and discussion boards (and in every issue of 2600!). 

Web filters really should only have two and a half primary uses:

1) Improved security by disallowing dangerous sites. This isn't perfect, but it 
should have a measurable effect with your desktop support staff. Stopping 
pornography and other inappropriate surfing should fall into this bullet as 
well.

2) Auditing of web browsing. While the filter itself shouldn't be playing 
ethics police with your workers' surfing habits, it does provide reporting and 
auditing for management/HR to use. If someone is addicted to gaming forums and 
wastes 5 hours a day trolling them, you want proof to back up disciplinary 
actions.

2.5) Provide a little data loss prevention. For instance, do you allow 
employees to utilize their gmail/hotmail accounts at work? How do you know 
they're not siphoning off sensitive work docs through that email system? This 
is a "half" bullet because you can only stop the big parties that everyone 
knows, but you won't stop smaller mail portals or the one I can put up at home 
on my own mail server. But it should help for casual crimes of opportunity. 
Determined users will find ways through, unless the rest of your network 
security posture is tight.


This is all balanced against worker happiness. A happy worker is a productive 
worker. If you worked in a casual start-up, would you expect to have unfettered 
internet access? What about at a government facility? These extremes can 
illustrate that there is no universal answer to this question. It is very 
situational.

It also depends on the personality of your security officer(s). Do they only 
look at solutions that provide absolute security, or are they sympathetic to 
solutions that are not perfect, but add some value incrementally? These are two 
very different paradigms.

In a common SMB environment, I would use the above 2.5 points as the purpose of 
a web filter.

As a tech/security-savvy SMB worker, I feel happiest when I am not under the 
hard hand of a draconian web filter regime, and thus I also feel more 
productive. Likewise, being in security, there are times I need to see some 
questionable sites. And I definitely regularly pop up on web filter reports 
because IP xx.xx.xx.xx was scanning me, so I poked back at it only to find it 
hosted porn. Doh.




<- snip ->
I'm not bringing into question the technical security benefits of web
filtering; those are obvious. Do web filters in schools and offices
*really* give productivity a boost, or do they simply shift what sites
or activities employees waste company time on? Have there been any
solid studies on this topic?
